-Using managed identity adds the cache instance to the [trusted services list](../storage/common/storage-network-security.md?tabs=azure-portal), making firewall exceptions easier to carry out. If you aren't using managed identity and instead authorizing to a storage account using a key, then having firewall exceptions on the storage account tends to break the persistence process. This only applies to persistence in the Premium tier.

-| Linux | .NET 9 Preview 7^{1, 2} |

-

-Sending SMS to any recipient requires getting a phone number. Choosing the right number type is critical to the success of your messaging campaign. Some factors to consider when choosing a number type include destination(s) of the message, throughput requirement of your messaging campaign, and the timeline when you want to start sending messages. Azure Communication Services enables you to send SMS using a variety of sender types - toll-free number (1-8XX), short codes (12345), and alphanumeric sender ID (CONTOSO). The following table walks you through the features of each number type:

-|**Description**|Toll free numbers are telephone numbers with distinct three-digit codes that can be used for business to consumer communication without any charge to the consumer| Short codes are 5-6 digit numbers used for business to consumer messaging such as alerts, notifications, and marketing | Alphanumeric Sender IDs are displayed as a custom alphanumeric phrase like the companyΓÇÖs name (CONTOSO, MyCompany) on the recipient handset. Alphanumeric sender IDs can be used for a variety of use cases like one-time passcodes, marketing alerts, and flight status notifications. Dynamic alphanumeric sender ID is supported in countries that do not require registration for use.| Alphanumeric Sender IDs are displayed as a custom alphanumeric phrase like the companyΓÇÖs name (CONTOSO, MyCompany) on the recipient handset. Alphanumeric sender IDs can be used for a variety of use cases like one-time passcodes, marketing alerts, and flight status notifications. Pre-registered alphanumeric sender ID is supported in countries that require registration for use. |

-To utilize a new toll-free number for sending SMS messages, it is mandatory to undergo a toll-free verification process. For guidance on how to complete the verification of your toll-free number, please refer to the [Quickstart for submitting a toll-free verification](./apply-for-toll-free-verification.md). Note that only toll-free numbers that have been fully verified are authorized to send out SMS traffic. Any SMS traffic from unverified toll-free numbers directed to US and CA phone numbers will be blocked.

-Azure already encrypts data at rest and in transit. Confidential computing helps protect data in use, including cryptographic keys. Azure confidential computing helps customers prevent unauthorized access to data in use, including from the cloud operator, by processing data in a hardware-based and attested Trusted Execution Environment (TEE). When Azure confidential computing is enabled and properly configured, Microsoft is not able to access unencrypted customer data.

-description: For Deletion

-# For Deletion

-When you by a reservation, the current UTC date and time is used to record the transaction.

-| [Google BigQuery (legacy)](connector-google-bigquery-legacy.md)  | [Link](connector-google-bigquery.md#upgrade-the-google-bigquery-linked-service) |End of support announced and new version available | October 31, 2024 | January 10, 2025 |

-| [MariaDB (legacy driver version)](connector-mariadb.md)  | [Link](connector-mariadb.md#upgrade-the-mariadb-driver-version) | End of support announced and new version available | October 31, 2024 | January 10, 2025 |

-| [MySQL (legacy driver version)](connector-mysql.md)  | [Link](connector-mysql.md#upgrade-the-mysql-driver-version) | End of support announced and new version available | October 31, 2024| January 10, 2025|

-| [Salesforce (legacy)](connector-salesforce-legacy.md)   | [Link](connector-salesforce.md#upgrade-the-salesforce-linked-service) | End of support announced and new version available | October 11, 2024 | January 10, 2025|

-| [Salesforce Service Cloud (legacy)](connector-salesforce-service-cloud-legacy.md)   | [Link](connector-salesforce-service-cloud.md#upgrade-the-salesforce-service-cloud-linked-service) | End of support announced and new version available | October 11, 2024 |January 10, 2025 |

-| [PostgreSQL (legacy)](connector-postgresql-legacy.md)   | [Link](connector-postgresql.md#upgrade-the-postgresql-linked-service)| End of support announced and new version available |October 31, 2024 | January 10, 2025 |

-| [ServiceNow (legacy)](connector-servicenow-legacy.md)   | [Link](connector-servicenow.md#upgrade-your-servicenow-linked-service) | End of support announced and new version available | December 31, 2024 | March 1, 2025 |

-| [Snowflake (legacy)](connector-snowflake-legacy.md)   | [Link](connector-snowflake.md#upgrade-the-snowflake-linked-service) | End of support announced and new version available | October 31, 2024 | January 10, 2025 |

-| End of Support | At this stage, the connector is considered as deprecated, and no longer supported.<br>&nbsp;&nbsp;ΓÇó No plan to fix bugs. <br>&nbsp;&nbsp;ΓÇó No plan to add any new features. <br><br> If necessary due to outstanding security issues, or other factors, **Microsoft might expedite moving into the final disabled stage at any time, at Microsoft's discretion**.|

-Continuous integration is the practice of testing each change made to your codebase automatically and as early as possible. Continuous delivery follows the testing that happens during continuous integration and pushes changes to a staging or production system.

