+> [!NOTE]

+> Azure AD B2C is generally available in the Microsoft Azure global cloud and Microsoft Azure operated by 21Vianet. Azure AD B2C is not available in Microsoft Azure Government.

+

+The `azure-openai-emit-token-metric` policy sends custom metrics to Application Insights about consumption of large language model tokens through Azure OpenAI Service APIs. Token count metrics include: Total Tokens, Prompt Tokens, and Completion Tokens.

+## Limits for custom metrics

+* Your API Management instance must be integrated with Application insights. For more information, see [How to integrate Azure API Management with Azure Application Insights](./api-management-howto-app-insights.md).

+The following example sends Azure OpenAI token count metrics to Application Insights along with API ID as a custom dimension.

+## Limits for custom metrics

+## Prerequisites

+* Your API Management instance must be integrated with Application insights. For more information, see [How to integrate Azure API Management with Azure Application Insights](./api-management-howto-app-insights.md).

+* Enable Application Insights logging for your APIs.

+* Enable custom metrics with dimensions in Application Insights. For more information, see [Emit custom metrics](api-management-howto-app-insights.md#emit-custom-metrics).

+The following example sends a custom metric to count the number of API requests along with API ID as a custom dimension.

+The `llm-emit-token-metric` policy sends custom metrics to Application Insights about consumption of large language model (LLM) tokens through LLM APIs. Token count metrics include: Total Tokens, Prompt Tokens, and Completion Tokens.

+## Limits for custom metrics

+The following example sends LLM token count metrics to Application Insights along with API ID as a custom dimension.

+> If your user doesn't have permission to see backend health statuses, the output `No results.` is displayed.

+**Cause:** After Application Gateway sends an HTTP(S) probe request to the backend server, it waits for a response from the backend server for a configured period. If the backend server doesnΓÇÖt respond within this period (the timeout value), it is marked as Unhealthy until it responds within the configured timeout period again.

+2. After you figure out the time taken for the application to respond, select the **Health Probes** tab, then select the probe associated with your HTTP settings.

+**Message:** Application Gateway could not create a probe for this backend. This usually happens when the FQDN of the backend is not entered correctly. 

+4. If you're using Azure default DNS, verify with your domain name registrar that proper A record or CNAME record mapping is complete.

+**Cause:** After the DNS resolution phase, Application Gateway tries to connect to the backend server on the TCP port configured in the HTTP settings. If Application Gateway can't establish a TCP session on the port specified, the probe is marked as Unhealthy with this message.

+ b. Check whether the server is listening on the configured port. For example:

+**Cause:** After the TCP connection is established and a TLS handshake is done (if TLS is enabled), Application Gateway sends the probe as an HTTP GET request to the backend server. As described earlier, the default probe is set to `<protocol>://127.0.0.1:<port>/`, and it considers response status codes in the range 200 through 399 as Healthy. If the server returns any other status code, it is marked as Unhealthy with this message.

+Or, if you think the response is legitimate and you want Application Gateway to accept other status codes as Healthy, you can create a custom probe. This approach is useful in situations where the backend website needs authentication. Because the probe requests don't carry any user credentials, they will fail, and an HTTP 401 status code is returned by the backend server.

+(For V2) This occurs when you select HTTPS protocol in the backend setting, and neither the Custom ProbeΓÇÖs nor Backend SettingΓÇÖs hostname (in that order) matches the Common Name (CN) of the backend serverΓÇÖs certificate.</br>

+**Tips:** To determine the Common Name (CN) of the backend server certificate, you can use any of these methods. Also note, as per [**RFC 6125**](https://www.rfc-editor.org/rfc/rfc6125#section-6.4.4) if a SAN exists the SNI verification is done only against that field. The common name field is matched if there's no SAN in the certificate.

+Access the backend server directly (not through Application Gateway) and click on the certificate padlock in the address bar to view the certificate details. You can find it under the ΓÇ£Issued ToΓÇ¥ section.

+**Solution:** The solution depends on which part of the certificate chain expired on the backend server.

+* Expired Leaf (also known as Domain or Server) certificate ΓÇô Renew the server certificate with certificate provider and install the new certificate on the backend server. Ensure that you install the complete certificate chain comprised of `Leaf (topmost) > Intermediate(s) > Root`. Based on the type of Certificate Authority (CA), you may take the following actions on your gateway.

+* Expired Intermediate or Root certificate ΓÇô Typically, these certificates have relatively extended validity periods (a decade or two). When Root/Intermediate certificate expires, we recommend you check with your certificate provider for the renewed certificate files. Ensure you install this updated and complete certificate chain comprising `Leaf (topmost) > Intermediate(s) > Root` on the backend server.

+> A self-signed certificate which is NOT a Certificate Authority also results in the same error. This is because application gateway considers such self-signed certificate as "Leaf" certificate and looks for its signing Intermediate certificate. You can follow this article to correctly [generate a self-signed certificate](./self-signed-certificates.md).

+ 1. Choose the root certificate in the chain and click on Export. By default, this is a .CRT file.

+If the backend health is shown as Unknown, the portal view resembles the following screenshot:

+ b. On the **Subnets** tab of your virtual network, select the subnet where Application Gateway is deployed.

+ c. Check to see if there are any default routes (0.0.0.0/0) with the next hop not set as **Internet**. If the setting is either **Virtual Appliance** or **Virtual Network Gateway**, you must make sure that your virtual appliance, or the on-premises device, can properly route the packet back to the Internet destination without modifying the packet. If probes are routed through a virtual appliance and modified, the backend resource displays a **200** status code and the Application Gateway health status can display as **Unknown**. This doesn't indicate an error. Traffic should still be routing through the Application Gateway without issue.

+> [!NOTE]

+> If the application gateway is not able to access the CRL endpoints, it marks the backend health status as "unknown" and cause fast update failures. To prevent these issues, check that your application gateway subnet is able to access `crl.microsoft.com` and `crl3.digicert.com`. This can be done by configuring your Network Security Groups to send traffic to the CRL endpoints.

+Azure Application Gateway uses gateway-managed cookies for maintaining user sessions. When a user sends the first request to Application Gateway, it sets an affinity cookie in the response with a hash value which contains the session details, so that the subsequent requests carrying the affinity cookie are routed to the same backend server for maintaining stickiness.

+Note that the default affinity cookie name is *ApplicationGatewayAffinity* and you can change it. If you deploy multiple application gateway instances in the same network topology, you must set unique cookie names for each instance. If you're using a custom affinity cookie name, an additional cookie is added with `CORS` as suffix. For example: *CustomCookieNameCORS*.

+The only exception to this are requests bound for deregistering instances because of gateway-managed session affinity. These requests continue to be forwarded to the deregistering instances.

+If you select HTTPS as the backend protocol, the Application Gateway requires a trusted root certificate to trust the backend pool for end-to-end SSL. By default, the **Use well known CA certificate** option is set to **No**. If you plan to use a self-signed certificate, or a certificate signed by an internal Certificate Authority, then you must provide the Application Gateway the matching public certificate used by the backend pool. This certificate must be uploaded directly to the Application Gateway in .CER format.

+Application Gateway allows for the connection established to the backend to use a *different* hostname than the one used by the client to connect to Application Gateway. While this configuration can be useful in some cases, exercise caution when overriding the hostname such that it is different between the application gateway and the client compared to the backend target.

+| uri_path | Identifies the specific resource in the host that the web client wants to access. The variable refers to the original URL path, prior to any manipulation. This is the part of the request URI without the arguments. For example, in the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam`, the uri_path value is `/article.aspx`. |

+||Azure AI Search|search.windows.net|search.azure.us||

+There are currently two models available in Azure AI Health Insights:

+With these input patient data and configuration, the service can run the data through the selected health insights AI model, such as Trial Matcher or Radiology Insights.

+PUT https://{your-cognitive-service-endpoint}/health-insights/trial-matcher/jobs/id?api-version=2024-08-01-preview

+description: Learn how to use Azure AI Health Insight models on premises using Docker containers.

+To use the latest version of the container, you can use the `latest` tag. You can find a full list of tags on the MCR via `https://mcr.microsoft.com/v2/azure-cognitive-services/health-insights/clinical-matching/tags/list`.

+- Use the [`docker pull`](https://docs.docker.com/engine/reference/commandline/pull/) command to download this container image from the Microsoft public container registry.

+You can find the featured tags on the [docker hub clinical matching page](https://hub.docker.com/r/microsoft/azure-cognitive-services-health-insights-clinical-matching).

+> To use the clinical-matching model, you should use the docker compose command. see Example Docker compose file.

+curl -X PUT 'http://<serverURL>:5000/health-insights/<model>/jobs/id?api-version=<version>/' --header 'Content-Type: application/json' --header 'accept: application/json' --data-binary @example.json

+The below example shows how a [docker compose](https://docs.docker.com/reference/compose-file/) file can be created to deploy the health-insights containers.

+The **Location** field in the Azure Maps Power BI Visual can accept multiple values, such as country/region, state, city, street address, and zip code. Providing multiple sources of location information in the Location field enhances the accuracy of results and removes any ambiguity that might limit the identification of a specific location. For example, there are over 20 different cities in the United States named *Franklin*.

+| 3 | Similar to the drill-down option, except that you don't need to select the map. It expands down to the next level of the hierarchy remembering the current level's context. For example, if you're currently looking at countries/regions and select this icon, you move down in the hierarchy to the next level--states. For geocoding, Power BI sends data for each state and its corresponding country/region to help Azure Maps geocode more accurately. In most maps, either use this option or the drill-down option on the far right. This sends Azure as much information as possible and result in more accurate location information. |

+To ensure fields are correctly geocoded, you can set the Data Category on the data fields in Power BI. In Data view, select the desired column. From the ribbon, select the Modeling tab and then set the Data Category to one of the following properties: Address, Place, City, County, State or Province, Postal Code, Country, Continent, Latitude, or Longitude. These data categories help Azure correctly encode the data. To learn more, see [Data categorization in Power BI Desktop]. If you're live connecting to SQL Server Analysis Services, set the data categorization outside of Power BI using [SQL Server Data Tools (SSDT)].

+>

+> The **Show zeros** and **Show negatives** Power BI Visual General layer settings were deprecated starting in the September 2023 release of Power BI. You can no longer create new reports using these settings, but existing reports will continue to work. It is recommended that you upgrade existing reports. To upgrade to the new **range scaling** property, select the desired option in the **Range scaling** drop-down list:

+### [3.4.0] (CDN: September 30, 2024, npm: TBA)

+#### New features

+- Add support for PMTiles.

+#### Bug fixes

+- Accessibility: Fix overflow issue with the style picker label in small containers.

+- Fix attribution not updating after style changes with a GeoJSON data source.

+- Fix `setCamera` with bounds and min/max zoom.

+- Use `ResizeObserver` instead of window resize events.

+- Fix footer logo width.

+#### Other changes

+- Add `@types/geojson` as a dependency.

+- Update dependency `@microsoft/applicationinsights-web` to `^3.3.0`

+### [3.3.0] (August 8, 2024)

+#### New features

+#### Bug fixes

+#### New features

+#### Bug fixes

+#### Other changes

+#### Other changes

+#### New features

+#### Other changes

+#### New features

+#### Bug fixes

+#### New features

+#### Bug fixes

+#### New features

+#### Other changes

+#### Bug fixes

+#### Other changes

+#### Bug fixes

+#### Other changes

+#### Bug fixes

+#### Other changes

+#### Installation

+#### Bug fixes

+#### Installation

+#### New features

+#### Bug fixes

+#### Installation

+#### Bug fixes

+#### Other changes

+#### Installation

+#### New features

+#### Bug fixes

+#### Installation

+#### Installation

+#### New features

+#### Bug fixes

+#### Installation

+#### New features

+#### Installation

+#### New features

+#### Changes

+#### Bug fixes

+#### Installation

+#### New features

+#### Bug fixes

+#### Installation

+#### New features

+#### Bug fixes

+### Installation

+#### New features

+#### Bug fixes

+#### New features

+#### Other changes

+#### New features

+#### Bug fixes

+#### Other changes

+#### Other changes

+#### Bug fixes

+#### Bug fixes

+#### Other changes

+#### Bug fixes

+#### Other changes

+#### New features

+#### Bug fixes

+#### Other changes

+#### New features

+#### Bug fixes

+#### Bug fixes

+#### New features

+#### Bug fixes

+#### New features

+#### Bug fixes

+#### New features

+#### Bug fixes

+>If you are using a capacity pool with a size of 2 TiB or smaller and have the `ANFStdToBasicNetworkFeaturesRevert` and `ANFBasicToStdNetworkFeaturesUpgrade` AFECs enabled and want to change the capacity pool's QoS type from auto to manual, you must [perform the operation with the REST API](#resizing-the-capacity-pool-or-a-volume-using-rest-api) using the `2023-07-01` API version or later.

+> Currently, Azure Backup supports only persistent volumes in CSI driver-based Azure Disk Storage. During backups, the solution skips other persistent volume types, such as Azure File Share and blobs. Also, if you have defined retention rules for Vault tier then backups are only eligible to be moved to the vault if the persistent volumes are of size less than or equal to 1 TB.

+- **Backup Storage fee**: Azure Backup for AKS also supports storing backups in Vault Tier. This can be achieved by defining retention rules for **vault-standard** in the backup policy, with one restore point per day eligible to be moved into the Vault. Restore points stored in the Vault Tier are charged a separate fee called Backup Storage fee as per the total data stored (in GBs) and redundancy type enable on the Backup Vault.

+### LinkedAuthorizationFailed

+**Error code**: LinkedAuthorizationFailed

+**Cause**: To perform a restore operation, user needs to have a **read** permission over the backed up AKS cluster.

+**Recommended action**: Assign Reader role on the source AKS cluster and then proceed to perform the restore operation.

+To enable Trusted Access between a Backup vault and an AKS cluster. Learn [how to enable Trusted Access](azure-kubernetes-service-cluster-manage-backups.md#trusted-access-related-operations)

+ Title: Audit and enforce backup operations for Azure Kubernetes Service clusters using Azure Policy

+description: 'An article describing how to use Azure Policy to audit and enforce backup operations for all Azure Kubernetes Service clusters created in a given scope'

+# Audit and enforce backup operations for Azure Kubernetes Service clusters using Azure Policy

+One of the key responsibilities of a Backup or Compliance Admin in an organization is to ensure that all business-critical machines are backed up with the appropriate retention.

+Azure Backup provides various built-in policies (using [Azure Policy](../governance/policy/overview.md)) to help you automatically ensure that your Azure Kubernetes Service clusters are ready for backup configuration. Depending on how your backup teams and resources are organized, you can use any one of the below policies:

+## Policy 1 - Azure Backup Extension should be installed in AKS clusters

+Use this [audit-only](../governance/policy/concepts/effects.md#audit) policy to identify the AKS clusters that don't have the backup extension installed. However, this policy doesn't automatically install the backup extension to these AKS clusters. It's useful only to evaluate the overall readiness of the AKS clusters for backup compliance, and not to take action immediately.

+## Policy 2 - Azure Backup should be enabled for AKS clusters

+Use this [audit-only](../governance/policy/concepts/effects.md#audit) policy to identify the clusters that don't have backups enabled. However, this policy doesn't automatically configure backups for these clusters. It's useful only to evaluate the overall compliance of the clusters, and not to take action immediately.

+## Policy 3 - Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag.

+A central backup team in an organization can use this policy to install backup extension to any AKS clusters in a region. You can choose to **include** clusters that contain a certain tag, in the scope of this policy.

+## Policy 4 - Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag.

+A central backup team in an organization can use this policy to install backup extension to any AKS clusters in a region. You can choose to **exclude** clusters that contain a certain tag, from the scope of this policy.

+## Supported Scenarios

+Before you audit and enforce backups for AKS clusters, see the following scenarios supported:

+* The built-in policy is currently supported only for Azure Kubernetes Service clusters.

+* Users must take care to ensure that the necessary [prerequisites](azure-kubernetes-service-cluster-backup-concept.md#backup-extension) are enabled before Policies 3 and 4 are assigned.

+* Policies 3 and 4 can be assigned to a single region and subscription at a time.

+* For Policies 1, 2, 3 and 4, management group scope is currently unsupported.

+## Using the built-in policies

+This section describes the end-to-end process of assigning Policy 3: **Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag**. Similar instructions apply for the other policies. Once assigned, any new AKS cluster created under this scope has backup extension installed automatically.

+To assign Policy 3, follow these steps:

+1. Sign in to the Azure portal and navigate to the **Policy** Dashboard.

+

+2. Select **Definitions** in the left menu to get a list of all built-in policies across Azure Resources.

+

+3. Filter the list for **Category=Backup** and select the policy named *Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag*.

+

+4. Select the name of the policy. You're then redirected to the detailed definition for this policy.

+5. Select the **Assign** button at the top of the pane. This redirects you to the **Assign Policy** pane.

+

+6. Under **Basics**, select the three dots next to the **Scope** field. It opens up a right context pane where you can select the subscription for the policy to be applied on. You can also optionally select a resource group, so that the policy is applied only for AKS clusters in a particular resource group.

+7. In the **Parameters** tab, choose a location from the drop-down, and select the storage account to which the backup extension installed in the AKS cluster in the scope must be associated. You can also choose to specify a tag name and an array of tag values. An AKS cluster that contains any of the specified values for the given tag are excluded from the scope of the policy assignment.

+8. Ensure that **Effect** is set to deployIfNotExists.

+

+9. Navigate to **Review+create** and select **Create**.

+> [!NOTE]

+>

+> - Use [remediation](../governance/policy/how-to/remediate-resources.md) to enable these policies on existing AKS clusters.

