+| Online courses| SkillUp Online: [Managing Identities](https://skillup.online/courses/course-v1:Microsoft+AZ-100.5+2018_T3/) <br> Learn how to integrate Azure AD with many SaaS applications and to secure user access to those applications. |

+>The preview is only supported in Azure Global and Azure Government clouds.

+|| Multifactor authentication (MFA) ¹| &#x2705; |

+|| Shared device sign-out | Enterprise state roaming for Windows 10 devices isn't available. |

+¹Microsoft Authenticator only shows GUID and not UPN for compliance reasons.

+ Title: Convert single-tenant app to multi-tenant on Azure AD

+description: Shows how to convert an existing single-tenant app to a multi-tenant app that can sign in a user from any Azure AD tenant.

+#Customer intent: As an Azure user, I want to convert a single tenant app to an Azure AD multi-tenant app so any Azure AD user can sign in,

+# Making your application multi-tenant

+If you offer a Software as a Service (SaaS) application to many organizations, you can configure your application to accept sign-ins from any Azure Active Directory (Azure AD) tenant by converting it to multi-tenant. Users in any Azure AD tenant will be able to sign in to your application after consenting to use their account with your application.

+For existing apps with its own account system (or other sign-ins from other cloud providers), you should add sign-in code via OAuth2, OpenID Connect, or SAML, and put a ["Sign in with Microsoft" button][AAD-App-Branding] in your application.

+In this how-to guide, you'll undertake the four steps needed to convert a single tenant app into an Azure AD multi-tenant app:

+2. [Update your code to send requests to the `/common` endpoint](#update-your-code-to-send-requests-to-common)

+4. [Understand user and admin consent and make appropriate code changes](#understand-user-and-admin-consent-and-make-appropriate-code-changes)

+You can also refer to the sample; [Build a multi-tenant SaaS web application that calls Microsoft Graph using Azure AD and OpenID Connect](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md). This how-to assumes familiarity with building a single-tenant application for Azure AD. If not, start with one of the quickstarts on the [developer guide homepage][AAD-Dev-Guide].

+By default, web app/API registrations in Azure AD are single-tenant upon creation. To make the registration multi-tenant, look for the **Supported account types** section on the **Authentication** pane of the application registration in the [Azure portal][AZURE-portal]. Change the setting to **Accounts in any organizational directory**.

+When a single-tenant application is created via the Azure portal, one of the items listed on the **Overview** page is the **Application ID URI**. This is one of the ways an application is identified in protocol messages, and can be added at any time. The App ID URI for single tenant apps can be globally unique within that tenant. In contrast, for multi-tenant apps it must be globally unique across all tenants, which ensures that Azure AD can find the app across all tenants.

+For example, if the name of your tenant was `contoso.onmicrosoft.com` then a valid App ID URI would be `https://contoso.onmicrosoft.com/myapp`. If the App ID URI doesnΓÇÖt follow this pattern, setting an application as multi-tenant fails.

+## Update your code to send requests to `/common`

+With a multi-tenant application, because the application can't immediately tell which tenant the user is from, requests can't be sent to a tenantΓÇÖs endpoint. Instead, requests are sent to an endpoint that multiplexes across all Azure AD tenants: `https://login.microsoftonline.com/common`.

+Edit your code and change the value for your tenant to `/common`. It's important to note that this endpoint isn't a tenant or an issuer itself. When the Microsoft identity platform receives a request on the `/common` endpoint, it signs the user in, thereby discovering which tenant the user is from. This endpoint works with all of the authentication protocols supported by the Azure AD (OpenID Connect, OAuth 2.0, SAML 2.0, WS-Federation).

+The sign-in response to the application then contains a token representing the user. The issuer value in the token tells an application what tenant the user is from. When a response returns from the `/common` endpoint, the issuer value in the token corresponds to the userΓÇÖs tenant.

+Web applications and web APIs receive and validate tokens from the Microsoft identity platform. Native client applications don't validate access tokens and must treat them as opaque. They instead request and receive tokens from the Microsoft identity platform, and do so to send them to APIs, where they're then validated. Multi-tenant applications canΓÇÖt validate tokens by matching the issuer value in the metadata with the `issuer` value in the token. A multi-tenant application needs logic to decide which issuer values are valid and which aren't based on the tenant ID portion of the issuer value.

+For example, if a multi-tenant application only allows sign-in from specific tenants who have signed up for their service, then it must check either the `issuer` value or the `tid` claim value in the token to make sure that tenant is in their list of subscribers. If a multi-tenant application only deals with individuals and doesnΓÇÖt make any access decisions based on tenants, then it can ignore the issuer value altogether.

+In the [multi-tenant samples][AAD-Samples-MT], issuer validation is disabled to enable any Azure AD tenant to sign in. Because the `/common` endpoint doesnΓÇÖt correspond to a tenant and isnΓÇÖt an issuer, when you examine the issuer value in the metadata for `/common`, it has a templated URL instead of an actual value:

+https://sts.windows.net/{tenantid}/

+To ensure your app can support multiple tenants, modify the relevant section of your code to ensure that your issuer value is set to `{tenantid}`.

+In contrast, single-tenant applications normally take endpoint values to construct metadata URLs such as:

+...where the GUID value is the rename-safe version of the tenant ID of the tenant.

+## Understand user and admin consent and make appropriate code changes

+For a user to sign in to an application in Azure AD, the application must be represented in the userΓÇÖs tenant. This allows the organization to do things like apply unique policies when users from their tenant sign in to the application. For a single-tenant application, one can use the registration via the [Azure portal][AZURE-portal].

+For a multi-tenant application, the initial registration for the application resides in the Azure AD tenant used by the developer. When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a *service principal* is created in the userΓÇÖs tenant, and sign-in can continue. A delegation is also created in the directory that records the userΓÇÖs consent to the application. For details on the application's Application and ServicePrincipal objects, and how they relate to each other, see [Application objects and service principal objects][AAD-App-SP-Objects].

+![Diagram which illustrates a user's consent to a single-tier app.][Consent-Single-Tier]

+Certain delegated permissions also require a tenant administratorΓÇÖs consent. For example, the ability to write back to Azure AD as the signed in user requires a tenant administratorΓÇÖs consent. Like app-only permissions, if an ordinary user tries to sign in to an application that requests a delegated permission that requires administrator consent, the app receives an error. Whether a permission requires admin consent is determined by the developer that published the resource, and can be found in the documentation for the resource. The permissions documentation for the [Microsoft Graph API][MSFT-Graph-permission-scopes] indicate which permissions require admin consent.

+If your application uses permissions that require admin consent, consider adding a button or link where the admin can initiate the action. The request your application sends for this action is the usual OAuth2/OpenID Connect authorization request that also includes the `prompt=consent` query string parameter. Once the admin has consented and the service principal is created in the customerΓÇÖs tenant, subsequent sign-in requests don't need the `prompt=consent` parameter. Since the administrator has decided the requested permissions are acceptable, no other users in the tenant are prompted for consent from that point forward.

+The `prompt=consent` parameter can also be used by applications that request permissions that don't require admin consent. An example of when this would be used is if the application requires an experience where the tenant admin ΓÇ£signs upΓÇ¥ one time, and no other users are prompted for consent from that point on.

+![Diagram which illustrates consent to multi-tier known client app.][Consent-Multi-Tier-Known-Client]

+![Diagram which illustrates consent to multi-tier multi-party app.][Consent-Multi-Tier-Multi-Party]

+If an administrator consents to an application for all users in a tenant, users can't revoke access individually. Only the administrator can revoke access, and only for the whole application.

+Multi-tenant applications can also get access tokens to call APIs that are protected by Azure AD. A common error when using the Microsoft Authentication Library (MSAL) with a multi-tenant application is to initially request a token for a user using `/common`, receive a response, then request a subsequent token for that same user also using `/common`. Because the response from Azure AD comes from a tenant, not `/common`, MSAL caches the token as being from the tenant. The subsequent call to `/common` to get an access token for the user misses the cache entry, and the user is prompted to sign in again. To avoid missing the cache, make sure subsequent calls for an already signed in user are made to the tenantΓÇÖs endpoint.

+In this article, you learned how to convert a single tenant application to a multi-tenant application. After enabling single sign-on (SSO) between your app and Azure AD, update your app to access APIs exposed by Microsoft resources like Microsoft 365. This lets you offer a personalized experience in your application, such as showing contextual information to the users, for example, profile pictures and calendar appointments.

+> You can use MSAL Node's acquireTokenInteractive public API to acquire tokens via an external user-agent such as the default system browser.

+> const { shell } = require('electron');

+>

+> try {

+> const openBrowser = async (url) => {

+> await shell.openExternal(url);

+> };

+>

+> const authResponse = await pca.acquireTokenInteractive({

+> scopes: ["User.Read"],

+> openBrowser,

+> successTemplate: '<h1>Successfully signed in!</h1> <p>You can close this window now.</p>',

+> failureTemplate: '<h1>Oops! Something went wrong</h1> <p>Check the console for more information.</p>',

+> });

+>

+> return authResponse;

+> } catch (error) {

+> throw error;

+>

+- Supported account types: **Accounts in my organizational directory only (single tenant)**

+- Redirect URI: `http://localhost`

+ npm install --save @azure/msal-node @microsoft/microsoft-graph-sdk isomorphic-fetch bootstrap jquery popper.js

+ npm install --save-dev electron@20.0.0

+This preload script exposes a renderer API to give the renderer process controlled access to some `Node APIs` by applying IPC channels that have been configured for communication between the main and renderer processes.

+6. Finally, create a file named *constants.js* that will store the strings constants for describing the application **events**:

+│   ├── graph.js

+In the code snippet above, we first initialized MSAL Node `PublicClientApplication` by passing a configuration object (`msalConfig`). We then exposed `login`, `logout` and `getToken` methods to be called by main module (*main.js*). In `login` and `getToken`, we acquire ID and access tokens using MSAL Node `acquireTokenInteractive` public API.

+## Add Microsoft Graph SDK

+Create a file named *graph.js*. The *graph.js* file will contain an instance of the Microsoft Graph SDK Client to facilitate accessing data on the Microsoft Graph API, using the access token obtained by MSAL Node:

+Create an environment file to store the app registration details that will be used when acquiring tokens. To do so, create a file named *authConfig.js* inside the root folder of the sample (*ElectronDesktopApp*), and add the following code:

+After you sign in, select **See Profile** to view the user profile information returned in the response from the call to the Microsoft Graph API. After consent, you'll view the profile information returned in the response:

+When a user selects the **Sign In** button for the first time, the `acquireTokenInteractive` method of MSAL Node. This method redirects the user to sign-in with the Microsoft identity platform endpoint and validates the user's credentials, obtains an **authorization code** and then exchanges that code for an ID token, access token, and refresh token. MSAL Node also caches these tokens for future use.

+- Microsoft Azure commercial cloud and Microsoft Azure Government

+- Microsoft Azure commercial cloud and Microsoft Azure China 21Vianet

+## Sign-in endpoints

+After enabling collaboration with an organization from a different Microsoft cloud, cross-cloud Azure AD guest users can now sign in to your multi-tenant or Microsoft first-party apps by using a [common endpoint](redemption-experience.md#redemption-and-sign-in-through-a-common-endpoint) (in other words, a general app URL that doesn't include your tenant context). During the sign-in process, the guest user chooses **Sign-in options**, and then selects **Sign in to an organization**. The user then types the name of your organization and continues signing in using their Azure AD credentials.

+Cross-cloud Azure AD guest users can also use application endpoints that include your tenant information, for example:

+ * `https://myapps.microsoft.com/?tenantid=<your tenant ID>`

+ * `https://myapps.microsoft.com/<your verified domain>.onmicrosoft.com`

+ * `https://contoso.sharepoint.com/sites/testsite`

+You can also give cross-cloud Azure AD guest users a direct link to an application or resource by including your tenant information, for example `https://myapps.microsoft.com/signin/Twitter/<application ID?tenantId=<your tenant ID>`.

+## Supported scenarios with cross-cloud Azure AD guest users

+The following scenarios are supported when collaborating with an organization from a different Microsoft cloud:

+- Use B2B collaboration to invite a user in the partner tenant to access resources in your organization, including web line-of-business apps, SaaS apps, and SharePoint Online sites, documents, and files.

+- Use B2B collaboration to [share Power BI content to a user in the partner tenant](/power-bi/enterprise/service-admin-azure-ad-b2b#cross-cloud-b2b).

+- Apply Conditional Access policies to the B2B collaboration user and opt to trust multi-factor authentication or device claims (compliant claims and hybrid Azure AD joined claims) from the userΓÇÖs home tenant.

+- Microsoft Azure commercial cloud and Microsoft Azure Government

+- Microsoft Azure commercial cloud and Microsoft Azure China (operated by 21Vianet)

+- Apply Conditional Access policies to the B2B collaboration user and opt to trust multi-factor authentication or device claims (compliant claims and hybrid Azure AD joined claims) from the userΓÇÖs home tenant.

+ Title: Leave an organization - Azure Active Directory

+As an Azure Active Directory (Azure AD) [B2B collaboration](/articles/active-directory/external-identities/what-is-b2b.md) or [B2B direct connect](/articles/active-directory/external-identities/b2b-direct-connect-overview.md) user, you can leave an organization at any time if you no longer need to use apps from that organization, or maintain any association.

+You can usually leave an organization on your own without having to contact an administrator. However, in some cases this option won't be available and you'll need to contact your tenant admin, who can delete your account in the external organization. This article is intended for administrators. If you're a user looking for information about how to manage and leave an organization, see the [Manage organizations article.](https://support.microsoft.com/account-billing/manage-organizations-for-a-work-or-school-account-in-the-my-account-portal-a9b65a70-fec5-4a1a-8e00-09f99ebdea17)

+1. To view the organizations you belong to, first open your **My Account** page. You either have a work or school account created by an organization or a personal account such as for Xbox, Hotmail, or Outlook.com.

+ - **Home organization**: Your home organization is listed first. This organization owns your work or school account. Because your account is managed by your administrator, you're not allowed to leave your home organization. You'll see there's no link to **Leave**. If you don't have an assigned home organization, you'll just see a single heading that says **Organizations** with the list of your associated organizations.

+1. If you select **Leave** for an organization but you see the following message, it means youΓÇÖll need to contact the organization's admin, or privacy contact and ask them to remove you from their organization.

+In the **Home organization** section, there's no link to **Leave** your organization. Only an administrator can remove your account from your home organization.

+Administrators can use the **External user leave settings** to control whether external users can remove themselves from their organization. If you disallow the ability for external users to remove themselves from your organization, external users will need to contact your admin, or privacy contact to be removed.

+ - **No**: Users can't leave your organization themselves. They'll see a message guiding them to contact your admin, or privacy contact to request removal from your organization.

+ :::image type="content" source="media/leave-the-organization/external-user-leave-settings.png" alt-text="Screenshot showing External user leave settings in the portal.":::

+Permanent deletion can be initiated by the admin, or it happens at the end of the soft deletion period. Permanent deletion can take up to an extra 30 days for data removal ([learn more](/compliance/regulatory/gdpr-dsr-azure#step-5-delete)).

+- Learn more about [Azure AD B2B collaboration](what-is-b2b.md) and [Azure AD B2B direct connect](b2b-direct-connect-overview.md)

+- [Close your Microsoft account](/microsoft-365/commerce/close-your-account)

+Guest users can now sign in to your multi-tenant or Microsoft first-party apps through a common endpoint (URL), for example `https://myapps.microsoft.com`. Previously, a common URL would redirect a guest user to their home tenant instead of your resource tenant for authentication, so a tenant-specific link was required (for example `https://myapps.microsoft.com/?tenantid=<tenant id>`). Now the guest user can go to the application's common URL, choose **Sign-in options**, and then select **Sign in to an organization**. The user then types the domain name of your organization.

+**Supported operating systems**: Signing into virtual machines in Azure using Azure AD authentication is currently supported in Windows and Linux. For more specifics on supported operating systems, refer to the documentation for [Windows](../devices/howto-vm-sign-in-azure-ad-windows.md) and [Linux](/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux).

+**Network Requirements**: These virtual machines will need to access Azure AD for authentication so you must ensure that the virtual machines network configuration permits outbound access to Azure AD endpoints on 443. See the documentation for [Windows](../devices/howto-vm-sign-in-azure-ad-windows.md) and [Linux](/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux) for more information.

+* [Best practices](secure-with-azure-ad-best-practices.md)

+Applications | <ul><li>Register (create) new applications<li>Enumerate the list of all applications<li>Read properties of registered and enterprise applications<li>List permissions granted to applications<li>Manage application properties, assignments, and credentials for owned applications<li>Create or delete application passwords for users<li>Delete owned applications<li>Restore owned applications<li>List permissions granted to applications</ul> | <ul><li>Read properties of registered and enterprise applications<li>List permissions granted to applications</ul> | <ul><li>Read properties of registered and enterprise applications</li><li>List permissions granted to applications</li></ul>

+> To take advantaged of leaver scenarios, you can set the employeeLeaveDateTime manually for cloud-only users. For more information, see: [Configure the employeeLeaveDateTime property for a user](/graph/tutorial-lifecycle-workflows-set-employeeleavedatetime)

+- [Complete employee offboarding tasks in real-time on their last day of work using Lifecycle Workflows APIs](/graph/tutorial-lifecycle-workflows-offboard-custom-workflow)

+- [Automate employee onboarding tasks before their first day of work using Lifecycle Workflows APIs](/graph/tutorial-lifecycle-workflows-onboard-custom-workflow)

+- [Automate employee offboarding tasks after their last day of work using Lifecycle Workflows APIs](/graph/tutorial-lifecycle-workflows-scheduled-leaver)

+1. Select **Consent on behalf of your organization** and then select **Accept**. The application is added to your tenant and the application home page appears. To learn more about user and admin consent, see [Understand user and admin consent](../develop/howto-convert-app-to-be-multi-tenant.md#understand-user-and-admin-consent-and-make-appropriate-code-changes).

+ :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/identity-governance.png" alt-text="Select Identity Governance in the Azure portal screenshot." lightbox="./media/pim-create-azure-ad-roles-and-resource-roles-review/identity-governance.png":::

+**A**: Currently, Azure Monitor is supported by [Splunk](./howto-integrate-activity-logs-with-splunk.md), IBM QRadar, [Sumo Logic](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure/), [ArcSight](./howto-integrate-activity-logs-with-arcsight.md), LogRhythm, and Logz.io. For more information about how the connectors work, see [Stream Azure monitoring data to an event hub for consumption by an external tool](../../azure-monitor/essentials/stream-monitoring-data-event-hubs.md).

+**A**: First, [route the Azure AD activity logs to an event hub](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#collecting-logs-for-azure-active-directory), then follow the steps to [Install the Azure AD application and view the dashboards in SumoLogic](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#viewing-azure-active-directory-dashboards).

+2. Configure your SumoLogic instance to [collect logs for Azure Active Directory](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#collecting-logs-for-azure-active-directory).

+3. [Install the Azure AD SumoLogic app](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#viewing-azure-active-directory-dashboards) to use the pre-configured dashboards that provide real-time analysis of your environment.

+* [Frequently asked questions and known issues](concept-activity-logs-azure-monitor.md#frequently-asked-questions)

+ * **Sumo Logic**: To set up Sumo Logic to consume data from an event hub, see [Install the Azure AD app and view the dashboards](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#viewing-azure-active-directory-dashboards).

+ b. Copy **Login URL** value from Azure portal, paste it in the **Identity Provider SSO URL** textbox in Atlassian.

+ c. Copy **Azure AD Identifier** value from Azure portal, paste it in the **Identity Provider Entity ID** textbox in Atlassian.

+The release of memorandum 22-09 is designed to support Zero Trust initiatives within federal agencies. It also provides regulatory guidance in supporting federal cybersecurity and data privacy laws. The memo cites the [Department of Defense (DoD) Zero Trust Reference Architecture](https://cloudsecurityalliance.org/artifacts/dod-zero-trust-reference-architecture/):

+> [!NOTE]

+> The rest of the examples on this page require that you've followed the instructions in [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver][identity-access-methods], chosen one of the identity methods, and configured a SecretProviderClass. Come back to this page after completed those steps.

+[install-azakskubectl]: /powershell/module/az.aks/install-azaksclitool

+[install-azakskubectl]: /powershell/module/az.aks/install-azaksclitool

+ Title: Connect to Azure Kubernetes Service (AKS) cluster nodes

+description: Learn how to connect to Azure Kubernetes Service (AKS) cluster nodes for troubleshooting and maintenance tasks.

+#Customer intent: As a cluster operator, I want to learn how to connect to virtual machines in an AKS cluster to perform maintenance or troubleshoot a problem.

+# Connect to Azure Kubernetes Service (AKS) cluster nodes for maintenance or troubleshooting

+Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you may need to access an AKS node. This access could be for maintenance, log collection, or other troubleshooting operations. You can access AKS nodes using SSH, including Windows Server nodes. You can also [connect to Windows Server nodes using remote desktop protocol (RDP) connections][aks-windows-rdp]. For security purposes, the AKS nodes aren't exposed to the internet. To connect to the AKS nodes, you use `kubectl debug` or the private IP address.

+This article shows you how to create a connection to an AKS node.

+## Before you begin

+This article assumes you have an SSH key. If not, you can create an SSH key using [macOS or Linux][ssh-nix] or [Windows][ssh-windows]. If you use PuTTY Gen to create the key pair, save the key pair in an OpenSSH format rather than the default PuTTy private key format (.ppk file).

+You also need the Azure CLI version 2.0.64 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+## Create an interactive shell connection to a Linux node

+To create an interactive shell connection to a Linux node, use the `kubectl debug` command to run a privileged container on your node. To list your nodes, use the `kubectl get nodes` command:

+```bash

+kubectl get nodes -o wide

+```

+The following example resembles output from the command:

+```output

+NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME

+aks-nodepool1-12345678-vmss000000 Ready agent 13m v1.19.9 10.240.0.4 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure

+aks-nodepool1-12345678-vmss000001 Ready agent 13m v1.19.9 10.240.0.35 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure

+aksnpwin000000 Ready agent 87s v1.19.9 10.240.0.67 <none> Windows Server 2019 Datacenter 10.0.17763.1935 docker://19.3.1

+```

+Us the `kubectl debug` command to run a container image on the node to connect to it.

+```bash

+kubectl debug node/aks-nodepool1-12345678-vmss000000 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0

+```

+The following command starts a privileged container on your node and connects to it.

+```bash

+kubectl debug node/aks-nodepool1-12345678-vmss000000 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0

+```

+The following example resembles output from the command:

+```output

+Creating debugging pod node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx with container debugger on node aks-nodepool1-12345678-vmss000000.

+If you don't see a command prompt, try pressing enter.

+root@aks-nodepool1-12345678-vmss000000:/#

+```

+This privileged container gives access to the node.

+> [!NOTE]

+> You can interact with the node session by running `chroot /host` from the privileged container.