-1. A development data factory is created and configured with Azure Repos Git. All developers should have permission to author Data Factory resources like pipelines and datasets.

-1. A developer [creates a feature branch](source-control.md#creating-feature-branches) to make a change. They debug their pipeline runs with their most recent changes. For more information on how to debug a pipeline run, see [Iterative development and debugging with Azure Data Factory](iterative-development-debugging.md).

-1. After a developer is satisfied with their changes, they create a pull request from their feature branch to the main or collaboration branch to get their changes reviewed by peers.

-1. After a pull request is approved and changes are merged in the main branch, the changes get published to the development factory.

-1. When the team is ready to deploy the changes to a test or UAT (User Acceptance Testing) factory, the team goes to their Azure Pipelines release and deploys the desired version of the development factory to UAT. This deployment takes place as part of an Azure Pipelines task and uses Resource Manager template parameters to apply the appropriate configuration.

-1. After the changes have been verified in the test factory, deploy to the production factory by using the next task of the pipelines release.

- >[!Note]

- >The integration runtime sharing is only available for self-hosted integration runtimes. Azure-SSIS integration runtimes don't support sharing.

-

- To learn how to set up a feature flag, see the below video tutorial:

->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4IxdW]

- - Data factory entities depend on each other. For example, triggers depend on pipelines, and pipelines depend on datasets and other pipelines. Selective publishing of a subset of resources could lead to unexpected behaviors and errors.

- - On rare occasions when you need selective publishing, consider using a hotfix. For more information, see [Hotfix production environment](continuous-integration-delivery-hotfix-environment.md).

- We will no longer be publishing 'PartialArmTemplates' to the *adf_publish* branch starting 1-November 2021.

- **No action is required unless you are using 'PartialArmTemplates'. Otherwise, switch to any supported mechanism for deployments using: 'ARMTemplateForFactory.json' or 'linkedTemplates' files.**

-* An _int_ value from child pipeline to define the wait period for a [wait activity](control-flow-wait-activity.md)

-* A _string_ value to define the URL for the [Web activity](control-flow-web-activity.md)

-1. With _Object_ type, you can further expand into the nested json object, such as _@activity('Execute Pipeline1').output.pipelineReturnValue.keyName.nextLevelKey_

-2. With _Array_ type, you can specify the index in the list, with _@activity('Execute Pipeline1').output.pipelineReturnValue.keyName[0]_. The number is zero indexed, meaning that it starts with 0.

-While you can include multiple Set Pipeline Return Value activities in a pipeline, it's important to ensure that only one of them is executed in the pipeline.

-To avoid the previously described missing key problem when the calling pipeline, we encourage you to have the same list of keys for all branches in child pipeline. Consider using _null_ types for keys that don't have values, in a specific branch.

-Learn about another related control flow activity:

-The Azure Developer CLI (`azd`) is an open-source command-line tool that provides developer-friendly commands that map to key stages in your workflow. You can install `azd` locally on your machine or use it in other environments.

-The following is a typical template structure:

-To enable `azd` support with ADE, you need to set the `platform.type` to devcenter. This configuration allows `azd` to leverage new dev center components for remote environment state and provisioning, and means that the infra folder in your templates will effectively be ignored. Instead, `azd` will use one of the infrastructure templates defined in your dev center catalog for resource provisioning.

-When the dev center feature is enabled, the default behavior of some common azd commands changes to work with these remote environments. For more information, see [Work with Azure Deployment Environments](/azure/developer/azure-developer-cli/ade-integration?branch=main#work-with-azure-deployment-evironments).

-description: Understand how ADE and AZD work together to provision application infrastructure and deploy application code to the new infrastructure.

-# Customer intent: As a platform engineer, I want to use ADE and AZD together to provision application infrastructure and deploy application code to the new infrastructure.

-In this article, you create a new environment from an existing Azure Developer CLI (AZD) compatible template by using AZD. You learn how to configure Azure Deployment Environments (ADE) and AZD to work together to provision application infrastructure and deploy application code to the new infrastructure.

-To learn the key concepts of how AZD and ADE work together, see [Use Azure Developer CLI with Azure Deployment Environments](concept-azure-developer-cli-with-deployment-environments.md).

-Microsoft provides a quick start catalog that contains a set of AZD compatible templates that you can use to create environments. You can attach the quick start catalog to your dev center at creation or add it later. The quick start catalog contains a set of templates that you can use to create environments.

-## Examine an AZD compatible template

-You can use an existing AZD compatible template to create a new environment, or you can add an azure.yaml file to your repository. In this section, you examine an existing AZD compatible template.

-AZD provisioning for environments relies on curated templates from the catalog. Templates in the catalog might assign tags to provisioned Azure resources for you to associate your app services with in the azure.yaml file, or specify the resources explicitly. In this example, resources are specified explicitly.

-1. To view the quick start catalog in GitHub, paste the **Clone URL** into the address bar and press Enter.