+## Next step

+[Learn more about Azure Policy](../governance/policy/overview.md)

+- Operational Tier support for AKS backup is supported in all the following Azure public cloud regions: East US, North Europe, West Europe, South East Asia, West US 2, East US 2, West US, North Central US, Central US, France Central, Korea Central, Australia East, UK South, East Asia, West Central US, Japan East, South Central US, West US 3, Canada Central, Canada East, Australia South East, Central India, Norway East, Germany West Central, Switzerland North, Sweden Central, Japan West, UK West, Korea South, South Africa North, South India, France South, Brazil South, UAE North, China East 2, China East 3, China North 2, China North 3, USGov Virginia, USGov Arizona and USGov Texas.

+- Vault Tier and Cross Region Restore support (preview) for AKS backup are available in the following regions: East US, West US, West US 3, North Europe, West Europe, North Central US, South Central US, West Central US, East US 2, Central US, UK South, UK West, East Asia, South-East Asia, Japan East South India, Central India, Canada Central and Norway East.

+ >Vaulted backup and Cross Region Restore for AKS using Azure Backup are currently in preview.

+ >

+ >To access backups stored in Vault Tier in the Azure paired region, enable Cross Region Restore capability for your Backup Vault. See the [list of Azure Paired Region](../reliability/cross-region-replication-azure.md#azure-paired-regions).

+- Provide a new and empty blob container as input while installing backup extension in an AKS cluster for the first time. Don't use same blob container for more than one AKS cluster.

+- Currently, an AKS backup supports only the backup of Azure disk-based persistent volumes (enabled by the CSI driver). The supported Azure Disk SKUs are Standard HDD, Standard SSD, and Premium SSD. The disks belonging to Premium SSD v2 and Ultra Disk SKU aren't supported. Both static and dynamically provisioned volumes are supported. For backup of static disks, the persistent volumes specification should have the *storage class* defined in the **YAML** file, otherwise such persistent volumes are skipped from the backup operation.

+- Azure Files shares and Azure Blob Storage persistent volumes are not supported by AKS backup due to lack of CSI Driver-based snapshotting capability. If you're using said persistent volumes in your AKS clusters, you can configure backups for them via the Azure Backup solutions. For more information, see [Azure file share backup](azure-file-share-backup-overview.md) and [Azure Blob Storage backup](blob-backup-overview.md).

+- You can only install the Backup Extension on agent nodes with Ubuntu and Azure Linux as Operating System. AKS Clusters with Windows based agent nodes don't allow Backup Extension installation.

+- You can't install Backup Extension in AKS Cluster with Arm64 based agent nodes irrespective of Operating System (Ubuntu/Azure Linux/Windows) running on these nodes.

+- The blob container provided as input during installation of the backup extension should be in the same region and subscription as that of the AKS cluster. Only blob containers in a General-purpose V2 Storage Account are supported and Premium Storage Account aren't supported.

+- Azure Backup for AKS provides both Operational Tier (Snapshot) and Vault Tier backup. Multiple backups per day can be stored in Operational Tier, with only one backup per day to be stored in the Vault as per the retention policy defined.

+- Backup vault doesn't support Azure Lighthouse. Thus, cross tenant management can't be enabled by Lighthouse for Azure Backup for AKS and you cannot backup/restore AKS Clusters across tenant.

+- The following namespaces are skipped from Backup Configuration and not cofigured for backups: `kube-system`, `kube-node-lease`, `kube-public`.

+ | Number of namespaces per backup instance | 800 |

+- Ensure that `Microsoft.KubernetesConfiguration`, `Microsoft.DataProtection`, and `Microsoft.ContainerService` are registered for your subscription before initiating the backup configuration and restore operations.

+The following namespaces are skipped from backup configuration and not cofigured for backups: kube-system, kube-node-lease, kube-public.

+- Ensure that `Microsoft.KubernetesConfiguration`, `Microsoft.DataProtection`, and `Microsoft.ContainerService` are registered for your subscription before initiating the backup configuration and restore operations.

+1. Prepare backup configuration to define which cluster resources are to be backed up using the `New-AzDataProtectionBackupConfigurationClientObject` cmdlet. In the following example, the configuration is defined as all cluster resources under current, and future namespaces will be backed up with the label as `key-value pair x=y`. Also, all the cluster scoped resources and persistent volumes are backed up. The following namespaces are skipped from backup configuration and not cofigured for backups: kube-system, kube-node-lease, kube-public.

+- Ensure that `Microsoft.KubernetesConfiguration`, `Microsoft.DataProtection`, and `Microsoft.ContainerService` are registered for your subscription before you initiate backup configuration and restore operations.

+ > - If the AKS cluster doesn't have the Backup extension installed, you can perform the installation during configuring backup for the cluster.

+1. **Select Namespaces to backup**, you can either select **All** to back up all existing and future namespaces in the cluster, or you can select **Choose from list** to select specific namespaces for backup. The following namespaces are skipped from Backup Configuration and not cofigured for backups: kube-system, kube-node-lease, kube-public.

+- You must [install the Backup Extension](azure-kubernetes-service-cluster-manage-backups.md#install-backup-extension) in the target AKS cluster. Also, you must [enable Trusted Access](azure-kubernetes-service-cluster-manage-backups.md#trusted-access-related-operations) between the Backup vault and the AKS cluster.

+- You must [install the Backup Extension](azure-kubernetes-service-cluster-manage-backups.md#install-backup-extension) in the target AKS cluster. Also, you must [enable Trusted Access](azure-kubernetes-service-cluster-manage-backups.md#trusted-access-related-operations) between the Backup vault and the AKS cluster.

+- You must [install the Backup Extension](azure-kubernetes-service-cluster-manage-backups.md#install-backup-extension) in the target AKS cluster. Also, you must [enable Trusted Access](azure-kubernetes-service-cluster-manage-backups.md#trusted-access-related-operations) between the Backup vault and the AKS cluster.

+1. Grant permissions to the backup vault MSI on the target ARM resource (PostgreSQL-Flexible server), establishing access, and control.

+## Understand pricing

+You incur charges for:

+- **Protected instance fee**: Azure Backup for PostgreSQL - Flexible servers charges a *protected instance fee* as per the size of the database. When you configure backup for a PostgreSQL Flexible server, a protected instance is created. Each instance is charged on the basis of its size (in GBs) on a per unit (250 GB) basis.

+- **Backup Storage fee**: Azure Backup for PostgreSQL - Flexible servers store backups in Vault Tier. Restore points stored in the vault-standard tier are charged a separate fee called Backup Storage fee as per the total data stored (in GBs) and redundancy type enable on the Backup Vault.

+>[!Note]

+>Azure Database for PostgreSQL - Single Server is on the retirement path and is scheduled for retirement by March 28, 2025.

+>

+>If you currently have an Azure Database for PostgreSQL - Single Server service hosting production servers, we're glad to inform you that you can migrate your Azure Database for PostgreSQL - Single Server to the Azure Database for PostgreSQL - Flexible Server.

+>

+>Azure Database for PostgreSQL - Flexible Server is a fully managed production-ready> database service designed for more granular control and flexibility over database management functions and configuration settings with the enterprise grade [backup solution by Azure Backup](backup-azure-database-postgresql-flex-overview.md). For more information about Azure Database for PostgreSQL - Flexible Server, visit Azure Database for PostgreSQL - Flexible Server.

+## Understand pricing

+You incur charges for:

+- **Protected instance fee**: Azure Backup for MySQL - Flexible servers charges a *protected instance fee* as per the size of the database. When you configure backup for am Azure MySQL - Flexible server, a protected instance is created. Each instance is charged on the basis of its size (in GBs) on a per unit (250 GB) basis.

+- **Backup Storage fee**: Azure Backup for MySQL - Flexible servers store backups in Vault Tier. Restore points stored in the vault-standard tier are charged a separate fee called Backup Storage fee as per the total data stored (in GBs) and redundancy type enable on the Backup Vault.

+- [Restore an Azure Database for MySQL - Flexible Server (preview)](backup-azure-mysql-flexible-server-restore.md).

+| **Error message** | `Azure Backup doesn't have required role privileges to carry out Backup and Restore operations` |

+| **Possible causes** | All operations fail with this error when the Backup user (AZUREWLBACKUPHANAUSER) doesn't have the **SAP_INTERNAL_HANA_SUPPORT** role assigned or the role might be overwritten. |

+| **Possible causes** | <ul><li>Connection to HANA instance failed</li><li>System database (DB) is offline</li><li>Tenant DB is offline</li><li>Backup user (AZUREWLBACKUPHANAUSER) doesn't have enough permissions/privileges.</li></ul> |

+| **Possible causes** | <ul><li>The specified SAP HANA instance is either invalid or can't be found.</li><li>Multiple SAP HANA instances on a single Azure Virtual Machine (VM) can't be backed up.</li></ul> |

+| **Possible causes** | HANA LSN Log chain break can be triggered for various reasons, including:<ul><li>Azure Storage call failure to commit backup.</li><li>The Tenant DB is offline.</li><li>Extension upgrade is terminated an in-progress Backup job.</li><li>Unable to connect to Azure Storage during backup.</li><li>SAP HANA has rolled back a transaction in the backup process.</li><li>A backup is complete, but catalog isn't yet updated with success in HANA system.</li><li>Backup failed from Azure Backup perspective, but success from the perspective of HANA ΓÇö the log backup/catalog destination might have been updated from Backint-to-file system, or the Backint executable might have been changed.</li></ul> |

+| **Recommended action** | To resolve this issue, Azure Backup triggers an auto-heal Full backup. While this auto-heal backup is in progress, all log backups are triggered by HANA fail with **OperationCancelledBecauseConflictingAutohealOperationRunningUserError**. Once the auto-heal Full backup is complete, logs and all other backups start working as expected.<br>If you don't see an auto-heal full backup triggered or any successful backup (Full/Differential/ Incremental) in 24 hours, contact Microsoft support.</br> |

+|Recommended action | Ensure that your restore scenario isn't in the following list of possible incompatible restores:<br> **Case 1:** SYSTEMDB can't be renamed during restore.<br>**Case 2:** Source ΓÇö SDC and target ΓÇö MDC: The source database can't be restored as SYSTEMDB or tenant DB on the target. <br> **Case 3:** Source ΓÇö MDC and target ΓÇö SDC: The source database (SYSTEMDB or tenant DB) can't be restored to the target.<br>To learn more, see the note **1642148** in the [SAP support launchpad](https://launchpad.support.sap.com). |

+**Error message** | `Database configured for backup doesn't exist.`

+### UserErrorRestoreTargetDirectoriesAbsent

+| **Error Message** | `PreRestoreDataParamsPrep: Target directory` doesn't exist. |

+| | |

+| **Possible Causes** | Restore as files is failing due to *directory* that is selected for restore doesn't exist on the Target server or isn't accessible.

+| **Recommended action** | Verify the directory that you selected is available on the target server and ensure you have selected the correct target server at the time of restore. |

+>[!Note]

+>Azure Backup currently doesn't support the *TLS inspection enabled* **Application Rule** on Azure Firewall.

+ Title: Audit and enforce backup for Managed Disks using Azure Policy

+description: 'An article describing how to use Azure Policy to audit and enforce backup for all Disks created in a given scope'

+# Audit and enforce backup for Managed Disks using Azure Policy

+One of the key responsibilities of a Backup or Compliance Admin in an organization is to ensure that all business-critical machines are backed up with the appropriate retention.

+Today, Azure Backup provides various built-in policies (using [Azure Policy](../governance/policy/overview.md)) to help you automatically ensure that your Azure Managed Disks are configured for backup. Depending on how your backup teams and resources are organized, you can use any one of the below policies:

+## Policy 1 - Azure Backup should be enabled for Managed Disks

+Use an [audit-only](../governance/policy/concepts/effects.md#audit) policy to identify disks which don't have backup enabled. However, this policy doesn't automatically configure backups for these disks. It is useful when you're only looking to evaluate the overall compliance of the disks but not looking to take action immediately.

+## Policy 2 - Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region

+A central backup team of an organization can use this policy to configure backup to an existing central Backup vault in the same subscription and location as the Managed Disks being governed. You can choose to **include** Disks that contain a certain tag, in the scope of this policy.

+## Policy 3 - Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region

+This policy works the same as Policy 2 above, with the only difference being that you can use this policy to **exclude** Disks that contain a certain tag, from the scope of this policy.

+## Supported Scenarios

+Before you audit and enforce backups for AKS clusters, see the following scenarios supported:

+* The built-in policy is currently supported only for Azure Managed Disks. Ensure that the Backup Vault and backup policy specified during assignment is a Disk backup policy.

+* The Policies 2 and 3 can be assigned to a single location and subscription at a time. To enable backup for Disks across locations and subscriptions, multiple instances of the policy assignment need to be created, one for each combination of location and subscription.

+* For the Policies 1, 2 and 3, management group scope is currently unsupported.

+* For the Policies 2 and 3, the specified vault and the disks configured for backup can be under different resource groups.

+## Using the built-in policies

+The below steps describe the end-to-end process of assigning Policy 2: **Configure backup on Managed Disks with a given tag to an existing backup vault in the same location to a given scope** . Similar instructions are applicable for the other policies. Once assigned, any new Managed Disk created in the scope is automatically configured for backup.

+To assign Policy 2, follow these steps:

+1. Sign in to the Azure portal and navigate to the **Policy** Dashboard.

+2. Select **Definitions** in the left menu to get a list of all built-in policies across Azure Resources.

+3. Filter the list for **Category=Backup** and select the policy named *Configure backup on Managed Disks with a given tag to an existing backup vault in the same location to a given scope*.

+

+4. Select the name of the policy. You're then redirected to the detailed definition for this policy.

+5. Select the **Assign** button at the top of the pane. This redirects you to the **Assign Policy** pane.

+6. Under **Basics**, select the three dots next to the **Scope** field. It opens up a right context pane where you can select the subscription for the policy to be applied on. You can also optionally select a resource group, so that the policy is applied only for Disks in a particular resource group.

+7. In the **Parameters** tab, choose a location from the drop-down, and select the vault, backup policy to which the Disks in the scope must be associated, and resource group where these disk snapshots are stored. You can also choose to specify a tag name and an array of tag values. A Disk that contains any of the specified values for the given tag is included in the scope of the policy assignment.

+8. Ensure that **Effect** is set to deployIfNotExists.

+9. Navigate to **Review+create** and select **Create**.

+> [!NOTE]

+>

+> - Use [remediation](../governance/policy/how-to/remediate-resources.md) to enable policy of exisiting Managed Disks.

+> - It's recommended that this policy not be assigned to more than 200 Disks at a time. If the policy is assigned to more than 200 Disks, it can result in the backup being triggered a few hours later than that specified by the schedule.

+## Next step

+[Learn more about Azure Policy](../governance/policy/overview.md)

+1. Make sure that .NET 4.6.2 version or above is installed on the VM.

+ >[!Caution]

+ >The support for backups of SQL VMs running .NET Framework 4.6.1 or below will soon be deprecated because these versions are [officially out of support](/lifecycle/products/microsoft-net-framework). We recommend that you upgrade the .NET Framework to version 4.6.2 or above to ensure that there are no backup failures.

+>[!Note]

+>Azure Backup currently doesn't support the *TLS inspection enabled* **Application Rule** on Azure Firewall.

+### Error code: LinkedAuthorizationFailed

+Error Message: To perform a restore operation, user needs to have a **read** permission over the backed up Managed Disk.

+Recommended Action: Assign Reader role over the source Disk and then proceed to perform the restore operation.

+ role_definition_name = "Storage AccountContributor"

+1. Post restoration completion to the target storage account, you can use pg_restore utility to restore the database and other files to a PostgreSQL Flexible server. Use the following command to connect to an existing postgresql flexible server and an existing database

+ `az storage blob download --container-name <container-name> --name <blob-name> --account-name <storage-account-name> --account-key <storage-account-key> --file - | pg_restore -h <postgres-server-url> -p <port> -U <username> -d <database-name> -v -`

+ * `--account-name`: Name of the Target Storage Account.

+ * `--container-name`: Name of the blob container.

+ * `--blob-name`: Name of the blob.

+ * `--account-key`: Storage Account Key.

+1. To restore the other three files (roles, schema and tablespaces), use the psql utility to restore them to a PostgreSQL Flexible server.

+ `az storage blob download --container-name <container-name> --name <blob-name> --account-name <storage-account-name> --account-key <storage-account-key> --file -

+ | psql -h <hostname> -U <username> -d <db name> -f <dump directory> -v -`

+ Re-run the above command for each file.

+Once you [create a Dapr secret store using one of the previous approaches](#creating-a-dapr-secret-store-component), you can reference that secret store from other Dapr components in the same environment. The following example demonstrates using Entra ID authentication.

+secretStoreComponent: "[your_secret_store_name]"

+ - name: namespaceName

+ # Required when using Azure Authentication.

+ # Must be a fully-qualified domain name

+ value: "[your_servicebus_namespace.servicebus.windows.net]"

+ - name: azureTenantId

+ value: "[your_tenant_id]"

+ - name: azureClientId

+ value: "[your_client_id]"

+ - name: azureClientSecret

+ secretRef: azClientSecret

+ - name: namespaceName

+ # Required when using Azure Authentication.

+ # Must be a fully-qualified domain name

+ value: "[your_servicebus_namespace.servicebus.windows.net]"

+ - name: azureTenantId

+ value: "[your_tenant_id]"

+ - name: azureClientId

+ value: "[your_client_id]"

+ - name: azureClientSecret

+ secretRef: azClientSecret

+ name: 'namespaceName'

+ // Required when using Azure Authentication.

+ // Must be a fully-qualified domain name

+ value: '[your_servicebus_namespace.servicebus.windows.net]'

+ name: 'azureTenantId'

+ value: '[your_tenant_id]'

+ name: 'azureClientId'

+ value: '[your_client_id]'

+ name: 'azureClientSecret'

+ secretRef: 'azClientSecret'

+ "name": "namespaceName",

+ "value": "[your_servicebus_namespace.servicebus.windows.net]",

+ "name": "azureTenantId",

+ "value": "[your_tenant_id]",

+ "name": "azureClientId",

+ "value": "[your_client_id]",

+ "name": "azureClientSecret",

+ "secretRef": "azClientSecret"

+- EA price sheet: Reservation prices are only available for the current month price sheet and cannot be retrieved for historical exports. To retain historical reservation prices, set up recurring exports.