+### Remove Linux node access

+When done, `exit` the interactive shell session. After the interactive container session closes, delete the pod used for access with `kubectl delete pod`.

+```bash

+kubectl delete pod node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx

+```

+## Create the SSH connection to a Windows node

+At this time, you can't connect to a Windows Server node directly by using `kubectl debug`. Instead, you need to first connect to another node in the cluster, then connect to the Windows Server node from that node using SSH. Alternatively, you can [connect to Windows Server nodes using remote desktop protocol (RDP) connections][aks-windows-rdp] instead of using SSH.

+To connect to another node in the cluster, use the `kubectl debug` command. For more information, see [Create an interactive shell connection to a Linux node][ssh-linux-kubectl-debug].

+To create the SSH connection to the Windows Server node from another node, use the SSH keys provided when you created the AKS cluster and the internal IP address of the Windows Server node.

+Open a new terminal window and use the `kubectl get pods` command to get the name of the pod started by `kubectl debug`.

+```bash

+kubectl get pods

+```

+The following example resembles output from the command:

+```output

+NAME READY STATUS RESTARTS AGE

+node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx 1/1 Running 0 21s

+```

+In the above example, *node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx* is the name of the pod started by `kubectl debug`.

+Use the `kubectl port-forward` command to open a connection to the deployed pod:

+```bash

+kubectl port-forward node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx 2022:22

+```

+The following example resembles output from the command:

+```output

+Forwarding from 127.0.0.1:2022 -> 22

+Forwarding from [::1]:2022 -> 22

+```

+The above example begins forwarding network traffic from port 2022 on your development computer to port 22 on the deployed pod. When using `kubectl port-forward` to open a connection and forward network traffic, the connection remains open until you stop the `kubectl port-forward` command.

+Open a new terminal and run the command `kubectl get nodes` to show the internal IP address of the Windows Server node:

+```bash

+kubectl get nodes -o wide

+```

+The following example resembles output from the command:

+```output

+NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME

+aks-nodepool1-12345678-vmss000000 Ready agent 13m v1.19.9 10.240.0.4 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure

+aks-nodepool1-12345678-vmss000001 Ready agent 13m v1.19.9 10.240.0.35 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure

+aksnpwin000000 Ready agent 87s v1.19.9 10.240.0.67 <none> Windows Server 2019 Datacenter 10.0.17763.1935 docker://19.3.1

+```

+In the above example, *10.240.0.67* is the internal IP address of the Windows Server node.

+Create an SSH connection to the Windows Server node using the internal IP address, and connect to port 22 through port 2022 on your development computer. The default username for AKS nodes is *azureuser*. Accept the prompt to continue with the connection. You are then provided with the bash prompt of your Windows Server node:

+```bash

+ssh -o 'ProxyCommand ssh -p 2022 -W %h:%p azureuser@127.0.0.1' azureuser@10.240.0.67

+```

+The following example resembles output from the command:

+```output

+The authenticity of host '10.240.0.67 (10.240.0.67)' can't be established.

+ECDSA key fingerprint is SHA256:1234567890abcdefghijklmnopqrstuvwxyzABCDEFG.

+Are you sure you want to continue connecting (yes/no)? yes

+[...]

+Microsoft Windows [Version 10.0.17763.1935]

+(c) 2018 Microsoft Corporation. All rights reserved.

+azureuser@aksnpwin000000 C:\Users\azureuser>

+```

+> [!NOTE]

+> If you prefer to use password authentication, include the parameter `-o PreferredAuthentications=password`. For example:

+>

+> ```console

+> ssh -o 'ProxyCommand ssh -p 2022 -W %h:%p azureuser@127.0.0.1' -o PreferredAuthentications=password azureuser@10.240.0.67

+> ```

+### Remove SSH access

+When done, `exit` the SSH session, stop any port forwarding, and then `exit` the interactive container session. After the interactive container session closes, delete the pod used for SSH access using the `kubectl delete pod` command.

+```bash

+kubectl delete pod node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx

+```

+## Next steps

+If you need more troubleshooting data, you can [view the kubelet logs][view-kubelet-logs] or [view the Kubernetes master node logs][view-master-logs].

+<!-- INTERNAL LINKS -->

+[view-kubelet-logs]: kubelet-logs.md

+[view-master-logs]: monitor-aks-reference.md#resource-logs

+[install-azure-cli]: /cli/azure/install-azure-cli

+[aks-windows-rdp]: rdp.md

+[ssh-nix]: ../virtual-machines/linux/mac-create-ssh-keys.md

+[ssh-windows]: ../virtual-machines/linux/ssh-from-windows.md

+[ssh-linux-kubectl-debug]: #create-an-interactive-shell-connection-to-a-linux-node

+[kured-install]: https://github.com/kubereboot/kured/tree/main/cmd/kured

+[install-azakskubectl]: /powershell/module/az.aks/install-azaksclitool

+[install-azakskubectl]: /powershell/module/az.aks/install-azaksclitool

+[az-keyvault-list]: /cli/azure/keyvault#az-keyvault-list

+- AKS supports Azure AD workload identities on version 1.22 and higher.

+[python-azure-identity-client-library]: /python/api/overview/azure/identity-readme

+The built-in App Service CORS feature does not have options to allow only specific HTTP methods or verbs for each origin that you specify. It will automatically allow all methods and headers for each origin defined. This behavior is similar to [ASP.NET Core CORS](/aspnet/core/security/cors) policies when you use the options `.AllowAnyHeader()` and `.AllowAnyMethod()` in the code.

+Note that multiple App Service Environments can't exist in a single subnet. If you need to use your existing subnet for your new App Service Environment v3, you'll need to delete the existing App Service Environment before you create a new one. For this scenario, the recommended migration method is to [back up your apps and then restore them](#back-up-and-restore) in the new environment after it gets created and configured. There will be application downtime during this process because of the time it takes to delete the old environment, create the new App Service Environment v3, configure any infrastructure and connected resources to work with the new environment, and deploy your apps onto the new environment.

+## Back up and restore

+The [back up and restore](../manage-backup.md) feature allows you to keep your app configuration, file content, and database connected to your app when migrating to your new environment. Make sure you review the [details](../manage-backup.md#automatic-vs-custom-backups) of this feature.

+> [!IMPORTANT]

+> You must configure custom backups for your apps in order to restore them to an App Service Environment v3. Automatic backup doesn't support restoration on different App Service Environment versions. For more information on custom backups, see [Automatic vs custom backups](../manage-backup.md#automatic-vs-custom-backups).

+>

+The step-by-step instructions in the current documentation for [backup and restore](../manage-backup.md) should be sufficient to allow you to use this feature. You can select a custom backup and use that to restore the app to an App Service in your App Service Environment v3.

+|Benefits |Limitations |

+|||

+|Quick - should only take 5-10 minutes per app |Support is limited to [certain database types](../manage-backup.md#automatic-vs-custom-backups) |

+|Multiple apps can be restored at the same time (restoration needs to be configured for each app individually) |Old and new environments as well as supporting resources (for example apps, databases, storage accounts, and containers) must all be in the same subscription |

+|In-app MySQL databases are automatically backed up without any configuration |Backups can be up to 10 GB of app and database content, up to 4 GB of which can be the database backup. If the backup size exceeds this limit, you get an error. |

+|Can restore the app to a snapshot of a previous state |Using a [firewall enabled storage account](../../storage/common/storage-network-security.md) as the destination for your backups isn't supported |

+|Can integrate with [Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md) and [Azure Application Gateway](../../application-gateway/overview.md) to distribute traffic across old and new environments |Using a [private endpoint enabled storage account](../../storage/common/storage-private-endpoints.md) for backup and restore isn't supported |

+|Can create empty web apps to restore to in your new environment before you start restoring to speed up the process | Only supports custom backups |

+ The [back up and restore](../manage-backup.md) feature supports restoring apps between App Service Environment versions as long as a custom backup is used for the restoration. Automatic backup doesn't support restoration to different App Service Environment versions.

+> [Custom domain suffix](./how-to-custom-domain-suffix.md)

+ sku_name = "B1"

+probe setting. Received response body doesn't contain {string}.

+**Message:** The root certificate of the server certificate used by the backend doesn't match the trusted root certificate added to the application gateway. Ensure that you add the correct root certificate to whitelist the backend.

+**Message:** The Common Name (CN) of the backend certificate doesn't match the host header of the probe.

+ a. If you have an ExpressRoute/VPN connection to the virtual network over BGP, and if you're advertising a default route, you must make sure that the packet is routed back to the internet destination without modifying it. You can verify by using the **Connection Troubleshoot** option in the Application Gateway portal.

+The V1 SKU can be configured to support static or dynamic internal IP address and dynamic public IP address. The dynamic IP address of Application Gateway doesn't change on a running gateway. It can change only when you stop or start the Gateway. It doesn't change on system failures, updates, Azure host updates etc.

+A request routing rule is a key component of an application gateway because it determines how to route traffic on the listener. The rule binds the listener, the backend server pool, and the backend HTTP settings.

+In addition to using default health probe monitoring, you can also customize the health probe to suit your application's requirements. Custom probes allow more granular control over the health monitoring. When using custom probes, you can configure a custom hostname, URL path, probe interval, and how many failed responses to accept before marking the backend pool instance as unhealthy, custom status codes and response body match, etc. We recommend that you configure custom probes to monitor the health of each backend pool.

+ Consider this example, you're currently using SSL Policy and SSL Profile with &#34;older&#34; policies/ciphers. To use a &#34;new&#34; Predefined or Customv2 policy for any one of them will also require you to upgrade the other configuration. You may use the new predefined policies, or customv2 policy, or combination of these across the gateway.

+There is a limitation right now on Application Gateway that different listeners using the same port cannot have SSL policies (predefined or custom) with different TLS protocol versions. Choosing the same TLS version for different listeners will work for configuring cipher suite preference for each listener. However, to use different TLS protocol versions for separate listeners, you will need to use distinct ports for each.

+> - If you're using a custom SSL policy in Application Gateway v1 SKU (Standard or WAF), make sure that you add the mandatory cipher &#34;TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256&#34; to the list. This cipher is required to enable metrics and logging in the Application Gateway v1 SKU. This is not mandatory for Application Gateway v2 SKU (Standard_v2 or WAF_v2).

+> - Cipher suites "TLS_AES_128_GCM_SHA256" and "TLS_AES_256_GCM_SHA384" with TLSv1.3 are not customizable and included by default when setting a CustomV2 policy with a minimum TLS version of 1.2 or 1.3. These two cipher suites won't appear in the Get Details output, with an exception of Portal.

+To create the gateway, use the `New-AzureApplicationGateway` cmdlet, replacing the values with your own. Billing for the gateway doesn't start at this point. Billing begins in a later step, when the gateway is successfully started.

+The following example shows how to use a configuration file to set up the application gateway to load balance HTTP traffic on public port 80 and send network traffic to backend port 80 between two IP addresses by using a custom probe.

+| **UnhealthyThreshold** | The number of failed HTTP responses needed to flag the backend instance as *unhealthy*.|

+The probe name is referenced in the \<BackendHttpSettings\> configuration to assign which backend pool uses custom probe settings.

+In this article, you add a custom health probe to an existing application gateway through the Azure portal. Azure Application Gateway uses these health probes to monitor the health of the resources in the backend pool.

+ |**Pick host name from backend HTTP settings**|Yes or No|Sets the *host* header in the probe to the host name from the HTTP settings to which this probe is associated. Specially required for multi-tenant backends such as Azure app service. [Learn more](./configuration-http-settings.md#pick-host-name-from-backend-address)|

+ > The probe will monitor health of the backend only when it's associated with one or more HTTP settings. It will monitor backend resources of those backend pools which are associated to the HTTP settings to which this probe is associated with. The probe request will be sent as \<protocol\>://\<hostName\>:\<port\>/\<urlPath\>.

+After entering the probe properties, you can test the health of the backend resources to verify that the probe configuration is correct and that the backend resources are working as expected.

+ > You can choose to save the probe even with unhealthy backend resources, but it isn't recommended. This is because the Application Gateway won't forward requests to the backend servers from the backend pool, which are determined to be unhealthy by the probe. In case there are no healthy resources in a backend pool, you won't be able to access your application and will get a HTTP 502 error.

+ |**Pick host name from backend HTTP settings**|Yes or No|Sets the *host* header in the probe to the host name of the backend resource in the backend pool associated with the HTTP Setting to which this probe is associated. Specially required for multi-tenant backends such as Azure app service. [Learn more](./configuration-http-settings.md#pick-host-name-from-backend-address)|

+View the health of the backend resources as determined by the probe using the [backend health view](./application-gateway-diagnostics.md#backend-health).

+### Create a public IP address for the frontend configuration

+Create a public IP resource **publicIP01** in resource group **appgw-rg** for the West US region. This example uses a public IP address for the frontend IP address of the application gateway. Application gateway requires the public IP address to have a dynamically created DNS name therefore the `-DomainNameLabel` cannot be specified during the creation of the public IP address.

+#Creates a backend IP address pool named pool01 with IP addresses 134.170.185.46, 134.170.188.221, 134.170.185.50.

+# Creates a frontend IP configuration. This associates the $publicip variable defined previously with the frontend IP that will be used by the listener.

+Once the gateway is created, the next step is to configure the front end for communication. When you're using a public IP address, application gateway requires a dynamically assigned DNS name, which is not friendly. To ensure end users can hit the application gateway a CNAME record can be used to point to the public endpoint of the application gateway. [Configuring a custom domain name for in Azure](../cloud-services/cloud-services-custom-domain-name-portal.md). To do this, retrieve details of the application gateway and its associated IP/DNS name using the PublicIPAddress element attached to the application gateway. The application gateway's DNS name should be used to create a CNAME record, which points the two web applications to this DNS name. The use of A-records is not recommended since the VIP may change on restart of application gateway.

+ Title: Backend health and diagnostic logs

+# Backend health and diagnostic logs for Application Gateway

+* [Backend health](#backend-health): Application Gateway provides the capability to monitor the health of the servers in the backend pools through the Azure portal and through PowerShell. You can also find the health of the backend pools through the performance diagnostic logs.

+## Backend health

+Application Gateway provides the capability to monitor the health of individual members of the backend pools through the portal, PowerShell, and the command-line interface (CLI). You can also find an aggregated health summary of backend pools through the performance diagnostic logs.

+The backend health report reflects the output of the Application Gateway health probe to the backend instances. When probing is successful and the back end can receive traffic, it's considered healthy. Otherwise, it's considered unhealthy.

+> If there is a network security group (NSG) on an Application Gateway subnet, open port ranges 65503-65534 for v1 SKUs, and 65200-65535 for v2 SKUs on the Application Gateway subnet for inbound traffic. This port range is required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, won't be able to initiate any changes on those endpoints.

+### View backend health through the portal

+In the portal, backend health is provided automatically. In an existing application gateway, select **Monitoring** > **Backend health**.

+Each member in the backend pool is listed on this page (whether it's a NIC, IP, or FQDN). Backend pool name, port, backend HTTP settings name, and health status are shown. Valid values for health status are **Healthy**, **Unhealthy**, and **Unknown**.

+> If you see a backend health status of **Unknown**, ensure that access to the back end is not blocked by an NSG rule, a user-defined route (UDR), or a custom DNS in the virtual network.

+![Backend health][10]

+### View backend health through PowerShell

+The following PowerShell code shows how to view backend health by using the `Get-AzApplicationGatewayBackendHealth` cmdlet:

+### View backend health through Azure CLI

+* **Performance log**: You can use this log to view how Application Gateway instances are performing. This log captures performance information for each instance, including total requests served, throughput in bytes, total requests served, failed request count, and healthy and unhealthy backend instance count. A performance log is collected every 60 seconds. The Performance log is available only for the v1 SKU. For the v2 SKU, use [Metrics](application-gateway-metrics.md) for performance data.

+|RequestQuery | **Server-Routed**: Backend pool instance that was sent the request.</br>**X-AzureApplicationGateway-LOG-ID**: Correlation ID used for the request. It can be used to troubleshoot traffic issues on the backend servers. </br>**SERVER-STATUS**: HTTP response code that Application Gateway received from the back end. |

+|sslEnabled| Whether communication to the backend pools used TLS/SSL. Valid values are on and off.|

+|sslEnabled| Whether communication to the backend pools used TLS. Valid values are on and off.|

+|healthyHostCount | Number of healthy hosts in the backend pool. |

+|unHealthyHostCount | Number of unhealthy hosts in the backend pool. |

+> If you're familiar with Visual Studio and basic concepts of changing values for constants and variables in C#, you can use the [log converter tools](https://github.com/Azure-Samples/networking-dotnet-log-converter) available from GitHub.

+Azure Application Gateway supports end-to-end encryption of traffic. Application Gateway terminates the TLS/SSL connection at the application gateway. The gateway then applies the routing rules to the traffic, re-encrypts the packet, and forwards the packet to the appropriate backend server based on the routing rules defined. Any response from the web server goes through the same process back to the end user.

+To configure end-to-end TLS with an application gateway, a certificate is required for the gateway and certificates are required for the backend servers. The gateway certificate is used to derive a symmetric key as per TLS protocol specification. The symmetric key is then used encrypt and decrypt the traffic sent to the gateway. The gateway certificate needs to be in Personal Information Exchange (PFX) format. This file format allows you to export the private key that is required by the application gateway to perform the encryption and decryption of traffic.

+For end-to-end TLS encryption, the back end must be explicitly allowed by the application gateway. Upload the public certificate of the backend servers to the application gateway. Adding the certificate ensures that the application gateway only communicates with known backend instances. This further secures the end-to-end communication.

+2. Assign an address range to be used for the backend address pool.

+## Create a public IP address for the frontend configuration

+> Application Gateway doesn't support the use of a public IP address created with a defined domain label. Only a public IP address with a dynamically created domain label is supported. If you require a friendly DNS name for the application gateway, we recommend you use a CNAME record as an alias.

+1. Create an application gateway IP configuration. This setting configures which of the subnets the application gateway uses. When application gateway starts, it picks up an IP address from the configured subnet and routes network traffic to the IP addresses in the backend IP pool. Keep in mind that each instance takes one IP address.

+2. Create a frontend IP configuration. This setting maps a private or public IP address to the front end of the application gateway. The following step associates the public IP address in the preceding step with the frontend IP configuration.

+3. Configure the backend IP address pool with the IP addresses of the backend web servers. These IP addresses are the IP addresses that receive the network traffic that comes from the frontend IP endpoint. Replace the IP addresses in the sample with your own application IP address endpoints.

+ > A fully qualified domain name (FQDN) is also a valid value to use in place of an IP address for the backend servers. You enable it by using the **-BackendFqdns** switch.

+4. Configure the frontend IP port for the public IP endpoint. This port is the port that end users connect to.

+6. Create the HTTP listener for the application gateway. Assign the frontend IP configuration, port, and TLS/SSL certificate to use.

+7. Upload the certificate to be used on the TLS-enabled backend pool resources.

+ > The default probe gets the public key from the *default* TLS binding on the backend's IP address and compares the public key value it receives to the public key value you provide here.

+ > If you're using host headers and Server Name Indication (SNI) on the back end, the retrieved public key might not be the intended site to which traffic flows. If you're in doubt, visit https://127.0.0.1/ on the backend servers to confirm which certificate is used for the *default* TLS binding. Use the public key from that request in this section. If you're using host-headers and SNI on HTTPS bindings and you do not receive a response and certificate from a manual browser request to https://127.0.0.1/ on the backend servers, you must set up a default TLS binding on the them. If you do not do so, probes fail and the back end is not allowed.

+ > The certificate provided in the previous step should be the public key of the .pfx certificate present on the back end. Export the certificate (not the root certificate) installed on the backend server in Claim, Evidence, and Reasoning (CER) format and use it in this step. This step allows the back end with the application gateway.

+ If you're using the Application Gateway v2 SKU, then create a trusted root certificate instead of an authentication certificate. For more information, see [Overview of end to end TLS with Application Gateway](ssl-overview.md#end-to-end-tls-with-the-v2-sku):

+## Apply a new certificate if the backend certificate is expired

+Use this procedure to apply a new certificate if the backend certificate is expired.

+* **Backend server pool:** The list of IP addresses of the backend servers. The IP addresses listed should either belong to the virtual network but in a different subnet for the application gateway or should be a public IP/VIP.

+* **Backend server pool settings:** Every pool has settings like port, protocol, and cookie-based affinity. These settings are tied to a pool and are applied to all servers within the pool.

+* **Frontend port:** This port is the public port that is opened on the application gateway. Traffic hits this port, and then gets redirected to one of the backend servers.

+* **Listener:** The listener has a frontend port, a protocol (Http or Https, these are case-sensitive), and the SSL certificate name (if configuring SSL offload).

+* **Rule:** The rule binds the listener and the backend server pool and defines which backend server pool the traffic should be directed to when it hits a particular listener. Currently, only the *basic* rule is supported. The *basic* rule is round-robin load distribution.

+This step creates an application gateway IP configuration named "gatewayIP01". When Application Gateway starts, it picks up an IP address from the subnet configured and route network traffic to the IP addresses in the backend IP pool. Keep in mind that each instance takes one IP address.

+This step configures the backend IP address pool named "pool01" with IP addresses "10.1.1.8, 10.1.1.9, 10.1.1.10". Those are the IP addresses that receive the network traffic that comes from the frontend IP endpoint. You replace the preceding IP addresses to add your own application IP address endpoints.

+This step configures application gateway setting "poolsetting01" for the load balanced network traffic in the backend pool.

+This step configures the frontend IP port named "frontendport01" for the ILB.

+This step creates the frontend IP configuration called "fipconfig01" and associates it with a private IP from the current virtual network subnet.

+This step creates the listener called "listener01" and associates the frontend port to the frontend IP configuration.

+Get-AzureApplicationGateway : ResourceNotFound: The gateway doesn't exist.

+description: Azure Application Gateway monitors the health of all resources in its backend pool and automatically removes any resource considered unhealthy from the pool.

+Azure Application Gateway by default monitors the health of all resources in its backend pool and automatically removes any resource considered unhealthy from the pool. Application Gateway continues to monitor the unhealthy instances and adds them back to the healthy backend pool once they become available and respond to health probes. By default, Application gateway sends the health probes with the same port that is defined in the backend HTTP settings. A custom probe port can be configured using a custom health probe.

+The source IP address that Application Gateway uses for health probes will depend on the backend pool:

+An application gateway automatically configures a default health probe when you don't set up any custom probe configuration. The monitoring behavior works by making an HTTP GET request to the IP addresses or FQDN configured in the backend pool. For default probes if the backend http settings are configured for HTTPS, the probe uses HTTPS to test health of the backend servers.

+For example: You configure your application gateway to use backend servers A, B, and C to receive HTTP network traffic on port 80. The default health monitoring tests the three servers every 30 seconds for a healthy HTTP response with a 30 second timeout for each request. A healthy HTTP response has a [status code](https://msdn.microsoft.com/library/aa287675.aspx) between 200 and 399. In this case, the HTTP GET request for the health probe will look like `http://127.0.0.1/`.