-> Not all AZD compatible catalogs use the linked templates structure shown in the example. You can use a single catalog for all your environments by including the azure.yaml file. Using multiple catalogs and code repositories allows you more flexibility in configuring secure access for platform engineers and developers.

-Use an existing AZD compatible template to create a new environment.

-### Prepare to work with AZD

-When you work with AZD for the first time, there are some one-time setup tasks you need to complete. These tasks include installing the Azure Developer CLI, signing in to your Azure account, and enabling AZD support for Azure Deployment Environments.

-#### Install the Azure Developer CLI extension for Visual Studio Code

-When you install AZD, the AZD tools are installed within an AZD scope rather than globally, and are removed if AZD is uninstalled. You can install AZD in Visual Studio Code or from the command line.

-Sign in to AZD using the command palette:

-#### Enable AZD support for ADE

-When `platform.type` is set to `devcenter`, all AZD remote environment state and provisioning uses dev center components. AZD uses one of the infrastructure templates defined in your dev center catalog for resource provisioning. In this configuration, the *infra* folder in your local templates isn't used.

-Now you're ready to create an environment to work in. You begin with an existing template. ADE defines the infrastructure for your application, and the AZD template provides sample application code.

-1. In the AZD terminal, enter an environment name.

- AZD creates the project resources, including an *azure.yaml* file in the root of your project.

-1. To list the templates available, in the AZD terminal, run the following command:

-1. In the AZD terminal, enter an environment name.

- AZD creates the project resources, including an *azure.yaml* file in the root of your project.

-You can define AZD settings for your dev centers so that you don't need to specify them each time you update an environment. In this example, you define the names of the catalog, dev center, and project that you're using for your environment.

-You can use AZD to provision and deploy resources to your deployment environments using commands like `azd up` or `azd provision`.

-To how common AZD commands work with ADE, see [Work with Azure Deployment Environments](/azure/developer/azure-developer-cli/ade-integration?branch=main#work-with-azure-deployment-evironments).

-| Troubleshoot runtime issues | No | No | No |

-| RCA | No | No | No |

-| Performance Tuning | No | No | No |

-| Assistance in onboarding | No | No | No |

-| Spark core issues/updates | No | No | No |

-| Security/CVE updates | No | No | No |

-> [!div class="op_single_selector"]

-> - [Azure portal](howto-legacy-direct-portal.md)

-> - [PowerShell](howto-legacy-direct-powershell.md)

-This article describes how to convert an existing legacy Direct peering to an Azure resource by using the Azure portal.

-If you prefer, you can complete this guide by using [PowerShell](howto-legacy-direct-powershell.md).

-## Before you begin

-* Review the [prerequisites](prerequisites.md) and the [Direct peering walkthrough](walkthrough-direct-all.md) before you begin configuration.

-## Convert a legacy Direct peering to an Azure resource

-### Sign in to the portal and select your subscription

-### <a name=create></a>Convert a legacy Direct peering

-As an Internet Service Provider, you can convert legacy direct peering connections by using [Creating a Peering]( https://go.microsoft.com/fwlink/?linkid=2129593).

-1. On the **Create a Peering** page, on the **Basics** tab, fill in the boxes as shown here:

- > [!div class="mx-imgBorder"]

- > 

-* Select your Azure Subscription.

-* For Resource group, you can either choose an existing resource group from the drop-down list or create a new group by selecting Create new. We'll create a new resource group for this example.

-* Name corresponds to the resource name and can be anything you choose.

-* Region is auto-selected if you chose an existing resource group. If you chose to create a new resource group, you also need to choose the Azure region where you want the resource to reside.

->[!NOTE]

->The region where a resource group resides is independent of the location where you want to create peering with Microsoft. But it's a best practice to organize your peering resources within resource groups that reside in the closest Azure regions. For example, for peerings in Ashburn, you can create a resource group in East US or East US2.

-* Select your ASN in the **Peer ASN** box.

->[!IMPORTANT]

->You can only choose an ASN with ValidationState as Approved before you submit a peering request. If you just submitted your Peer ASN request, wait for 12 hours or so for ASN association to be approved. If the ASN you select is pending validation, you'll see an error message. If you don't see the ASN you need to choose, check that you selected the correct subscription. If so, check if you have already created Peer ASN by using **[Associate Peer ASN to Azure subscription](https://go.microsoft.com/fwlink/?linkid=2129592)**.

-#### Launch the resource and configure basic settings

-#### Configure connections and submit

-### <a name=get></a>Verify Direct peering

-The ultimate aim of any IoT device security measure is to create a secure IoT solution. But issues such as hardware limitations, cost, and level of security expertise all impact which options you choose. Further, your approach to security impacts how your IoT devices connect to the cloud. While there are [several elements of IoT security](https://www.microsoft.com/research/publication/seven-properties-highly-secure-devices/) to consider, a key element that every customer encounters is what authentication type to use.

-Three widely used authentication types are X.509 certificates, Trusted Platform Modules (TPM), and symmetric keys. While other authentication types exist, most customers who build solutions on Azure IoT use one of these three types. The rest of this article surveys pros and cons of using each authentication type.