+#### How much historical data can I retrieve using Exports?

+You can retrieve up to 13 months of historical data through the portal UI for all datasets, except for RI recommendations, which are limited to the current recommendation snapshot. To access data older than 13 months, you can use the REST API.

+- Cost and usage (Actual), Cost and usage (Amortized), Cost and usage (FOCUS): Up to 7 years of data.

+- Reservation transactions: Up to 7 years of data across all channels.

+- Reservation recommendations, Reservation details: Up to 13 months of data.

+- All available prices:

+ - MCA/MPA: Up to 13 months.

+

+ - EA: Up to 25 months (starting from December 2022).

+

+Azure Marketplace charges are visible on the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/BillingAccounts). Most Azure Marketplace purchases and consumption are billed outside of Azure Prepayment on a quarterly or monthly cadence and in arrears. Some third-party reseller services available on Azure Marketplace now consume your Enterprise Agreement (EA) Azure Prepayment balance. Previously these services were billed outside of EA Azure Prepayment and were invoiced separately. EA Azure Prepayment for these services in Azure Marketplace helps simplify customer purchase and payment management. For a complete list of services that now consume Azure Prepayment, see the [March 06, 2018 update on the Azure website](https://azure.microsoft.com/updates/azure-marketplace-third-party-reseller-services-now-use-azure-monetary-commitment/).

+For more information, see [Manage Azure Marketplace on Azure portal](direct-ea-administration.md#enable-azure-marketplace-purchases).

+PUT https://management.azure.com/providers/Microsoft.Subscription/aliases/{{guid}}?api-version=2021-10-01api-version=2021-10-01

+GET https://management.azure.com/providers/Microsoft.Subscription/aliases/{{guid}}?api-version=2021-10-01

+PUT https://management.azure.com/providers/Microsoft.Subscription/aliases/{{guid}}?api-version=2021-10-01api-version=2021-10-01

+GET https://management.azure.com/providers/Microsoft.Subscription/aliases/{{guid}}?api-version=2021-10-01

+PUT https://management.azure.com/providers/Microsoft.Subscription/aliases/{{guid}}?api-version=2021-10-01api-version=2021-10-01

+GET https://management.azure.com/providers/Microsoft.Subscription/aliases/{{guid}}?api-version=2021-10-01

+ Title: Save on select Linux VMs for a limited time

+description: Learn how to save up to 56% on select Linux VMs with a limited-time offer by purchasing a one-year Azure Reserved Virtual Machine Instance.

+#customer intent: I want to learn how to save money with reservations and buy one.

+# Save on select Linux VMs for a limited time

+Save up to 15 percent in addition to the existing one-year [Azure Reserved Virtual Machine (VM) Instances](/azure/virtual-machines/prepay-reserved-vm-instances?toc=%2Fazure%2Fcost-management-billing%2Freservations%2Ftoc.json&source=azlto3) discount for select Linux VMs for a limited period. Customers could potentially see total savings of to up to 56% compared to running an Azure VM on a pay-as-you-go basis. This offer is available between October 1, 2024, and March 31, 2025.

+## Purchase the offer

+To take advantage of this promotional offer, [purchase](https://portal.azure.com/#view/Microsoft_Azure_Reservations/CreateBlade) a one-year Azure Reserved Virtual Machine Instance for a qualified VM SKU and region.

+## Buy a reservation

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+2. Select **All services** > **Reservations**.

+3. Select **Add** and then select a qualified product listed in the [Terms and conditions of the offer](#terms-and-conditions-of-the-offer) section.

+4. Select the [scope](prepare-buy-reservation.md#reservation-scoping-options), and then a billing subscription that you want to use for the reservation. You can change the reservation scope after purchase.

+5. Set the **Region** to one supported by the offer. For more information, see the [Qualifying regions](#qualifying-regions) section.

+6. Select a reservation term and billing frequency.

+7. Select **Add to cart**.

+8. In the cart, you can change the quantity. After you review your cart and you're ready to purchase, select **Next: Review + buy**.

+9. Select **Buy now**.

+You can view the reservation in the [Reservations](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade/Reservations) page in the Azure portal.

+## Terms and conditions of the offer

+These terms and conditions (hereinafter referred to as "terms") govern the promotional offer ("offer") provided by Microsoft to customers purchasing a one-year Azure Reserved VM Instance in a qualified region between October 1, 2024 (12 AM Pacific Standard Time) and March 31, 2025 (11:59 PM Pacific Standard Time), for any of the following VM series:

+- Dadsv6┬╣

+- Daldsv6┬╣

+- Dalsv6┬╣

+- Dasv6┬╣

+- DCadsv5

+- DCasv5

+- Ddsv5┬▓

+- Ddv5

+- Dlsv5

+- Dpdsv6

+- Dpldsv6

+- Dplsv6

+- Dpsv6

+- Dsv5┬▓

+- Dv5┬▓

+- Eadsv6┬╣

+- Easv6┬╣

+- ECadsv5

+- ECasv5

+- Edsv5

+- Edv5

+- Epdsv6

+- Epsv6

+- Esv5

+- Ev5

+- Lasv3

+- Lsv3

+*┬╣ VM isn't available for the offer in US East.*

+*┬▓ VM isn't available for the offer in US Government Iowa and US Government Virginia.*

+Instance size flexibility is available for these VMs. For more information about instance size flexibility, see [Virtual machine size flexibility](/azure/virtual-machines/reserved-vm-instance-size-flexibility?source=azlto7).

+### Qualifying regions

+The offer applies to all regions where the Azure VM Reserved Instances are generally available (GA) for the VM series listed in the section above, except EU West (Amsterdam), EU North (Dublin), AP Southeast (Singapore), and QA Central (Qatar).

+The offer provides an additional discount of up to 15 percent in addition to the existing one-year [Azure Reserved Virtual Machine (VM) Instances](/azure/virtual-machines/prepay-reserved-vm-instances?toc=%2Fazure%2Fcost-management-billing%2Freservations%2Ftoc.json&source=azlto3) rates. The savings donΓÇÖt include operating system costs. Actual savings might vary based on instance type or usage. Customers could potentially see total savings of to up to 56% compared to running an Azure VM on a pay-as-you-go basis.

+### Eligibility

+The offer is available based on the following criteria:

+- To buy a reservation, you must have the owner role or reservation purchaser role on an Azure subscription that's of one of the following types:

+ - Enterprise (MS-AZR-0017P or MS-AZR-0148P)

+ - Pay-as-you-go (MS-AZR-0003P or MS-AZR-0023P)

+ - Microsoft Customer Agreement

+- Cloud solution providers can use the Azure portal or [Partner Center](/partner-center/azure-reservations?source=azlto1) to purchase Azure Reservations. You can't purchase a reservation if you have a custom role that mimics owner role or reservation purchaser role on an Azure subscription. You must use the built-in owner or built-in reservation purchaser role.

+- For more information about who can purchase a reservation, see [Buy an Azure reservation](prepare-buy-reservation.md?source=azlto2).

+### Offer details

+Upon successful purchase and payment for the one-year Azure Reserved VM Instance in a qualified region for one or more of the qualifying VMs during the specified period, the discount applies automatically to the number of running virtual machines. You don't need to assign a reservation to a virtual machine to benefit from the discounts. A reserved instance purchase covers only the compute part of your VM usage. For more information about how to pay and save with an Azure Reserved VM Instance, see [Prepay for Azure virtual machines to save money](/azure/virtual-machines/prepay-reserved-vm-instances?toc=%2Fazure%2Fcost-management-billing%2Freservations%2Ftoc.json&source=azlto3).

+- Other taxes might apply.

+- Payment is processed using the payment method on file for the selected subscriptions.

+- Estimated savings are calculated based on your current on-demand rate.

+### Charge back promotional offer costs

+Enterprise Agreement and Microsoft Customer Agreement billing readers can view amortized cost data for reservations. They can use the cost data to charge back the monetary value for a subscription, resource group, resource, or a tag to their partners. In amortized data, the effective price is the prorated hourly reservation cost. The cost is the total cost of reservation usage by the resource on that day. Users with an individual subscription can get the amortized cost data from their usage file. For more information, see [Charge back Azure Reservation costs](charge-back-usage.md).

+### Discount limitations

+- The discount automatically applies to the number of running virtual machines in qualified regions that match the reservation scope and attributes.

+- The discount applies for one year after the date of purchase.

+- The discount only applies to resources associated with subscriptions purchased through Enterprise, Cloud Solution Provider (CSP), Microsoft Customer Agreement, and individual plans with pay-as-you-go rates.

+- A reservation discount is "use-it-or-lose-it." So, if you don't have matching resources for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.

+- When you deallocate, delete, or scale the number of VMs, the reservation discount automatically applies to another matching resource in the specified scope. If no matching resources are found in the specified scope, then the reserved hours are lost.

+- Stopped VMs are billed and continue to use reservation hours. To use your available reservation hours with other workloads, deallocate or delete VM resources or scale-in other VMs.

+- For more information about how Azure Reserved VM Instance discounts are applied, see [How the Azure reservation discount is applied to virtual machines](../manage/understand-vm-reservation-charges.md).

+### Exchanges and refunds

+The offer follows standard exchange and refund policies for reservations. For more information about exchanges and refunds, see [Self-service exchanges and refunds for Azure Reservations](exchange-and-refund-azure-reservations.md?source=azlto6).

+### Renewals

+- The renewal price **will not be** the limited time offer price, but the price available at time of renewal.

+- For more information about renewals, see [Automatically renew Azure reservations](reservation-renew.md?source=azlto5).

+### Termination or modification

+Microsoft reserves the right to modify, suspend, or terminate the offer at any time without prior notice.

+If you purchased the one-year Azure Reserved Virtual Machine Instances for the qualified VMs in qualified regions between October 1, 2024, and March 31, 2025, youΓÇÖll continue to get the discount throughout the one-year term, even if the offer is canceled.

+By participating in the offer, customers agree to be bound by these terms and the decisions of Microsoft. Microsoft reserves the right to disqualify any customer who violates these terms or engages in any fraudulent or harmful activities related to the offer.

+## Related content

+- [How the Azure reservation discount is applied to virtual machines](../manage/understand-vm-reservation-charges.md)

+- [Purchase Azure Reserved VM instances in the Azure portal](https://portal.azure.com/#view/Microsoft_Azure_Reservations/CreateBlade)

+- [Linux on Azure tech community blog](https://aka.ms/linuxpromoffer_techcommunityblog)

+| [ServiceNow (legacy)](connector-servicenow-legacy.md)   | [Link](connector-servicenow.md#upgrade-your-servicenow-linked-service) | End of support announced and new version available | December 31, 2024 | March 1, 2025 |

+## How to find your impacted objects in your data factory

+Here's the steps to get your objects which still rely on the deprecated connectors or connectors that have a precise end of support date. It is recommended to take action to upgrade those object to the new connector version before the end of the support date.

+1. Open your Azure Data Factory.

+2. Go to Manage ΓÇô Linked services page.

+3. You should see the Linked Service that is still on legacy version with alert behind it.

+4. Click on the number under the 'Related' column will show you the related objects that utilize this particular Linked service.

+5. To learn more about the upgrade guidance and the comparison between the legacy and the new version, you can navigate to the connector upgrade section within each connector page.

+1. Create a new Salesforce linked service and configure it by referring toΓÇ»[Linked service properties](connector-salesforce.md#linked-service-properties). You also need to manually update existing datasets that rely on the old linked service, editing each dataset to use the new linked service instead.

+>The new ServiceNow connector provides improved native ServiceNow support. If you are using the legacy ServiceNow connector in your solution, please [upgrade your ServiceNow connector](connector-servicenow.md#upgrade-your-servicenow-linked-service) before **December 31, 2024**. Refer to this [section](connector-servicenow.md#differences-between-servicenow-and-servicenow-legacy) for details on the difference between the legacy and latest version.

+>The new ServiceNow connector provides improved native ServiceNow support. If you are using the legacy ServiceNow connector in your solution, please [upgrade your ServiceNow connector](#upgrade-your-servicenow-linked-service) before **December 31, 2024**. Refer to this [section](#differences-between-servicenow-and-servicenow-legacy) for details on the difference between the legacy and latest version.

+## <a name="upgrade-your-servicenow-linked-service"></a> Upgrade the ServiceNow connector

+Here are the steps that help you to upgrade your ServiceNow connector:

+armclient patch /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.AgFoodPlatform/farmBeats/<datamanager-instance-name>?api-version=2023-06-01-preview "{properties:{sensorIntegration:{enabled:'true'}}}"

+armclient get /subscriptions/<subscription-id>/resourceGroups/<resource-group-name> /providers/Microsoft.AgFoodPlatform/farmBeats/<datamanager-instance-name>?api-version=2023-06-01-preview

+* Test our APIs [here](/rest/api/data-manager-for-agri).

+Read all the safety information in this article before you use your Azure Stack Edge Mini R device. The device includes a one battery pack, one AC/DC plugged power supply, one module power adapter, and one server module. Failure to follow instructions could result in fire, electric shock, injuries, or damage to your properties. Read all of the following safety information before using Azure Stack Edge Mini R.

+| | **DANGER:** Indicates a hazardous situation that, if not avoided, may result in death or serious injury. <br> **WARNING:** Indicates a hazardous situation that, if not avoided, could result in death or serious injury. <br> **CAUTION:** Indicates a hazardous situation that, if not avoided, could result in minor or moderate injury.|

+|  | No User Serviceable Parts. Don't access unless properly trained. |

+* Inspect the *as-received* device for damages. If the device enclosure is damaged, [contact Microsoft Support](azure-stack-edge-placeholder.md) to obtain a replacement. Don't attempt to operate the device.

+* If you suspect the device is malfunctioning, [contact Microsoft Support](azure-stack-edge-placeholder.md) to obtain a replacement. Don't attempt to service the device.

+* The device contains no user-serviceable parts. Hazardous voltage, current, and energy levels are present inside. Don't open. Return the device to Microsoft for servicing.

+It's recommended to operate the system:

+* Don't allow any liquid or any foreign object to enter the System. Don't place beverages or any other liquid containers on or near the system.

+* This equipment contains a lithium battery. Don't attempt to service the battery pack. Batteries in this equipment aren't user serviceable. Risk of Explosion if battery is replaced by an incorrect type.

+Only charge the battery pack when it's a part of the Azure Stack Edge Mini R device, don't charge as a separate device.

+* Don't burn or short circuit the battery pack. It must be recycled or disposed of properly.

+* In lieu of using the provided AC/DC power supply, this system also can use a field provided Type 2590 Battery. In this case, the end user shall verify that it meets all applicable safety, transportation, environmental, and any other national/regional and local regulations.

+* Provide a safe electrical earth connection to the power supply cord. The alternating current (AC) cord has a three-wire grounding plug (a plug that has a grounding pin). This plug fits only a grounded AC outlet. Don't defeat the purpose of the grounding pin.

+ * The device is dropped and the device casing is damaged.

+* Frequency: 50 Hz to 60 Hz

+* Don't attempt to modify or use AC power cord(s) other than the ones provided with the equipment.

+Regulatory information for Azure Stack Edge Mini R device, regulatory model number: TMA01.

+The Netgear A6150 WiFi USB Adapter is to be used with approved antennas only. This device and its antenna(s) must not be co-located or operating with any other antenna or transmitter except in accordance with FCC multitransmitter product procedures. For products available in the USA market, only channel 1~11 can be operated. Selection of other channels is not possible.

+This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there's no guarantee that interference won't occur in a particular installation.

+This product demonstrates EMC compliance under conditions that included the use of compliant peripheral devices and shielded cables between system components. It's important that you use compliant peripheral devices and shielded cables between system components to reduce the possibility of causing interference to radios, television sets, and other electronic devices.

+This symbol on the product or its batteries or its packaging means that this product and any batteries it contains must not be disposed of with your household waste. Instead, it is your responsibility to hand it over to an applicable collection point for the recycling of batteries and electrical and electronic equipment. This separate collection and recycling helps to conserve natural resources and prevent potential negative consequences for human health and the environment due to the possible presence of hazardous substances in batteries and electrical and electronic equipment, which could be caused by inappropriate disposal. For more information about where to drop off your batteries and electrical and electronic waste, contact your local city/municipality office, your household waste disposal service, or the shop where you purchased this product. Contact erecycle@microsoft.com for additional information on WEEE.

+This product might contain Lithium-Ion and/or Lithium Metal battery(ies). The batteries contained in this product comply with regulatory requirements of EU REGULATION (EU) 2023/1542 as applicable.

+The Netgear A6150 WiFi USB Adapter provided with this equipment is intended to be operated close to the human body and is tested for body-worn Specific Absorption Rate (SAR) compliance (see below values). When carrying the product or using it while worn on your body, maintain a distance of 10 mm from the body to ensure compliance with RF exposure requirements.

+**Netgear A6150 Specific Absorption Rate (SAR):** 0.54 W/kg averaged over 10 g of tissue

+ Title: Roadmap for Azure DevTest Labs

+description: Learn about features in development and coming soon for Azure DevTest Labs.

+#customer intent: As a customer, I want to understand upcoming features and enhancements in Azure DevTest Labs so that I can plan and optimize development and deployment strategies.

+# Azure DevTest Labs roadmap

+This roadmap presents a set of planned feature releases that underscores Microsoft's commitment to empowering enterprise development and testing teams. DevTest Labs enables development teams to self-serve customized, ready-to-test machines in the cloud, all while maintaining adherence to organizational governance policies. This feature list offers a glimpse into our plans for the next six months, highlighting key features we're developing. It isn't exhaustive but shows major investments. Some features might release as previews and evolve based on your feedback before becoming generally available. We always listen to your input, so the timing, design, and delivery of some features might change.