+| Unhealthy threshold |3 |Governs how many probes to send in case there's a failure of the regular health probe. In v1 SKU, these additional health probes are sent in quick succession to determine the health of the backend quickly and don't wait for the probe interval. For v2 SKU, the health probes wait the interval. The backend server is marked down after the consecutive probe failure count reaches the unhealthy threshold. |

+Custom probes allow you to have more granular control over the health monitoring. When using custom probes, you can configure a custom hostname, URL path, probe interval, and how many failed responses to accept before marking the backend pool instance as unhealthy, etc.

+| Name |Name of the probe. This name is used to identify and refer to the probe in backend HTTP settings. |

+| Protocol |Protocol used to send the probe. This has to match with the protocol defined in the backend HTTP settings it is associated to|

+| Unhealthy threshold |Probe retry count. The backend server is marked down after the consecutive probe failure count reaches the unhealthy threshold |

+description: Learn how to configure TLS policy for Azure Application Gateway and reduce encryption and decryption overhead from a backend server farm.

+You can use Azure Application Gateway to centralize TLS/SSL certificate management and reduce encryption and decryption overhead from a backend server farm. This centralized TLS handling also lets you specify a central TLS policy that's suited to your organizational security requirements. This helps you meet compliance requirements as well as security guidelines and recommended practices.

+> - If you're using a custom SSL policy in Application Gateway v1 SKU (Standard or WAF), make sure that you add the mandatory cipher "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" to the list. This cipher is required to enable metrics and logging in the Application Gateway v1 SKU.

+> - The cipher suites ΓÇ£TLS_AES_128_GCM_SHA256ΓÇ¥ and ΓÇ£TLS_AES_256_GCM_SHA384ΓÇ¥ are mandatory for TLSv1.3. You need NOT mention these explicitly when setting a CustomV2 policy with minimum protocol version 1.2 or 1.3 through [PowerShell](application-gateway-configure-ssl-policy-powershell.md) or CLI. Accordingly, these ciphers suites won't appear in the Get Details output, with an exception of Portal.

+- Application Gateway v2 doesn't support the following DHE ciphers. These won't be used for the TLS connections with clients even though they are mentioned in the predefined policies. Instead of DHE ciphers, secure and faster ECDHE ciphers are recommended.

+* Backend VMs or instances of virtual machine scale set aren't responding to the default health probe.

+* Azure Application Gateway's [backend pool isn't configured or empty](#empty-backendaddresspool).

+502 errors can also be frequent indicators that the default health probe can't reach backend VMs.

+| Unhealthy threshold |3 |Probe retry count. The backend server is marked down after the consecutive probe failure count reaches the unhealthy threshold. |

+Custom health probes allow additional flexibility to the default probing behavior. When you use custom probes, you can configure the probe interval, the URL, the path to test, and how many failed responses to accept before marking the backend pool instance as unhealthy.

+| Name |Name of the probe. This name is used to refer to the probe in backend HTTP settings. |

+| Protocol |Protocol used to send the probe. The probe uses the protocol defined in the backend HTTP settings |

+| Unhealthy threshold |Probe retry count. The backend server is marked down after the consecutive probe failure count reaches the unhealthy threshold. |

+When a user request is received, the application gateway applies the configured rules to the request and routes it to a backend pool instance. It waits for a configurable interval of time for a response from the backend instance. By default, this interval is **20** seconds. In Application Gateway v1, if the application gateway doesn't receive a response from backend application in this interval, the user request gets a 502 error. In Application Gateway v2, if the application gateway doesn't receive a response from the backend application in this interval, the request will be tried against a second backend pool member. If the second request fails the user request gets a 502 error.

+Application Gateway allows you to configure this setting via the BackendHttpSetting, which can be then applied to different pools. Different backend pools can have different BackendHttpSetting, and a different request time-out configured.

+If the application gateway has no VMs or virtual machine scale set configured in the backend address pool, it can't route any customer request and sends a bad gateway error.

+Ensure that the backend address pool isn't empty. This can be done either via PowerShell, CLI, or portal.

+The output from the preceding cmdlet should contain non-empty backend address pool. The following example shows two pools returned which are configured with an FQDN or an IP addresses for the backend VMs. The provisioning state of the BackendAddressPool must be 'Succeeded'.

+If all the instances of BackendAddressPool are unhealthy, then the application gateway doesn't have any backend to route user request to. This can also be the case when backend instances are healthy but don't have the required application deployed.

+Ensure that the instances are healthy and the application is properly configured. Check if the backend instances can respond to a ping from another VM in the same VNet. If configured with a public end point, ensure a browser request to the web application is serviceable.

+> As described, the HTTP protocol is used only to perform a handshake when establishing a WebSocket connection. Once the handshake is completed, a WebSocket connection gets opened for transmitting the data, and the Web Application Firewall (WAF) cannot parse any contents. Therefore, WAF doesn't perform any inspections on such data.

+Another reason for this is that application gateway backend health probe supports HTTP and HTTPS protocols only. If the backend server doesn't respond to HTTP or HTTPS probes, it is taken out of backend pool.

+ Title: Azure Application Gateway frontend IP address configuration

+description: This article describes how to configure the Azure Application Gateway frontend IP address.

+# Application Gateway frontend IP address configuration

+You can configure the application gateway to have a public IP address, a private IP address, or both. A public IP address is required when you host a back end that clients must access over the Internet via an Internet-facing virtual IP (VIP).

+## Public and private IP address support

+Application Gateway V2 currently doesn't support only private IP mode. It supports the following combinations:

+* Private IP address and public IP address

+* Public IP address only

+For more information, see [Frequently asked questions about Application Gateway](application-gateway-faq.yml#how-do-i-use-application-gateway-v2-with-only-private-frontend-ip-address).

+A public IP address isn't required for an internal endpoint that's not exposed to the Internet. That's known as an *internal load-balancer* (ILB) endpoint or private frontend IP. An application gateway ILB is useful for internal line-of-business applications that aren't exposed to the Internet. It's also useful for services and tiers in a multi-tier application within a security boundary that aren't exposed to the Internet but that require round-robin load distribution, session stickiness, or TLS termination.

+Only one public IP address and one private IP address is supported. You choose the frontend IP when you create the application gateway.

+- For a public IP address, you can create a new public IP address or use an existing public IP in the same location as the application gateway. For more information, see [static vs. dynamic public IP address](./application-gateway-components.md#static-versus-dynamic-public-ip-address).

+- For a private IP address, you can specify a private IP address from the subnet where the application gateway is created. For Application Gateway v2 sku deployments, a static IP address must be defined when adding a private IP address to the gateway. For Application Gateway v1 sku deployments, if you don't specify an IP address, an available IP address is automatically selected from the subnet. The IP address type that you select (static or dynamic) can't be changed later. For more information, see [Create an application gateway with an internal load balancer](./application-gateway-ilb-arm.md).

+A frontend IP address is associated to a *listener*, which checks for incoming requests on the frontend IP.

+## Next steps

+- [Learn about listener configuration](configuration-listeners.md)

+The application gateway routes traffic to the backend servers by using the configuration that you specify here. After you create an HTTP setting, you must associate it with one or more request-routing rules.

+> Some vulnerability scans may flag the Application Gateway affinity cookie because the Secure or HttpOnly flags are not set. These scans do not take into account that the data in the cookie is generated using a one-way hash. The cookie doesn't contain any user information and is used purely for routing.

+The [Chromium browser](https://www.chromium.org/Home) [v80 update](https://chromiumdash.appspot.com/schedule) brought a mandate where HTTP cookies without [SameSite](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-03#rfc.section.5.3.7) attribute have to be treated as SameSite=Lax. For CORS (Cross-Origin Resource Sharing) requests, if the cookie has to be sent in a third-party context, it has to use *SameSite=None; Secure* attributes and it should be sent over HTTPS only. Otherwise, in an HTTP only scenario, the browser doesn't send the cookies in the third-party context. The goal of this update from Chrome is to enhance security and to avoid Cross-Site Request Forgery (CSRF) attacks.

+Connection draining helps you gracefully remove backend pool members during planned service updates. You can apply this setting to all members of a backend pool by enabling connection draining on the HTTP setting. It ensures that all deregistering instances of a backend pool continue to maintain existing connections and serve on-going requests for a configurable timeout and don't receive any new requests or connections. The only exception to this are requests bound for deregistering instances because of gateway-managed session affinity and will continue to be forwarded to the deregistering instances. Connection draining applies to backend instances that are explicitly removed from the backend pool.

+Application Gateway supports both HTTP and HTTPS for routing requests to the backend servers. If you choose HTTP, traffic to the backend servers is unencrypted. If unencrypted communication isn't acceptable, choose HTTPS.

+This setting combined with HTTPS in the listener supports [end-to-end TLS](ssl-overview.md). This allows you to securely transmit sensitive data encrypted to the back end. Each backend server in the backend pool that has end-to-end TLS enabled must be configured with a certificate to allow secure communication.

+This setting specifies the port where the backend servers listen to traffic from the application gateway. You can configure ports ranging from 1 to 65535.

+If you select HTTPS as the backend protocol, the Application Gateway requires a trusted root certificate to trust the backend pool for end-to-end SSL. By default, the **Use well known CA certificate** option is set to **No**. If you plan to use a self-signed certificate, or a certificate signed by an internal Certificate Authority, then you must provide the Application Gateway the matching public certificate that the backend pool will be using. This certificate must be uploaded directly to the Application Gateway in .CER format.

+If you plan to use a certificate on the backend pool that is signed by a trusted public Certificate Authority, then you can set the **Use well known CA certificate** option to **Yes** and skip uploading a public certificate.

+This setting is the number of seconds that the application gateway waits to receive a response from the backend server.

+## Override backend path

+ | Original request | Override backend path | Request forwarded to back end |

+ | Original request | Path rule | Override backend path | Request forwarded to back end |

+> The custom probe doesn't monitor the health of the backend pool unless the corresponding HTTP setting is explicitly associated with a listener.

+## Pick host name from backend address

+This capability dynamically sets the *host* header in the request to the host name of the backend pool. It uses an IP address or FQDN.

+For example, if *www.contoso.com* is specified in the **Host name** setting, the original request *`https://appgw.eastus.cloudapp.azure.com/path1` is changed to *`https://www.contoso.com/path1` when the request is forwarded to the backend server.

+- [Learn about the backend pool](configuration-overview.md#backend-pool)

+Application Gateway uses one private IP address per instance, plus another private IP address if a private frontend IP is configured.

+Azure also reserves five IP addresses in each subnet for internal use: the first four and the last IP addresses. For example, consider 15 application gateway instances with no private frontend IP. You need at least 20 IP addresses for this subnet: five for internal use and 15 for the application gateway instances.

+Consider a subnet that has 27 application gateway instances and an IP address for a private frontend IP. In this case, you need 33 IP addresses: 27 for the application gateway instances, one for the private front end, and five for internal use.

+2. Allow incoming requests from source as **GatewayManager** service tag and destination as **Any** and destination ports as 65503-65534 for the Application Gateway v1 SKU, and ports 65200-65535 for v2 SKU for [backend health status communication](./application-gateway-diagnostics.md). This port range is required for Azure infrastructure communication. These ports are protected (locked down) by Azure certificates. Without appropriate certificates in place, external entities can't initiate changes on those endpoints.

+> Using UDRs on the Application Gateway subnet might cause the health status in the [backend health view](./application-gateway-diagnostics.md#backend-health) to appear as **Unknown**. It also might cause generation of Application Gateway logs and metrics to fail. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the backend health, logs, and metrics.

+- [Learn about frontend IP address configuration](configuration-frontend-ip.md).

+## Frontend IP address

+Choose the frontend IP address that you plan to associate with this listener. The listener will listen to incoming requests on this IP.

+## Frontend port

+Choose the frontend port. Select an existing port or create a new one. Choose any value from the [allowed range of ports](./application-gateway-components.md#ports). You can use not only well-known ports, such as 80 and 443, but any allowed custom port that's suitable. A port can be used for public-facing listeners or private-facing listeners.

+- Choose HTTPS if you want [TLS termination](features.md#secure-sockets-layer-ssltls-termination) or [end-to-end TLS encryption](./ssl-overview.md). The traffic between the client and the application gateway is encrypted. And the TLS connection terminates at the application gateway. If you want end-to-end TLS encryption, you must choose HTTPS and configure the **backend HTTP** setting. This ensures that traffic is re-encrypted when it travels from the application gateway to the back end.

+HTTP/2 protocol support is available to clients that connect to application gateway listeners only. The communication to backend server pools is over HTTP/1.1. By default, HTTP/2 support is disabled. The following Azure PowerShell code snippet shows how to enable this:

+You can centralize TLS/SSL certificate management and reduce encryption-decryption overhead for a backend server farm. Centralized TLS handling also lets you specify a central TLS policy that's suited to your security requirements. You can choose *default*, *predefined*, or *custom* TLS policy.

+## Frontend IP address

+For more information, see [Application Gateway frontend IP address configuration](configuration-frontend-ip.md).

+When you create an application gateway by using the Azure portal, you create a default rule (*rule1*). This rule binds the default listener (*appGatewayHttpListener*) with the default backend pool (*appGatewayBackendPool*) and the default backend HTTP settings (*appGatewayBackendHttpSettings*). After you create the gateway, you can edit the settings of the default rule or create new rules.

+The application gateway routes traffic to the backend servers by using the configuration that you specify here. After you create an HTTP setting, you must associate it with one or more request-routing rules.

+## Backend pool

+You can point a backend pool to four types of backend members: a specific virtual machine, a virtual machine scale set, an IP address/FQDN, or an app service.

+After you create a backend pool, you must associate it with one or more request-routing rules. You must also configure health probes for each backend pool on your application gateway. When a request-routing rule condition is met, the application gateway forwards the traffic to the healthy servers (as determined by the health probes) in the corresponding backend pool.

+An application gateway monitors the health of all resources in its back end by default. But we strongly recommend that you create a custom probe for each backend HTTP setting to get greater control over health monitoring. To learn how to configure a custom probe, see [Custom health probe settings](application-gateway-probe-overview.md#custom-health-probe-settings).

+> After you create a custom health probe, you need to associate it to a backend HTTP setting. A custom probe won't monitor the health of the backend pool unless the corresponding HTTP setting is explicitly associated with a listener using a rule.

+When you create an application gateway using the Azure portal, you create a default rule (*rule1*). This rule binds the default listener (*appGatewayHttpListener*) with the default backend pool (*appGatewayBackendPool*) and the default backend HTTP settings (*appGatewayBackendHttpSettings*). After you create the gateway, you can edit the settings of the default rule or create new rules.

+- Choose basic if you want to forward all requests on the associated listener (for example, *blog<i></i>.contoso.com/\*)* to a single backend pool.

+- Choose path-based if you want to route requests from specific URL paths to specific backend pools. The path pattern is applied only to the path of the URL, not to its query parameters.

+Associate a listener to the rule so that the *request-routing rule* that's associated with the listener is evaluated to determine the backend pool to route the request to.

+## Associated backend pool

+Associate to the rule the backend pool that contains the backend targets that serve requests that the listener receives.

+ - For a basic rule, only one backend pool is allowed. All requests on the associated listener are forwarded to that backend pool.

+ - For a path-based rule, add multiple backend pools that correspond to each URL path. The requests that match the URL path that's entered are forwarded to the corresponding backend pool. Also, add a default backend pool. Requests that don't match any URL path in the rule are forwarded to that pool.

+## Associated backend HTTP setting

+Add a backend HTTP setting for each rule. Requests are routed from the application gateway to the backend targets by using the port number, protocol, and other information that's specified in this setting.

+For a basic rule, only one backend HTTP setting is allowed. All requests on the associated listener are forwarded to the corresponding backend targets by using this HTTP setting.

+For a path-based rule, add multiple backend HTTP settings that correspond to each URL path. Requests that match the URL path in this setting are forwarded to the corresponding backend targets by using the HTTP settings that correspond to each URL path. Also, add a default HTTP setting. Requests that don't match any URL path in this rule are forwarded to the default backend pool by using the default HTTP setting.

+The backend pool is used to route requests to the backend servers that serve the request. The backend can be composed of NICs, virtual machine scale sets, public IP addresses, internal IP addresses, fully qualified domain names (FQDN), and multi-tenant backends like Azure App Service. In this example, you use virtual machines as the target backend. You can either use existing virtual machines or create new ones. In this example, you create two virtual machines that Azure uses as backend servers for the application gateway.

+If you want to monitor the health of your backend pool, see [Backend health and diagnostic logs for Application Gateway](application-gateway-diagnostics.md).

+> Issuance policies only affect certificates that will be issued in the future. Modifying this issuance policy won't affect any existing certificates.

+The backend pool is used to route requests to the backend servers that serve the request. Backend pools can be composed of NICs, virtual machine scale sets, public IP addresses, internal IP addresses, fully qualified domain names (FQDN), and multi-tenant backends like Azure App Service. In this example, you'll create an empty backend pool with your application gateway and then add backend targets to the backend pool.

+description: Learn how to use an Azure PowerShell script to integrate your key vault with your application gateway for TLS/SSL termination certificates.

+### Create pool and frontend ports

+Application gateway allows you to have an App Service app or other multi-tenant service as a backend pool member. In this article, you learn to configure an App Service app with Application Gateway. The configuration for Application Gateway will differ depending on how App Service will be accessed:

+By associating the same domain name to both Application Gateway and App Service in the backend pool, the request flow doesn't need to override the host name. The backend web application will see the original host as was used by the client.

+This configuration is the easiest and doesn't require a custom domain. As such it allows for a quick convenient setup.

+When App Service doesn't have a custom domain associated with it, the host header on the incoming request on the web application will need to be set to the default domain, suffixed with ".azurewebsites.net" or else the platform won't be able to properly route the request.

+4. If the certificate is signed by a well known authority, select "Yes" for "User well known CA certificate". Alternatively [Add authentication/trusted root certificates of backend servers](./end-to-end-ssl-portal.md#add-authenticationtrusted-root-certificates-of-backend-servers)

+4. If the certificate is signed by a well known authority, select "Yes" for "User well known CA certificate". Alternatively [Add authentication/trusted root certificates of backend servers](./end-to-end-ssl-portal.md#add-authenticationtrusted-root-certificates-of-backend-servers)

+Using the earlier configured Backend Pool and the HTTP Settings, the request routing rule can be set up to take traffic from a listener and route it to the Backend Pool using the HTTP Settings. For this, make sure you have an HTTP or HTTPS listener available that is not already bound to an existing routing rule.

+The above conditions (explained in more detail in [Architecture Center](/azure/architecture/best-practices/host-name-preservation)) would indicate that your web application doesn't deal well with rewriting the host name. This is commonly seen. The recommended way to deal with this is to follow the instructions for configuration Application Gateway with App Service using a custom domain. Also see: [Troubleshoot App Service issues in Application Gateway](troubleshoot-app-service-redirection-app-service-url.md).

+The above conditions (explained in more detail in [Architecture Center](/azure/architecture/best-practices/host-name-preservation)) would indicate that your web application doesn't deal well with rewriting the host name. This is commonly seen. The recommended way to deal with this is to follow the instructions for configuration Application Gateway with App Service using a custom domain. Also see: [Troubleshoot App Service issues in Application Gateway](troubleshoot-app-service-redirection-app-service-url.md).

+The web apps deployed in these examples use public IP addresses that can be accessed directly from the Internet. This helps with troubleshooting when you're learning about a new feature and trying new things. But if you intend to deploy a feature into production, you'll want to add more restrictions. Consider the following options:

+# Backend server certificate isn't allow-listed for an application gateway using an Internal Load Balancer with an App Service Environment

+When you create an application gateway by using an ILB with an ASE at the back end, the backend server may become unhealthy. This problem occurs if the authentication certificate of the application gateway doesn't match the configured certificate on the backend server. See the following scenario as an example:

+When you access the application gateway, you receive the following error message because the backend server is unhealthy:

+When you don't use a host name to access an HTTPS website, the backend server will return the configured certificate on the default website, in case SNI is disabled. For an ILB ASE, the default certificate comes from the ILB certificate. If there are no configured certificates for the ILB, the certificate comes from the ASE App certificate.

+When you use a fully qualified domain name (FQDN) to access the ILB, the backend server will return the correct certificate that's uploaded in the HTTP settings. If that isn't the case , consider the following options:

+- Use FQDN in the backend pool of the application gateway to point to the IP address of the ILB. This option only works if you have a private DNS zone or a custom DNS configured. Otherwise, you have to create an "A" record for a public DNS.

+- Use a wildcard certificate on the ILB and the backend server, so that for all the websites, the certificate is common. However, this solution is possible only for subdomains and not if each website requires different hostnames.

+The backend pool is used to route requests to the backend servers that serve the request. Backend pools can be NICs, virtual machine scale sets, public IPs, internal IPs, fully qualified domain names (FQDN), and multi-tenant backends like Azure App Service. In this example, you'll create an empty backend pool with your application gateway and then add backend targets to the backend pool.

+The backend pool is used to route requests to the backend servers that serve the request. Backend pools can be composed of NICs, virtual machine scale sets, public IPs, internal IPs, fully qualified domain names (FQDN), and multi-tenant backends like Azure App Service. In this example, you'll create an empty backend pool with your application gateway and then add backend targets to the backend pool.

+The backend pool is used to route requests to the backend servers that serve the request. Backend pools can be composed of NICs, virtual machine scale sets, public IPs, internal IPs, fully qualified domain names (FQDN), and multi-tenant backends like Azure App Service.

+For information about Application Gateway diagnostics, see [Backend health, diagnostic logs, and metrics for Application Gateway](application-gateway-diagnostics.md).

+It is important to consider any impact on your Application Gateway resource when making changes or revoking access to your Key Vault resource. In case your application gateway is unable to access the associated key vault or locate its certificate object, it will automatically put that listener in a disabled state. The action is triggered only for configuration errors. Transient connectivity problems do not have any impact on the listeners.

+To configure end-to-end TLS with an application gateway, you need a certificate for the gateway. Certificates are also required for the backend servers. The gateway certificate is used to derive a symmetric key in compliance with the TLS protocol specification. The symmetric key is then used to encrypt and decrypt the traffic sent to the gateway.

+For end-to-end TLS encryption, the right backend servers must be allowed in the application gateway. To allow this access, upload the public certificate of the backend servers, also known as Authentication Certificates (v1) or Trusted Root Certificates (v2), to the application gateway. Adding the certificate ensures that the application gateway communicates only with known backend instances. This configuration further secures end-to-end communication.

+To create a new application gateway with end-to-end TLS encryption, you'll need to first enable TLS termination while creating a new application gateway. This action enables TLS encryption for communication between the client and application gateway. Then, you'll need to put on the Safe Recipients list the certificates for the backend servers in the HTTP settings. This configuration enables TLS encryption for communication between the application gateway and the backend servers. That accomplishes end-to-end TLS encryption.

+### Add authentication/root certificates of backend servers

+ For Standard and WAF (v1) application gateways, you should upload the public key of your backend server certificate in .cer format.