-If you use X.509 certificates to authenticate your IoT devices, this section offers guidance on how to integrate certificates into your manufacturing process. You'll need to make several decisions. These include decisions about common certificate variables, when to generate certificates, and when to install them.

-If you're used to using passwords, you might ask why you can't use the same certificate in all your devices, in the same way that you'd be able to use the same password in all your devices. First, using the same password everywhere is dangerous. The practice has exposed companies to major DDoS attacks, including the one that took down DNS on the US East Coast several years ago. Never use the same password everywhere, even with personal accounts. Second, a certificate isn't a password, it's a unique identity. A password is like a secret code that anyone can use to open a door at a secured building. It's something you know, and you could give the password to anyone to gain entrance. A certificate is like a driver's license with your photo and other details, which you can show to a guard to get into a secured building. It's tied to who you are. Provided that the guard accurately matches people with driver's licenses, only you can use your license (identity) to gain entrance.

-There are a few factors that impact the decision on where certificates are stored. These factors include the type of device, expected profit margins (whether you can afford secure storage), device capabilities, and existing security technology on the device that you may be able to use. Consider the following options:

-Connectivity at the factory determines how and when you'll get the certificates to install on the devices. Connectivity options are as follows:

-Like a driver's license, certificates have an expiration date that is set when they are created. Here are the options for length of certificate validity:

-The internet connectivity capabilities at your factory will impact your process for generating certificates. You have several options for when to generate certificates:

-If you use pre-loaded certificates with an HSM, the process is simplified. After the HSM is installed in the device, the device code can access it. Then you'll call the HSM APIs to access the certificate that's stored in the HSM. This approach is the most convenient for your manufacturing process.

-If you don't use a pre-loaded certificate, you must install the certificate as part of your production process. The simplest approach is to install the certificate in the HSM at the same time that you flash the initial firmware image. Your process must add a step to install the image on each device. After this step, you can run final quality checks and any other steps, before you package and ship the device.

-There are software tools available that let you run the installation process and final quality check in a single step. You can modify these tools to generate a certificate, or to pull a certificate from a pre-generated certificate store. Then the software can install the certificate where you need to install it. Software tools of this type enable you to run production quality manufacturing at scale.

-If you use a TPM to authenticate your IoT devices, this section offers guidance. The guidance covers the widely used TPM 2.0 devices that have hash-based message authentication code (HMAC) key support. The TPM specification for TPM chips is an ISO standard that's maintained by the Trusted Computing Group. For more on TPM, see the specifications for [TPM 2.0](https://trustedcomputinggroup.org/tpm-library-specification/) and [ISO/IEC 11889](https://www.iso.org/standard/66510.html).

-A critical step in manufacturing a device with a TPM chip is to take ownership of the TPM. This step is required so that you can provide a key to the device owner. The first step is to extract the endorsement key (EK) from the device. The next step is to actually claim ownership. How you accomplish this depends on which TPM and operating system you use. If needed, contact the TPM manufacturer or the developer of the device operating system to determine how to claim ownership.

-At this point in the production process, you should know which DPS instance the device will be used with. As a result, you can add devices to the enrollment list for automated provisioning. For more information about automatic device provisioning, see the [DPS documentation](about-iot-dps.md).

-IoT Hub is an Azure service that enables you to ingest high volumes of telemetry from your IoT devices into the cloud for storage or processing. In this codeless quickstart, you use the Azure CLI to create an IoT hub and a simulated device. You'll send device telemetry to the hub, and send messages, call methods, and update properties on the device. You'll also use the Azure portal to visualize device metrics. This article shows a basic workflow for developers who use the CLI to interact with an IoT Hub application.

-Next, you prepare two Azure CLI sessions. If you're using the Cloud Shell, you'll run these sessions in separate Cloud Shell tabs. If using a local CLI client, you'll run separate CLI instances. Use the separate CLI sessions for the following tasks:

-In this section, you use the Azure CLI to create a resource group and an IoT hub. An Azure resource group is a logical container into which Azure resources are deployed and managed. An IoT hub acts as a central message hub for bi-directional communication between your IoT application and the devices.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

-1. In the first CLI session, run the [az iot device simulate](/cli/azure/iot/device#az-iot-device-simulate) command. This command starts the simulated device. The device sends telemetry to your IoT hub and receives messages from it.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

- Optionally, you can send cloud-to-device messages by using the Azure portal. To do this, browse to the overview page for your IoT Hub, select **IoT Devices**, select the simulated device, and select **Message to Device**.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

- > If you're using PowerShell in the CLI shell, use the PowerShell version of the command below. PowerShell requires you to escape the characters in the JSON payload.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

- *YourIotHubName*. Replace this placeholder below with the name you chose for your IoT hub.

-If you continue to the next recommended article, you can keep the resources you've already created and reuse them.