+Key DevTest Labs deliverables can be grouped under the following themes:

+- [Ready-to-test virtual machines](#ready-to-test-virtual-machines)

+- [Enterprise management](#enterprise-management)

+- [Performance and reliability](#performance-and-reliability)

+## Ready-to-test virtual machines

+The fundamental goal of DevTest Labs is to provide a seamless, intuitive experience that empowers development and testing teams. DevTest Labs enables you to swiftly access ready-to-test machines for deploying and validating the latest versions or features of any version of your application. We're dedicated to advancing this vision by continuously investing in innovative technologies to enhance machine customization and optimize testing efficiency.

+- **Hibernate VM:** Hibernating a machine preserves its exact state upon resumption, allowing developers to effortlessly troubleshoot issues identified during testing.

+- **Lab-level Secrets:** Platform engineers and dev managers will be able to set up centralized secrets accessible to the entire team, streamlining virtual machine creation and management.

+- **Generation 2 VMs:** Generation 2 VMs will improve virtual machine boot and installation times and enable secure boot by default.

+## Enterprise management

+DevTest Labs delivers a streamlined and optimized experience for end-users while also offering robust enterprise capabilities to enforce organizational governance, covering security, cost management, and monitoring. We're committed to enhancing these capabilities with upcoming features that will fortify the machines and help reduce costs.

+- **Managed Identity and GitHub Apps:** To ensure secure connections to source control repositories and storage accounts, we'll introduce the ability to:

+ - Attach Azure Repos repositories via managed identities

+ - Attach GitHub repositories through GitHub Apps

+ - Access lab storage accounts via managed identities

+- **Trusted Launch:** Trusted launch will enhance protection for lab machines against advanced and persistent attacks by enabling features like secure boot, vTPM, virtualization-based security, and integration with Microsoft Defender for Cloud.

+- **Spot VMs:** Spot VMs will lower test machine costs for workloads that can handle interruptions.

+- **Standard Load Balancer:** Standard Load Balancer provides significant improvements over basic such as high performance, ultra-low latency, superior resilient load-balancing, and increased security by default.

+## Performance and Reliability

+DevTest Labs aims to provide a seamless testing experience that is as responsive as a local machine, and we're consistently enhancing the reliability, speed, and performance of DevTest Labs through platform optimization.

+**API and Portal Reliability:** We're continuing to invest in our API performance and aiming to attain higher reliability.

+This roadmap outlines our current priorities, and we remain flexible to adapt based on customer feedback. We invite you to share your thoughts and suggest other capabilities you would like to see. Your insights help us refine our focus and deliver even greater value.

+## Related content

+- [What is DevTest Labs?](./devtest-lab-overview.md)

+Follow instructions from [Get the connection string to the storage account](../storage/common/storage-configure-connection-string.md) to get the connection string to the storage account, which you use in the script (`BLOB_STORAGE_CONNECTION_STRING`). You need the connection string and the name of the blob container you just created.

+ * `BLOB_STORAGE_CONNECTION_STRING` - Connection string to the Blob Storage account that you noted earlier.

+ * `BLOB_CONTAINER_NAME` - Name of the blob container you created in the blob storage.

+ * `EVENT_HUB_CONNECTION_STR` - Connection string to the Event Hubs namespace you noted earlier.

+ * `EVENT_HUB_NAME` - Name of the event hub.

+## Connect a virtual network

+# [**Maximum Resiliency**](#tab/maximum)

+**Maximum resiliency** (Recommended): provides the highest level of resiliency to your virtual network. It provides two redundant connections from the virtual network gateway to two different ExpressRoute circuits in different ExpressRoute locations.

+### Clone the script

+To create maximum resiliency connections, clone the setup script from GitHub.

+```azurepowershell-interactive

+# Clone the setup script from GitHub.

+git clone https://github.com/Azure-Samples/azure-docs-powershell-samples/

+# Change to the directory where the script is located.

+CD azure-docs-powershell-samples/expressroute/

+```

+Run the **New-AzHighAvailabilityVirtualNetworkGatewayConnections.ps1** script to create high availability connections. The following example shows how to create two new connections to two ExpressRoute circuits.

+```azurepowershell-interactive

+$SubscriptionId = Get-AzureSubscription -SubscriptionName "<SubscriptionName>"

+$circuit1 = Get-AzExpressRouteCircuit -Name "MyCircuit1" -ResourceGroupName "MyRG"

+$circuit2 = Get-AzExpressRouteCircuit -Name "MyCircuit2" -ResourceGroupName "MyRG"

+$gw = Get-AzVirtualNetworkGateway -Name "ExpressRouteGw" -ResourceGroupName "MyRG"

+highAvailabilitySetup/New-AzHighAvailabilityVirtualNetworkGatewayConnections.ps1 -SubscriptionId $SubscriptionId -ResourceGroupName "MyRG" -Location "West EU" -Name1 "ERConnection1" -Name2 "ERConnection2" -Peer1 $circuit1.Peerings[0] -Peer2 $circuit2.Peerings[0] -RoutingWeight1 10 -RoutingWeight2 10 -VirtualNetworkGateway1 $gw

+```

+If you want to create a new connection and use an existing one, you can use the following example. This example creates a new connection to a second ExpressRoute circuit and uses an existing connection to the first ExpressRoute circuit.

+```azurepowershell-interactive

+$SubscriptionId = Get-AzureSubscription -SubscriptionName "<SubscriptionName>"

+$circuit1 = Get-AzExpressRouteCircuit -Name "MyCircuit1" -ResourceGroupName "MyRG"

+$gw = Get-AzVirtualNetworkGateway -Name "ExpressRouteGw" -ResourceGroupName "MyRG"

+$connection = Get-AzVirtualNetworkGatewayConnection -Name "ERConnection1" -ResourceGroupName "MyRG"

+highAvailabilitySetup/New-AzHighAvailabilityVirtualNetworkGatewayConnections.ps1 -SubscriptionId $SubscriptionId -ResourceGroupName "MyRG" -Location "West EU" -Name2 "ERConnection2" -Peer2 $circuit1.Peerings[0] -RoutingWeight2 10 -VirtualNetworkGateway1 $gw -ExistingVirtualNetworkGatewayConnection $connection

+```

+# [**Standard/High Resiliency**](#tab/standard)

+**Standard resiliency**: provides a single redundant connection from the virtual network gateway to a single ExpressRoute circuit.

+You can connect a virtual network gateway to an ExpressRoute circuit using the **New-AzVirtualNetworkGatewayConnection** cmdlet. Make sure that the virtual network gateway is created and is ready for linking before you run the cmdlet.

+> [!NOTE]

+> For **High Resiliency**, you must connect to a Metro circuit instead of a Standard circuit.

+ Title: About ExpressRoute Metro

+# About ExpressRoute Metro

+ExpressRoute Metro is a high-resiliency configuration designed to provide multi-site redundancy. This configuration allows you to benefit from a dual-homed setup that facilitates diverse connections to two distinct ExpressRoute peering locations within a city. The high resiliency configuration benefits from the redundancy across the two peering locations to offer higher availability and resilience for your connectivity from your on-premises to resources in Azure.

+For more information, see [Private IP DNAT Support and Scenarios with Azure Firewall](https://techcommunity.microsoft.com/t5/azure-network-security-blog/private-ip-dnat-support-and-scenarios-with-azure-firewall/ba-p/4230073).

+Azure Policy is a powerful tool for managing your Azure resources to meet business standards compliance needs. When people, processes, or pipelines create or update resources, Azure Policy reviews the request. When the policy definition effect is [modify](./effect-modify.md), [append](./effect-append.md), or [deployIfNotExists](./effect-deploy-if-not-exists.md), Policy alters the request or adds to it. When the policy definition effect is [audit](./effect-audit.md) or [auditIfNotExists](./effect-audit-if-not-exists.md), Policy causes an Activity log entry to be created for new and updated resources. And when the policy definition effect is [deny](./effect-deny.md) or [denyAction](./effect-deny-action.md), Policy stops the creation or alteration of the request.

+These outcomes are exactly as desired when you know the policy is defined correctly. However, it's important to validate a new policy works as intended before allowing it to change or block work. The validation must ensure only the intended resources are determined to be non-compliant and no compliant resources are incorrectly included (known as a _false positive_) in the results.

+- Tightly define your policy.

+- Test your policy's effectiveness.

+- Audit new or updated resource requests.

+- Deploy your policy to resources.

+- Continuous monitoring.

+It's important to understand how the business policy is implemented as a policy definition and the relationship of Azure resources with other Azure services. This step is accomplished by [identifying the requirements](../tutorials/create-custom-policy-definition.md#identify-requirements) and [determining the resource properties](../tutorials/create-custom-policy-definition.md#determine-resource-properties). But it's also important to see beyond the narrow definition of your business policy. For examples, does your policy state that _All Virtual Machines must..._? What about other Azure services that make use of VMs, such as HDInsight or Azure Kubernetes Service (AKS)? When defining a policy, we must consider how this policy impacts resources that are used by other services.

+For this reason, your policy definitions should be as tightly defined and focused on the resources and the properties you need to evaluate for compliance as possible.

+Before looking to manage new or updated resources with your new policy definition, it's best to see how it evaluates a limited subset of existing resources, such as a test resource group. The [Azure Policy VS Code extension](../how-to/extension-for-vscode.md#on-demand-evaluation-scan) allows for isolated testing of definitions against existing Azure resources using the on demand evaluation scan. You might also assign the definition in a _Dev_ environment using the [enforcement mode](./assignment-structure.md#enforcement-mode) _Disabled_ (doNotEnforce) on your policy assignment to prevent the [effect](./effect-basics.md) from triggering or activity log entries from being created.

+This step gives you a chance to evaluate the compliance results of the new policy on existing resources without impacting work flow. Check that no compliant resources show as non-compliant (_false positive_) and that all the resources you expect to be non-compliant are marked correctly. After the initial subset of resources validates as expected, slowly expand the evaluation to more existing resources and more scopes.

+Evaluating existing resources in this way also provides an opportunity to remediate non-compliant resources before full implementation of the new policy. This cleanup can be done manually or through a [remediation task](../how-to/remediate-resources.md) if the policy definition effect is `deployIfNotExists` or `modify`.

+Policy definitions with a `deployIfNotExists` should use the [Azure Resource Manager template what if](../../../azure-resource-manager/templates/deploy-what-if.md) to validate and test the changes that happen when deploying the ARM template.

+After you validate your new policy definition is reporting correctly on existing resources, it's time to look at the effect of the policy when resources are created or updated. If the policy definition supports effect parameterization, use [audit](./effect-audit.md) or [auditIfNotExist](./effect-audit-if-not-exists.md). This configuration allows you to monitor the creation and updating of resources to see whether the new policy definition triggers an entry in Azure Activity log for a resource that's non-compliant without affecting existing work or requests.

+The recommendation is to update and create new resources that match your policy definition to see that the `audit` or `auditIfNotExists` effect is correctly being triggered when expected. Be on the lookout for resource requests that shouldn't be affected by the new policy definition that trigger the `audit` or `auditIfNotExists` effect. These affected resources are another example of _false positives_ and must be fixed in the policy definition before full implementation.

+In the event the policy definition is changed at this stage of testing, the recommendation is to begin the validation process over with the auditing of existing resources. A change to the policy definition for a _false positive_ on new or updated resources is likely to also have an effect on existing resources.

+After completing validation of your new policy definition with both existing resources and new or updated resource requests, you begin the process of implementing the policy. The recommendation is to create the policy assignment for the new policy definition to a subset of all resources first, such as a resource group. You can further filter by resource type or location using the [resourceSelectors](./assignment-structure.md#resource-selectors) property within the policy assignment. After validating initial deployment, extend the scope of the policy to broader as a resource group. After validating initial deployment, expand the policy's effect by adjusting the `resourceSelector` filters to target more locations or resource types. Or by removing the assignment and replacing it with a new one at broader scopes like subscriptions and management groups. Continue this gradual rollout until it's assigned to the full scope of resources intended to be covered by your new policy definition.

+During rollout, if resources are located that should be exempt from your new policy definition, address them in one of the following ways:

+- Update the policy definition to be more explicit to reduce unintended effects.

+- Change the scope of the policy assignment (by removing and creating a new assignment).

+- Add the group of resources to the exclusion list for the policy assignment.

+Any changes to the scope (level or exclusions) should be fully validated and communicated with your security and compliance organizations to ensure there are no gaps in coverage.

+Implementing and assigning your policy definition isn't the final step. Continuously monitor the [compliance](../how-to/get-compliance-data.md) level of resources to your new policy definition and setup appropriate [Azure Monitor alerts and notifications](/azure/azure-monitor/alerts/alerts-overview) for when non-compliant devices are identified. The recommendation is to evaluate the policy definition and related assignments on a scheduled basis to validate the policy definition is meeting business policy and compliance needs. Policies should be removed if no longer needed. Policies also need to update from time to time as the underlying Azure resources evolve and add new properties and capabilities.

+- Learn about the [policy definition structure](./definition-structure-basics.md).

+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

+Azure Policy events enable applications to react to state changes. This integration is done without the need for complicated code or expensive and inefficient polling services. Instead, events are pushed through [Azure Event Grid](../../../event-grid/index.yml) to subscribers such as [Azure Functions](../../../azure-functions/index.yml), [Azure Logic Apps](../../../logic-apps/index.yml), or even to your own custom HTTP listener. Critically, you only pay for what you use.

+Azure Policy events are sent to the Azure Event Grid, which provides reliable delivery services to your applications through rich retry policies and dead-letter delivery. Event Grid takes care of the proper routing, filtering, and multicasting of the events to destinations via Event Grid subscriptions. To learn more, see [Event Grid message delivery and retry](../../../event-grid/delivery-and-retry.md).

+- Events: These events can be anything a user might want to react to for an Azure resource. For example, if a policy compliance state is created, changed, and deleted for a resource such as a virtual machine or storage accounts.

+Another scenario is to automatically trigger remediation tasks without manually selecting _create remediation task_ on the policy page. Event Grid checks for compliance state and resources that are currently noncompliant can be remedied. Learn more about [remediation structure](../concepts/remediation-structure.md). Remediation requires a managed identity and policies must be in `modify` or `deployIfNotExists` effect. [Learn more about effect types](../how-to/remediate-resources.md).

+Event Grid is helpful as an audit system to store state changes and understand cause of noncompliance over time. The scenarios for Event Grid are endless and based on the motivation, Event Grid is configurable.

+ "id": "/subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/remediations/remediateNotCompliant",

+ "policyAssignmentId": "/subscriptions/{subID}/providers/Microsoft.Authorization/policyAssignments/resourceShouldBeCompliantInit",

+Azure Resource Manager properties are commonly defined as strings and booleans. When a one-to-many relationship exists, complex properties are instead defined as arrays. In Azure Policy, arrays are used in several different ways:

+- The type of a [definition parameter](../concepts/definition-structure.md#parameters), to provide multiple options.

+- Part of a [policy rule](../concepts/definition-structure.md#policy-rule) using the conditions `in` or `notIn`.

+- Part of a policy rule that counts how many array members satisfy a condition.

+- In the [append](../concepts/effect-append.md) and [modify](../concepts/effect-modify.md) effects to update an existing array

+Defining a parameter as an array allows the policy flexibility when more than one value is needed. This policy definition allows any single location for the parameter `allowedLocations` and defaults to _eastus2_:

+ "allowedLocations": {

+ "type": "string",

+ "metadata": {

+ "description": "The list of allowed locations for resources.",

+ "displayName": "Allowed locations",

+ "strongType": "location"

+ },

+ "defaultValue": "eastus2"

+ }

+As `type` was _string_, only one value can be set when assigning the policy. If this policy is assigned, resources in scope are only allowed within a single Azure region. Most policies definitions need to allow for a list of approved options, such as allowing _eastus2_, _eastus_, and _westus2_.

+To create the policy definition to allow multiple options, use the _array_ `type`. The same policy can be rewritten as follows:

+ "allowedLocations": {

+ "type": "array",

+ "metadata": {

+ "description": "The list of allowed locations for resources.",

+ "displayName": "Allowed locations",

+ "strongType": "location"

+ },

+ "defaultValue": [

+ "eastus2"

+ ],

+ "allowedValues": [

+ "eastus2",

+ "eastus",

+ "westus2"

+ ]

+ }

+> Once a policy definition is saved, the `type` property on a parameter can't be changed.

+This new parameter definition takes more than one value during policy assignment. With the array property `allowedValues` defined, the values available during assignment are further limited to the predefined list of choices. Use of `allowedValues` is optional.

+When you assign the policy through the Azure portal, a parameter of `type` _array_ is displayed as a single textbox. The hint says `Use ; to separate values. (e.g. London;New York)`. To pass the allowed location values of _eastus2_, _eastus_, and _westus2_ to the parameter, use the following string:

+The format for the parameter value is different when using Azure CLI, Azure PowerShell, or the REST API. The values are passed through a JSON string that also includes the name of the parameter.

+ "allowedLocations": {

+ "value": [

+ "eastus2",

+ "eastus",

+ "westus2"

+ ]

+ }

+- Azure CLI: Command [az policy assignment create](/cli/azure/policy/assignment#az-policy-assignment-create) with parameter `params`.

+- Azure PowerShell: Cmdlet [New-AzPolicyAssignment](/powershell/module/az.resources/New-Azpolicyassignment) with parameter `PolicyParameter`.

+- REST API: In the _PUT_ [create](/rest/api/policy/policy-assignments/create) operation as part of the Request Body as the value of the `properties.parameters` property.