+ For Standard_v2 and WAF_v2 application gateways, you should upload the root certificate of the backend server certificate in .cer format. If the backend certificate is issued by a well-known certificate authority (CA), you can select the **Use Well Known CA Certificate** check box, and then you don't have to upload a certificate.

+To configure an existing application gateway with end-to-end TLS encryption, you must first enable TLS termination in the listener. This action enables TLS encryption for communication between the client and the application gateway. Then, put those certificates for backend servers in the HTTP settings on the Safe Recipients list. This configuration enables TLS encryption for communication between the application gateway and the backend servers. That accomplishes end-to-end TLS encryption.

+### Add authentication/trusted root certificates of backend servers

+2. Select **HTTP settings** from the left-side menu. You can either put certificates in an existing backend HTTP setting on the Safe Recipients list or create a new HTTP setting. (In the next step, the certificate for the default HTTP setting, **appGatewayBackendHttpSettings**, is added to the Safe Recipients list.)

+ For Standard and WAF (v1) application gateways, you should upload the public key of your backend server certificate in .cer format.

+ For Standard_v2 and WAF_v2 application gateways, you should upload the root certificate of the backend server certificate in .cer format. If the backend certificate is issued by a well-known CA, you can select the **Use Well Known CA Certificate** check box, and then you don't have to upload a certificate.

+URL Path Based Routing allows you to route traffic to backend server pools based on URL Paths of the request.

+Application Gateway and WAF v2 SKU supports the capability to add, remove, or update HTTP request and response headers, while the request and response packets move between the client and backend pools. You can also rewrite URLs, query string parameters and host name. With URL rewrite and URL path-based routing, you can choose to either route requests to one of the backend pools based on the original path or the rewritten path, using the re-evaluate path map option.

+| Average backend page response size | Small | Medium | Large |

+> These values are approximate values for an application gateway throughput. The actual throughput depends on various environment details, such as average page size, location of backend instances, and processing time to serve a page. For exact performance numbers, you should run your own tests. These values are only provided for capacity planning guidance.

+It is important that you scale your Application Gateway according to your traffic and with a bit of a buffer so that you're prepared for any traffic surges or spikes and minimizing the impact that it may have in your QoS. The following suggestions help you set up Application Gateway with WAF to handle extra traffic.

+If you're using a v1 SKU gateway, youΓÇÖll have the ability to set your Application Gateway up to 32 instances for scaling. Check your Application GatewayΓÇÖs CPU utilization in the past one month for any spikes above 80%, it is available as a metric for you to monitor. It is recommended that you set your instance count according to your peak usage and with a 10% to 20% additional buffer to account for any traffic spikes.

+Internal application gateways use only private IP addresses. If you're using a Custom or [Private DNS zone](../dns/private-dns-overview.md), the domain name should be internally resolvable to the private IP address of the Application Gateway. Therefore, internal load-balancers can only route requests from clients with access to a virtual network for the application gateway.

+- Application is using cookie-based affinity but requests still bouncing between backend servers

+### Application is using cookie-based affinity but requests still bouncing between backend servers

+You have enabled the Cookie-based Affinity setting, when you access the Application Gateway by using a short name URL in Internet Explorer, for example: `http://website` , the request is still bouncing between backend servers.

+ > This ApplicationGatewayAffinity value is the cookie-id, that the Application Gateway sets for the client to be sent to a particular backend server.

+- **Example B:** The next session log followed by the previous one is the client responding back to the Application Gateway, which has set the ApplicationGatewayAffinity. If the ApplicationGatewayAffinity cookie-id matches, the packet should be sent to the same backend server that was used previously. Check the next several lines of http communication to see whether the client's ApplicationGatewayAffinity cookie is changing.

+- Backend VMs or instances of [virtual machine scale sets](../virtual-machine-scale-sets/overview.md) aren't responding to the default health probe.

+- Azure Application Gateway's [backend pool isn't configured or empty](application-gateway-troubleshooting-502.md#empty-backendaddresspool).

+If your deployment doesn't explicitly define health probes, Application Gateway would attempt an HTTP GET on your WebSocket server endpoint.

+Since Application Gateway doesn't add WebSocket headers, the Application Gateway's health probe response from your WebSocket server will most likely be `400 Bad Request`.

+Helm install with `appgw.shared=true` will deploy AGIC, but won't make any changes to Application Gateway.

+ # The staging environment won't issue trusted certificates but is

+Through Azure CLI, delete your AGIC Helm deployment from your cluster. You'll need to delete the AGIC Helm deployment first before you can enable the AGIC AKS add-on. Please note that any changes that occur within your AKS cluster between the time of deleting your AGIC Helm deployment and the time you enable the AGIC add-on won't be reflected on your Application Gateway, and therefore this migration process should be done outside of business hours to minimize impact. Application Gateway will continue to have the last configuration applied by AGIC so existing routing rules won't be affected.

+AGIC helps eliminate the need to have another load balancer/public IP in front of the AKS cluster and avoids multiple hops in your datapath before requests reach the AKS cluster. Application Gateway talks to pods using their private IP directly and doesn't require NodePort or KubeProxy services. This also brings better performance to your deployments.

+> It's particularly important to set `enabledForTemplateDeployment` to `true`. The certificate might or might not have a password. For a certificate with a password, the following example shows a possible configuration for the `sslCertificates` entry in `properties` for the ARM template configuration for Application Gateway.

+To import your firewall logs into Log Analytics, see [Backend health, diagnostic logs, and metrics for Application Gateway](application-gateway-diagnostics.md#diagnostic-logging). When you have the firewall logs in your Log Analytics workspace, you can view data, write queries, create visualizations, and add them to your portal dashboard.

+[Backend health, diagnostic logs, and metrics for Application Gateway](application-gateway-diagnostics.md)

+No. Currently the script doesn't support certificates in KeyVault. However, this is being considered for a future version.

+For more information, see [Backend health and diagnostic logs for Application Gateway](application-gateway-diagnostics.md#access-log)

+| **ApplicationGatewayPerformanceLog**|Performance log|You can use this log to view how Application Gateway instances are performing. This log captures performance information for each instance, including total requests served, throughput in bytes, total requests served, failed request count, and healthy and unhealthy backend instance count. A performance log is collected every 60 seconds. The Performance log is available only for the v1 SKU. For the v2 SKU, use [Metrics](#metrics) for performance data.|

+This article describes the monitoring data generated by Azure Application Gateway. Azure Application Gateway uses [Azure Monitor](../azure-monitor/overview.md). If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).

+If you're creating or running an application which use Application Gateway [Azure Monitor Application Insights](../azure-monitor/overview.md#application-insights) may offer additional types of alerts.

+Validate that the certificate file uploaded doesn't have any missing data.

+> The autoscaling v2 SKU now supports [default health probes](application-gateway-probe-overview.md#default-health-probe) to automatically monitor the health of all resources in its backend pool and highlight those backend members that are considered unhealthy. The default health probe is automatically configured for backends that don't have any custom probe configuration. To learn more, see [health probes in application gateway](application-gateway-probe-overview.md).

+> * If you're looking to do DNS based global routing and do **not** have requirements for Transport Layer Security (TLS) protocol termination ("SSL offload"), per-HTTP/HTTPS request or application-layer processing, review [Traffic Manager](../traffic-manager/traffic-manager-overview.md).

+> If the public or private IP configuration resource is missing when trying to select a _Target sub-resource_ on the _Resource_ tab of private endpoint creation, please ensure a listener is actively utilizing the respected frontend IP configuration. Frontend IP configurations without an associated listener won't be shown as a _Target sub-resource_.

+> If you're provisioning a **Private Endpoint** from within another tenant, you will need to utilize the Azure Application Gateway Resource ID, along with sub-resource to your frontend configuration. For example, if the frontend configuration of the gateway was named _PrivateFrontendIp_, the resource ID would be as follows: _/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/resourceGroups/resourceGroupname/providers/Microsoft.Network/applicationGateways/appgwname/frontendIPConfigurations/PrivateFrontendIp_.

+- Private link configuration for Application Gateway doesn't expose the "Alias" property and must be referenced via resource URI.

+- Private Endpoint creation doesn't create a \*.privatelink DNS record/zone. All DNS records should be entered in existing zones used for your Application Gateway.

+This Bicep file creates a simple setup with a public frontend IP address, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines in the backend pool.

+The application gateway directs application web traffic to specific resources in a backend pool. You assign listeners to ports, create rules, and add resources to a backend pool. For the sake of simplicity, this article uses a simple setup with a public frontend IP address, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines in the backend pool.

+A backend can have NICs, virtual machine scale sets, public IP addresses, internal IP addresses, fully qualified domain names (FQDN), and multi-tenant backends like Azure App Service. In this example, you create two virtual machines to use as backend servers for the application gateway. You also install NGINX on the virtual machines to test the application gateway.

+In this quickstart, you use the Azure portal to create an [Azure Application Gateway](overview.md) and test it to make sure it works correctly. You will assign listeners to ports, create rules, and add resources to a backend pool. For the sake of simplicity, a simple setup is used with a public frontend IP address, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines (VMs) in the backend pool.

+The backend pool is used to route requests to the backend servers that serve the request. Backend pools can be composed of NICs, Virtual Machine Scale Sets, public IP addresses, internal IP addresses, fully qualified domain names (FQDN), and multi-tenant backends like Azure App Service. In this example, you'll create an empty backend pool with your application gateway and then add backend targets to the backend pool.

+The application gateway directs application web traffic to specific resources in a backend pool. You assign listeners to ports, create rules, and add resources to a backend pool. For the sake of simplicity, this article uses a simple setup with a public frontend IP address, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines in the backend pool.

+Now that you have created the Application Gateway, create the backend virtual machines which will host the websites. A backend can be composed of NICs, virtual machine scale sets, public IP address, internal IP address, fully qualified domain names (FQDN), and multi-tenant backends like Azure App Service.

+For the sake of simplicity, this template creates a simple setup with a public frontend IP, a basic listener to host a single site on the application gateway, a basic request routing rule, and two virtual machines in the backend pool.

+If you choose to install and use the PowerShell locally, this tutorial requires the Azure PowerShell module version 1.0.0 or later. To find the version, run `Get-Module -ListAvailable Az` . If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-az-ps). If you're running PowerShell locally, you also need to run `Login-AzAccount` to create a connection with Azure.

+If you choose to install and use the PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. To find the version, run `Get-Module -ListAvailable Az` . If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-az-ps). If you're running PowerShell locally, you also need to run `Login-AzAccount` to create a connection with Azure.

+In this example, we'll modify a redirection URL by rewriting the location header in the HTTP response sent by a backend application.

+Application Gateway allows you to add, remove, or update HTTP request and response headers while the request and response packets move between the client and backend pools.

+> Use of */* to prefix and suffix the pattern should not be specified in the pattern to match value. For example, (\d)(\d) will match two digits. /(\d)(\d)/ won't match two digits.

+> The case of the condition variable needs to match case of the capture variable. For example, if my condition variable is User-Agent, my capture variable must be for User-Agent (i.e. {http_req_User-Agent_2}). If my condition variable is defined as user-agent, my capture variable must be for user-agent (i.e. {http_req_user-agent_2}).

+* There needs to be at least 1 conditional rewrite rule or 1 rewrite rule which doesn't have 'Re-evaluate path map' enabled for path-based routing rules to prevent infinite evaluation loop for a path-based routing rule.

+Application Gateway inserts an X-Forwarded-For header into all requests before it forwards the requests to the backend. This header is a comma-separated list of IP ports. There might be scenarios in which the backend servers only need the headers to contain IP addresses. You can use header rewrite to remove the port information from the X-Forwarded-For header. One way to do this is to set the header to the add_x_forwarded_for_proxy server variable. Alternatively, you can also use the variable client_ip:

+> The limitations and implications of such a configuration are described in [Preserve the original HTTP host name between a reverse proxy and its backend web application](/azure/architecture/best-practices/host-name-preservation). The recommended setup for App Service is to follow the instructions for **"Custom Domain (recommended)"** in [Configure App Service with Application Gateway](configure-web-app.md). Rewriting the location header on the response as described in the below example should be considered a workaround and doesn't address the root cause.

+You might want to remove headers that reveal sensitive information from an HTTP response. For example, you might want to remove information like the backend server name, operating system, or library details. You can use the application gateway to remove these headers:

+Now, if the user requests *contoso.com/listing?category=any*, then it will be matched with the default path since none of the path patterns in the path map (/listing1, /listing2, /listing3) will match. Since you associated the above rewrite set with this path, this rewrite set will be evaluated. As the query string won't match the condition in any of the 3 rewrite rules in this rewrite set, no rewrite action will take place and therefore, the request will be routed unchanged to the backend associated with the default path (which is *GenericList*).

+For a URL rewrite, Application Gateway rewrites the URL before the request is sent to the backend. This won't change what users see in the browser because the changes are hidden from the user.

+For a URL redirect, Application Gateway sends a redirect response to the client with the new URL. That, in turn, requires the client to resend its request to the new URL provided in the redirect. The URL that the user sees in the browser will update to the new URL.

+- If a response has more than one header with the same name, then rewriting the value of one of those headers will result in dropping the other headers in the response. This can usually happen with Set-Cookie header since you can have more than one Set-Cookie header in a response. One such scenario is when you're using an app service with an application gateway and have configured cookie-based session affinity on the application gateway. In this case the response will contain two Set-Cookie headers: one used by the app service, for example: `Set-Cookie: ARRAffinity=ba127f1caf6ac822b2347cc18bba0364d699ca1ad44d20e0ec01ea80cda2a735;Path=/;HttpOnly;Domain=sitename.azurewebsites.net` and another for application gateway affinity, for example, `Set-Cookie: ApplicationGatewayAffinity=c1a2bd51lfd396387f96bl9cc3d2c516; Path=/`. Rewriting one of the Set-Cookie headers in this scenario can result in removing the other Set-Cookie header from the response.

+> Application gateway doesn't provide any capability to create a new certificate or send a certificate request to a certification authority.

+- Wildcard Certificate: This certificate supports any number of subdomains based on *.site.com, where your subdomain would replace the *. It doesnΓÇÖt, however, support site.com, so in case the users are accessing your website without typing the leading "www", the wildcard certificate won't cover that.

+If the certificates of the members in the backend pool aren't signed by well-known CA authorities, then each instance in the backend pool with end to end TLS enabled must be configured with a certificate to allow secure communication. Adding the certificate ensures that the application gateway only communicates with known backend instances. This further secures the end-to-end communication.

+> If a custom probe isn't configured, then Application Gateway sends a default probe in this format - \<protocol\>://127.0.0.1:\<port\>/. For example, for a default HTTPS probe, it will be sent as https://127.0.0.1:443/. Note that, the 127.0.0.1 mentioned here is only used as HTTP host header and as per RFC 6066, won't be used as SNI header. For more information on health probe errors, check the [backend health troubleshooting guide](application-gateway-backend-health-troubleshooting.md).

+Learn how to diagnose and resolve issues you might encounter when Azure App Service is used as a backend target with Azure Application Gateway.

+Configure the IP config, frontend IP config, backend pool, HTTP settings, certificate, port, listener, and rule in an identical format to the existing Standard application gateway. The new SKU follows the same object model as the Standard SKU.

+Configure the IP config, frontend IP config, backend pool, HTTP settings, certificate, port, and listener in an identical format to the existing Standard application gateway. The new SKU follows the same object model as the Standard SKU.

+* **Fixed capacity mode**. In this mode, the application gateway doesn't autoscale and operates at a fixed Scale Unit capacity.

+If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. To find the version, run `Get-Module -ListAvailable Az`. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-az-ps). If you're running PowerShell locally, you also need to run `Login-AzAccount` to create a connection with Azure.

+If you choose to install and use the PowerShell locally, this procedure requires the Azure PowerShell module version 1.0.0 or later. To find the version, run `Get-Module -ListAvailable Az` . If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-az-ps). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+URL Path Based Routing allows you to route traffic to backend server pools based on URL Paths of the request.

+In the following example, Application Gateway is serving traffic for contoso.com from three backend server pools for example: VideoServerPool, ImageServerPool, and DefaultServerPool.

+The urlPathMap element is used to specify Path patterns to backend server pool mappings. The following code example is the snippet of urlPathMap element from template file.

+| [Azure NetApp Files](../azure-netapp-files/use-availability-zones.md) |  |

+The following command upgrades the agent to version 1.8.14:

+az connectedk8s upgrade -g AzureArcTest1 -n AzureArcTest --agent-version 1.8.14

+# Use Azure RBAC for Azure Arc-enabled Kubernetes clusters

+- [Install or upgrade the Azure CLI](/cli/azure/install-azure-cli) to the latest version.

+- Install the latest version of `connectedk8s` Azure CLI extension:

+ - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.

+- [Install](/cli/azure/install-azure-cli) or [update](/cli/azure/update-azure-cli) Azure CLI to the latest version.

+- Install the latest version of the `connectedk8s` Azure CLI extension:

+ - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.

+ - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.

+- [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to the latest version.

+- Install the latest versions of the following Azure CLI extensions:

+ - `connectedk8s`

+ - `k8s-extension`

+ - `customlocation`

+ - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.

+* [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to the latest version.

+* Install the latest version of the `connectedk8s` and `k8s-extension` Azure CLI extensions by running the following commands:

+ * [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.

+* [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to the latest version.

+* Install the latest version of **connectedk8s** Azure CLI extension:

+> [!NOTE]

+>

+> * `--custom-ca-cert` is an alias for `--proxy-cert`. Either parameters can be used interchangeably. Passing both parameters in the same command will honour the one passed last.

+| SUSE Rancher | [Rancher Kubernetes Engine](https://rancher.com/products/rke/) | RKE CLI version: [v1.3.13](https://github.com/rancher/rke/releases/tag/v1.3.13); Kubernetes versions: 1.24.2, 1.23.8 |

+| Nutanix | [Nutanix Kubernetes Engine](https://www.nutanix.com/products/kubernetes-engine) | Version [2.5](https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Kubernetes-Engine-v2_5:Nutanix-Kubernetes-Engine-v2_5); upstream K8s v1.23.11 |

+| Mirantis | [Mirantis Kubernetes Engine](https://www.mirantis.com/software/mirantis-kubernetes-engine/) | MKE Version [3.5.5](https://docs.mirantis.com/mke/3.5/release-notes/3-5-5.html) <br> MKE Version [3.4.7](https://docs.mirantis.com/mke/3.4/release-notes/3-4-7.html) |

+| Guest Notification service | 443 | `https://guestnotificationservice.azure.com` | Appliance VM IP and control plane endpoint need outbound connection. | Used to connect on-premises resources to Azure. |

+| Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, `https://ecpacr.azurecr.io` | Appliance VM IP and control plane endpoint need outbound connection. | Required to pull container images. |

+| Azure Arc for K8s container image download | 443 | `https://azurearcfork8sdev.azurecr.io` | Appliance VM IP and control plane endpoint need outbound connection. | Required to pull container images. |

+Cancellation tokens are supported in .NET functions when running in an isolated process. The following example raises an exception when a cancellation request has been received:

+

+The following example performs clean-up actions if a cancellation request has been received:

+[BlobClient]: /dotnet/api/azure.storage.blobs.blobclient?view=azure-dotnet&preserve-view=true

+* If you have questions, submit an issue to the team [here](https://github.com/Azure/azure-sdk-for-net/issues)

+[map-config-api]: /rest/api/maps/v20220901preview/map-configuration

+[mapConfiguration]: /rest/api/maps/v20220901preview/map-configuration

+For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+ For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+# What is auto-instrumentation for Azure Monitor Application Insights?

+Auto-instrumentation collects [Application Insights](app-insights-overview.md) [telemetry](data-model.md).

+> [!div class="checklist"]

+> - No code changes required

+> - [SDK update](sdk-support-guidance.md) overhead is eliminated

+> - Recommended when available

+The table below displays the current state of auto-instrumentation availability.

+Links are provided to additional information for each supported scenario.

+|Environment/Resource Provider | .NET Framework | .NET Core / .NET | Java | Node.js | Python |

+|-||||-|-|

+|Azure App Service on Windows - Publish as Code | [ :white_check_mark: :link: ](azure-web-apps-net.md) ^[1](#OnBD) | [ :white_check_mark: :link: ](azure-web-apps-net-core.md) ^[1](#OnBD) | [ :white_check_mark: :link: ](azure-web-apps-java.md) | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md) ^[1](#OnBD) | :x: |

+|Azure App Service on Windows - Publish as Docker | [ :white_check_mark: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) ^{[2](#Preview)} | [ :white_check_mark: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) ^{[2](#Preview)} | [ :white_check_mark: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) ^{[2](#Preview)} | :x: | :x: |

+|Azure App Service on Linux | :x: | [ :white_check_mark: :link: ](azure-web-apps-net-core.md?tabs=linux) ^{[2](#Preview)} | [ :white_check_mark: :link: ](azure-web-apps-java.md) | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | :x: |

+|Azure Functions - basic | [ :white_check_mark: :link: ](monitor-functions.md) ^[1](#OnBD) | [ :white_check_mark: :link: ](monitor-functions.md) ^[1](#OnBD) | [ :white_check_mark: :link: ](monitor-functions.md) ^[1](#OnBD) | [ :white_check_mark: :link: ](monitor-functions.md) ^[1](#OnBD) | [ :white_check_mark: :link: ](monitor-functions.md) ^[1](#OnBD) |

+|Azure Functions - dependencies | :x: | :x: | [ :white_check_mark: :link: ](monitor-functions.md) ^{[2](#Preview)} | :x: | [ :white_check_mark: :link: ](monitor-functions.md#distributed-tracing-for-python-function-apps) |

+|Azure Spring Cloud | :x: | :x: | [ :white_check_mark: :link: ](azure-web-apps-java.md) | :x: | :x: |

+|Azure Kubernetes Service (AKS) | :x: | :x: | [ :white_check_mark: :link: ](java-in-process-agent.md) | :x: | :x: |

+|Azure VMs Windows | [ :white_check_mark: :link: ](azure-vm-vmss-apps.md) ^{[2](#Preview)} ^[3](#Agent) | [ :white_check_mark: :link: ](azure-vm-vmss-apps.md) ^{[2](#Preview)} ^[3](#Agent) | [ :white_check_mark: :link: ](java-in-process-agent.md) | :x: | :x: |

+|On-premises VMs Windows | [ :white_check_mark: :link: ](status-monitor-v2-overview.md) ^[3](#Agent) | [ :white_check_mark: :link: ](status-monitor-v2-overview.md) ^{[2](#Preview)} ^[3](#Agent) | [ :white_check_mark: :link: ](java-in-process-agent.md) | :x: | :x: |

+|Standalone agent - any environment | :x: | :x: | [ :white_check_mark: :link: ](java-in-process-agent.md) | :x: | :x: |

+**Footnotes**

+- <a name="OnBD">1</a>: Application Insights is on by default and enabled automatically.

+- <a name="Preview">2</a>: This feature is in public preview. [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)

+- <a name="Agent">3</a>: An agent must be deployed and configured.