- datalakeStorageSettings:

- host: <account>.blob.core.windows.net

- datalakeStorageSettings:

- host: <account>.blob.core.windows.net

-datalakeStorageSettings:

-datalakeStorageSettings:

-datalakeStorageSettings:

-datalakeStorageSettings:

-datalakeStorageSettings:

-* The Azure IoT Operations extension for Azure CLI. Use the following command to add the extension or update it to the latest version:

-1. Remove the existing connected k8s cli if any

- ```azurecli

- az extension remove --name connectedk8s

- ```

-1. Download and install a preview version of the `connectedk8s` extension for Azure CLI.

- ```azurecli

- curl -L -o connectedk8s-1.10.0-py2.py3-none-any.whl https://github.com/AzureArcForKubernetes/azure-cli-extensions/raw/refs/heads/connectedk8s/public/cli-extensions/connectedk8s-1.10.0-py2.py3-none-any.whl

- az extension add --upgrade --source connectedk8s-1.10.0-py2.py3-none-any.whl

- ```

-* The latest version of the Azure IoT Operations extension for Azure CLI. Use the following command to add the extension or update it to the latest version:

-1. Remove the existing connected k8s cli if any

- ```azurecli

- az extension remove --name connectedk8s

- ```

-1. Download and install a preview version of the `connectedk8s` extension for Azure CLI.

- ```azurecli

- curl -L -o connectedk8s-1.10.0-py2.py3-none-any.whl https://github.com/AzureArcForKubernetes/azure-cli-extensions/raw/refs/heads/connectedk8s/public/cli-extensions/connectedk8s-1.10.0-py2.py3-none-any.whl

- az extension add --upgrade --source connectedk8s-1.10.0-py2.py3-none-any.whl

- ```

-The default deployment of the connector for OPC UA installs all the resources needed by [cert-manager](https://cert-manager.io/) to create an OPC UA compliant self-signed certificate. This certificate is stored in the `aio-opc-opcuabroker-default-application-cert` secret. This secret is mapped into all the connector for OPC UA pods and acts as the OPC UA client application instance certificate. `cert-manager` handles the automatic renewal of this application instance certificate.

-To complete the configuration of the application authentication mutual trust, you need to configure your OPC UA server to trust the connector for OPC UA application instance certificate:

-1. To extract the connector for OPC UA certificate into a `opcuabroker.crt` file, run the following command:

-1. Many OPC UA servers only support certificates in the DER format. If necessary, use the following command to convert the _opcuabroker.crt_ certificate to _opcuabroker.der_:

-1. Consult the documentation of your OPC UA server to learn how to add the `opcuabroker.crt` or `opcuabroker.der` certificate file to the server's trusted certificates list.

-description: Azure IoT Operations is a unified data plane for the edge. It's composed of various data services that run on Azure Arc-enabled edge Kubernetes clusters.

-_Azure IoT Operations Preview_ is a unified data plane for the edge. It's composed of a set of modular, scalable, and highly available data services that run on Azure Arc-enabled edge Kubernetes clusters such as [AKS Edge Essentials](#validated-environments). It enables data capture from various different systems and integrates with data modeling applications such as Microsoft Fabric to help organizations deploy the industrial metaverse.

-* Lets you manage all edge services from the cloud by using Azure Arc.

-* The _operations experience_ is a web UI that provides a unified experience for operational technologists to manage assets and dataflows in an Azure IoT Operations deployment. An IT administrator can use [Azure Arc site manager (preview)](/azure/azure-arc/site-manager/overview) to group Azure IoT Operations instances by physical location and make it easier for OT users to find instances.

-* Dataflows subscribe to MQTT topics to retrieve messages for processing.

-* Northbound cloud connectors subscribe to MQTT topics to fetch messages for forwarding to cloud services.

-To connect to the cloud from Azure IoT Operations, you have the following options:

-The northbound cloud connectors let you connect the MQTT broker directly to cloud services such as:

-* [MQTT brokers](connect-to-cloud/howto-configure-mqtt-bridge.md)

-* [Azure Event Hubs or Kafka](connect-to-cloud/howto-configure-kafka.md)

-* [Azure Data Lake Storage](connect-to-cloud/howto-configure-data-lake.md)

-In Azure IoT operations v0.6.0, the data processor was replaced by [dataflows](./connect-to-cloud/overview-dataflow.md). Dataflows provide enhanced data transformation and data contextualization capabilities within Azure IoT Operations. Dataflows can use schemas stored in the schema registry to deserialize and serialize messages.

-| Australia East | Australia East (Sydney) | Γ£ô | |

-az aks create -n <cluster-name> -g <resource-group> --node-vm-size Standard_D4s_v3 --node-count 3 --enable-azure-container-storage <storage-pool-type>

-NFS Azure file shares are only offered on premium file shares, which store data on solid-state drives (SSD). The IOPS and throughput of NFS shares scale with the provisioned capacity. See the [provisioned model](understanding-billing.md#provisioned-v1-model) section of the **Understanding billing** article to understand the formulas for IOPS, IO bursting, and throughput. The average IO latencies are low-single-digit-millisecond for small IO size, while average metadata latencies are high-single-digit-millisecond. Metadata heavy operations such as untar and workloads like WordPress might face additional latencies due to the high number of open and close operations.