+The `in` and `notIn` conditions only work with array values. They check the existence of a value in an array. The array can be a literal JSON array or a reference to an array parameter. For example:

+ "field": "tags.environment",

+ "in": [

+ "dev",

+ "test"

+ ]

+ "field": "location",

+ "notIn": "[parameters('allowedLocations')]"

+The [value count](../concepts/definition-structure.md#value-count) expression count how many array members meet a condition. It provides a way to evaluate the same condition multiple times, using different values on each iteration. For example, the following condition checks whether the resource name matches any pattern from an array of patterns:

+ "count": {

+ "value": [

+ "test*",

+ "dev*",

+ "prod*"

+ ],

+ "name": "pattern",

+ "where": {

+ "field": "name",

+ "like": "[current('pattern')]"

+ }

+ },

+ "greater": 0

+In order to evaluate the expression, Azure Policy evaluates the `where` condition three times, once for each member of `[ "test*", "dev*", "prod*" ]`, counting how many times it was evaluated to `true`. On every iteration, the value of the current array member is paired with the `pattern` index name defined by `count.name`. This value can then be referenced inside the `where` condition by calling a special template function: `current('pattern')`.

+To make the previous condition more generic, use a `parameters` reference instead of a literal array:

+ "count": {

+ "value": "[parameters('patterns')]",

+ "name": "pattern",

+ "where": {

+ "field": "name",

+ "like": "[current('pattern')]"

+ }

+ },

+ "greater": 0

+When the `value count` expression isn't under any other `count` expression, `count.name` is optional and the `current()` function can be used without any arguments:

+ "count": {

+ "value": "[parameters('patterns')]",

+ "where": {

+ "field": "name",

+ "like": "[current()]"

+ }

+ },

+ "greater": 0

+The `value count` also support arrays of complex objects, allowing for more complex conditions. For example, the following condition defines a desired tag value for each name pattern and checks whether the resource name matches the pattern, but doesn't have the required tag value:

+ "count": {

+ "value": [

+ {

+ "pattern": "test*",

+ "envTag": "dev"

+ },

+ {

+ "pattern": "dev*",

+ "envTag": "dev"

+ },

+ {

+ "pattern": "prod*",

+ "envTag": "prod"

+ },

+ ],

+ "name": "namePatternRequiredTag",

+ "where": {

+ "allOf": [

+ {

+ "field": "name",

+ "like": "[current('namePatternRequiredTag').pattern]"

+ },

+ {

+ "field": "tags.env",

+ "notEquals": "[current('namePatternRequiredTag').envTag]"

+ ]

+ }

+ },

+ "greater": 0

+For useful examples, see [value count examples](../concepts/definition-structure.md#value-count-examples).

+Many use cases require working with array properties in the evaluated resource. Some scenarios require referencing an entire array (for example, checking its length). Others require applying a condition to each individual array member (for example, ensure that all firewall rule block access from the internet). Understanding the different ways Azure Policy can reference resource properties, and how these references behave when they refer to array properties is the key for writing conditions that cover these scenarios.

+Resource properties can be referenced by Azure Policy using [aliases](../concepts/definition-structure.md#aliases) There are two ways to reference the values of a resource property within Azure Policy:

+- Use [field](../concepts/definition-structure.md#fields) condition to check whether all selected resource properties meet a condition. Example:

+ "field": "Microsoft.Test/resourceType/property",

+The field condition has an implicit `allOf` behavior. If the alias represents a collection of values, it checks whether all individual values meet the condition. The `field()` function returns the values represented by the alias as-is, which can then be manipulated by other template functions.

+Array resource properties are represented by two different types of aliases. One normal alias and [array aliases](../concepts/definition-structure-alias.md) that have `[*]` attached to it:

+The first alias represents a single value, the value of `stringArray` property from the request content. Since the value of that property is an array, it isn't useful in policy conditions. For example:

+This condition compares the entire `stringArray` array to a single string value. Most conditions, including `equals`, only accept string values, so there's not much use in comparing an array to a string. The main scenario where referencing the array property is useful is when checking whether it exists:

+With the `field()` function, the returned value is the array from the request content, which can then be used with any of the [supported template functions](../concepts/definition-structure.md#policy-functions) that accept array arguments. For example, the following condition checks whether the length of `stringArray` is greater than 0:

+Aliases that use the `[*]` syntax represent a collection of property values selected from an array property, which is different than selecting the array property itself. For example, `Microsoft.Test/resourceType/stringArray[*]` returns a collection that has all of the members of `stringArray`. As mentioned previously, a `field` condition checks that all selected resource properties meet the condition, therefore the following condition is true only if all the members of `stringArray` are equal to `"value"`.

+If the array is empty, the condition evaluates to true because no member of the array is in violation. In this scenario, the recommendation is to use the [count expression](../concepts/definition-structure.md#count) instead. If the array contains objects, a `[*]` alias can be used to select the value of a specific property from each array member. Example:

+This condition is true if the values of all `property` properties in `objectArray` are equal to `"value"`. For more examples, see [More alias examples](#more-alias-examples).

+When using the `field()` function to reference an array alias, the returned value is an array of all the selected values. This behavior means that the common use case of the `field()` function, the ability to apply template functions to resource property values, is limited. The only template functions that can be used in this case are the ones that accept array arguments. For example, it's possible to get the length of the array with `[length(field('Microsoft.Test/resourceType/objectArray[*].property'))]`. However, more complex scenarios like applying template function to each array member and comparing it to a desired value are only possible when using the `count` expression. For more information, see [Field count expression](#field-count-expressions).

+To summarize, see the following example resource content and the selected values returned by various aliases:

+ "properties": {

+ "stringArray": [

+ "a",

+ "b",

+ "c"

+ ],

+ "nestedArray": [

+ 1,

+ 2

+ ]

+ "nestedArray": [

+ 3,

+ 4

+ ]

+When you use the field condition on the example resource content, the results are as follows:

+When you use the `field()` function on the example resource content, the results are as follows:

+[Field count](../concepts/definition-structure.md#field-count) expressions count how many array members meet a condition and compare the count to a target value. `Count` is more intuitive and versatile for evaluating arrays compared to `field` conditions. The syntax is:

+ "field": <[*

+ ] alias>,

+When used without a `where` condition, `count` simply returns the length of an array. With the example resource content from the previous section, the following `count` expression is evaluated to `true` since `stringArray` has three members:

+This behavior also works with nested arrays. For example, the following `count` expression is evaluated to `true` since there are four array members in the `nestedArray` arrays:

+The power of `count` is in the `where` condition. When `count` is specified, Azure Policy enumerates the array members and evaluates each against the condition, counting how many array members evaluated to `true`. Specifically, in each iteration of the `where` condition evaluation, Azure Policy selects a single array member `i` and evaluate the resource content against the `where` condition **as if `i` is the only member of the array**. Having only one array member available in each iteration provides a way to apply complex conditions on each individual array member.

+In order to evaluate the `count` expression, Azure Policy evaluates the `where` condition three times, once for each member of `stringArray`, counting how many times it was evaluated to `true`. When the `where` condition refers to the `Microsoft.Test/resourceType/stringArray[*]` array members, instead of selecting all the members of `stringArray`, it selects only a single array member every time:

+The fact that the `where` expression is evaluated against the **entire** request content (with changes only to the array member that is currently being enumerated) means that the `where` condition can also refer to fields outside the array:

+Nested count expressions can be used to apply conditions to nested array fields. For example, the following condition checks that the `objectArray[*]` array has exactly two members with `nestedArray[*]` that contains one or more members:

+Since both members of `objectArray[*]` have a child array `nestedArray[*]` with two members, the outer count expression returns `2`.

+More complex example: check that the `objectArray[*]` array has exactly two members with `nestedArray[*]` with any members equal to `2` or `3`:

+ "field": "Microsoft.Test/resourceType/objectArray[*].nestedArray[*]",

+ "in": [

+ 2,

+ 3

+ ]

+When using template functions, use the `current()` function to access the value of the current array member or the values of any of its properties. To access the value of the current array member, pass the alias defined in `count.field` or any of its child aliases as an argument to the `current()` function. For example:

+ "value": "[current('Microsoft.Test/resourceType/objectArray[*].property')]",

+ "like": "value*"

+The `field()` function can also be used to access the value of the current array member as long as the **count** expression isn't inside an **existence condition** (`field()` function always refer to the resource evaluated in the **if** condition). The behavior of `field()` when referring to the evaluated array is based on the following concepts:

+- Array aliases are resolved into a collection of values selected from all array members.

+- `field()` functions referencing array aliases return an array with the selected values.

+- Referencing the counted array alias inside the `where` condition returns a collection with a single value selected from the array member that is evaluated in the current iteration.

+This behavior means that when referring to the counted array member with a `field()` function inside the `where` condition, **it returns an array with a single member**. While this behavior might not be intuitive, it's consistent with the idea that array aliases always return a collection of selected properties. Here's an example:

+Therefore, when there's a need to access the value of the counted array alias with a `field()` function, the way to do so is to wrap it with a `first()` template function:

+For useful examples, see [Field count examples](../concepts/definition-structure.md#field-count-examples).

+The [append](../concepts/effects.md#append) and [modify](../concepts/effects.md#modify) alter properties on a resource during creation or update. When you work with array properties, the behavior of these effects depends on whether the operation is trying to modify the `[*]` alias or not:

+## More alias examples

+The recommendation is to use the [field count expressions](#field-count-expressions) to check whether `allOf`or `anyOf` the members of an array in the request content meet a condition. For some simple conditions, it's possible to achieve the same result by using a field accessor with an array alias as described in [Referencing the array members collection](#referencing-the-array-members-collection). This pattern can be useful in policy rules that exceed the limit of allowed `count` expressions. Here are examples for common use cases:

+The example policy rule for the following scenario table:

+ "if": {

+ "allOf": [

+ {

+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",

+ "exists": "true"

+ },

+ ]

+ },

+ "then": {

+ "effect": "[parameters('effectType')]"

+ }

+The `ipRules` array is as follows for the following scenario table:

+ {

+ "value": "127.0.0.1",

+ "action": "Allow"

+ },

+ {

+ "value": "192.168.1.1",

+ "action": "Allow"

+ }

+For each of the following condition examples, replace `<field>` with `"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value"`.

+The following outcomes are the result of the combination of the condition and the example policy rule and array of previous existing values:

+|`{<field>,"notEquals":"127.0.0.1"}` |Nothing |None match |One array element evaluates as false (`127.0.0.1 != 127.0.0.1`) and one as true (`127.0.0.1 != 192.168.1.1`), so the `notEquals` condition is _false_ and the effect isn't triggered. |

+|`{<field>,"notEquals":"10.0.4.1"}` |Policy effect |None match |Both array elements evaluate as true (`10.0.4.1 != 127.0.0.1 and 10.0.4.1 != 192.168.1.1`), so the `notEquals` condition is _true_ and the effect is triggered. |

+|`"not":{<field>,"notEquals":"127.0.0.1" }` |Policy effect |One or more match |One array element evaluates as false (`127.0.0.1 != 127.0.0.1`) and one as true (`127.0.0.1 != 192.168.1.1`), so the `notEquals` condition is _false_. The logical operator evaluates as true (not _false_), so the effect is triggered. |

+|`"not":{<field>,"notEquals":"10.0.4.1"}` |Nothing |One or more match |Both array elements evaluate as true (`10.0.4.1 != 127.0.0.1 and 10.0.4.1 != 192.168.1.1`), so the `notEquals` condition is _true_. The logical operator evaluates as false (not _true_), so the effect isn't triggered. |

+|`"not":{<field>,"Equals":"127.0.0.1"}` |Policy effect |Not all match |One array element evaluates as true (`127.0.0.1 == 127.0.0.1`) and one as false (`127.0.0.1 == 192.168.1.1`), so the `Equals` condition is _false_. The logical operator evaluates as true (not _false_), so the effect is triggered. |

+|`"not":{<field>,"Equals":"10.0.4.1"}` |Policy effect |Not all match |Both array elements evaluate as false (`10.0.4.1 == 127.0.0.1 and 10.0.4.1 == 192.168.1.1`), so the `Equals` condition is _false_. The logical operator evaluates as true (not _false_), so the effect is triggered. |

+|`{<field>,"Equals":"127.0.0.1"}` |Nothing |All match |One array element evaluates as true (`127.0.0.1 == 127.0.0.1`) and one as false (`127.0.0.1 == 192.168.1.1`), so the `Equals` condition is _false_ and the effect isn't triggered. |

+|`{<field>,"Equals":"10.0.4.1"}` |Nothing |All match |Both array elements evaluate as false (`10.0.4.1 == 127.0.0.1 and 10.0.4.1 == 192.168.1.1`), so the `Equals` condition is _false_ and the effect isn't triggered. |

+- Review the [Azure Policy definition structure](../concepts/definition-structure-basics.md).

+- Review [Understanding policy effects](../concepts/effect-basics.md).

+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).

+This article provides information on how to export your existing Azure Policy resources. Exporting your resources is useful and recommended for backup, but is also an important step in your journey with Cloud Governance and treating your [policy-as-code](../concepts/policy-as-code.md). Azure Policy resources can be exported through [REST API](/rest/api/policy), [Azure CLI](#export-with-azure-cli), and [Azure PowerShell](#export-with-azure-powershell).

+Azure Policy definitions, initiatives, and assignments can each be exported as JSON with [Azure CLI](/cli/azure/install-azure-cli). Each of these commands uses a `name` parameter to specify which object to get the JSON for. The `name` property is often a _GUID_ and isn't the `displayName` of the object.

+The Azure CLI and Azure PowerShell example commands use a built-in Policy definition with the `name` `b2982f36-99f2-4db5-8eff-283140c09693` and the `displayName` _Storage accounts should disable public network access_.

+- Definition - [az policy definition show](/cli/azure/policy/definition#az-policy-definition-show).

+- Initiative - [az policy set-definition show](/cli/azure/policy/set-definition#az-policy-set-definition-show).

+- Assignment - [az policy assignment show](/cli/azure/policy/assignment#az-policy-assignment-show).

+az policy definition show --name 'b2982f36-99f2-4db5-8eff-283140c09693'

+Azure Policy definitions, initiatives, and assignments can each be exported as JSON with [Azure PowerShell](/powershell/azure/). Each of these cmdlets uses a `Name` parameter to specify which object to get the JSON for. The `Name` property is often a _GUID_ (Globally Unique Identifier) and isn't the `displayName` of the object.

+- Definition - [Get-AzPolicyDefinition](/powershell/module/az.resources/get-azpolicydefinition).

+- Initiative - [Get-AzPolicySetDefinition](/powershell/module/az.resources/get-azpolicysetdefinition).

+- Assignment - [Get-AzPolicyAssignment](/powershell/module/az.resources/get-azpolicyassignment).

+Get-AzPolicyDefinition -Name 'b2982f36-99f2-4db5-8eff-283140c09693' | ConvertTo-Json -Depth 10

+## Export to CSV with Resource Graph in Azure portal

+Azure Resource Graph gives the ability to query at scale with complex filtering, grouping and sorting. Azure Resource Graph supports the policy resources table, which contains policy resources such as definitions, assignments and exemptions. Review our [sample queries.](../samples/resource-graph-samples.md#azure-policy). The Resource Graph explorer portal experience allows downloads of query results to CSV using the ["Download to CSV"](../../resource-graph/first-query-portal.md#download-query-results-as-a-csv-file) toolbar option.

+- Review the [Azure Policy definition structure](../concepts/definition-structure-basics.md).

+- Review [Understanding policy effects](../concepts/effect-basics.md).

+This article walks you through programmatically creating and managing policies. Azure Policy definitions enforce different rules and effects over your resources. Enforcement makes sure that resources stay compliant with your corporate standards and service-level agreements.

+1. If you haven't already, install the [ARMClient](https://github.com/projectkudu/ARMClient). It's a tool that sends HTTP requests to Azure Resource Manager-based APIs.

+1. Update your Azure PowerShell module to the latest version. See [Install Azure PowerShell module](/powershell/azure/install-azure-powershell) for detailed information. For more information about the latest version, see [Azure PowerShell](https://github.com/Azure/azure-powershell/releases).

+1. Register the Azure Policy Insights resource provider using Azure PowerShell to validate that your subscription works with the resource provider. To register a resource provider, you must have permission to run the register action operation for the resource provider. This operation is included in the Contributor and Owner roles. Run the following command to register the resource provider:

+ For more information about registering and viewing resource providers, see [Resource Providers and Types](../../../azure-resource-manager/management/resource-providers-and-types.md).

+1. If you haven't already, install Azure CLI. You can get the latest version at [Install Azure CLI on Windows](/cli/azure/install-azure-cli-windows).

+The first step toward better visibility of your resources is to create and assign policies over your resources. The next step is to learn how to programmatically create and assign a policy. The example policy audits storage accounts that are open to all public networks using PowerShell, Azure CLI, and HTTP requests.

+ "if": {

+ "allOf": [

+ {

+ "field": "type",

+ "equals": "Microsoft.Storage/storageAccounts"

+ },

+ {

+ "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",

+ "equals": "Allow"

+ }

+ ]

+ },

+ "then": {

+ "effect": "audit"

+ }

+ For more information about authoring a policy definition, see [Azure Policy Definition Structure](../concepts/definition-structure.md).

+1. Run the following command to create a policy definition using the _AuditStorageAccounts.json_ file.

+ The command creates a policy definition named _Audit Storage Accounts Open to Public Networks_. For more information about other parameters that you can use, see [New-AzPolicyDefinition](/powershell/module/az.resources/new-azpolicydefinition).

+ When called without location parameters, `New-AzPolicyDefinition` defaults to saving the policy definition in the selected subscription of the sessions context. To save the definition to a different location, use the following parameters:

+1. After you create your policy definition, you can create a policy assignment by running the following commands:

+ The `Scope` parameter on `New-AzPolicyAssignment` works with management group, subscription, resource group, or a single resource. The parameter uses a full resource path, which the `ResourceId` property on `Get-AzResourceGroup` returns. The pattern for `Scope` for each container is as follows. Replace `{rName}`, `{rgName}`, `{subId}`, and `{mgName}` with your resource name, resource group name, subscription ID, and management group name, respectively. `{rType}` would be replaced with the _resource type_ of the resource, such as `Microsoft.Compute/virtualMachines` for a virtual machine.

+For more information about managing resource policies using the Resource Manager PowerShell module, see [Az.Resources](/powershell/module/az.resources/#policy).