+> [!NOTE]

+> Auto-instrumentation was known as "codeless attach" before October 2021.

+* [Application Insights Overview](app-insights-overview.md)

+* [Application Insights Overview dashboard](overview-dashboard.md)

+* [Application map](app-map.md)

+For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+> [!NOTE]

+> On 30 September 2025, API keys used to stream live metrics telemetry into application insights will be retired. After that date, applications which use API keys will no longer be able to send live metrics data to your application insights resource. Authenticated telemetry ingestion for live metrics streaming to application insights will need to be done with [Azure AD authentication for application insights](./azure-ad-authentication.md).

+For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+For a complete list of supported auto-instrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+ * **Availability zone**

+ This option lets you deploy the new volume in the logical availability zone that you specify. Select an availability zone where Azure NetApp Files resources are present. For details, see [Manage availability zone volume placement](manage-availability-zone-volume-placement.md).

+* [Manage availability zone volume placement for Azure NetApp Files](manage-availability-zone-volume-placement.md)

+ * **Availability zone**

+ This option lets you deploy the new volume in the logical availability zone that you specify. Select an availability zone where Azure NetApp Files resources are present. For details, see [Manage availability zone volume placement](manage-availability-zone-volume-placement.md).

+* [Manage availability zone volume placement for Azure NetApp Files](manage-availability-zone-volume-placement.md)

+ :::image type="content" source="../media/azure-netapp-files/backup-navigate.png" alt-text="Screenshot that shows how to navigate to Backups option." lightbox="../media/azure-netapp-files/backup-navigate.png":::

+ :::image type="content" source="../media/azure-netapp-files/backup-policy-window-daily.png" alt-text="Screenshot that shows the Backup Policy window." lightbox="../media/azure-netapp-files/backup-policy-window-daily.png":::

+

+ :::image type="content" source="../media/azure-netapp-files/backup-policy-snapshot-policy-option.png" alt-text="Screenshot that shows the Backup Policy window with Snapshot Policy selected." lightbox="../media/azure-netapp-files/backup-policy-snapshot-policy-option.png":::

+ :::image type="content" source="../media/azure-netapp-files/backup-configure-window.png" alt-text="Screenshot that shows Configure Backups window." lightbox="../media/azure-netapp-files/backup-configure-window.png":::

+* Dual-protocol volumes support both Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (AADDS).

+ * **Availability zone**

+ This option lets you deploy the new volume in the logical availability zone that you specify. Select an availability zone where Azure NetApp Files resources are present. For details, see [Manage availability zone volume placement](manage-availability-zone-volume-placement.md).

+* [Manage availability zone volume placement for Azure NetApp Files](manage-availability-zone-volume-placement.md)

+ Title: Manage availability zone volume placement for Azure NetApp Files | Microsoft Docs

+description: Describes how to create a volume with an availability zone by using Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Manage availability zone volume placement for Azure NetApp Files

+Azure NetApp Files lets you deploy new volumes in the logical availability zone of your choice. To better understand availability zones, refer to [Using availability zones for high availability](use-availability-zones.md).

+## Requirements and considerations

+* The availability zone volume placement feature is supported only on newly created volumes. It is not currently supported on existing volumes.

+* This feature does not guarantee free capacity in the availability zone. For example, even if you can deploy a VM in availability zone 3 of the East US region, it doesnΓÇÖt guarantee free Azure NetApp Files capacity in that zone. If no sufficient capacity is available, volume creation will fail.

+* After a volume is created with an availability zone, the specified availability zone canΓÇÖt be modified. Volumes canΓÇÖt be moved between availability zones.

+* NetApp accounts and capacity pools are not bound by the availability zone. A capacity pool can contain volumes in different availability zones.

+* This feature provides zonal volume placement, with latency within the zonal latency envelopes. It does not provide proximity placement towards compute. As such, it doesnΓÇÖt provide lowest latency guarantee.

+* Each data center is assigned to a physical zone. Physical zones are mapped to logical zones in your Azure subscription. Azure subscriptions are automatically assigned this mapping at the time a subscription is created. This feature aligns with the generic logical-to-physical availability zone mapping for the subscription.

+* VMs and Azure NetApp Files volumes are to be deployed separately, within the same logical availability zone to create zone alignment between VMs and Azure NetApp Files. The availability zone volume placement feature does not create zonal VMs upon volume creation, or vice versa.

+## Register the feature

+The feature of availability zone volume placement is currently in preview. If you are using this feature for the first time, you need to register the feature first.

+1. Register the feature:

+ ```azurepowershell-interactive

+ Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFAvailabilityZone

+ ```

+2. Check the status of the feature registration:

+ ```azurepowershell-interactive

+ Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFAvailabilityZone

+ ```

+ > [!NOTE]

+ > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to `Registered`. Wait until the status is **Registered** before continuing.

+You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.

+## Create a volume with an availability zone

+1. Select **Volumes** from your capacity pool. Then select **+ Add volume** to create a volume.

+ For details about volume creation, see:

+ * [Create an NFS volume](azure-netapp-files-create-volumes.md)

+ * [Create an SMB volume](azure-netapp-files-create-volumes-smb.md)

+ * [Create a dual-protocol volume](create-volumes-dual-protocol.md)

+2. In the **Create a Volume** page, under the **Basic** tab, select the **Availability Zone** pulldown to specify an availability zone where Azure NetApp Files resources are present.

+ > [!IMPORTANT]

+ > Logical availability zones for the subscription without Azure NetApp Files presence are marked `(Unavailable)` and are greyed out.

+ [  ](../media/azure-netapp-files/availability-zone-menu-drop-down.png#lightbox)

+

+3. Follow the UI to create the volume. The **Review + Create** page shows the selected availability zone you specified.

+ [  ](../media/azure-netapp-files/availability-zone-display-down.png#lightbox)

+

+4. After you create the volume, the **Volume Overview** page includes availability zone information for the volume.

+ [  ](../media/azure-netapp-files/availability-zone-volume-overview.png#lightbox)

+> [!IMPORTANT]

+> Once the volume is created using the availability zone volume placement feature, the volume has the same level of support as other volumes deployed in the subscription without this feature enabled. For example, if there is an issue with backup and restore on the volume, it will be supported because the problem is not with the availability zone volume placement feature itself.

+## Next steps

+* [Use availability zones for high availability](use-availability-zones.md)

+* [Create an NFS volume for Azure NetApp Files](azure-netapp-files-create-volumes.md)

+* [Create an SMB volume for Azure NetApp Files](azure-netapp-files-create-volumes-smb.md)

+* [Create a dual-protocol volume for Azure NetApp Files](create-volumes-dual-protocol.md)

+ Title: Use availability zones for high availability in Azure NetApp Files | Microsoft Docs

+description: Azure availability zones are highly available, fault tolerant, and more scalable than traditional single or multiple data center infrastructures.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Use availability zones for high availability in Azure NetApp Files

+Azure [availability zones](../availability-zones/az-overview.md#availability-zones) are physically separate locations within each supporting Azure region that are tolerant to local failures. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved because of redundancy and logical isolation of Azure services. To ensure resiliency, a minimum of three separate availability zones are present in all availability zone-enabled regions.

+>[!IMPORTANT]

+> Availability zones are referred to as _logical zones_. Each data center is assigned to a physical zone. Physical zones are mapped to logical zones in your Azure subscription, and the mapping will be different with different subscriptions. Azure subscriptions are automatically assigned this mapping when a subscription is created. Azure NetApp Files aligns with the generic logical-to-physical availability zone mapping for all Azure services for the subscription.

+Azure availability zones are highly available, fault tolerant, and more scalable than traditional single or multiple data center infrastructures. Azure availability zones let you design and operate applications and databases that automatically transition between zones without interruption. You can design resilient solutions by using Azure services that use availability zones.

+The use of high availability (HA) architectures with availability zones are now a default and best practice recommendation inΓÇ»[AzureΓÇÖs Well-Architected Framework](/architecture/framework/resiliency/app-design#use-availability-zones-within-a-region). Enterprise applications and resources are increasingly deployed into multiple availability zones to achieve this level of high availability (HA) or failure domain (zone) isolation.

+Azure NetApp Files lets you deploy volumes in availability zones. The Azure NetApp Files [availability zone volume placement](manage-availability-zone-volume-placement.md) feature lets you deploy volumes in the logical availability zone of your choice, in alignment with Azure compute and other services in the same zone.

+Azure NetApp Files deployments will occur in the availability of zone of choice if the Azure NetApp Files is present in that availability zone and if it has sufficient capacity. All VMs within the region in (peered) VNets can access all Azure NetApp Files resources.

+>[!IMPORTANT]

+>Azure NetApp Files availability zone volume placement provides zonal placement. It doesn't provide proximity placement towards compute. As such, it doesnΓÇÖt provide lowest latency guarantee. VM-to-storage latencies are within the availability zone latency envelopes.

+You can co-locate your compute, storage, networking, and data resources across an availability zone, and replicate this arrangement in other availability zones. Many applications are built for HA across multiple availability zones using application-based replication and failover technologies, like [SQL Server Always-On Availability Groups (AOAG)](/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server), [SAP HANA with HANA System Replication (HSR)](../virtual-machines/workloads/sap/sap-hana-high-availability-netapp-files-suse.md), and [Oracle with Data Guard](../virtual-machines/workloads/oracle/oracle-reference-architecture.md#high-availability-for-oracle-databases).

+Latency is subject to availability zone latency for within availability zone access and the regional latency envelope for cross-availability zone access.

+## Azure regions with availability zones

+For a list of regions that that currently support availability zones, refer to [Azure regions with availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones).

+## Next steps

+* [Manage availability zone volume placement](manage-availability-zone-volume-placement.md)

+* [Availability zone volume placement](manage-availability-zone-volume-placement.md) (Preview)

+ Azure availability zones are highly available, fault tolerant, and more scalable than traditional single or multiple data center infrastructures. Using Azure availability zones lets you design and operate applications and databases that automatically transition between zones without interruption. Azure NetApp Files lets you deploy new volumes in the logical availability zone of your choice to support enterprise, mission-critical HA deployments across multiple AZs. AzureΓÇÖs push towards the use of [availability zones (AZs)](../availability-zones/az-overview.md#availability-zones) has increased, and the use of high availability (HA) deployments with availability zones are now a default and best practice recommendation in AzureΓÇÖs [Well Architected Framework](/architecture/framework/resiliency/design-best-practices#use-zone-aware-services).

+* Settings

+* componentPolicyStates

+* deploymentStacks

+* snapshots

+* contentPackages

+* contentTemplates

+* galleries/serviceArtifacts

+* loadBalancers - By default, limited to 800 instances. That limit can be increased by [registering the following features](preview-features.md) - Microsoft.Resources/ARMDisableResourcesPerRGLimit

+* securityConnectors

+> | farmBeats / solutions | No | No |

+> | farmBeatsSolutionDefinitions | No | No |

+> | automationAccounts / runtimes | Yes | Yes |

+> | registeredSubscriptions | No | No |

+> | billingAccounts / invoices / summary | No | No |

+> | billingAccounts / reservationOrders | No | No |

+> | billingAccounts / reservationOrders / reservations | No | No |

+> | galleries / serviceArtifacts | Yes | Yes |

+> | ManagedCCF | Yes | Yes |

+> | ispCustomers | Yes | Yes |

+> | ispCustomers / ispCacheNodes | Yes | Yes |

+> | clusters | Yes | Yes |

+> | datastores | Yes | Yes |

+> | hosts | Yes | Yes |

+> | resourcepools | Yes | Yes |

+> | vcenters / inventoryitems | No | No |

+> | virtualmachines | Yes | Yes |

+> | virtualmachines / extensions | Yes | Yes |

+> | virtualmachines / guestagents | No | No |

+> | virtualmachines / hybrididentitymetadata | No | No |

+> | virtualmachinetemplates | Yes | Yes |

+> | virtualnetworks | Yes | Yes |

+> | jobs / eventGridFilters | No | No |

+> | namespaces | Yes | Yes |

+## Microsoft.Graph

+> [!div class="mx-tableFixed"]

+> | Resource type | Supports tags | Tag in cost report |

+> | - | -- | -- |

+> | AzureADApplication | Yes | Yes |

+> | AzureADApplicationPrototype | Yes | Yes |

+> | registeredSubscriptions | No | No |

+> | workspaces / analyticsconnectors | Yes | Yes |

+> | instances / chambers / fileRequests | No | No |

+> | instances / chambers / files | No | No |

+> | provisionedClusters / upgradeProfiles | No | No |

+> | networkFunctions / components | No | No |

+> | actiongroups / networkSecurityPerimeterAssociationProxies | No | No |

+> | actiongroups / networkSecurityPerimeterConfigurations | No | No |

+> | scheduledqueryrules / networkSecurityPerimeterAssociationProxies | No | No |

+> | scheduledqueryrules / networkSecurityPerimeterConfigurations | No | No |

+> | loadtests / outboundNetworkDependenciesEndpoints | No | No |

+> | registeredSubscriptions | No | No |

+> | registries / codes | No | No |

+> | registries / codes / versions | No | No |

+> | registries / components | No | No |

+> | registries / components / versions | No | No |

+> | registries / environments | No | No |

+> | registries / environments / versions | No | No |

+> | registries / models | No | No |

+> | registries / models / versions | No | No |

+> | mediaservices / assets / tracks | No | No |

+> | clusters / admissions | No | No |

+> | pkis | Yes | Yes |

+> | pkis / certificateAuthorities | No | No |

+> | pkis / enrollmentPolicies | Yes | Yes |

+> | componentPolicyStates | No | No |

+> | telemetryconfig | No | No |

+> | snapshots | No | No |

+> | validateResources | No | No |

+> | azureDevOpsConnectors / repos | No | No |

+> | azureDevOpsConnectors / stats | No | No |

+> | gitHubConnectors / repos | No | No |

+> | gitHubConnectors / stats | No | No |

+> | contentPackages | No | No |

+> | contentTemplates | No | No |

+> | clusters / applications / services | No | No |

+> | clusters / applicationTypes | No | No |

+> | clusters / applicationTypes / versions | No | No |

+> | testBaseAccounts / firstPartyApps | No | No |

+> | imageTemplates / triggers | No | No |

+> | farmBeats / solutions | No |

+> | farmBeatsSolutionDefinitions | No |

+> | automationAccounts / runtimes | Yes |

+> | registeredSubscriptions | No |

+> | billingAccounts / invoices / summary | No |

+> | billingAccounts / reservationOrders | No |

+> | billingAccounts / reservationOrders / reservations | No |

+> | galleries / serviceArtifacts | Yes |

+> | ManagedCCF | Yes |

+> | ispCustomers | Yes |

+> | ispCustomers / ispCacheNodes | Yes |

+> | clusters | Yes |

+> | datastores | Yes |

+> | hosts | Yes |

+> | resourcepools | Yes |

+> | vcenters / inventoryitems | No |

+> | virtualmachines | Yes |

+> | virtualmachines / extensions | Yes |

+> | virtualmachines / guestagents | No |

+> | virtualmachines / hybrididentitymetadata | No |

+> | virtualmachinetemplates | Yes |

+> | virtualnetworks | Yes |

+> | jobs / eventGridFilters | No |

+> | namespaces | Yes |

+## Microsoft.Graph

+> [!div class="mx-tableFixed"]

+> | Resource type | Complete mode deletion |

+> | - | -- |

+> | AzureADApplication | Yes |

+> | AzureADApplicationPrototype | Yes |

+> | registeredSubscriptions | No |

+> | workspaces / analyticsconnectors | Yes |

+> | instances / chambers / fileRequests | No |

+> | instances / chambers / files | No |

+> | provisionedClusters / upgradeProfiles | No |

+> | networkFunctions / components | No |

+> | actiongroups / networkSecurityPerimeterAssociationProxies | No |

+> | actiongroups / networkSecurityPerimeterConfigurations | No |

+> | scheduledqueryrules / networkSecurityPerimeterAssociationProxies | No |

+> | scheduledqueryrules / networkSecurityPerimeterConfigurations | No |

+> | loadtests / outboundNetworkDependenciesEndpoints | No |

+> | registeredSubscriptions | No |

+> | registries / codes | No |

+> | registries / codes / versions | No |

+> | registries / components | No |

+> | registries / components / versions | No |

+> | registries / environments | No |

+> | registries / environments / versions | No |

+> | registries / models | No |

+> | registries / models / versions | No |

+> | mediaservices / assets / tracks | No |

+> | clusters / admissions | No |

+> | pkis | Yes |

+> | pkis / certificateAuthorities | No |

+> | pkis / enrollmentPolicies | Yes |

+> | componentPolicyStates | No |

+> | telemetryconfig | No |

+> | snapshots | No |

+> | validateResources | No |

+> | azureDevOpsConnectors / repos | No |

+> | azureDevOpsConnectors / stats | No |

+> | gitHubConnectors / repos | No |

+> | gitHubConnectors / stats | No |

+> | contentPackages | No |

+> | contentTemplates | No |

+> | clusters / applications / services | No |

+> | clusters / applicationTypes | No |

+> | clusters / applicationTypes / versions | No |

+> | testBaseAccounts / firstPartyApps | No |

+> | imageTemplates / triggers | No |

+- Once you [set up](video-indexer-get-started.md), start using [insights](video-indexer-output-json-v2.md) and check out other **How to guides**.

+ Title: Azure Video Indexer insights overview

+description: This article gives a brief overview of Azure Video Indexer insights.

+# Azure Video Indexer insights

+Insights contain an aggregated view of the data: faces, topics, emotions. Azure Video Indexer analyzes the video and audio content by running 30+ AI models, generating rich insights. For more information about available models, see [overview](video-indexer-overview.md).

+The [Azure Video Indexer](https://www.videoindexer.ai/) website enables you to use your video's deep insights to: find the right media content, locate the parts that youΓÇÖre interested in, and use the results to create an entirely new project. Once created, the project can be rendered and downloaded from Azure Video Indexer and be used in your own editing applications or downstream workflows. For more information, see [Use editor to create projects](use-editor-create-project.md).

+Once you are [set up](video-indexer-get-started.md) with Azure Video Indexer, start using [insights](video-indexer-output-json-v2.md) and check out other **How to guides**.

+## Start using insights

+For more details, see [Upload and index videos](upload-index-videos.md) and check out other **How to guides**.

+* For the API integration, seeΓÇ»[Use Azure Video Indexer REST API](video-indexer-use-apis.md).

+* Check out our [introduction lab](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/IntroToVideoIndexer.md).

+Once you set up, start using [insights](video-indexer-output-json-v2.md) and check out other **How to guides**.

+### UserErrorUnableToOpenMount

+**Error code**: UserErrorUnableToOpenMount

+**Cause**: Backups failed because the backup extensions on the VM were unable to open the mount points in the VM.

+**Recommended action**: The backup extension on the VM must be able to access all mount points in the VM to determine the underlying disks, take snapshot, and calculate the size. Ensure that all mount points are accessible.

+The [GetTranscriptionFiles](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetTranscriptionFiles) operation returns a list of result files for a transcription. A [transcription report](#transcription-report-file) file is provided for each submitted batch transcription job. In addition, one [transcription](#transcription-result-file) file (the end result) is provided for each successfully transcribed audio file.

+- [Create a batch transcription](batch-transcription-create.md)

+- Support for [Urbetter DDK](https://urbetters.com/collections).

+If you will train a custom model with audio data, choose a Speech resource region with dedicated hardware for training audio data. See footnotes in the [regions](regions.md#speech-service) table for more information. In regions with dedicated hardware for Custom Speech training, the Speech service will use up to 20 hours of your audio training data, and can process about 10 hours of data per day. In other regions, the Speech service uses up to 8 hours of your audio data, and can process about 1 hour of data per day. After the model is trained, you can copy the model to another region as needed with the [CopyModelToSubscriptionToSubscription](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription) REST API.

+To copy a model to another Speech resource, use the [CopyModelToSubscriptionToSubscription](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription) operation of the [Speech-to-text REST API](rest-speech-to-text.md). Construct the request body according to the following instructions:

+Make an HTTP PATCH request using the URI as shown in the following example. Use the URI of the new model. You can get the new model ID from the `self` property of the [CopyModelToSubscriptionToSubscription](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription) response body. Replace `YourSubscriptionKey` with your Speech resource key, replace `YourServiceRegion` with your Speech resource region, and set the request body properties as previously described.

+2. Run the [CopyModelToSubscriptionToSubscription](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription) operation to replicate the custom model to all prepared regions (Secondary).

+During an outage, Speaker Recognition service will automatically fail over to a paired region and use the backed-up data to continue processing requests until the main region is back online.

+|Count of utterances per project | 1 | 25,000|

+> [!NOTE]

+> Entity resolution responses are only supported starting from **_api-version=2022-10-01-preview_** and **_"modelVersion": "2022-10-01-preview"_**.

+> * The language support below is for model version `2022-10-01-preview`.

+|Language |Language code|Supports resolution|Notes |

+||-|--||

+|Arabic |`ar` | | |

+|Chinese-Simplified |`zh-hans` |Γ£ô |`zh` also accepted|

+|Chinese-Traditional |`zh-hant` | | |

+|Czech |`cs` | | |

+|Danish |`da` | | |

+|Dutch |`nl` |Γ£ô | |

+|English |`en` |Γ£ô | |

+|Finnish |`fi` | | |

+|French |`fr` |Γ£ô | |

+|German |`de` |Γ£ô | |

+|Hebrew |`he` | | |

+|Hindi |`hi` |Γ£ô | |

+|Hungarian |`hu` | | |

+|Italian |`it` |Γ£ô | |

+|Japanese |`ja` |Γ£ô | |

+|Korean |`ko` | | |

+|Norwegian (Bokmål) |`no` | |`nb` also accepted|

+|Polish |`pl` | | |

+|Portuguese (Brazil) |`pt-BR` |Γ£ô | |

+|Portuguese (Portugal)|`pt-PT` | |`pt` also accepted|

+|Russian |`ru` | | |

+|Spanish |`es` |Γ£ô | |

+|Swedish |`sv` | | |

+|Turkish |`tr` |Γ£ô | |

+|NumberType| The type of number, the SMS message is being sent from. It can be either **LongCodeNumber** or **ShortCodeNumber** |

+flow above (and much more). See, for example, the [Python client library](https://pypi.org/project/azure-confidentialledger/) and [.NET client library](/dotnet/api/azure.security.confidentialledger).

+- An **Application ID** (also known as the Azure Active Directory Client ID or appID)

+- [Authenticating Azure confidential ledger nodes](authenticate-ledger-nodes.md)

+[API reference documentation](/dotnet/api/overview/azure/security.confidentialledger-readme) | [Library source code](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/confidentialledger/Azure.Security.ConfidentialLedger) | [Package (NuGet)](https://www.nuget.org/packages/Azure.Security.ConfidentialLedger/1.0.0)

+The Azure confidential ledger client library for .NET allows you to create an immutable ledger entry in the service. The [Code examples](#code-examples) section shows how to create a write to the ledger and retrieve the transaction ID.