-description: Calculate the total size of a container in Azure Blob storage for billing purposes.

-# Calculate the total billing size of a blob container

-This script calculates the size of a container in Azure Blob storage for the purpose of estimating billing costs. The script totals the size of the blobs in the container.

-> [!IMPORTANT]

-> The sample script provided in this article may not accurately calculate the billing size for blob snapshots.

-> [!NOTE]

-> This PowerShell script calculates the size of a container for billing purposes. If you are calculating container size for other purposes, see [Calculate the total size of a Blob storage container](../scripts/storage-blobs-container-calculate-size-powershell.md) for a simpler script that provides an estimate.

-## Determine the size of the blob container

-The total size of the blob container includes the size of the container itself and the size of all blobs under the container.

-The following sections describes how the storage capacity is calculated for blob containers and blobs. In the following section, Len(X) means the number of characters in the string.

-### Blob containers

-The following calculation describes how to estimate the amount of storage that's consumed per blob container:

-```

-48 bytes + Len(ContainerName) * 2 bytes +

-For-Each Metadata[3 bytes + Len(MetadataName) + Len(Value)] +

-For-Each Signed Identifier[512 bytes]

-```

-Following is the breakdown:

-* 48 bytes of overhead for each container includes the Last Modified Time, Permissions, Public Settings, and some system metadata.

-* The container name is stored as Unicode, so take the number of characters and multiply by two.

-* For each block of blob container metadata that's stored, we store the length of the name (ASCII), plus the length of the string value.

-* The 512 bytes per Signed Identifier includes signed identifier name, start time, expiry time, and permissions.

-### Blobs

-The following calculations show how to estimate the amount of storage consumed per blob.

-* Block blob (base blob or snapshot):

- ```

- 124 bytes + Len(BlobName) * 2 bytes +

- For-Each Metadata[3 bytes + Len(MetadataName) + Len(Value)] +

- 8 bytes + number of committed and uncommitted blocks * Block ID Size in bytes +

- SizeInBytes(data in unique committed data blocks stored) +

- SizeInBytes(data in uncommitted data blocks)

- ```

-* Page blob (base blob or snapshot):

- ```

- 124 bytes + Len(BlobName) * 2 bytes +

- For-Each Metadata[3 bytes + Len(MetadataName) + Len(Value)] +

- number of nonconsecutive page ranges with data * 12 bytes +

- SizeInBytes(data in unique pages stored)

- ```

-Following is the breakdown:

-* 124 bytes of overhead for blob, which includes:

- - Last Modified Time

- - Size

- - Cache-Control

- - Content-Type

- - Content-Language

- - Content-Encoding

- - Content-MD5

- - Permissions

- - Snapshot information

- - Lease

- - Some system metadata

-* The blob name is stored as Unicode, so take the number of characters and multiply by two.

-* For each block of metadata that's stored, add the length of the name (stored as ASCII), plus the length of the string value.

-* For the block blobs:

- * 8 bytes for the block list.

- * Number of blocks times the block ID size in bytes.

- * The size of the data in all of the committed and uncommitted blocks.

- >[!NOTE]

- >When snapshots are used, this size includes only the unique data for this base or snapshot blob. If the uncommitted blocks are not used after a week, they are garbage-collected. After that, they don't count toward billing.

-* For page blobs:

- * The number of nonconsecutive page ranges with data times 12 bytes. This is the number of unique page ranges you see when calling the **GetPageRanges** API.

- * The size of the data in bytes of all of the stored pages.

- >[!NOTE]

- >When snapshots are used, this size includes only the unique pages for the base blob or the snapshot blob that's being counted.

-## Sample script

-[!code-powershell[main](../../../powershell_scripts/storage/calculate-container-size/calculate-container-size-ex.ps1 "Calculate container size")]

-## Next steps

-description: Calculate the size of all Azure Blob Storage containers in a storage account.

-# Calculate the size of blob containers with PowerShell

-This script calculates the size of all Azure Blob Storage containers in a storage account.

-> [!IMPORTANT]

-> This PowerShell script provides an estimated size for the containers in an account and should not be used for billing calculations. For a script that calculates container size for billing purposes, see [Calculate the size of a Blob storage container for billing purposes](../scripts/storage-blobs-container-calculate-billing-size-powershell.md).

-## Sample script

-## Clean up deployment

-Run the following command to remove the resource group, container, and all related resources.

-```powershell

-Remove-AzResourceGroup -Name bloblisttestrg

-```

-## Script explanation

-This script uses the following commands to calculate the size of the Blob storage container. Each item in the table links to command-specific documentation.

-| Command | Notes |

-|||

-| [Get-AzStorageAccount](/powershell/module/az.storage/get-azstorageaccount) | Gets a specified Storage account or all of the Storage accounts in a resource group or the subscription. |

-| [Get-AzStorageContainer](/powershell/module/az.storage/get-azstoragecontainer) | Lists the storage containers. |

-| [Get-AzStorageBlob](/powershell/module/az.storage/Get-AzStorageBlob) | Lists blobs in a container. |

-## Next steps

-For a script that calculates container size for billing purposes, see [Calculate the size of a Blob storage container for billing purposes](../scripts/storage-blobs-container-calculate-billing-size-powershell.md).