+ "displayName": "Audit Storage Accounts Open to Public Networks",

+ "policyType": "Custom",

+ "mode": "Indexed",

+ "description": "This policy ensures that storage accounts with exposure to Public Networks are audited.",

+ "parameters": {},

+ "policyRule": {

+ "if": {

+ "allOf": [

+ {

+ "field": "type",

+ "equals": "Microsoft.Storage/storageAccounts"

+ {

+ "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",

+ "equals": "Allow"

+ ]

+ },

+ "then": {

+ "effect": "audit"

+ }

+ Replace the preceding `{subscriptionId}` with the ID of your subscription or `{managementGroupId}` with the ID of your [management group](../../management-groups/overview.md).

+ For more information about the structure of the query, see [Azure Policy Definitions - Create or Update](/rest/api/policy/policy-definitions/create-or-update) and [Policy Definitions - Create or Update At Management Group](/rest/api/policy/policy-definitions/create-or-update-at-management-group).

+Use the following procedure to create a policy assignment and assign the policy definition at the resource group level.

+1. Copy the following JSON snippet to create a JSON policy assignment file. Replace example information in &lt;&gt; symbols with your own values.

+ "properties": {

+ "description": "This policy assignment makes sure that storage accounts with exposure to Public Networks are audited.",

+ "displayName": "Audit Storage Accounts Open to Public Networks Assignment",

+ "parameters": {},

+ "policyDefinitionId": "/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/policyDefinitions/Audit Storage Accounts Open to Public Networks",

+ "scope": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>"

+ }

+ For more information about making HTTP calls to the REST API, see [Azure REST API Resources](/rest/api/resources/).

+ "if": {

+ "allOf": [

+ {

+ "field": "type",

+ "equals": "Microsoft.Storage/storageAccounts"

+ },

+ {

+ "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",

+ "equals": "Allow"

+ }

+ ]

+ },

+ "then": {

+ "effect": "audit"

+ }

+ For more information about authoring a policy definition, see [Azure Policy Definition Structure](../concepts/definition-structure.md).

+ The command creates a policy definition named _Audit Storage Accounts Open to Public Networks_. For more information about other parameters that you can use, see [az policy definition create](/cli/azure/policy/definition#az-policy-definition-create).

+ When called without location parameters, `az policy definition creation` defaults to saving the policy definition in the selected subscription of the sessions context. To save the definition to a different location, use the following parameters:

+ - **subscription** - Save to a different subscription. Requires a _GUID_ value for the subscription ID or a _string_ value for the subscription name.

+1. Use the following command to create a policy assignment. Replace example information in angle brackets `< >` symbols with your own values.

+ The `scope` parameter on `az policy assignment create` works with management group, subscription, resource group, or a single resource. The parameter uses a full resource path. The pattern for `scope` for each container is as follows. Replace `{rName}`, `{rgName}`, `{subId}`, and `{mgName}` with your resource name, resource group name, subscription ID, and management group name, respectively. `{rType}` would be replaced with the _resource type_ of the resource, such as `Microsoft.Compute/virtualMachines` for a virtual machine.

+The policy definition ID for the policy definition that you created should resemble the following example:

+For more information about how you can manage resource policies with Azure CLI, see [Azure CLI Resource Policies](/cli/azure/policy).

+- [Azure REST API Resources](/rest/api/resources/).

+- [Azure PowerShell Modules](/powershell/module/az.resources/#policy).

+- [Azure CLI Policy Commands](/cli/azure/policy).

+- [Azure Policy resource provider REST API reference](/rest/api/policy).

+## Nexus

+ Title: Azure HDInsight component retirements and action required

+description: Learn about HDInsight retirement versions and its components in Azure HDInsight clusters.

+# Azure HDInsight component retirements and action required

+This page lists all the upcoming retirement versions of HDInsight including the components and services. If youΓÇÖre currently on one of the versions mentioned on this page, we strongly recommend that you immediately migrate to the latest version. If you choose not to migrate and continue using any of the following versions, be aware of the risk will remain associated with your continued usage.

+## Call to action

+To maintain the security posture,ΓÇ» migrate to the latest image of [HDInsight 5.1](./hdinsight-5x-component-versioning.md#open-source-components-available-with-hdinsight-5x), which is Generally Available since November 1, 2023. This release contains all theΓÇ»[latest versions of supported software](./hdinsight-5x-component-versioning.md) along with significant improvements on the security patches on open-source components.ΓÇ»

+### Supported HDInsight versions

+This table lists the versions of HDInsight that are available in the Azure portal and other deployment methods like PowerShell, CLI, and the .NET SDK.

+HDInsight bundles open-source components and HDInsight platform into a package that deployed on a cluster. For more information, see [how HDInsight versioning works](hdinsight-overview-versioning.md).

+## Supported HDInsight versions

+### HDInsight versions

+| HDInsight version | VM OS | Release date| Support type | Support expiration date | Retirement date | High availability | Action Required|

+| | | | | | | ||

+| [HDInsight 5.1](./hdinsight-5x-component-versioning.md) |Ubuntu 18.0.4 LTS |November 1, 2023 | [Standard](hdinsight-component-versioning.md#support-options-for-hdinsight-versions) | Not announced |Not announced| Yes |-|

+| [HDInsight 5.0](./hdinsight-5x-component-versioning.md) |Ubuntu 18.0.4 LTS |March 11, 2022 | [Basic](hdinsight-component-versioning.md#support-options-for-hdinsight-versions) | March 31, 2025 | March 31, 2025| Yes | [HDInsight 5.x component versions](./hdinsight-5x-component-versioning.md)|

+| HDInsight 4.0 |Ubuntu 18.0.4 LTS |September 24, 2018 | [Basic](hdinsight-component-versioning.md#support-options-for-hdinsight-versions) | March 31, 2025 | March 31, 2025 |Yes |[migrate your HDInsight clusters to 5.1](https://azure.microsoft.com/updates/azure-hdinsight-40-will-be-retired-on-31-march-2025-migrate-your-hdinsight-clusters-to-51/) |

+**Support expiration** means that Microsoft no longer provides support for the specific HDInsight version. You might not be able to create clusters from the Azure portal.

+**Retirement** means that existing clusters of a HDInsight version continue to run as is. You can't create new clusters of this version through any means, which includes the CLI and SDKs. Other control plane features, such as manual scaling and autoscaling, not guaranteed to work after retirement date. Support isn't available for retired versions.

+|Retirement Item | Retirement Date | Action Required by Customers| Cluster creation required?|

+|-|-|-|-|

+|[Basic and Standard A-series VMs Retirement](https://azure.microsoft.com/updates/basic-and-standard-aseries-vms-on-hdinsight-will-retire-on-31-august-2024/) |August 31, 2024 |[Av1-series retirement - Azure Virtual Machines](/azure/virtual-machines/sizes/migration-guides/av1-series-retirement) |N|

+|[Azure Monitor experience (preview)](https://azure.microsoft.com/updates/v2/hdinsight-azure-monitor-experience-retirement/) | February 01, 2025 |[Azure Monitor Agent (AMA) migration guide for Azure HDInsight clusters](./azure-monitor-agent.md) |Y|

+## Next steps

+- [Supported Apache components and versions in HDInsight](./hdinsight-component-versioning.md)

+1. Your new module identity appears at the bottom of the screen. Select it to see module identity details.

+1. Save the **Connection string (primary key)**. You use it in the next section to set up your module on the device in a console app.

+This article assumes you already have a Gateway Load Balancer configured for IPv4 traffic, with a corresponding virtual network and subnet. In this step, you add IPv6 ranges to your Gateway Load Balancer's virtual network and subnet. This range is need when creating an IPv6 frontend configuration for your Gateway Load Balancer using a private IP address from this subnet/virtual network.

+#Add IPv6 ranges to the virtual network and subnet

+#Retrieve the virtual network object

+#Add IPv6 prefix to the virtual network

+#Update the running virtual network

+#Retrieve the subnet object from the local copy of the virtual network

+#Update the running virtual network with the new subnet configuration

+Now that you've added IPv6 prefix ranges to your Gateway Load Balancer's subnet and virtual network, we can create a new IPv6 frontend configuration on the Gateway Load Balancer, with an IPv6 address from your subnet's range.

+## View IPv6 dual-stack virtual network in Azure portal

+You can view the IPv6 dual-stack virtual network in Azure portal as follows:

+## View IPv6 dual-stack virtual network in Azure portal

+You can view the IPv6 dual-stack virtual network in Azure portal as follows:

+- It isn't possible to mix Basic and Standard SKU IPs or Load Balancers. All Public IPs associated with a Load Balancer and its backend pool members must match.

+1. For public load balancers, if you don't have one already, [create a new Network Security Group](../virtual-network/tutorial-filter-network-traffic.md) with allow rules for the traffic coming through the Load Balancer rules

+No, this retirement won't impact your existing or new deployments on CSES. This means that you can still create and use Basic Load Balancers for CSES deployments. However, we advise using Standard SKU on Azure Resource Manager (ARM) native resources (those that don't depend on CSES) when possible, because Standard has more advantages than Basic.

+ --location westus2 \

+ --only-show-errors \

+ --no-wait

+Learn troubleshooting guidance for outbound connections in Azure Load Balancer. This includes understanding source network address translation (SNAT) and its impact on connections, using individual public IPs on VMs, and designing applications for connection efficiency to avoid SNAT port exhaustion. Most problems with outbound connectivity that customers experience is due to SNAT port exhaustion and connection timeouts leading to dropped packets.

+ To learn more about how SNAT and port usage works for NAT gateway, see [SNAT fundamentals](../virtual-network/nat-gateway/nat-gateway-resource.md#fundamentals). There are a few conditions where you can't use NAT gateway for outbound connections. For more information on NAT gateway limitations, see [NAT Gateway limitations](../virtual-network/nat-gateway/nat-gateway-resource.md#limitations).

+If youΓÇÖre using a public standard load balancer and experience SNAT exhaustion or connection failures, ensure youΓÇÖre using outbound rules with manual port allocation. Otherwise, youΓÇÖre likely relying on load balancerΓÇÖs default port allocation. Default port allocation automatically assigns a conservative number of ports, which is based on the number of instances in your backend pool. Default port allocation isn't a recommended method for enabling outbound connections. When your backend pool scales, your connections can be impacted if ports need to be reallocated.

+The effective security rules applied to a network interface are an aggregation of rules that exist in the network security group associated to a network interface and the subnet the network interface is in. For more information, see [Network security groups](../virtual-network/network-security-groups-overview.md?toc=%2Fazure%2Fnetwork-watcher%2Ftoc.json) and [How network security groups filter network traffic](../virtual-network/network-security-group-how-it-works.md?toc=%2Fazure%2Fnetwork-watcher%2Ftoc.json). Additionally, the effective security rules include the admin rules that are applied to the virtual network using the Azure Virtual Network Manager. For more information, see [Azure Virtual Network Manager](../virtual-network-manager/overview.md?toc=%2Fazure%2Fnetwork-watcher%2Ftoc.json).

+> [View details of a security rule](diagnose-vm-network-traffic-filtering-problem.md#view-details-of-a-security-rule)

+IP flow verify is a feature in Azure Network Watcher that you can use to check if a packet is allowed or denied to or from an Azure virtual machine based on the configured security and admin rules. It helps you to troubleshoot virtual machine connectivity issues by checking network security group (NSG) rules and Azure Virtual Network Manager admin rules. It's a quick and simple tool to diagnose connectivity issues to or from other Azure resources, the internet, and on-premises environment.

+- IP flow verify only tests TCP and UDP rules. To test ICMP traffic rules, use [NSG diagnostics](network-watcher-network-configuration-diagnostics-overview.md).

+- IP flow verify only tests security and admin rules applied to a virtual machine's network interface. To test rules applied to virtual machine scale sets, use [NSG diagnostics](network-watcher-network-configuration-diagnostics-overview.md).

+ :::image type="content" source="./media/monitor-vm-communication/virtual-network-azure-portal.png" alt-text="Screenshot shows how to search for virtual networks in the Azure portal." lightbox="./media/monitor-vm-communication/virtual-network-azure-portal.png":::

+ :::image type="content" source="./media/monitor-vm-communication/connection-monitor.png" alt-text="Screenshot shows Connection monitor page in the Azure portal." lightbox="./media/monitor-vm-communication/connection-monitor.png":::

+ :::image type="content" source="./media/monitor-vm-communication/create-connection-monitor-basics.png" alt-text="Screenshot shows the Basics tab of creating a connection monitor in the Azure portal." lightbox="./media/monitor-vm-communication/create-connection-monitor-basics.png":::

+ :::image type="content" source="./media/monitor-vm-communication/add-source-endpoint.png" alt-text="Screenshot shows how to add a source endpoint for a connection monitor in the Azure portal." lightbox="./media/monitor-vm-communication/add-source-endpoint.png":::

+ :::image type="content" source="./media/monitor-vm-communication/add-test-configuration.png" alt-text="Screenshot shows how to add a test configuration for a connection monitor in the Azure portal." lightbox="./media/monitor-vm-communication/add-test-configuration.png":::

+ :::image type="content" source="./media/monitor-vm-communication/add-destination-endpoint.png" alt-text="Screenshot shows how to add a destination endpoint for a connection monitor in the Azure portal." lightbox="./media/monitor-vm-communication/add-destination-endpoint.png":::

+ :::image type="content" source="./media/monitor-vm-communication/new-connection-monitor.png" alt-text="Screenshot shows the new connection monitor." lightbox="./media/monitor-vm-communication/new-connection-monitor.png":::

+ :::image type="content" source="./media/monitor-vm-communication/connection-monitor-summary.png" alt-text="Screenshot that shows the summary page of the new connection monitor." lightbox="./media/monitor-vm-communication/connection-monitor-summary.png":::

+> [Diagnose communication problems between networks](diagnose-communication-problem-between-networks.md)

+ Title: 'Tutorial: Log network traffic flow to and from a VM'

+description: In this tutorial, you learn how to log network traffic flow to and from a virtual machine (VM) using Network Watcher NSG flow logs.

+ :::image type="content" source="./media/nsg-flow-logs-tutorial/virtual-network-azure-portal.png" alt-text="Screenshot shows searching for virtual networks in the Azure portal." lightbox="./media/nsg-flow-logs-tutorial/virtual-network-azure-portal.png":::

+ :::image type="content" source="./media/nsg-flow-logs-tutorial/register-microsoft-insights.png" alt-text="Screenshot of registering Microsoft Insights provider in the Azure portal." lightbox="./media/nsg-flow-logs-tutorial/register-microsoft-insights.png":::

+ :::image type="content" source="./media/nsg-flow-logs-tutorial/nsg-log-file.png" alt-text="Screenshot showing how to download nsg flow log from the storage account container in the Azure portal." lightbox="./media/nsg-flow-logs-tutorial/nsg-log-file.png":::

+ # [Azure CLI](#tab/cli)

+1. Save the [Bicep file](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.network/networkwatcher-flowLogs-create/main.bicep) as **main.bicep** to your local computer.

+ # [Azure CLI](#tab/cli)

+ Title: "Cluster

+Starting with the 2024-07-01 API version, a customer can assign managed identity to a Cluster Manager. Both System-assigned and User-Assigned managed identities are supported.

+Note, `<APIVersion>` is the API version 2024-07-01 or newer.

+Starting with the 2024-07-01 API version, a customer can assign managed identity to a Cluster. Both System-assigned and User-Assigned managed identities are supported.

+Note, `<APIVersion>` is the API version 2024-07-01 or newer.

+| Azure Database for MySQL with Microsoft Entra authentication integration enabled | Yes | No | | You cannot transfer an Azure database for MySQL (Single and Flexible server) with Microsoft Entra authentication enabled to a different directory. |

+| Azure Database for PostgreSQL Flexible Server with Microsoft Entra authentication integration enabled or with Customer Managed Key enabled | Yes | No | | You cannot transfer an Azure Database for PostgreSQL with Microsoft Entra authentication or with Customer Managed Key enabled to a different directory. You have to disable these features first, transfer the server, and then re-enable these features. |

+Access to customer data by Microsoft operations and support personnel is denied by default. When access to data related to a support case is granted, it's only granted using a just-in-time (JIT) model using policies that are audited and vetted against our compliance and privacy policies. The access-control requirements are established by the following Azure Security Policy:

+Azure support personnel are assigned unique corporate Active Directory accounts by Microsoft. Azure relies on Microsoft corporate Active Directory, managed by Microsoft Information Technology (MSIT), to control access to key information systems. Multifactor authentication is required, and access is granted only from secure consoles.

+**Data segregation**: Azure is a multitenant service, which means that multiple customer deployments and VMs are stored on the same physical hardware. Azure uses logical isolation to segregate each customerΓÇÖs data from the data of others. Segregation provides the scale and economic benefits of multitenant services while rigorously preventing customers from accessing one anotherΓÇÖs data.

+**In-transit data protection**: Microsoft provides many options that can be utilized by customers for securing data in transit internally within the Azure network and externally across the Internet to the end user. These include communication through Virtual Private Networks (utilizing IPsec/IKE encryption), Transport Layer Security (TLS) 1.2 or later (via Azure components such as Application Gateway or Azure Front Door), protocols directly on the Azure virtual machines (such as Windows IPsec or SMB), and more.

+Additionally, "encryption by default" using MACsec (an IEEE standard at the data-link layer) is enabled for all Azure traffic traveling between Azure datacenters to ensure confidentiality and integrity of customer data.

+**Data redundancy**: Microsoft helps ensure that data is protected if there's a cyberattack or physical damage to a datacenter. Customers may opt for:

+Data can be replicated within a selected geographic area for redundancy but can't be transmitted outside it. Customers have multiple options for replicating data, including the number of copies and the number and location of replication datacenters.