+* Role-based access control assignments. These will need to be re-assigned.

+1. Enable the Azure Cosmos DB service endpoint on the virtual network and subnet using the step shown in the [Enable the service endpoint for an existing subnet of a virtual network](#configure-using-powershell) section of this article.

+### Why is a new database *__datatransferstate* created in the account when I run container copy jobs? Am I being charged for this database?

+* *__datatransferstate* is a database that is created while running container copy jobs. This database is used by the platform to store the state and progress of the copy job.

+* Deleting this database will remove the container copy job history from the account. It can be safely deleted once all the jobs in the account have completed, if you no longer need the job history. The platform will not clean up the *__datatransferstate* database automatically.

+As a work-around, create a database called *__datatransferstate* manually within the account and try creating the container copy job again.

+| Ports: `-p` | | Currently, only ports `8081` and `10250-10255` are needed by the emulator endpoint. |

+- Verify that no other applications are using emulator ports: `8081` and `10250-10255`.

+- Verify that the container port `8081`, is mapped correctly and accessible from an environment outside of the container.

+- Post feedback on our [Azure Cosmos DB Q&A forums](/answers/topics/azure-cosmos-db.html).

+In this step, you'll assign a role to the function app's system-assigned managed identity. Azure Cosmos DB has multiple built-in roles that you can assign to the managed identity for control-plane access. For data-plane access, you'll create a new custom role with acess to read metadata.

+> For more information about the importance of least privilege access, see the [Lower exposure of privileged accounts](../security/fundamentals/identity-management-best-practices.md#lower-exposure-of-privileged-accounts) article.

+We now have a function app that has a system-assigned managed identity with the custom role. The following function app will query the Azure Cosmos DB account for a list of databases.

+ * **Mongoose**: ```npm install mongoose@5.13.15 --save```

+ > [!IMPORTANT]

+ > The Mongoose example connection below is based on Mongoose 5+, which has changed since earlier versions. Azure Cosmos DB for MongoDB is compatible with up to version `5.13.15` of Mongoose. For more information, please see the [issue discussion](https://github.com/Automattic/mongoose/issues/11072) in the Mongoose GitHub repository.

+ * **Dotenv** *(if you'd like to load your secrets from an .env file)*: ```npm install dotenv --save```

+ npm install mongoose@5.13.15 --save

+ > [!IMPORTANT]

+ > Azure Cosmos DB for MongoDB is compatible with up to version `5.13.15` of Mongoose. For more information, please see the [issue discussion](https://github.com/Automattic/mongoose/issues/11072) in the Mongoose GitHub repository.

+* For a reference of the log and metric data, see [monitoring Azure Cosmos DB data reference](monitor-reference.md#resource-logs).

+> [!IMPORTANT]

+> Setting `EnableContentResponseOnWrite` to `false` will also disable the response from a trigger operation.

+These samples show how to set up a container with a custom conflict resolution policy. This policy uses the logic in a stored procedure to resolve the conflict. If a stored procedure is designated to resolve conflicts, conflicts won't show up in the conflict feed unless there's an error in the designated stored procedure.

+After the policy is created with the container, you need to create the stored procedure. The .NET SDK sample below shows an example of this workflow. This policy is supported in the API for NoSQL only.

+These samples show how to set up a container with a custom conflict resolution policy. With this implementation, each conflict will show up in the conflict feed. It's up to you to handle the conflicts individually from the conflict feed.

+These samples show how to read from a container's conflict feed. Conflicts may show up in the conflict feed only for a couple of reasons:

+- The conflict was not resolved automatically

+- The conflict caused an error with the designated stored procedure

+- The conflict resolution policy is set to **custom** and does not designate a stored procedure to handle conflicts

+In the .NET SDK and Java SDK you can optionally use continuation tokens as a bookmark for your query's progress. Azure Cosmos DB query executions are stateless at the server side and can be resumed at any time using the continuation token. For the Python SDK, continuation tokens are only supported for single partition queries. The partition key must be specified in the options object because it's not sufficient to have it in the query itself.

+ payload @> '{"ref":"refs/heads/master"}'

+> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

+> | [citus](https://github.com/citusdata/citus) | Citus distributed database. | 9.5.11 | 10.0.7 | 10.2.6 | 11.0.4 | 11.1.3 |

+> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

+> | [citext](https://www.postgresql.org/docs/current/static/citext.html) | Provides a case-insensitive character string type. | 1.5 | 1.6 | 1.6 | 1.6 | 1.6 |

+> | [cube](https://www.postgresql.org/docs/current/static/cube.html) | Provides a data type for multidimensional cubes. | 1.4 | 1.4 | 1.4 | 1.5 | 1.5 |

+> | [hll](https://github.com/citusdata/postgresql-hll) | Provides a HyperLogLog data structure. | 2.16 | 2.16 | 2.16 | 2.16 | 2.16 |

+> | [hstore](https://www.postgresql.org/docs/current/static/hstore.html) | Provides a data type for storing sets of key-value pairs. | 1.5 | 1.6 | 1.7 | 1.8 | 1.8 |

+> | [isn](https://www.postgresql.org/docs/current/static/isn.html) | Provides data types for international product numbering standards. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

+> | [lo](https://www.postgresql.org/docs/current/lo.html) | Large Object maintenance. | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

+> | [ltree](https://www.postgresql.org/docs/current/static/ltree.html) | Provides a data type for hierarchical tree-like structures. | 1.1 | 1.1 | 1.2 | 1.2 | 1.2 |

+> | [seg](https://www.postgresql.org/docs/current/seg.html) | Data type for representing line segments or floating-point intervals. | 1.3 | 1.3 | 1.3 | 1.4 | 1.4 |

+> | [tdigest](https://github.com/tvondra/tdigest) | Data type for on-line accumulation of rank-based statistics such as quantiles and trimmed means. | 1.2.0 | 1.2.0 | 1.2.0 | 1.4.0 | 1.4.0 |

+> | [topn](https://github.com/citusdata/postgresql-topn/) | Type for top-n JSONB. | 2.4.0 | 2.4.0 | 2.4.0 | 2.4.0 | 2.5.0 |

+> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

+> | [dict\_int](https://www.postgresql.org/docs/current/static/dict-int.html) | Provides a text search dictionary template for integers. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [dict\_xsyn](https://www.postgresql.org/docs/current/dict-xsyn.html) | Text search dictionary template for extended synonym processing. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [unaccent](https://www.postgresql.org/docs/current/static/unaccent.html) | A text search dictionary that removes accents (diacritic signs) from lexemes. | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

+> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

+> | [autoinc](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.7) | Functions for autoincrementing fields. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [earthdistance](https://www.postgresql.org/docs/current/static/earthdistance.html) | Provides a means to calculate great-circle distances on the surface of the Earth. | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

+> | [fuzzystrmatch](https://www.postgresql.org/docs/current/static/fuzzystrmatch.html) | Provides several functions to determine similarities and distance between strings. | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

+> | [insert\_username](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.8) | Functions for tracking who changed a table. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [intagg](https://www.postgresql.org/docs/current/intagg.html) | Integer aggregator and enumerator (obsolete). | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

+> | [intarray](https://www.postgresql.org/docs/current/static/intarray.html) | Provides functions and operators for manipulating null-free arrays of integers. | 1.2 | 1.2 | 1.3 | 1.5 | 1.5 |

+> | [moddatetime](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.9) | Functions for tracking last modification time. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [pg\_partman](https://pgxn.org/dist/pg_partman/doc/pg_partman.html) | Manages partitioned tables by time or ID. | 4.6.0 | 4.6.0 | 4.6.0 | 4.6.2 | 4.7.0 |

+> | [pg\_surgery](https://www.postgresql.org/docs/current/pgsurgery.html) | Functions to perform surgery on a damaged relation. | | | | 1.0 | 1.0 |

+> | [pg\_trgm](https://www.postgresql.org/docs/current/static/pgtrgm.html) | Provides functions and operators for determining the similarity of alphanumeric text based on trigram matching. | 1.4 | 1.4 | 1.5 | 1.6 | 1.6 |

+> | [pgcrypto](https://www.postgresql.org/docs/current/static/pgcrypto.html) | Provides cryptographic functions. | 1.3 | 1.3 | 1.3 | 1.3 | 1.3 |

+> | [refint](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.5) | Functions for implementing referential integrity (obsolete). | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [tablefunc](https://www.postgresql.org/docs/current/static/tablefunc.html) | Provides functions that manipulate whole tables, including crosstab. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [tcn](https://www.postgresql.org/docs/current/tcn.html) | Triggered change notifications. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [timetravel](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.6) | Functions for implementing time travel. | 1.0 | | | | |

+> | [uuid-ossp](https://www.postgresql.org/docs/current/static/uuid-ossp.html) | Generates universally unique identifiers (UUIDs). | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

+> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

+> | [bloom](https://www.postgresql.org/docs/current/bloom.html) | Bloom access method - signature file-based index. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [btree\_gin](https://www.postgresql.org/docs/current/static/btree-gin.html) | Provides sample GIN operator classes that implement B-tree-like behavior for certain data types. | 1.3 | 1.3 | 1.3 | 1.3 | 1.3 |

+> | [btree\_gist](https://www.postgresql.org/docs/current/static/btree-gist.html) | Provides GiST index operator classes that implement B-tree. | 1.5 | 1.5 | 1.5 | 1.6 | 1.7 |

+> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

+> | [plpgsql](https://www.postgresql.org/docs/current/static/plpgsql.html) | PL/pgSQL loadable procedural language. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

+> | [amcheck](https://www.postgresql.org/docs/current/amcheck.html) | Functions for verifying relation integrity. | 1.1 | 1.2 | 1.2 | 1.3 | 1.3 |

+> | [dblink](https://www.postgresql.org/docs/current/dblink.html) | A module that supports connections to other PostgreSQL databases from within a database session. See the "dblink and postgres_fdw" section for information about this extension. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

+> | [old\_snapshot](https://www.postgresql.org/docs/current/oldsnapshot.html) | Allows inspection of the server state that is used to implement old_snapshot_threshold. | | | | 1.0 | 1.0 |

+> | [pageinspect](https://www.postgresql.org/docs/current/pageinspect.html) | Inspect the contents of database pages at a low level. | 1.7 | 1.7 | 1.8 | 1.9 | 1.10 |

+> | [pg\_buffercache](https://www.postgresql.org/docs/current/static/pgbuffercache.html) | Provides a means for examining what's happening in the shared buffer cache in real time. | 1.3 | 1.3 | 1.3 | 1.3 | 1.3 |

+> | [pg\_cron](https://github.com/citusdata/pg_cron) | Job scheduler for PostgreSQL. | 1.4 | 1.4 | 1.4 | 1.4 | 1.4 |

+> | [pg\_freespacemap](https://www.postgresql.org/docs/current/pgfreespacemap.html) | Examine the free space map (FSM). | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

+> | [pg\_prewarm](https://www.postgresql.org/docs/current/static/pgprewarm.html) | Provides a way to load relation data into the buffer cache. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

+> | [pg\_stat\_statements](https://www.postgresql.org/docs/current/static/pgstatstatements.html) | Provides a means for tracking execution statistics of all SQL statements executed by a server. See the "pg_stat_statements" section for information about this extension. | 1.6 | 1.7 | 1.8 | 1.9 | 1.10 |

+> | [pg\_visibility](https://www.postgresql.org/docs/current/pgvisibility.html) | Examine the visibility map (VM) and page-level visibility information. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

+> | [pgrowlocks](https://www.postgresql.org/docs/current/static/pgrowlocks.html) | Provides a means for showing row-level locking information. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

+> | [pgstattuple](https://www.postgresql.org/docs/current/static/pgstattuple.html) | Provides a means for showing tuple-level statistics. | 1.5 | 1.5 | 1.5 | 1.5 | 1.5 |

+> | [postgres\_fdw](https://www.postgresql.org/docs/current/static/postgres-fdw.html) | Foreign-data wrapper used to access data stored in external PostgreSQL servers. See the "dblink and postgres_fdw" section for information about this extension.| 1.0 | 1.0 | 1.0 | 1.1 | 1.1 |

+> | [sslinfo](https://www.postgresql.org/docs/current/sslinfo.html) | Information about TLS/SSL certificates. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

+> | [tsm\_system\_rows](https://www.postgresql.org/docs/current/tsm-system-rows.html) | TABLESAMPLE method, which accepts number of rows as a limit. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [tsm\_system\_time](https://www.postgresql.org/docs/current/tsm-system-time.html) | TABLESAMPLE method, which accepts time in milliseconds as a limit. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

+> | [xml2](https://www.postgresql.org/docs/current/xml2.html) | XPath querying and XSLT. | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

+> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

+> | address\_standardizer | Used to parse an address into constituent elements. Used to support geocoding address normalization step. | 2.5.5 | 3.0.5 | 3.0.5 | 3.1.5 | 3.3.1 |

+> | postgis\_sfcgal | PostGIS SFCGAL functions. | 2.5.5 | 3.0.5 | 3.0.5 | 3.1.5 | 3.3.1 |

+> | postgis\_topology | PostGIS topology spatial types and functions. | 2.5.5 | 3.0.5 | 3.0.5 | 3.1.5 | 3.3.1 |

+### PostgreSQL version 15

+The current minor release is 15.0. Refer to the [PostgreSQL

+documentation](https://www.postgresql.org/docs/release/15.0/) to

+learn more about improvements and fixes in this minor release.

+| [PostgreSQL 11](https://www.postgresql.org/about/news/postgresql-11-released-1894/) | [Features](https://www.postgresql.org/docs/11/release-11.html) | May 7, 2019 | Nov 9, 2023 |

+| [PostgreSQL 12](https://www.postgresql.org/about/news/postgresql-12-released-1976/) | [Features](https://www.postgresql.org/docs/12/release-12.html) | Apr 6, 2021 | Nov 14, 2024 |

+| [PostgreSQL 13](https://www.postgresql.org/about/news/postgresql-13-released-2077/) | [Features](https://www.postgresql.org/docs/13/release-13.html) | Apr 6, 2021 | Nov 13, 2025 |

+| [PostgreSQL 14](https://www.postgresql.org/about/news/postgresql-14-released-2318/) | [Features](https://www.postgresql.org/docs/14/release-14.html) | Oct 1, 2021 | Nov 12, 2026 |

+| [PostgreSQL 15](https://www.postgresql.org/about/news/postgresql-15-released-2526/) | [Features](https://www.postgresql.org/docs/15/release-15.html) | Oct 20, 2022 | Nov 11, 2027 |

+> [!NOTE]

+> Custom role assignments may not always be visible in the Azure portal.

+* [Azure Cosmos DB Table .NET SDK](/dotnet/api/overview/azure/data.tables-readme)

+* [Azure Cosmos DB Table Java SDK](/java/api/overview/azure/data-tables-readme)

+* [Azure Cosmos DB Table Node.js SDK](/javascript/api/overview/azure/data-tables-readme)

+* [Azure Cosmos DB Table SDK for Python](/python/api/azure-data-tables/azure.data.tables)

+For more information on the premium capabilities that Azure Cosmos DB offers, see [Azure Cosmos DB for Table](introduction.md) and [Develop with the API for Table in .NET](quickstart-dotnet.md).

+For these queries to work, you must have an Azure Cosmos DB account and have entity data in the container. Don't have any of those? Complete the [five-minute quickstart](quickstart-dotnet.md) to create an account and populate your database.

+Notifications are sent to the following users:

+- Customers with EA subscriptions

+ - Notifications are sent to the EA notification contacts, EA admin, reservation owners, and the reservation administrator.

+- Customers with Microsoft Customer Agreement (Azure Plan)

+ - Notifications are sent to the reservation owners and the reservation administrator.

+- Cloud Solution Provider and new commerce partners

+ - Emails are sent to the partner notification contact.

+- Individual subscription customers with pay-as-you-go rates

+ - Emails are sent to users who are set up as account administrators, reservation owners, and the reservation administrator.

+- Customers with EA subscriptions

+ - Notifications are sent to the EA notification contacts, EA admin, reservation owners, and the reservation administrator.

+- Customers with Microsoft Customer Agreement (Azure Plan)

+ - Notifications are sent to the reservation owners and the reservation administrator.

+- Cloud Solution Provider and new commerce partners

+ - Emails are sent to the partner notification contact.

+- Individual subscription customers with pay-as-you-go rates

+ - Emails are sent to users who are set up as account administrators, reservation owners, and the reservation administrator.

+Azure savings plans save you money when you have consistent usage of Azure compute resources. An Azure savings plan can help you save money by allowing you to commit to a fixed hourly spend on compute services for one-year or three-year terms. The savings can significantly reduce your resource costs by up to 65% from pay-as-you-go prices. Discount rates per meter vary by commitment term (1-year or 3-year), not commitment amount.

+Azure savings plans save you money when you have consistent usage of Azure compute resources. An Azure savings plan helps you save money by allowing you to commit to a fixed hourly spend on compute services for one-year or three-year terms. A savings plan can significantly reduce your resource costs by up to 65% from pay-as-you-go prices. Discount rates per meter vary by commitment term (1-year or 3-year), not commitment amount.

+You can sort columns in data preview and rearrange columns using drag and drop. Additionally, there is an export button on the top of the data preview panel that you can use to export the preview data to a CSV file for offline data exploration. You can use this feature to export up to 1,000 rows of preview data.

+| [ascii](data-flow-expressions-usage.md#ascii) | Returns the numeric value of the input character. If the input string has more than one character, the numeric value of the first character is returned|

+| [char](data-flow-expressions-usage.md#char) | Returns the ascii character represented by the input number. If number is greater than 256, the result is equivalent to char(number % 256)|

+| [decode](data-flow-expressions-usage.md#decode) | Decodes the encoded input data into a string based on the given charset. A second (optional) argument can be used to specify which charset to use - 'US-ASCII', 'ISO-8859-1', 'UTF-8' (default), 'UTF-16BE', 'UTF-16LE', 'UTF-16'|

+| [encode](data-flow-expressions-usage.md#encode) | Encodes the input string data into binary based on a charset. A second (optional) argument can be used to specify which charset to use - 'US-ASCII', 'ISO-8859-1', 'UTF-8' (default), 'UTF-16BE', 'UTF-16LE', 'UTF-16'|

+<a name="ascii" ></a>

+### <code>ascii</code>

+<code><b>ascii(<i>&lt;Input&gt;</i> : string) => number</b></code><br/><br/>

+Returns the numeric value of the input character. If the input string has more than one character, the numeric value of the first character is returned

+* ``ascii('A') -> 65``

+* ``ascii('a') -> 97``

+<a name="assertErrorMessages" ></a>

+### <code>assertErrorMessages</code>

+<code><b>assertErrorMessages() => map</b></code><br/><br/>

+Returns a map of all error messages for the row with assert ID as the key.

+Examples

+* ``assertErrorMessages() => ['assert1': 'This row failed on assert1.', 'assert2': 'This row failed on assert2.']. In this example, at(assertErrorMessages(), 'assert1') would return 'This row failed on assert1.'``

+___

+<a name="char" ></a>

+### <code>char</code>

+<code><b>char(<i>&lt;Input&gt;</i> : number) => string</b></code><br/><br/>

+Returns the ascii character represented by the input number. If number is greater than 256, the result is equivalent to char(number % 256)

+* ``char(65) -> 'A'``

+* ``char(97) -> 'a'``

+___

+<a name="decode" ></a>

+### <code>decode</code>

+<code><b>decode(<i>&lt;Input&gt;</i> : any, <i>&lt;Charset&gt;</i> : string) => binary</b></code><br/><br/>

+Decodes the encoded input data into a string based on the given charset. A second (optional) argument can be used to specify which charset to use - 'US-ASCII', 'ISO-8859-1', 'UTF-8' (default), 'UTF-16BE', 'UTF-16LE', 'UTF-16'

+* ``decode(array(toByte(97),toByte(98),toByte(99)), 'US-ASCII') -> abc``

+___

+<a name="encode" ></a>

+### <code>encode</code>

+<code><b>encode(<i>&lt;Input&gt;</i> : string, <i>&lt;Charset&gt;</i> : string) => binary</b></code><br/><br/>

+Encodes the input string data into binary based on a charset. A second (optional) argument can be used to specify which charset to use - 'US-ASCII', 'ISO-8859-1', 'UTF-8' (default), 'UTF-16BE', 'UTF-16LE', 'UTF-16'

+* ``encode('abc', 'US-ASCII') -> array(toByte(97),toByte(98),toByte(99))``

+___

+Input string: string, Charset: string) => binary

+- Do not copy data directly into the disks. Copy data to pre-created *BlockBlob*, *PageBlob*, and *AzureFile* folders.

+- To improve performance during data uploads, we recommend that you [enable large file shares on the storage account and increase share capacity to 100 TiB](../../articles/storage/files/storage-how-to-create-file-share.md#enable-large-file-shares-on-an-existing-account). Large file shares are only supported for storage accounts with locally redundant storage (LRS).

+ Title: Create custom Azure security policies in Microsoft Defender for Cloud

+# Create custom Azure security initiatives and policies

+Defender for Cloud gives its customers the ability to prioritize the remediation of vulnerabilities in images that are currently being used within their environment using the [Running container images should have vulnerability findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/KubernetesRuntimeVisibilityRecommendationDetailsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462c/showSecurityCenterCommandBar~/false) recommendation.

+- [My subscription has Microsoft Defender for Servers enabled, which machines do I pay for?](#my-subscription-has-microsoft-defender-for-servers-enabled-which-machines-do-i-pay-for)

+### My subscription has Microsoft Defender for Servers enabled, which machines do I pay for?

+When you enable [Microsoft Defender for Servers](defender-for-servers-introduction.md) on a subscription, all machines in that subscription (including machines that are part of PaaS services and reside in this subscription) are billed according to their power state as shown in the following table:

+ | SumoLogic | No | Instructions for setting up SumoLogic to consume data from an event hub are available at [Collect Logs for the Azure Audit App from Event Hubs](https://help.sumologic.com/docs/send-data/collect-from-other-data-sources/azure-monitoring/collect-logs-azure-monitor/). |

+ Title: Manage AWS assessments and standards

+description: Learn how to create custom security assessments and standards for your AWS environment.

+# Manage AWS assessments and standards

+Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can use the readily available standards such as AWS CIS 1.2.0, AWS Foundational Security Best Practices, and AWS PCI DSS 3.2.1, or create custom standards, and assessments to meet specific internal requirements.

+There are three types of resources that are needed to create and manage custom assessments:

+- Assessment:

+ - assessment details such as name, description, severity, remediation logic, etc.

+ - assessment logic in KQL

+ - the standard it belongs to

+- Standard: defines a set of assessments

+- Standard assignment: defines the scope, which the standard will evaluate. For example, specific AWS account(s).

+You can either use the built-in regulatory compliance standards or create your own custom standards and assessments.

+## Assign a built-in compliance standard to your AWS account

+**To assign a built-in compliance standard to your AWS account**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

+1. Select the relevant AWS account.

+1. Select **Standards** > **Add** > **Standard**.