-For more information on the Azure PowerShell module, see [Azure PowerShell documentation](/powershell/azure/).

-Find more PowerShell script samples in [PowerShell samples for Azure Storage](../blobs/storage-samples-blobs-powershell.md).

-description: Read an example that shows how to delete Azure Blob storage based on a prefix in the container name, using Azure PowerShell.

-# Delete containers based on container name prefix

-This script deletes containers in Azure Blob storage based on a prefix in the container name.

-## Sample script

-[!code-powershell[main](../../../powershell_scripts/storage/delete-containers-by-prefix/delete-containers-by-prefix.ps1 "Delete containers by prefix")]

-## Clean up deployment

-Run the following command to remove the resource group, remaining containers, and all related resources.

-```powershell

-Remove-AzResourceGroup -Name containerdeletetestrg

-```

-## Script explanation

-This script uses the following commands to delete containers based on container name prefix. Each item in the table links to command-specific documentation.

-| Command | Notes |

-|||

-| [Get-AzStorageAccount](/powershell/module/az.storage/get-azstorageaccount) | Gets a specified Storage account or all of the Storage accounts in a resource group or the subscription. |

-| [Get-AzStorageContainer](/powershell/module/az.storage/Get-AzStorageContainer) | Lists the storage containers associated with a storage account. |

-| [Remove-AzStorageContainer](/powershell/module/az.storage/Remove-AzStorageContainer) | Removes the specified storage container. |

-## Next steps

-For more information on the Azure PowerShell module, see [Azure PowerShell documentation](/powershell/azure/).

-Additional storage PowerShell script samples can be found in [PowerShell samples for Azure Blob storage](../blobs/storage-samples-blobs-powershell.md).

-description: Create an Azure Storage account, then retrieve and rotate one of its account access keys.

-# Rotate storage account access keys with PowerShell

-This script creates an Azure Storage account, displays the new storage account's primary access key, then renews (rotates) the key.

-## Sample script

-[!code-powershell[main](../../../powershell_scripts/storage/rotate-storage-account-keys/rotate-storage-account-keys.ps1 "Rotate storage account keys")]

-## Clean up deployment

-Run the following command to remove the resource group, storage account, and all related resources.

-```powershell

-Remove-AzResourceGroup -Name rotatekeystestrg

-```

-## Script explanation

-This script uses the following commands to create the storage account and retrieve and rotate one of its access keys. Each item in the table links to command-specific documentation.

-| Command | Notes |

-|||

-| [Get-AzLocation](/powershell/module/az.resources/get-azlocation) | Gets all locations and the supported resource providers for each location. |

-| [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) | Creates an Azure resource group. |

-| [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount) | Creates a Storage account. |

-| [Get-AzStorageAccountKey](/powershell/module/az.storage/get-azstorageaccountkey) | Gets the access keys for an Azure Storage account. |

-| [New-AzStorageAccountKey](/powershell/module/az.storage/new-azstorageaccountkey) | Regenerates an access key for an Azure Storage account. |

-## Next steps

-For more information on the Azure PowerShell module, see [Azure PowerShell documentation](/powershell/azure/).

-Additional storage PowerShell script samples can be found in [PowerShell samples for Azure Blob storage](../blobs/storage-samples-blobs-powershell.md).

- Ensure that the registry path *HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, NoAutoUpdate* is set to 1.

- - iOS and iPadOS

- - iOS and iPadOS

- - Android (preview only)

- | ManagedPrivateUdp | RDP Shortpath for managed networks | Enabled |

- | DirectUdp | RDP Shortpath for managed networks with ICE/STUN | Enabled |

- | PublicUdp | RDP Shortpath for public networks with ICE/STUN | Enabled |

- | RelayUdp | RDP Shortpath for public networks via TURN | Enabled |

-If your environment uses Symmetric NAT, then you can use an indirect connection with TURN. For more information you can use to configure firewalls and Network Security Groups, see [Network configurations for RDP Shortpath](rdp-shortpath.md?tabs=public-networks#network-configuration).

-RDP Shortpath establishes a direct UDP-based transport between a local device Windows App or the Remote Desktop app on supported platforms and session host in Azure Virtual Desktop.

-By default, the Remote Desktop Protocol (RDP) tries to establish a remote session using UDP and uses a TCP-based reverse connect transport as a fallback connection mechanism. UDP-based transport offers better connection reliability and more consistent latency. TCP-based reverse connect transport provides the best compatibility with various networking configurations and has a high success rate for establishing RDP connections.

-1. **Managed networks**, where direct connectivity is established between the client and the session host when using a private connection, such as a virtual private network (VPN). A connection using a managed network is established in one of the following ways:

- 1. An *indirect* UDP connection using the Traversal Using Relay NAT (TURN) protocol with a relay between a client and session host.