+- **Geo-redundant storage (GRS)**: Geo-redundant storage is enabled for your storage account by default when you create it. GRS maintains six copies of your data. With GRS, your data is replicated three times within the primary region. Your data is also replicated three times in a secondary region hundreds of miles away from the primary region, providing the highest level of durability. If a failure at the primary region, Azure Storage fails over to the secondary region. GRS helps ensure that your data is durable in two separate regions.

+**Data destruction**: When customers delete data or leave Azure, Microsoft follows strict standards for deleting data and the physical destruction of decommissioned hardware. Microsoft executes a complete deletion of data on customer request and on contract termination. For more information, see [Data management at Microsoft](https://www.microsoft.com/trust-center/privacy/data-management).

+Microsoft doesn't inspect, approve, or monitor applications that customers deploy to Azure. Moreover, Microsoft doesn't know what kind of data customers choose to store in Azure. Microsoft doesn't claim data ownership over the customer information entered into Azure.

+Azure established internal records-retention requirements for back-end data. Customers are responsible for identifying their own record retention requirements. For records that are stored in Azure, customers are responsible for extracting their data and retaining their content outside of Azure for a customer-specified retention period.

+Secure Boot is a feature of the [Unified Extensible Firmware Interface (UEFI)](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) that requires all low-level firmware and software components to be verified before loading. During boot, UEFI Secure Boot checks the signature of each piece of boot software, including UEFI firmware drivers (also known as option ROMs), Extensible Firmware Interface (EFI) applications, and the operating system drivers and binaries. If the signatures are valid or trusted by the Original Equipment Manufacturer (OEM), the machine boots and the firmware gives control to the operating system.

+- Revoked signatures database (dbx) ΓÇô Holds revoked digests of code modules that are identified to be malicious, vulnerable, compromised, or untrusted. If a hash is in the signature db and the revoked signatures db, the revoked signatures database takes precedent.

+The OEM stores the Secure Boot digests on the machine's nonvolatile RAM (NV-RAM) at the time of manufacturing.

+1. The signature db is populated with the signers or image hashes of UEFI applications, operating system loaders (such as the Microsoft Operating System Loader or Boot Manager), and UEFI drivers that are trusted.

+2. The revoked signatures dbx is populated with digests of modules that are no longer trusted.

+4. After the db, dbx, and KEK databases are added and final firmware validation and testing is complete, the OEM locks the firmware from editing and generates a platform key (PK). The PK can be used to sign updates to the KEK or to turn off Secure Boot.

+During each stage in the boot process, the digests of the firmware, bootloader, operating system, kernel drivers, and other boot chain artifacts are calculated and compared to acceptable values. Firmware and software that are discovered to be untrusted aren't allowed to load. Thus, low-level malware injection or preboot malware attacks can be blocked.

+Today, every machine that is onboarded and deployed to the Azure compute fleet to host customer workloads comes from factory floors with Secure Boot enabled. Targeted tooling and processes are in place at every stage in the hardware buildout and integration pipeline to ensure that Secure Boot enablement isn't reverted by accident or by malicious intent.

+- Bootloader's signature is valid

+- Any connector based on [Codeless Connector Platform](create-codeless-connector.md)

+#### Limitations

+- Currently, only built-in roles are supported.

+- Data about deleted groups, where a user was removed from a group, is not currently supported.

+#### Versions of the IdentityInfo table

+There are actually two versions of the *IdentityInfo* table:

+- The *Log Analytics* schema version serves Microsoft Sentinel in the Azure portal.

+- The *Advanced hunting* schema version serves Microsoft Sentinel in the Microsoft Defender portal via Microsoft Defender for Identity.

+Both versions of this table are fed by Microsoft Entra ID, but the Log Analytics version added a few fields.

+[The unified security operations platform](https://go.microsoft.com/fwlink/p/?linkid=2263690), being in the Defender portal, uses the *Advanced hunting* version of this table. To minimize the differences between the two versions of the table, most of the unique fields in the Log Analytics version are gradually being added to the *Advanced hunting* version as well. Regardless of in which portal you're using Microsoft Sentinel, you'll have access to nearly all the same information, though there may be a small time lag in synchronization between the versions. For more information, see the [documentation of the *Advanced hunting* version of this table](/defender-xdr/advanced-hunting-identityinfo-table).

+| **BlastRadius** | string | A calculation based on the position of the user in the org tree and the user's Microsoft Entra roles and permissions. <br>Possible values: *Low, Medium, High* | -- |

+| **OnPremisesDistinguishedName** | string | The Microsoft Entra ID distinguished name (DN). A distinguished name is a sequence of relative distinguished names (RDN), connected by commas. | **DistinguishedName** |

+ Title: Azure Spring Apps retirement announcement

+description: Announces the retirement of the Azure Spring Apps service.

+# Azure Spring Apps retirement announcement

+Azure Spring Apps is a fully managed service for running Java Spring applications, jointly built by Microsoft and VMware by Broadcom. After careful consideration and analysis, Microsoft and Broadcom have made the difficult decision to retire the Azure Spring Apps service. We recommend Azure Container Apps as the primary service for your migration of workloads running on Azure Spring Apps. Azure Container Apps is a strong and enterprise ready platform that provides fully managed, serverless container service for polyglot apps and enhanced Java features to help you manage, monitor, and troubleshoot Java apps at scale.

+We're committed to supporting you with a long-term platform with migration tools, expert resources, and technical support through the end of the service.

+## Timeline

+Azure Spring Apps, including the Standard consumption and dedicated (currently in Public Preview only), Basic, Standard, and Enterprise plans, will be retired through a two-phased retirement plan:

+- On September 30, 2024, the Standard consumption and dedicated plan (preview) will enter a six-month retirement period and will be retired on March 31, 2025.

+- In mid-March 2025, all other Azure Spring Apps plans, including Basic, Standard, and Enterprise plans, will enter a three-year retirement period and will be retired on March 31, 2028.

+## Migration recommendation

+To ensure that you maintain high performance and achieve scalability, flexibility, and cost-efficiency for your business, we recommend Azure Container Apps as the primary service for your migration of workloads running on Azure Spring Apps.

+Azure Container Apps is a fully managed, serverless container service for polyglot apps and offers enhanced Java features to help you manage, monitor, and troubleshoot Java apps at scale.

+Key Features of Azure Container Apps:

+- Fully managed, serverless container platform

+- Scale to zero capability

+- Open-source foundation and add-ons

+- [Enhanced Java support](../../container-apps/java-overview.md)

+ - Managed Spring components support (Eureka Server, Config Server, Spring Boot Admin)

+ - Built-in JVM metrics

+ - Diagnostics for Java apps

+For more information about Azure Container Apps, see [Azure Container Apps overview](../../container-apps/overview.md).

+## Migration guidance and tooling for the Azure Spring Apps Standard consumption and dedicated plan

+For the Azure Spring Apps Standard consumption and dedicated plan (preview), new customers will no longer be able to sign up for the service after September 30, 2024, while existing customers will remain operational until this plan is retired on March 31, 2025.

+Migration guidance and tooling will be enabled for the Azure Spring Apps Standard consumption and dedicated plan (preview) by mid-October, providing customers with a transition from Azure Spring Apps to Azure Container Apps. For more information, see [Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps](../consumption-dedicated/overview-migration.md).

+## Migration guidance and tooling for the Azure Spring Apps Basic, Standard, and Enterprise plans

+For the Azure Spring Apps Basic, Standard, and Enterprise plans, new customers will no longer be able to sign up for the service after March 31, 2025, while existing customers will remain operational until the plans are phased out on March 31, 2028.

+We encourage you to start testing out Azure Container Apps for your Java Spring workloads and get prepared for the migration when the retirement for the Basic, Standard, and Enterprise plans starts in mid-March 2025.

+Migration guidance will be ready by the end of December 2024 and the migration tool assisting with Azure Container Apps environment setup will be available by mid-March 2025 before the retirement starts.

+## What is the impact for customers using Tanzu Components with Azure Spring Apps Enterprise?

+If customers are interested in obtaining or continuing Spring commercial support and using Tanzu Components while migrating to Azure Container Apps, the components can download and run as JAR files on top of Azure Container Apps. For more information, please work with Broadcom sellers.

+## FAQ

+### What are the migration destinations?

+We recommend Azure Container Apps as the primary service for your migration of workloads running on Azure Spring Apps. Azure Container Apps is a fully managed serverless container service for polyglot apps and offers enhanced Java features to help you manage, monitor, and troubleshoot Java apps at scale.

+Migration guidance and tooling will be enabled for the Azure Spring Apps Standard consumption and dedicated plan (currently in Public Preview only) by mid-October, providing customers with a transition from Azure Spring Apps to Azure Container Apps. For more information, see [Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps](../consumption-dedicated/overview-migration.md).

+We're working on the migration guidance and tooling from the Azure Spring Apps Basic, Standard, and Enterprise plans to Azure Container Apps. This guidance and tooling will be available by March 2025.

+You might also consider the following alternative solutions:

+- PaaS solution: Azure App Service is a fully managed platform for building, deploying, and scaling web apps, mobile app backends, and RESTful APIs. It supports multiple programming languages (such as Java and .NET), integrates with various development tools, and provides features like autoscaling, load balancing, and security for applications. Learn more: [App Service Overview](../../app-service/overview.md).

+- Containerized solution: Azure Kubernetes Service (AKS) is a managed container orchestration service that simplifies the deployment, management, and scaling of containerized applications using Kubernetes. It offers features like automated updates, monitoring, and scaling, enabling developers to focus on application development rather than infrastructure management. Learn more: [What is Azure Kubernetes Service (AKS)?](/azure/aks/what-is-aks).

+- If you're currently using Spring commercial support or Tanzu components as part of Azure Spring Apps Enterprise, you need to switch to using Tanzu Platform Spring Essentials on Azure Container Apps. Learn more: [VMware Tanzu Spring](https://tanzu.vmware.com/spring).

+### What is the migration timeline?

+Existing customers are required to migrate their Azure Spring Apps Standard consumption and dedicated workloads to Azure Container Apps by March 31, 2025. Customers on Basic, Standard, and Enterprise plans are required to complete this transition by March 31, 2028. Azure Spring Apps will be entirely retired by March 31, 2028.

+### Will Azure Spring Apps still allow new customer sign-ups?

+For Azure Spring Apps Standard consumption and dedicated plan (preview), new customers will no longer be able to sign up for the service after September 30, 2024, while existing customers will remain operational until these plans are retired on March 31, 2025.

+For Azure Spring Apps Basic, Standard, and Enterprise plans, new customers will no longer be able to sign up for the service after March 31, 2025, while existing customers will remain operational until the plans are phased out on March 31, 2028.

+### Will Microsoft continue to support my current workload?

+Yes, support will continue for your workloads on Azure Spring Apps until the retirement date. You'll continue to receive SLA assurance, infrastructure updates/maintenance (VM and AKS), management of OSS/Tanzu components, and updates for container images of your apps including base OS, runtime (JDK, dotnet runtime, and so on), and APM agents. You can still raise support tickets as usual for prompt assistance through the end of the service.

+### Will Azure Spring Apps provide any new features during the retirement period?

+No, we won't take up any feature requests from customers and won't be building any features in the Azure Spring Apps service. Instead, we'll prioritize new features and enhancements on Azure Container Apps.

+### What will happen after retirement date?

+After March 31, 2025, the Azure Spring Apps Standard consumption and dedicated plan (preview) will be completely discontinued. As a result, you will no longer receive support and access to your workloads and Azure Spring Apps services.

+After March 31, 2028, Azure Spring Apps Basic, Standard and Enterprise plans will be completely discontinued. As a result, you will no longer receive support and access to your workloads and Azure Spring Apps services. We strongly suggest you migrate your workloads to Azure Container Apps by March 31, 2028.

+### Does Microsoft Container Apps offer feature parity with Azure Spring Apps?

+Customers should be able to achieve most of the desired capabilities to host their Spring applications on Azure Container Apps. Managed Spring components, Java metrics, and diagnostics support are available for you to use on Azure Container Apps. For more information, see [Java on Azure Container Apps overview](../../container-apps/java-overview.md). If you have any questions, open a support ticket from the Azure portal or open an issue in the [azure-container-apps](https://github.com/microsoft/azure-container-apps/issues) repository on GitHub.

+If you have interest in obtaining or continuing Spring commercial support and using Tanzu components, you can download the components and run them as JAR files on top of Azure Container Apps. Please work with your Broadcom sales to explore running Tanzu Platform Spring Essentials on top of Azure Container Apps.

+### Will Microsoft Azure Container Apps be available in the same Azure regions as Azure Spring Apps?

+For the Standard consumption and dedicated plan (preview), Azure Container Apps and Azure Spring Apps are available in the same regions.

+Azure Container Apps will be available in the same Azure regions as Azure Spring Apps for customers under the Basic, Standard, and Enterprise plans before the migration starts in March 2025.

+### Are there pricing differences across Microsoft solutions?

+Azure Spring Apps operates on a consumption-based model with a basic unit where you only pay for vCPU and memory for your apps.

+[Azure Container Apps](https://azure.microsoft.com/pricing/details/container-apps/) offers the following two pricing models:

+- A consumption model billed based on per-second resource allocation (on VCPU and memory) and requests.

+- A dedicated model with a single tenancy guarantee, access to specialized hardware, and more predictable pricing.

+Billing for the dedicated plan is based on the number of vCPU seconds and gibibyte (GiB) seconds allocated across Azure Container App instances. Azure Container Apps also provides savings plan.

+The costs for Microsoft solutions will vary based on their pricing model and optimizations that can be enabled. We recommend using the [Azure Pricing Calculator](https://azure.microsoft.com/pricing/calculator/?ef_id=_k_8d2e1450f88b14d2046272e613f0ee0b_k_&OCID=AIDcmm5edswduu_SEM__k_8d2e1450f88b14d2046272e613f0ee0b_k_&msclkid=8d2e1450f88b14d2046272e613f0ee0b), which provides details on meters, usage prices, and available savings plans to accurately assess anticipated costs.

+### What is the impact for customers using Tanzu Components within Azure Spring Apps Enterprise?

+If you're interested in obtaining or continuing Spring commercial support and using Tanzu Components while migrating to Azure Container Apps, you can download the components and run them as JAR files on top of Azure Container Apps. For more information, please work with your Broadcom sales contact.

+### How can I stay up to date with Azure Spring Apps retirement guidance?

+The following table indicates the overall release timeline for whole Azure Spring Apps retirement period. We'll keep it updated when the corresponding guidance and tooling is ready for release.

+| Item | Target plans | Release date |

+||--|--|

+| Official retirement start date | Standard consumption and dedicated plan | September 30, 2024 |

+| Block new service instance creation for all customers | Standard consumption and dedicated plan | September 30, 2024 |

+| Guidance and tooling for migration to Azure Container Apps | Standard consumption and dedicated plan | October 2024 |

+| Guidance for helping switch from Tanzu components to alternative solutions | Enterprise plan | October 2024 |

+| Guidance for migrating to Azure Container Apps (without migration tooling support) | Basic, Standard, and Enterprise plans | December 2024 |

+| Official retirement date after a half year retirement period | Standard consumption and dedicated plan | March 31, 2025 |

+| Official retirement start date | Basic, Standard, and Enterprise plans | Mid-March 2025 |

+| Guidance for migrating to Azure Container Apps with migration tooling support | Basic, Standard, and Enterprise plans | Mid-March 2025 |

+| Block new customer sign-ups | Basic, Standard, and Enterprise plans | April 2025 |

+| Official retirement date after a three-year retirement period | Basic, Standard, and Enterprise plans | March 31 2028 |

+### How can I get transition help and support during migration?

+If you have any questions, you can open a support ticket through the Azure portal for technical help: create an [Azure Support Request](/azure/azure-portal/supportability/how-to-create-azure-support-request).

+ Title: Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps

+description: The complete overview guide for migrating Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps, including steps, benefits, and frequently asked questions.

+#Customer intent: As an Azure Cloud user, I want to deploy, run, and monitor Spring applications.

+# Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps

+This article describes when and how to migrate Azure Spring Apps Standard consumption and dedicated plan (currently in Public Preview only) to Azure Container Apps. To consolidate cloud-native benefits and streamline our offerings, the Azure Spring Apps service is retiring, including the Standard consumption and dedicated (preview), Basic, Standard, and Enterprise plans. The Standard consumption and dedicated plan (preview) enters its six-month sunset period on September 30, 2024 and retires in March 2025.

+We recommend Azure Container Apps as the best destination for your migration. Azure Container Apps is a fully managed, serverless container platform for polyglot apps and offers enhanced Java features previously available in Azure Spring Apps.

+We've introduced a migration feature to ease the transition from the Azure Spring Apps Standard consumption and dedicated plan (preview) to Azure Container Apps. Select **Migrate** in the Azure portal and confirm the action.

+This feature will be available mid-October 2024 and you can start the migration process as soon as it's available.

+After the migration finishes, the app appears as a standard app inside Azure Container Apps, with the Java development stack turned on. With this option enabled, you get access to Java specific metrics and logs to monitor and troubleshoot your apps. For more information, see [Java metrics for Java apps in Azure Container Apps](../../container-apps/java-metrics.md) and [Set dynamic logger level to troubleshoot Java applications in Azure Container Apps](../../container-apps/java-dynamic-log-level.md).

+The following video announces the general availability of Java experiences on Azure Container Apps:

+<br>

+> [!VIDEO https://www.youtube.com/embed/-T90dC2CCPA]

+## Frequently asked questions

+The following section addresses several questions you might have about the migration process.

+### Are there plans to retire any other Azure Spring Apps SKUs?

+Yes, other Azure Spring Apps plans are also retiring, with a three-year sunset period. For more information, see the [Azure Spring Apps retirement announcement](../basic-standard/retirement-announcement.md?toc=/azure/spring-apps/consumption-dedicated/toc.json&bc=/azure/spring-apps/consumption-dedicated/breadcrumb/toc.json).

+### What happens if I don't take any actions by March 30, 2025?

+Your apps are automatically migrated to Azure Container Apps.