+ :::image type="content" source="media/how-to-manage-assessments-standards/aws-add-standard.png" alt-text="Screenshot that shows you where to navigate to in order to add a AWS standard." lightbox="media/how-to-manage-assessments-standards/aws-add-standard-zoom.png":::

+1. Select a built-in standard from the drop-down menu.

+1. Select **Save**.

+## Create a new custom standard for your AWS account

+**To create a new custom standard for your AWS account**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

+1. Select the relevant AWS account.

+1. Select **Standards** > **Add** > **Standard**.

+1. Select **New standard**.

+ :::image type="content" source="media/how-to-manage-assessments-standards/new-aws-standard.png" alt-text="Screenshot that shows you where to select a new AWS standard." lightbox="media/how-to-manage-assessments-standards/new-aws-standard.png":::

+1. Enter a name, description and select which assessments you want to add.

+1. Select **Save**.

+## Assign a built-in assessment to your AWS account

+**To assign a built-in assessment to your AWS account**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

+1. Select the relevant AWS account.

+1. Select **Standards** > **Add** > **Assessment**.

+ :::image type="content" source="media/how-to-manage-assessments-standards/aws-assessment.png" alt-text="Screenshot that shows where to navigate to, to select an AWS assessment." lightbox="media/how-to-manage-assessments-standards/aws-assessment.png":::

+1. Select **Existing assessment**.

+1. Select all relevant assessments from the drop-down menu.

+1. Select the standards from the drop-down menu.

+1. Select **Save**.

+## Create a new custom assessment for your AWS account

+**To create a new custom assessment for your AWS account**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

+1. Select the relevant AWS account.

+1. Select **Standards** > **Add** > **Assessment**.

+1. Select **New assessment (preview)**.

+ :::image type="content" source="media/how-to-manage-assessments-standards/new-aws-assessment.png" alt-text="Screenshot of the adding a new assessment screen for your AWS account." lightbox="media/how-to-manage-assessments-standards/new-aws-assessment.png":::

+1. Enter a name, severity, and select an assessment from the drop-down menu.

+1. Enter a KQL query that defines the assessment logic.

+ If youΓÇÖd like to create a new query, select the ΓÇÿ[Azure Data Explorer](https://dataexplorer.azure.com/clusters/securitydatastoreus.centralus/databases/DiscoveryMockDataAws)ΓÇÖ link. The explorer will contain mock data on all of the supported native APIs. The data will appear in the same structure as contracted in the API.

+ :::image type="content" source="media/how-to-manage-assessments-standards/azure-data-explorer.png" alt-text="Screenshot that shows where to select to select the Azure Data Explorer link." lightbox="media/how-to-manage-assessments-standards/azure-data-explorer.png":::

+ See the [how to build a query](#how-to-build-a-query) section for more examples.

+1. Select the standards to add to this assessment.

+1. Select **Save**.

+## How to build a query

+The last row of the query should return all the original columns (donΓÇÖt use ΓÇÿprojectΓÇÖ, ΓÇÿproject-away'). End the query with an iff statement that defines the healthy or unhealthy conditions: `| extend HealthStatus = iff([boolean-logic-here], 'UNHEALTHY','HEALTHY')`.

+### Sample KQL queries

+When building a KQL query, you should use the following table structure:

+```kusto

+- TimeStamp

+ 2021-10-07T10:30:21.403732Z

+ - SdksInfo

+ {

+ "AWSSDK.EC2": "3.7.5.2"

+ }

+ - RecordProviderInfo

+ {

+ "CloudName": "AWS",

+ "CspmDiscoveryCloudRoleArn": "arn:aws:iam::123456789123:role/CSPMMonitoring",

+ "Type": "MultiCloudDiscoveryServiceDataCollector",

+ "HierarchyIdentifier": "123456789123",

+ "ConnectorId": "b3113210-63f9-43c5-a6a7-f14a2a5b3cd0"

+ }

+ - RecordOrganizationInfo

+ {

+ "Type": "MyOrganization",

+ "TenantId": "bda8bc53-d9f8-4248-b9a9-3a6c7fe0b92f",

+ "SubscriptionId": "69444886-de6b-40c5-8b43-065f739fffb9",

+ "ResourceGroupName": "MyResourceGroupName"

+ }

+ - CorrelationId

+ 4f5e50e1d92c400caf507036a1237c72

+ - RecordRegionalInfo

+ {

+ "Type": "MultiCloudRegion",

+ "RegionUniqueName": "eu-west-2",

+ "RegionDisplayName": "EU West (London)",

+ "IsGlobalForRecord": false

+ }

+ - RecordIdentifierInfo

+ {

+ "Type": "MultiCloudDiscoveryServiceDataCollector",

+ "RecordNativeCloudUniqueIdentifier": "arn:aws:ec2:eu-west-2:123456789123:elastic-ip/eipalloc-1234abcd5678efef9",

+ "RecordAzureUniqueIdentifier": "/subscriptions/69444886-de6b-40c5-8b43-065f739fffb9/resourcegroups/MyResourceGroupName/providers/Microsoft.Security/securityconnectors/b3113210-63f9-43c5-a6a7-f14a2a5b3cd0/securityentitydata/aws-ec2-elastic-ip-eipalloc-1234abcd5678efef9-eu-west-2",

+ "RecordIdentifier": "eipalloc-1234abcd5678efef9-eu-west-2",

+ "ResourceProvider": "EC2",

+ "ResourceType": "elastic-ip"

+ }

+ - Record

+ {

+ "AllocationId": "eipalloc-1234abcd5678efef9",

+ "AssociationId": "eipassoc-234abcd5678efef90",

+ "CarrierIp": null,

+ "CustomerOwnedIp": null,

+ "CustomerOwnedIpv4Pool": null,

+ "Domain": {

+ "Value": "vpc"

+ },

+ "InstanceId": "i-0a8fcc00493c4625d",

+ "NetworkBorderGroup": "eu-west-2",

+ "NetworkInterfaceId": "eni-34abcd5678efef901",

+ "NetworkInterfaceOwnerId": "123456789123",

+ "PrivateIpAddress": "172.31.21.88",

+ "PublicIp": "19.218.211.431",

+ "PublicIpv4Pool": "amazon",

+ "Tags": [

+ {

+ "Value": "arn:aws:cloudformation:eu-west-2:123456789123:stack/awseb-e-sjuh4tkr7a-stack/4ff15da0-2512-11ec-ab59-023b28e97f64",

+ "Key": "aws:cloudformation:stack-id"

+ },

+ {

+ "Value": "e-sjuh4tkr7a",

+ "Key": "elasticbeanstalk:environment-id"

+ },

+ {

+ "Value": "AWSEBEIP",

+ "Key": "aws:cloudformation:logical-id"

+ },

+ {

+ "Value": "awseb-e-sjuh4tkr7a-stack",

+ "Key": "aws:cloudformation:stack-name"

+ },

+ {

+ "Value": "Mebrennetest3-env",

+ "Key": "elasticbeanstalk:environment-name"

+ },

+ {

+ "Value": "Mebrennetest3-env",

+ "Key": "Name"

+ }

+ ]

+ }

+```

+> [!NOTE]

+> The `Record` field contains the data structure as it is returned from the AWS API. Use this field to define conditions which will determine if the resource is healthy or unhealthy.

+>

+> You can access internal properties of `Record` filed using a dot notation. For example: `| extend EncryptionType = Record.Encryption.Type`.

+**Stopped EC2 instances should be removed after a specified time period**

+

+```kusto

+EC2_Instance

+| extend State = tolower(tostring(Record.State.Name.Value))

+| extend StoppedTime = todatetime(tostring(Record.StateTransitionReason))

+| extend HealthStatus = iff(not(State == 'stopped' and StoppedTime < ago(30d)), 'HEALTHY', 'UNHEALTHY')

+```

+**EC2 subnets should not automatically assign public IP addresses**

+

+```kusto

+EC2_Subnet

+| extend MapPublicIpOnLaunch = tolower(tostring(Record.MapPublicIpOnLaunch))

+| extend HealthStatus = iff(MapPublicIpOnLaunch == 'false' ,'HEALTHY', 'UNHEALTHY')

+```

+**EC2 instances should not use multiple ENIs**

+

+```kusto

+EC2_Instance

+| extend NetworkInterfaces = parse_json(Record)['NetworkInterfaces']

+| extend NetworkInterfaceCount = array_length(parse_json(NetworkInterfaces))

+| extend HealthStatus = iff(NetworkInterfaceCount == 1 ,'HEALTHY', 'UNHEALTHY')

+```

+You can use the following links to learn more about Kusto queries:

+- [KQL quick reference](/azure/data-explorer/kql-quick-reference)

+- [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/)

+- [Must Learn KQL](https://azurecloudai.blog/2021/11/17/must-learn-kql-part-1-tools-and-resources/)

+## Next steps

+In this article, you learned how to manage your assessments and standards in Defender for Cloud.

+> [!div class="nextstepaction"]

+> [Find recommendations that can improve your security posture](review-security-recommendations.md)

+ Title: Manage GCP assessments and standards

+description: Learn how to create custom security assessments and standards for your GCP environment.

+# Manage GCP assessments and standards

+Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can use the readily available regulatory standards such as GCP CIS 1.1.0, GCP CIS and 1.2.0, or create custom standards and assessments to meet specific internal requirements.

+There are three types of resources that are needed to create and manage custom assessments:

+- Assessment:

+ - assessment details such as name, description, severity, remediation logic, etc.

+ - assessment logic in KQL

+ - the standard it belongs to

+- Standard: defines a set of assessments

+- Standard assignment: defines the scope, which the standard will evaluate. For example, specific GCP projects.

+You can either use the built-in compliance standards or create your own custom standards and assessments.

+## Assign a built-in compliance standard to your GCP project

+**To assign a built-in compliance standard to your GCP project**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

+1. Select the relevant GCP project.

+1. Select **Standards** > **Add** > **Standard**.

+ :::image type="content" source="media/how-to-manage-assessments-standards/gcp-standard.png" alt-text="Screenshot that shows you where to navigate to, to add a GCP standard." lightbox="media/how-to-manage-assessments-standards/gcp-standard-zoom.png":::

+1. Select a built-in standard from the drop-down menu.

+ :::image type="content" source="media/how-to-manage-assessments-standards/drop-down-menu.png" alt-text="Screenshot that shows you the standard options you can choose from the drop-down menu." lightbox="media/how-to-manage-assessments-standards/drop-down-menu.png":::

+1. Select **Save**.

+## Create a new custom standard for your GCP project

+**To create a new custom standard for your GCP project**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

+1. Select the relevant GCP project.

+1. Select **Standards** > **Add** > **Standard**.

+1. Select **New standard**.

+1. Enter a name, description and select which assessments you want to add.

+1. Select **Save**.

+## Assign a built-in assessment to your GCP project

+**To assign a built-in assessment to your GCP project**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

+1. Select the relevant GCP project.

+1. Select **Standards** > **Add** > **Assessment**.

+ :::image type="content" source="media/how-to-manage-assessments-standards/gcp-assessment.png" alt-text="Screenshot that shows where to navigate to, to select GCP assessment." lightbox="media/how-to-manage-assessments-standards/gcp-assessment.png":::

+1. Select **Existing assessment**.

+1. Select all relevant assessments from the drop-down menu.

+1. Select the standards from the drop-down menu.

+1. Select **Save**.

+## Create a new custom assessment for your GCP project

+**To create a new custom assessment to your GCP project**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**.

+1. Select the relevant GCP project.

+1. Select **Standards** > **Add** > **Assessment**.

+1. Select **New assessment (preview)**.

+ :::image type="content" source="media/how-to-manage-assessments-standards/new-assessment.png" alt-text="Screenshot of the new assessment screen for a GCP project." lightbox="media/how-to-manage-assessments-standards/new-assessment.png":::

+1. In the general section, enter a name and severity.

+1. In the query section, select an assessment template from the drop-down menu, or use the following query schema:

+ For example:

+ **Ensure that Cloud Storage buckets have uniform bucket-level access enabled**

+ ```kusto

+ let UnhealthyBuckets = Storage_Bucket

+ extend RetentionPolicy = Record.retentionPolicy

+ where isnull(RetentionPolicy) or isnull(RetentionPolicy.isLocked) or tobool(RetentionPolicy.isLocked)==false

+ project BucketName = RecordIdentifierInfo.CloudNativeResourceName; Logging_LogSink

+ extend Destination = split(Record.destination,'/')[0]

+ where Destination == 'storage.googleapis.com'

+ extend LogBucketName = split(Record.destination,'/')[1]

+ extend HealthStatus = iff(LogBucketName in(UnhealthyBuckets), 'UNHEALTHY', 'HEALTHY')"

+ ```

+ See the [how to build a query](#how-to-build-a-query) section for more examples.

+ 1. Select **Save**.

+## How to build a query

+The last row of the query should return all the original columns (donΓÇÖt use ΓÇÿprojectΓÇÖ, ΓÇÿproject-away). End the query with an iff statement that defines the healthy or unhealthy conditions: `| extend HealthStatus = iff([boolean-logic-here], 'UNHEALTHY','HEALTHY')`.

+### Sample KQL queries

+**Ensure that Cloud Storage buckets have uniform bucket-level access enabled**

+```kusto

+let UnhealthyBuckets = Storage_Bucket

+| extend RetentionPolicy = Record.retentionPolicy

+| where isnull(RetentionPolicy) or isnull(RetentionPolicy.isLocked) or tobool(RetentionPolicy.isLocked)==false

+| project BucketName = RecordIdentifierInfo.CloudNativeResourceName; Logging_LogSink

+| extend Destination = split(Record.destination,'/')[0]

+| where Destination == 'storage.googleapis.com'

+| extend LogBucketName = split(Record.destination,'/')[1]

+| extend HealthStatus = iff(LogBucketName in(UnhealthyBuckets), 'UNHEALTHY', 'HEALTHY')"

+```

+**Ensure VM disks for critical VMs are encrypted**

+```kusto

+Compute_Disk

+| extend DiskEncryptionKey = Record.diskEncryptionKey

+| extend IsVmNotEncrypted = isempty(tostring(DiskEncryptionKey.sha256))

+| extend HealthStatus = iff(IsVmNotEncrypted ,'UNHEALTHY' ,'HEALTHY')"

+```

+**Ensure Compute instances are launched with Shielded VM enabled**

+```kusto

+Compute_Instance

+| extend InstanceName = tostring(Record.id)

+| extend ShieldedVmExist = tostring(Record.shieldedInstanceConfig.enableIntegrityMonitoring) =~ 'true' and tostring(Record.shieldedInstanceConfig.enableVtpm) =~ 'true'

+| extend HealthStatus = iff(ShieldedVmExist, 'HEALTHY', 'UNHEALTHY')"

+```

+You can use the following links to learn more about Kusto queries:

+- [KQL quick reference](/azure/data-explorer/kql-quick-reference)

+- [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/)

+- [Must Learn KQL](https://azurecloudai.blog/2021/11/17/must-learn-kql-part-1-tools-and-resources/)

+## Next steps

+In this article, you learned how to manage your assessments and standards in Defender for Cloud.

+> [!div class="nextstepaction"]

+> [Find recommendations that can improve your security posture](review-security-recommendations.md)

+Once you have set up the Microsoft Security DevOps GitHub action or Azure DevOps extension, you can configure the YAML configuration file to run a single tool or multiple tools. For example, you can set up the action or extension to run Infrastructure as Code (IaC) scanning tools only. This can help reduce pipeline run time.

+- Configure Microsoft Security DevOps for GitHub and/or Azure DevOps based on your source code management system:

+ - [Microsoft Security DevOps GitHub action](github-action.md)

+ - [Microsoft Security DevOps Azure DevOps extension](azure-devops-extension.md).

+- Ensure you have an IaC template in your repository.

+## Configure IaC scanning and view the results in GitHub

+1. (Optional) Add an IaC template to your repository. Skip if you already have an IaC template in your repository.

+ For example, [commit an IaC template to deploy a basic Linux web application](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/webapp-basic-linux) to your repository.

+ :::image type="content" source="media/tutorial-iac-vulnerabilities/deploy-json.png" alt-text="Screenshot that shows where the azuredeploy.json file is located.":::

+ ```json

+1. Confirm the Microsoft Security DevOps scan completed:

+ 1. Select **Actions**.

+ 2. Select the workflow to see the results.

+1. Navigate to **Security** > **Code scanning alerts** to view the results of the scan (filter by tool as needed to see just the IaC findings).

+## Configure IaC scanning and view the results in Azure DevOps

+1. Sign in to [Azure DevOps](https://dev.azure.com/).

+1. Select the desired project

+1. Select **Pipeline**.

+1. Select the pipeline where the Microsoft Security DevOps Azure DevOps Extension is configured.

+1. **Edit** the pipeline configuration YAML file adding the following lines:

+1. (Optional) Add an IaC template to your repository. Skip if you already have an IaC template in your repository.

+1. Select **Save** to commit directly to the main branch or Create a new branch for this commit.

+## View details and remediation information on IaC rules included with Microsoft Security DevOps

+### PowerShell-based rules

+> PowerShell-based rules are included by our integration with [PSRule for Azure](https://aka.ms/ps-rule-azure/rules). The tool will evaluate all rules under the [Security pillar](https://azure.github.io/PSRule.Rules.Azure/en/rules/module/#security).

+JSON-based rules for ARM templates and bicep files are provided by [Template-Analyzer](https://github.com/Azure/template-analyzer#template-best-practice-analyzer-bpa). Below are details on template-analyzer's rules and remediation details.

+> [!NOTE]

+> Severity levels are scaled from 1 to 3. Where 1 = High, 2 = Medium, 3 = Low.

+Remote debugging requires inbound ports to be opened on an API app. These ports become easy targets for compromise from various internet-based attacks. If you no longer need to use remote debugging, it should be turned off.

+**Recommendation**: To [enforce FTPS](../app-service/deploy-ftp.md?tabs=portal#enforce-ftps) in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), add (or update) the *ftpsState* property, setting its value to `"FtpsOnly"` or `"Disabled"` if you don't need FTPS enabled.

+**Recommendation**: To [use HTTPS to ensure, server/service authentication and protect data in transit from network layer eavesdropping attacks](../app-service/configure-ssl-bindings.md#enforce-https) in the [Microsoft.Web/Sites resource properties](/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object), add (or update) the *httpsOnly* property, setting its value to `true`.

+**Recommendation**: To [enforce the latest TLS version](../app-service/configure-ssl-bindings.md#enforce-tls-versions) in the [Microsoft.Web/sites/config resource properties](/azure/templates/microsoft.web/sites/config-web?tabs=json#SiteConfig), add (or update) the *minTlsVersion* property, setting its value to `1.2`.

+Remote debugging requires inbound ports to be opened on a function app. These ports become easy targets for compromise from various internet-based attacks. If you no longer need to use remote debugging, it should be turned off.

+Remote debugging requires inbound ports to be opened on a web application. These ports become easy targets for compromise from various internet-based attacks. If you no longer need to use remote debugging, it should be turned off.

+Set the protocols property to only include HTTPS.

+In this tutorial you learned how to configure the Microsoft Security DevOps GitHub Action and Azure DevOps Extension to scan for Infrastructure as Code (IaC) security misconfigurations and how to view the results.

+Learn how to [connect your Azure DevOps](quickstart-onboard-devops.md) to Defender for Cloud.

+1. From the **Unhealthy resources** tab, select the resources that you want to implement the recommendation on, and select **Fix**.

+ > The implications are listed in the grey box in the **Fixing resources** window that opens after clicking **Fix**. They list what changes happen when proceeding with the **Fix**.

+You can configure the Microsoft Security DevOps tools on Azure Pipelines and GitHub workflows to enable the following security scans:

+| [CredScan](https://secdevtools.azurewebsites.net/helpcredscan.html) (Azure DevOps Only) | Credential Scanner (also known as CredScan) is a tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files common types: default passwords, SQL connection strings, Certificates with private keys| Not Open Source |

+ |--|--|

+ |Accounts with owner permissions on Azure resources should be MFA enabled|6240402e-f77c-46fa-9060-a7ce53997754|

+ |Accounts with write permissions on Azure resources should be MFA enabled|c0cb17b2-0607-48a7-b0e0-903ed22de39b|

+ |Accounts with read permissions on Azure resources should be MFA enabled|dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c|

+ |Guest accounts with owner permissions on Azure resources should be removed|20606e75-05c4-48c0-9d97-add6daa2109a|

+ |Guest accounts with write permissions on Azure resources should be removed|0354476c-a12a-4fcc-a79d-f0ab7ffffdbb|

+ |Guest accounts with read permissions on Azure resources should be removed|fde1c0c9-0fd2-4ecc-87b5-98956cbc1095|

+ |Blocked accounts with owner permissions on Azure resources should be removed|050ac097-3dda-4d24-ab6d-82568e7a50cf|

+ |Blocked accounts with read and write permissions on Azure resources should be removed| 1ff0b4c9-ed56-4de6-be9c-d7ab39645926 ||

+| None | None |

+| Message | CyberX platform name: The sensor name.<br /> Microsoft Defender for IoT Alert: The title of the alert.<br /> Type: The type of the alert. Can be **Protocol Violation**, **Policy Violation**, **Malware**, **Anomaly**, or **Operational**.<br /> Severity: The severity of the alert. Can be **Warning**, **Minor**, **Major**, or **Critical**.<br /> Source: The source device name.<br /> Source IP: The source device IP address.<br /> Protocol (Optional): The detected source protocol.<br /> Address (Optional): Source protocol address.<br /> Destination: The destination device name.<br /> Destination IP: The IP address of the destination device.<br /> Protocol (Optional): The detected destination protocol.<br /> Address (Optional): The destination protocol address.<br /> Message: The message of the alert.<br /> Alert group: The alert group associated with the alert. |<br /> UUID (Optional): The UUID the alert. |

+Business considerations may require that you apply your existing IoT sensors to a different subscription than the one youΓÇÖre currently using. To do this, you'll need to onboard a new plan to the new subscription, register the sensors under the new subscription, and then remove them from the previous subscription.

+Billing changes will take effect one hour after cancellation of the previous subscription, and will be reflected on the next month's bill. Devices will be synchronized from the sensor to the new subscription automatically. Manual edits made in the portal will not be migrated. New alerts created by the sensor will be created under the new subscription, and existing alerts in the old subscription can be closed in bulk.

+**For OT sensors**:

+1. In the Azure portal, [onboard a new plan for OT networks](#onboard-a-defender-for-iot-plan-for-ot-networks) to the new subscription you want to use.

+1. Create a new activation file by [following the steps to onboard an OT sensor](onboard-sensors.md#onboard-ot-sensors).

+ - Replicate site and sensor hierarchy as is.

+ - For sensors monitoring overlapping network segments, create the activation file under the same zone. Identical devices that are detected in more than one sensor in a zone, will be merged into one device.

+1. [Upload a new activation file](how-to-manage-individual-sensors.md#upload-new-activation-files) for your sensors under the new subscription.

+1. Delete the sensor identities from the previous subscription. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).

+1. If relevant, [cancel the Defender for IoT plan](#cancel-a-defender-for-iot-plan-from-a-subscription) from the previous subscription.

+**For Enterprise IoT sensors**:

+1. In Defender for Endpoint, [onboard a new plan for Enterprise IoT networks](#onboard-a-defender-for-iot-plan-for-enterprise-iot-networks) to the new subscription you want to use.

+1. In the Azure portal, [follow the steps to register an Enterprise IoT sensor](tutorial-getting-started-eiot-sensor.md#register-an-enterprise-iot-sensor) under the new subscription.

+1. Log into your sensor and run the activation command you saved when registering the sensor under the new subscription.

+1. Delete the sensor identities from the previous subscription. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).

+1. If relevant, [cancel the Defender for IoT plan](#cancel-a-defender-for-iot-plan-from-a-subscription) from the previous subscription.

+> [!NOTE]

+> If the previous subscription was connected to Microsoft Sentinel, you will need to connect the new subscription to Microsoft Sentinel and remove the old subscription. For more information, see [Connect Microsoft Defender for IoT with Microsoft Sentinel](/azure/sentinel/iot-solution).

+| HTTPS | TCP | Out | 443 | Access to Azure | Sensor |OT network sensors connect to Azure to provide alert and device data and sensor health messages, access threat intelligence packages, and more. Connected Azure services include IoT Hub, Blob Storage, Event Hubs, and the Microsoft Download Center.<br><br>**For OT sensor versions 22.x**: Download the list from the **Sites and sensors** page in the Azure portal. Select an OT sensor with software versions 22.x or higher, or a site with one or more supported sensor versions. Then, select **More options > Download endpoint details**. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).<br><br>**For OT sensor versions 10.x**: `*.azure-devices.net`<br> `*.blob.core.windows.net`<br> `*.servicebus.windows.net`<br> `download.microsoft.com`|

+ - [.NET](/dotnet/api/overview/azure/messaging.eventgrid-readme#install-the-package)

+ > * To stop evaluating remaining rules if a specific rule is met, check **Stop evaluating remaining rule**. If this option is checked then all remaining rules in the Rule Set will not be executed regardless if the matching conditions were met.

+> [!NOTE]

+> Policy definitions that use the **Disabled** effect have the default compliance state **Compliant** after assignment.

+An alternative to the **Disabled** effect is **enforcementMode**, which is set on the policy assignment.

+When **enforcementMode** is **Disabled**_**, resources are still evaluated. Logging, such as Activity

+[HDInsight 3.6 to 4.0 troubleshooting guide for Hive workloads](/azure/hdinsight/interactive-query/interactive-query-troubleshoot-migrate-36-to-40) provides answers to common issues faced when migrating Hive workloads from HDInsight 3.6 to HDInsight 4.0.

+* [HDInsight 4.0 Announcement](/azure/hdinsight/hdinsight-version-release)

+* [HDInsight 4.0 deep dive](https://azure.microsoft.com/blog/deep-dive-into-azure-hdinsight-4-0/)

+ :::image type="content" source="./media/apache-hadoop-linux-create-cluster-get-started-portal/azure-portal-cluster-review-create-hadoop.png" alt-text="Screenshot showing HDInsight Linux get started cluster summary." border="true":::

+ :::image type="content" source="./media/apache-hadoop-linux-create-cluster-get-started-portal/cluster-settings-overview.png" alt-text="Screenshot showing HDInsight Linux get started cluster settings" border="true.":::

+ :::image type="content" source="./media/apache-hadoop-linux-create-cluster-get-started-portal/hdinsight-linux-get-started-open-cluster-dashboard.png" alt-text="Screenshot showing HDInsight Linux get started cluster dashboard." border="true":::

+For more information, see how to [Set up HDInsight clusters with a custom Ambari DB](/azure/hdinsight/hdinsight-custom-ambari-db)

+For more information, see how to [Migrate HDInsight cluster to a newer version](/azure/hdinsight/hdinsight-upgrade-cluster)

+* [Enterprise security in Azure HDInsight](./domain-joined/hdinsight-security-overview.md)

+> This step isn't reversible. Run this only on a copy of the metastore.

+ > SQL Syntax in these scripts isn't necessarily compatible to other client tools. For example, [SSMS](/sql/ssms/download-sql-server-management-studio-ssms) and [Query Editor on Azure Portal](/azure/azure-sql/database/connect-query-portal) require keyword `GO` after each command.

+* If the metastore contains tables residing in multiple Storage Accounts, you need to add those Storage Accounts to the new cluster to access those tables. See [add extra Storage Accounts to HDInsight](../hdinsight-hadoop-add-storage.md).

+### 6. Class not found error with `MultiDelimitSerDe`

+**Problem**

+In certain situations when running a Hive query, you might receive `java.lang.ClassNotFoundException` stating `org.apache.hadoop.hive.contrib.serde2.MultiDelimitSerDe` class isn't found. This error occurs when customer migrates from HDInsight 3.6 to HDInsight 4.0. The SerDe class `org.apache.hadoop.hive.contrib.serde2.MultiDelimitSerDe`, which is a part of `hive-contrib-1.2.1000.2.6.5.3033-1.jar` in HDInsight 3.6 is removed and we're using `org.apache.hadoop.hive.serde2.MultiDelimitSerDe` class, which is a part of `hive-exec jar` in HDI-4.0. `hive-exec jar` will load to HS2 by default when we start the service.

+**STEPS TO TROUBLESHOOT**

+1. Check if any JAR under a folder (likely that it supposed to be under Hive libraries folder, which is `/usr/hdp/current/hive/lib` in HDInsight) contains this class or not.

+1. Check for the class `org.apache.hadoop.hive.contrib.serde2.MultiDelimitSerDe` and `org.apache.hadoop.hive.serde2.MultiDelimitSerDe` as mentioned in the solution.

+**Solution**

+1. Although a JAR file is a binary file, you can still use `grep` command with `-Hrni` switches as below to search for a particular class name