-To provide the best chance of a UDP connection being successful when using a public connection, there are the *direct* and *indirect* connection types:

- For a client to use STUN, its network must allow UDP traffic. Assuming both the client and session host can route to the other's discovered IP address and port directly, communication is established with direct UDP over the WebSocket protocol. If firewalls or other network devices block direct connections, an indirect UDP connection will be tried.

- TURN typically authorizes access to the server via username/password and its preferred mode of operation is to use UDP sockets. If firewalls or other network devices block UDP traffic, the connection will fall back to a TCP-based reverse connect transport.

-Most networks typically include firewalls that inspect traffic and block it based on rules. Most customers configure their firewalls to prevent incoming connections (that is, unsolicited packets from the Internet sent without a request). Firewalls employ different techniques to track data flow to distinguish between solicited and unsolicited traffic. In the context of TCP, the firewall tracks SYN and ACK packets, and the process is straightforward. UDP firewalls usually use heuristics based on packet addresses to associate traffic with UDP flows and allow or block it.

-There are many different NAT implementations available. In most cases, NAT gateway and firewall are the functions of the same physical or virtual device.

-1. After the session host and client exchange their candidate lists, both parties attempt to connect with each other using all the gathered candidates. This connection attempt is simultaneous on both sides. Many NAT gateways are configured to allow the incoming traffic to the socket as soon as the outbound data transfer initializes it. This behavior of NAT gateways is the reason the simultaneous connection is essential. If STUN fails because it's blocked, an indirect connection attempt is made using TURN.

-> [!IMPORTANT]

-> When using a TCP-based transport, outbound traffic from session host to client is through the Azure Virtual Desktop Gateway. With RDP Shortpath for public networks using STUN, outbound traffic is established directly between session host and client over the internet. This removes a hop which improves latency and end user experience. However, due to the changes in data flow between session host and client where the Gateway is no longer used, there will be standard [Azure egress network charges](https://azure.microsoft.com/pricing/details/bandwidth/) billed in addition per subscription for the internet bandwidth consumed. To learn more about estimating the bandwidth used by RDP, see [RDP bandwidth requirements](rdp-bandwidth.md).

-If your environment uses Symmetric NAT, which is the mapping of a single private source *IP:Port* to a unique public destination *IP:Port*, then you can use an indirect connection with TURN. This will be the case if you use Azure Firewall and Azure NAT Gateway. For more information about NAT with Azure virtual networks, see [Source Network Address Translation with virtual networks](../virtual-network/nat-gateway/nat-gateway-resource.md#source-network-address-translation).

-Where users have RDP Shortpath for both managed network and public networks is available to them, then the first algorithm found will be used. The user will use whichever connection gets established first for that session. For more information, see [Example scenarios](#example-scenarios).

-#### TURN availability

-TURN is available in the following Azure regions:

- :::column:::

- - Australia Southeast

- - Central India

- - East US

- - East US 2

- - France Central

- - Japan West

- - North Europe

- :::column-end:::

- :::column:::

- - South Central US

- - Southeast Asia

- - UK South

- - UK West

- - West Europe

- - West US

- - West US 2

- :::column-end:::

-| RDP Shortpath Server Endpoint | VM subnet | Any | Any | 1024-65535<br />(*default 49152-65535*) | UDP | Allow |

-| STUN/TURN UDP | VM subnet | Any | 20.202.0.0/16 | 3478 | UDP | Allow |

-| STUN/TURN TCP | VM subnet | Any | 20.202.0.0/16 | 443 | TCP | Allow |

-| RDP Shortpath Server Endpoint | Client network | Any | Public IP addresses assigned to NAT Gateway or Azure Firewall (provided by the STUN endpoint) | 1024-65535<br />(*default 49152-65535*) | UDP | Allow |

-| STUN/TURN UDP | Client network | Any | 20.202.0.0/16 | 3478 | UDP | Allow |

-| STUN/TURN TCP | Client network | Any | 20.202.0.0/16 | 443 | TCP | Allow |

-A firewall or NAT device is blocking a direct UDP connection, but an indirect UDP connection can be relayed using TURN between the client device and the session host over a public network (internet). Another direct connection, such as a VPN, isn't available.

-Both RDP Shortpath for public networks and managed networks are configured, however a UDP connection couldn't be established using direct VPN connection. A firewall or NAT device is also blocking a direct UDP connection using the public network (internet), but an indirect UDP connection can be relayed using TURN between the client device and the session host over a public network (internet).

- | VPN Gateway (using Basic IPs) |At this time, it's not necessary to upgrade. When an upgrade is necessary, we'll update this decision path with migration information and send out a service health alert. |

-When multiple ExpressRoute circuits are connected to a Virtual WAN hub, ECMP enables traffic from spoke virtual networks to on-premises over ExpressRoute to be distributed across all ExpressRoute circuits advertising the same on-premises routes. To enable ECMP for your Virtual WAN hub, please reach out to virtual-wan-ecmp@microsoft.com with your Virtual WAN hub resource ID.

-* As part of the Basic IP to Standard IP migration, the gateways will be upgraded to Gen2. This upgrade will occur automatically when you initiate the migration.