+### Can I continue to use the Azure Spring Apps Standard consumption and dedicated plan?

+You can continue to run existing apps until March 30, 2025, but you can't create new apps and service instances after September 30, 2024.

+### How can I get help if the migration process fails?

+Fill out the support request form on the Azure portal, using the following values:

+- For **Issue type**, select **Technical**.

+- For **Subscription**, select your subscription.

+- For **Service**, select **Azure Spring Apps**.

+- For **Resource**, select your Azure Spring Apps resource.

+- For **Summary**, type a description of your issue.

+- For **Problem type**, select **My issue is not listed**.

+### Do I need to manually create Spring Cloud Config Server and Spring Cloud Service Registry instances in Azure Container Apps?

+Yes, you must recreate Spring Cloud Config Server and Spring Cloud Service Registry instances in Azure Container Apps. Both Spring Cloud Config Server and Spring Cloud Service Registry are also managed components in Azure Container Apps, but there are some experiential differences. For more information, see [Tutorial: Connect to a managed Eureka Server for Spring in Azure Container Apps](../../container-apps/java-eureka-server.md) and [Tutorial: Connect to a managed Config Server for Spring in Azure Container Apps](../../container-apps/java-config-server.md).

+If you need assistance creating and migrating Spring Cloud Config Server and Spring Cloud Service Registry to Azure Container Apps, create a support request.

+### Is there any downtime during the migration process?

+There's no downtime unless you're using Spring Cloud Config Server and Spring Cloud Service Registry, which you must manually recreate in Azure Container Apps.

+### What happens to apps that have in-flight transactions during the migration?

+All in-flight transactions execute without any interruptions, unless you're using Spring Cloud Config Server and Spring Cloud Service Registry, which you must manually recreate in Azure Container Apps.

+### Is there any change in IP address/FQDN after the migration?

+There's no change. All IP addresses/FQDNs remain the same after the migration.

+### I'm using persistent storage. How do I recreate it in Azure Container Apps?

+Persistent storage migrates automatically to Azure Container Apps.

+### What are the pricing implications when moving to Azure Container Apps?

+Azure Container Apps has the same pricing structure as Azure Spring Apps for the consumption and dedicated plans. Charges for active and idle CPU/memory use, along with virtual machine SKUs in dedicated workloads, are identical in Azure Spring Apps and Azure Container Apps. The monthly free grant also applies directly to Azure Container Apps. The only exception to the rule is number of requests for managed Java components are billed in Azure Container Apps consumption plan.

+The following table describes the differences:

+| Resources used for managed Java components | Azure Spring Apps Standard consumption plan | Azure Container Apps consumption plan |

+|||--|

+| Spring Cloud Service Registry active CPU | No change. | No change. |

+| Spring Cloud Service Registry idle CPU | No change. | No change. |

+| Spring Cloud Config Server active CPU | No change. | No change. |

+| Spring Cloud Config Server idle CPU | No change. | No change. |

+| One million requests made to Spring Cloud Service Registry | No extra cost. | See [Azure Container Apps pricing](https://azure.microsoft.com/pricing/details/container-apps/). |

+| One million requests made to Spring Cloud Config Server | No extra cost. | See [Azure Container Apps pricing](https://azure.microsoft.com/pricing/details/container-apps/). |

+Also, with Azure Container Apps, you can take advantage of the Azure savings plan and benefit from savings through commitment. For more information, see [Azure savings plan for compute](https://azure.microsoft.com/pricing/offers/savings-plan-compute/).

+### How do I continue to use my own virtual network in Azure Container Apps?

+There's no change to the virtual network experience. You can continue using your own virtual network.

+### Will my app be migrated to the consumption plan or the consumption and dedicated plan with workload profiles in Azure Container Apps?

+There's a direct mapping between the service plans in Azure Spring Apps and Azure Container Apps. If your app is currently running on the consumption plan, it moves to the consumption only plan in Azure Container Apps. If your app is currently running on a consumption and dedicated workload profile, it transitions to the corresponding workload profile in Azure Container Apps.

+### How can I continue to keep my deployment pipelines/workflow working?

+Your deployment pipelines/workflow must point to Azure Container Apps to work properly. For more information, see [Introducing more ways to deploy Azure Container Apps](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/introducing-more-ways-to-deploy-azure-container-apps/ba-p/3678390).

+### How do I continue to make my automation scripts work using Azure CLI?

+Azure CLI scripts must change to make them work in Azure Container Apps. For more information, see [az containerapp](/cli/azure/containerapp).

+### [Basic/Standard plan](#tab/basic-standard-plan)

+| Spring Boot version | Spring Cloud version | End of support |

+|||-|

+| 3.2.x | 2023.0.x also known as Leyton | 2024-11-23 |

+| 3.1.x | 2022.0.3+ also known as Kilburn | 2024-05-18 |

+| 3.0.x | 2022.0.3+ also known as Kilburn | 2023-11-24 |

+| 2.7.x | 2021.0.3+ also known as Jubilee | 2023-11-24 |

+#### [Basic/Standard plan](#tab/basic-standard-plan)

+To enable distributed configuration, include the following `spring-cloud-config-client` dependency in the dependencies section of your *pom.xml* file:

+```xml

+<dependency>

+ <groupId>org.springframework.cloud</groupId>

+ <artifactId>spring-cloud-config-client</artifactId>

+</dependency>

+<dependency>

+ <groupId>org.springframework.cloud</groupId>

+ <artifactId>spring-cloud-starter-bootstrap</artifactId>

+</dependency>

+```

+> [!WARNING]

+> Don't specify `spring.cloud.config.enabled=false` in your bootstrap configuration. Otherwise, your application stops working with Config Server.

+### [Enterprise plan](#tab/azure-spring-apps-enterprise)

+### [Enterprise plan](#tab/azure-spring-apps-enterprise)

+### [Enterprise plan](#tab/azure-spring-apps-enterprise)

+### [Enterprise plan](#tab/azure-spring-apps-enterprise)

+### [Enterprise plan](#tab/azure-spring-apps-enterprise)

+### [Enterprise plan](#tab/enterprise-plan)

+* **Application Configuration Service for Tanzu**: Application Configuration Service for Tanzu is one of the commercial VMware Tanzu components. It enables the management of Kubernetes-native ConfigMap resources that are populated from properties defined in one or more Git repositories.

+* **Tanzu Service Registry**: Tanzu Service Registry is one of the commercial VMware Tanzu components. It provides your apps with an implementation of the Service Discovery pattern, one of the key tenets of a Spring-based architecture. Your apps can use the Service Registry to dynamically discover and call registered services.

+### [Basic/Standard plan](#tab/basic-standard-plan)

+> [Quickstart: Provision an Azure Spring Apps service instance](../basic-standard/quickstart-provision-service-instance.md)

+### [Enterprise plan](#tab/enterprise-plan)

+> [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md)

+ app_location: "src" # App source code path

+ output_location: "" # Built app content directory - optional

+ **Note**: The above values of `api_location` ,`app_location`,`output_location` are for no framework and these value changes based on framework.

+> [!NOTE]

+> For steps to deploy a Blazor app via Visual Studio, see [Deploy a Blazor app on Azure Static Web Apps](/aspnet/core/blazor/host-and-deploy/webassembly).

+### Specify data transfer options for download

+You can set configuration options when downloading a blob to optimize performance. The following configuration options are available for download operations:

+- `BlockSize`: The size of each block when downloading a block blob. The default value is 4 MB.

+- `Concurrency`: The maximum number of parallel connections to use during download. The default value is 5.

+These options are available when downloading using the following methods:

+- [DownloadBuffer](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.DownloadBuffer)

+- [DownloadFile](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.DownloadFile)

+The [DownloadStream](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.DownloadStream) method doesn't support these options, and downloads data in a single request.

+For more information on transfer size limits for Blob Storage, see [Scale targets for Blob storage](scalability-targets.md#scale-targets-for-blob-storage).

+The following code example shows how to specify data transfer options using the [DownloadFileOptions](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blob#DownloadFileOptions). The values provided in this sample aren't intended to be a recommendation. To properly tune these values, you need to consider the specific needs of your app.

+To learn more about tuning data transfer options, see [Performance tuning for uploads and downloads with Go](storage-blobs-tune-upload-download-go.md).

+- [Upload](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blockblob#Client.Upload)

+- `BlockSize`: The size of each block when uploading a block blob. The default value is 4 MB.

+- `Concurrency`: The maximum number of parallel connections to use during upload. The default value is 5.

+These configuration options are available when uploading using the following methods:

+- [UploadBuffer](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.UploadBuffer)

+- [UploadStream](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.UploadStream)

+- [UploadFile](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.UploadFile)

+The [Upload](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blockblob#Client.Upload) method doesn't support these options, and uploads data in a single request.

+To learn more about tuning data transfer options, see [Performance tuning for uploads and downloads with Go](storage-blobs-tune-upload-download-go.md).

+ Title: Performance tuning for uploads and downloads with Azure Storage client library for Go

+description: Learn how to tune your uploads and downloads for better performance with Azure Storage client library for Go.

+ms.devlang: golang

+# Performance tuning for uploads and downloads with Go

+When an application transfers data using the Azure Storage client library for Go, there are several factors that can affect speed, memory usage, and even the success or failure of the request. To maximize performance and reliability for data transfers, it's important to be proactive in configuring client library transfer options based on the environment your app runs in.

+This article walks through several considerations for tuning data transfer options. When properly tuned, the client library can efficiently distribute data across multiple requests, which can result in improved operation speed, memory usage, and network stability.

+## Performance tuning for uploads

+Properly tuning data transfer options is key to reliable performance for uploads. Storage transfers are partitioned into several subtransfers based on the values of these properties. The maximum supported transfer size varies by operation and service version, so be sure to check the documentation to determine the limits. For more information on transfer size limits for Blob storage, see [Scale targets for Blob storage](scalability-targets.md#scale-targets-for-blob-storage).

+### Set transfer options for uploads

+If the total blob size is less than or equal to 256 MB, the data is uploaded with a single [Put Blob](/rest/api/storageservices/put-blob) request. If the blob size is greater than 256 MB, or if the blob size is unknown, the blob is uploaded in chunks using a series of [Put Block](/rest/api/storageservices/put-block) calls followed by [Put Block List](/rest/api/storageservices/put-block-list).

+The following properties can be configured and tuned based on the needs of your app:

+- `BlockSize`: The maximum length of a transfer in bytes when uploading a block blob in chunks. Defaults to 4 MB.

+- `Concurrency`: The maximum number of subtransfers that can be used in parallel. Defaults to 5.

+These configuration options are available when uploading using the following methods:

+- [UploadBuffer](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.UploadBuffer)

+- [UploadStream](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.UploadStream)

+- [UploadFile](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.UploadFile)

+The [Upload](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blockblob#Client.Upload) method doesn't support these options, and uploads data in a single request.

+> [!NOTE]

+> The client libraries use defaults for each data transfer option, if not provided. These defaults are typically performant in a data center environment, but not likely to be suitable for home consumer environments. Poorly tuned data transfer options can result in excessively long operations and even request timeouts. It's best to be proactive in testing these values, and tuning them based on the needs of your application and environment.

+#### BlockSize

+The `BlockSize` argument is the maximum length of a transfer in bytes when uploading a block blob in chunks.

+To keep data moving efficiently, the client libraries might not always reach the `BlockSize` value for every transfer. Depending on the operation, the maximum supported value for transfer size can vary. For more information on transfer size limits for Blob storage, see the chart in [Scale targets for Blob storage](scalability-targets.md#scale-targets-for-blob-storage).

+#### Code example

+The following code example shows how to define values for an [UploadFileOptions](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#UploadFileOptions) instance and pass these configuration options as a parameter to [UploadFile](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.UploadFile).

+The values provided in this sample aren't intended to be a recommendation. To properly tune these values, you need to consider the specific needs of your app.

+```go

+func uploadBlobWithTransferOptions(client *azblob.Client, containerName string, blobName string) {

+ // Open the file for reading

+ file, err := os.OpenFile("path/to/sample/file", os.O_RDONLY, 0)

+ handleError(err)

+ defer file.Close()

+ // Upload the data to a block blob with transfer options

+ _, err = client.UploadFile(context.TODO(), containerName, blobName, file,

+ &azblob.UploadFileOptions{

+ BlockSize: int64(8 * 1024 * 1024), // 8 MiB

+ Concurrency: uint16(2),

+ })

+ handleError(err)

+}

+```

+In this example, we set the number of parallel transfer workers to 2, using the `Concurrency` field. This configuration opens up to two connections simultaneously, allowing the upload to happen in parallel. If the blob size is larger than 256 MB, the blob is uploaded in chunks with a maximum chunk size of 8 MiB, as set by the `Block_Size` field.

+### Performance considerations for uploads

+During an upload, the Storage client libraries split a given upload stream into multiple subuploads based on the configuration options defined during client construction. Each subupload has its own dedicated call to the REST operation. The Storage client library manages these REST operations in parallel (depending on transfer options) to complete the full upload.

+You can learn how the client library handles buffering in the following sections.

+> [!NOTE]

+> Block blobs have a maximum block count of 50,000 blocks. The maximum size of your block blob, then, is 50,000 times `Block_Size`.

+#### Buffering during uploads

+The Storage REST layer doesnΓÇÖt support picking up a REST upload operation where you left off; individual transfers are either completed or lost. To ensure resiliency for stream uploads, the Storage client libraries buffer data for each individual REST call before starting the upload. In addition to network speed limitations, this buffering behavior is a reason to consider a smaller value for `BlockSize`, even when uploading in sequence. Decreasing the value of `BlockSize` decreases the maximum amount of data that is buffered on each request and each retry of a failed request. If you're experiencing frequent timeouts during data transfers of a certain size, reducing the value of `BlockSize` reduces the buffering time, and might result in better performance.

+## Performance tuning for downloads

+Properly tuning data transfer options is key to reliable performance for downloads. Storage transfers are partitioned into several subtransfers based on the values of these properties.

+### Set transfer options for downloads

+The following properties can be tuned based on the needs of your app:

+- `BlockSize`: The maximum chunk size used for downloading a blob. Defaults to 4 MB.

+- `Concurrency`: The maximum number of subtransfers that can be used in parallel. Defaults to 5.

+These options are available when downloading using the following methods:

+- [DownloadBuffer](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.DownloadBuffer)

+- [DownloadFile](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.DownloadFile)

+The [DownloadStream](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.DownloadStream) method doesn't support these options, and downloads data in a single request.

+#### Code example

+The following code example shows how to define values for an [DownloadFileOptions](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#DownloadFileOptions) instance and pass these configuration options as a parameter to [DownloadFile](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#Client.DownloadFile).

+The values provided in this sample aren't intended to be a recommendation. To properly tune these values, you need to consider the specific needs of your app.

+```go

+func downloadBlobTransferOptions(client *azblob.Client, containerName string, blobName string) {

+ // Create or open a local file where we can download the blob

+ file, err := os.Create("path/to/sample/file")

+ handleError(err)

+ // Download the blob to the local file

+ _, err = client.DownloadFile(context.TODO(), containerName, blobName, file,

+ &azblob.DownloadFileOptions{

+ BlockSize: int64(4 * 1024 * 1024), // 4 MiB

+ Concurrency: uint16(2),

+ })

+ handleError(err)

+}

+```

+### Performance considerations for downloads

+During a download, the Storage client libraries split a given download request into multiple subdownloads based on the configuration options defined during client construction. Each subdownload has its own dedicated call to the REST operation. Depending on transfer options, the client libraries manage these REST operations in parallel to complete the full download.

+## Related content

+- This article is part of the Blob Storage developer guide for Go. See the full list of developer guide articles at [Build your app](storage-blob-go-get-started.md#build-your-app).

+- To understand more about factors that can influence performance for Azure Storage operations, see [Latency in Blob storage](storage-blobs-latency.md).

+- To see a list of design considerations to optimize performance for apps using Blob storage, see [Performance and scalability checklist for Blob storage](storage-performance-checklist.md).

+|Spark Version|HMS 2.3.x|HMS 3.1.X|

+|--|--|--|

+|3.3|Yes|Yes|

+|`spark.sql.hive.metastore.version`|Supported versions: <ul><li>`2.3`</li><li>`3.1`</li></ul> Make sure you use the first 2 parts without the 3rd part|

+|`spark.sql.hive.metastore.jars`|<ul><li>Version 2.3: `/opt/hive-metastore/lib-2.3/*:/usr/hdp/current/hadoop-client/lib/*:/usr/hdp/current/hadoop-client/*` </li><li>Version 3.1: `/opt/hive-metastore/lib-3.1/*:/usr/hdp/current/hadoop-client/lib/*:/usr/hdp/current/hadoop-client/*`</li></ul>|

+|`spark.sql.hive.metastore.sharedPrefixes`|`com.mysql.jdbc,com.microsoft.sqlserver,com.microsoft.vegas`|

+spark.sql.hive.metastore.sharedPrefixes com.mysql.jdbc,com.microsoft.sqlserver,com.microsoft.vegas

+Here is an example for metastore version 2.3 with linked service named as HiveCatalog21:

+spark.sql.hive.metastore.version 2.3

+spark.sql.hive.metastore.jars /opt/hive-metastore/lib-2.3/*:/usr/hdp/current/hadoop-client/lib/*

+spark.sql.hive.metastore.sharedPrefixes com.mysql.jdbc,com.microsoft.sqlserver,com.microsoft.vegas

+ "spark.sql.hive.metastore.jars":"/opt/hive-metastore/lib-<your hms version, 2 parts>/*:/usr/hdp/current/hadoop-client/lib/*",

+ "spark.sql.hive.metastore.sharedPrefixes":"com.mysql.jdbc,com.microsoft.sqlserver,com.microsoft.vegas"

+For more information, see [Azure WAFΓÇÖs Bot Manager 1.1 and JavaScript Challenge: Navigating the Bot Threat Terrain](https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-s-bot-manager-1-1-and-javascript-challenge-navigating/ba-p/4249652).