+ ```

+ grep -Hrni "org.apache.hadoop.hive.contrib.serde2.MultiDelimitSerDe" /usr/hdp/current/hive/lib

+ ```

+1. If it couldn't find the class, it will return no output. If it finds the class in a JAR file, it will return the output

+1. Below is the example took from HDInsight 4.x cluster

+ ```

+ sshuser@hn0-alters:~$ grep -Hrni "org.apache.hadoop.hive.serde2.MultiDelimitSerDe" /usr/hdp/4.1.9.7/hive/lib/

+ Binary file /usr/hdp/4.1.9.7/hive/lib/hive-exec-3.1.0.4.1-SNAPSHOT.jar matches

+ ```

+1. From the above output, we can confirm that no jar contains the class `org.apache.hadoop.hive.contrib.serde2.MultiDelimitSerDe` and hive-exec jar contains `org.apache.hadoop.hive.serde2.MultiDelimitSerDe`.

+1. Try to create the table with row format DerDe as `ROW FORMAT SERDE org.apache.hadoop.hive.serde2.MultiDelimitSerDe`

+1. This command will fix the issue. If you've already created the table, you can rename it using the below commands

+ ```

+ Hive => ALTER TABLE TABLE_NAME SET SERDE 'org.apache.hadoop.hive.serde2.MultiDelimitSerDe'

+ Backend DB => UPDATE SERDES SET SLIB='org.apache.hadoop.hive.serde2.MultiDelimitSerDe' where SLIB='org.apache.hadoop.hive.contrib.serde2.MultiDelimitSerDe';

+ ```

+The update command is to update the details manually in the backend DB and the alter command is used to alter the table with the new SerDe class from beeline or Hive.

+1. Navigate to the policy named **HIVE** and export the policy to a json file.

+1. Make sure that all users referred to in the exported policy json exist in the new cluster. If a user is referred to in the policy json but doesn't exist in the new cluster, either add the user to the new cluster or remove the reference from the policy.

+1. Navigate to the **Ranger Service Manager** panel in your HDInsight 4.0 cluster.

+1. Navigate to the policy named **HIVE** and import the ranger policy json from step 2.

+* See [Extra configuration using Hive Warehouse Connector](./apache-hive-warehouse-connector.md) for sharing the metastore between Spark and Hive for ACID tables.

+* [**Request Units (RUs)**](../../cosmos-db/concepts-limits.md) - You can configure up to 100,000 RUs in the portal for Azure API for FHIR. You'll need a minimum of 400 RUs or 40 RUs/GB, whichever is larger. If you need more than 100,000 RUs, you can put in a support ticket to have the RUs increased. The maximum available is 1,000,000. In addition, we support [autoscaling of RUs](autoscale-azure-api-fhir.md).

+ Title: Choosing a method of deployment for the MedTech service in Azure - Azure Health Data Services

+Using a Quickstart template with Azure portal is the easiest and fastest deployment method because it automates most of your configuration with the touch of a **Deploy to Azure** button. This button automatically generates the following configurations and resources: managed identity RBAC roles, a provisioned workspace and namespace, an Event Hubs instance, a Fast Healthcare Interoperability Resources (FHIR&#174;) service instance, and a MedTech service instance. All you need to add are post-deployment device mapping, destination mapping, and a shared access policy key. This method simplifies your deployment, but doesn't allow for much customization.

+For more information about the Quickstart template and the Deploy to Azure button, see [Deploy the MedTech service with a Quickstart template](deploy-02-new-button.md).

+For more information about Using an ARM template with Azure PowerShell and Azure CLI, see [Using Azure PowerShell and Azure CLI to deploy the MedTech service using Azure Resource Manager templates](deploy-08-new-ps-cli.md).

+The manual deployment method uses Azure portal to implement each deployment task individually. There are no shortcuts. Because you'll be able to see all the details of how to complete the sequence of each task, this procedure can be beneficial if you need to customize or troubleshoot your deployment process. This is the most complex method, but it provides valuable technical information and developmental options that will enable you to fine-tune your deployment precisely.

+For more information about manual deployment with portal, see [Overview of how to manually deploy the MedTech service using the Azure portal](deploy-03-new-manual.md).

+There are six different steps of the MedTech service PaaS. Only the first four apply to deployment. All the methods of deployment will implement each of these four steps. However, the QuickStart template method will automatically implement part of step 1 and all of step 2. The other two methods will have to implement all of the steps individually. Here's a summary of each of the four deployment steps:

+- Create RBAC roles contributor and user access administrator or owner. This feature is automatically done in the QuickStart template method with the Deploy to Azure button, but it isn't included in manual or PowerShell/CLI method and need to be implemented individually.

+The QuickStart template method with the Deploy to Azure button automatically provides all these steps, but they aren't included in the manual or the PowerShell/CLI method and must be completed individually.

+> [!div class="nextstepaction"]

+> [What is MedTech service?](iot-connector-overview.md).

+- You must have the appropriate RBAC roles for the subscription resources you want to use. The roles required for a user to complete the provisioning would be Contributor AND User Access Administrator OR Owner. The Contributor role allows the user to provision resources, and the User Access Administrator role allows the user to grant access so resources can send data between them. The Owner role can perform both. For more information, see [Azure role-based access control (RBAC)](/azure/cloud-adoption-framework/ready/considerations/roles).

+After you obtain the required prerequisites, the next phase of deployment is to create a workspace and provision instances of the Event Hubs service, FHIR service, and MedTech service. You must also give the Event Hubs permission to read data from your device and give the MedTech service permission to read and write to the FHIR service. There are four parts of this provisioning process.

+After you've fulfilled the prerequisites and provisioned your services, the next phase of deployment is to configure MedTech services to ingest data, set up device mappings, and set up destination mappings. These configuration settings will ensure that the data can be translated from your device to Observations in the FHIR service. There are four parts in this configuration process.

+MedTech service must be configured to ingest data it will receive from an event hub. First you must begin the official deployment process at the Azure portal. For more information about deploying MedTech service using the Azure portal, see [Overview of how to manually deploy the MedTech service using the Azure portal](deploy-03-new-manual.md) and [Prerequisites for manually deploying the MedTech service using the Azure portal](deploy-03-new-manual.md).

+You must configure MedTech to map it to the device you want to receive data from. Each device has unique settings that MedTech service must use. For more information on how to use Device mappings, see [How to use Device mappings](how-to-use-device-mappings.md).

+- Azure Health Data Services provides an open source tool you can use called [IoMT Connector Data Mapper](https://github.com/microsoft/iomt-fhir/tree/main/tools/data-mapper). The IoMT Connector Data Mapper will help you map your device's data structure to a form that MedTech can use. For more information on device content mapping, see [Device Content Mapping](https://github.com/microsoft/iomt-fhir/blob/main/docs/Configuration.md#device-content-mapping).

+- When you're deploying MedTech service, you must set specific device mapping properties. For more information on device mapping properties, see [Configure the Device mapping properties](deploy-05-new-config.md).

+If you've completed the prerequisites, provisioning, and configuration, you're now ready to deploy the MedTech service. Create and deploy your MedTech service by following the procedures at [Create your MedTech service](deploy-06-new-deploy.md).

+When MedTech service is deployed and connected to the Event Hubs and FHIR services, it's ready to process data from a device and translate it into a FHIR service Observation. There are three parts of the sending process.

+The data is sent to an Event Hubs instance so that it can wait until MedTech service is ready to receive it. The data transfer needs to be asynchronous because it's sent over the Internet and delivery times can't be precisely measured. Normally the data won't sit on an event hub longer than 24 hours.

+If the processing was successful and you didn't get any error messages, your device data is now a FHIR service [Observation](http://hl7.org/fhir/observation.html) resource.

+For more information on the data flow through MedTech, see [MedTech service data flow](iot-data-flow.md).

+You can verify that the data was processed correctly by checking to see if there's now a new Observation resource in the FHIR service. If the data isn't mapped or if the mapping isn't authored properly, the data will be skipped. If there are any problems, check the [device mapping](how-to-use-device-mappings.md) or the [FHIR destination mapping](how-to-use-fhir-mappings.md).

+You can verify that the data is correctly persisted into the FHIR service by using the [MedTech service metrics](how-to-configure-metrics.md) in the Azure portal.

+> [!div class="nextstepaction"]

+> [Deploy the MedTech service in the Azure portal](deploy-iot-connector-in-azure.md)

+ Title: Configure the MedTech service metrics - Azure Health Data Services

+description: This article explains how to display MedTech service metrics.

+# How to configure the MedTech service metrics

+In this article, you'll learn how to configure the [MedTech service](iot-connector-overview.md) metrics in the Azure portal. You'll also learn how to pin the MedTech service metrics tile to an Azure portal dashboard for later viewing.

+The MedTech service metrics can be used to help determine the health and performance of your MedTech service and can be useful with troubleshooting and seeing patterns and/or trends with your MedTech service.

+## Metric types for the MedTech service

+This table shows the available MedTech service metrics and the information that the metrics are capturing and displaying within the Azure portal:

+Metric category|Metric name|Metric description|

+|--|--|--|

+|Availability|IotConnector Health Status|The overall health of the MedTech service.|

+|Errors|Total Error Count|The total number of errors.|

+|Latency|Average Group Stage Latency|The average latency of the group stage. The [group stage](iot-data-flow.md#group) performs buffering, aggregating, and grouping on normalized messages.|

+|Latency|Average Normalize Stage Latency|The average latency of the normalized stage. The [normalized stage](iot-data-flow.md#normalize) performs normalization on raw incoming messages.|

+|Traffic|Number of Fhir resources saved|The total number of Fast Healthcare Interoperability Resources (FHIR&#174;) resources [updated or persisted](iot-data-flow.md#persist) by the MedTech service.|

+|Traffic|Number of Incoming Messages|The number of received raw [incoming messages](iot-data-flow.md#ingest) (for example, the device events) from the configured source event hub.|

+|Traffic|Number of Measurements|The number of normalized value readings received by the FHIR [transformation stage](iot-data-flow.md#transform) of the MedTech service.|

+|Traffic|Number of Message Groups|The number of groups that have messages aggregated in the designated time window.|

+|Traffic|Number of Normalized Messages|The number of normalized messages.|

+## Configure the MedTech service metrics

+1. Within your Azure Health Data Services workspace, select **MedTech service** under **Services**.

+ :::image type="content" source="media\iot-metrics-display\workspace-displayed-with-connectors-button.png" alt-text="Screenshot of select the MedTech service within the workspace." lightbox="media\iot-metrics-display\workspace-displayed-with-connectors-button.png":::

+2. Select the MedTech service that you would like to display metrics for. For this example, we'll select a MedTech service named **mt-azuredocsdemo**. You'll be selecting a MedTech service within your own Azure Health Data Services workspace.

+ :::image type="content" source="media\iot-metrics-display\select-medtech-service.png" alt-text="Screenshot of select the MedTech service you would like to display metrics for." lightbox="media\iot-metrics-display\select-medtech-service.png":::

+3. Select **Metrics** within the MedTech service page.

+ :::image type="content" source="media\iot-metrics-display\select-metrics-under-monitoring.png" alt-text="Screenshot of select the Metrics option within your MedTech service." lightbox="media\iot-metrics-display\select-metrics-under-monitoring.png":::

+4. The MedTech service metrics page will open allowing you to use the drop-down menus to view and select the metrics that are available for the MedTech service.

+ :::image type="content" source="media\iot-metrics-display\select-metrics-to-display.png" alt-text="Screenshot the MedTech service metrics page with drop-down menus." lightbox="media\iot-metrics-display\select-metrics-to-display.png":::

+5. Select the metrics combinations that you want to display for your MedTech service. For this example, we'll be choosing the following selections:

+ * **Scope** = Your MedTech service name (**Default**)

+ * **Metric Namespace** = Standard metrics (**Default**)

+ * **Metric** = The MedTech service metrics you want to display. For this example, we'll choose **Number of Incoming Messages**.

+ * **Aggregation** = How you would like to display the metrics. For this example, we'll choose **Count**.

+6. You can now see your MedTech service metrics for **Number of Incoming Messages** displayed on the MedTech service metrics page.

+ :::image type="content" source="media\iot-metrics-display\select-metrics-being-displayed.png" alt-text="Screenshot of select metrics to display." lightbox="media\iot-metrics-display\select-metrics-being-displayed.png":::

+7. You can add more metrics for your MedTech service by selecting **Add metric**.

+ :::image type="content" source="media\iot-metrics-display\select-add-metric.png" alt-text="Screenshot of select Add metric to add more MedTech service metrics." lightbox="media\iot-metrics-display\select-add-metric.png":::

+8. Then select the metrics that you would like to add to your MedTech service.

+ :::image type="content" source="media\iot-metrics-display\select-more-metrics.png" alt-text="Screenshot of select more metrics to add to your MedTech service." lightbox="media\iot-metrics-display\select-more-metrics.png":::

+ > [!IMPORTANT]

+ > If you leave the MedTech service metrics page, the metrics settings for your MedTech service are lost and will have to be recreated. If you would like to save your MedTech service metrics for future viewing, you can pin them to an Azure portal dashboard as a tile.

+ >

+ > To learn how to to create an Azure portal dashboard and pin tiles, see [How to create an Azure portal dashboard and pin tiles](how-to-configure-metrics.md#how-to-create-an-azure-portal-dashboard-and-pin-tiles)

+

+ > [!TIP]

+ > To learn more about advanced metrics display and sharing options, see [Getting started with Azure Metrics Explorer](/azure/azure-monitor/essentials/metrics-getting-started)

+## How to create an Azure portal dashboard and pin tiles

+To learn how to create an Azure portal dashboard and pin tiles, see [Create a dashboard in the Azure portal](/azure/azure-portal/azure-portal-dashboards)

+## Next steps

+To learn how to enable the MedTech service diagnostic settings to export logs and metrics to another location (for example: an Azure storage account) for audit, backup, or troubleshooting, see

+> [!div class="nextstepaction"]

+> [How to enable diagnostic settings for the MedTech service](how-to-enable-diagnostic-settings.md)

+(FHIR&#174;) is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

+ Title: How to enable the MedTech service diagnostic settings - Azure Health Data Services

+description: This article explains how to configure the MedTech service diagnostic settings.

+# How to enable diagnostic settings for the MedTech service

+In this article, you'll learn how to enable the diagnostic settings for the MedTech service to export logs to different destinations (for example: to [Azure storage](/azure/storage/) or an [Azure event hub](/azure/event-hubs/)) for audit, analysis, or backup.

+## Create a diagnostic setting for the MedTech service

+1. To enable metrics export for your MedTech service, select **MedTech service** in your workspace under **Services**.

+

+ :::image type="content" source="media/iot-diagnostic-settings/select-medtech-service-in-workspace.png" alt-text="Screenshot of select the MedTech service within workspace." lightbox="media/iot-diagnostic-settings/select-medtech-service-in-workspace.png":::

+2. Select the MedTech service that you want to enable a diagnostic setting for. For this example, we'll be using a MedTech service named **mt-azuredocsdemo**. You'll be selecting a MedTech service within your own Azure Health Data Services workspace.

+

+ :::image type="content" source="media/iot-diagnostic-settings/select-medtech-service.png" alt-text="Screenshot of select the MedTech service for exporting metrics." lightbox="media/iot-diagnostic-settings/select-medtech-service.png":::

+3. Select the **Diagnostic settings** option under **Monitoring**.

+ :::image type="content" source="media/iot-diagnostic-settings/select-diagnostic-settings.png" alt-text="Screenshot of select the Diagnostic settings." lightbox="media/iot-diagnostic-settings/select-diagnostic-settings.png":::

+4. Select the **+ Add diagnostic setting** option.

+ :::image type="content" source="media/iot-diagnostic-settings/add-diagnostic-settings.png" alt-text="Screenshot of select the + Add diagnostic setting." lightbox="media/iot-diagnostic-settings/add-diagnostic-settings.png":::

+5. The **+ Add diagnostic setting** page will open, requiring configuration inputs from you.

+ 1. Enter a display name in the **Diagnostic setting name** box. For this example, we'll name it **MedTech_service_All_Logs_and_Metrics**. You'll enter a display name of your own choosing.

+

+ 2. Under **Logs**, select the **AllLogs** option.

+

+ 3. Under **Metrics**, select the **AllMetrics** option.

+ > [!Note]

+ > To view a complete list of MedTech service metrics associated with **AllMetrics**, see [Supported metrics with Azure Monitor](../../azure-monitor/essentials/metrics-supported.md#microsofthealthcareapisworkspacesiotconnectors).

+ 4. Under **Destination details**, select the destination you want to use for your exported MedTech service metrics. In this example, we've selected an Azure storage account named **azuredocsdemostorage**. You'll select a destination of your own choosing.

+

+ > [!Important]

+ > Each **Destination details** selection requires that certain resources (for example, an existing Azure storage account) be created and available before the selection can be successfully configured. Choose each selection to see which resources are required.

+ Metrics can be exported to the following destinations:

+ |Destination|Description|

+ |--|--|

+ |Log Analytics workspace|Metrics are converted to log form. Sending the metrics to the Azure Monitor Logs store (which is searchable via Log Analytics) enables you to integrate them into queries, alerts, and visualizations with existing log data.|

+ |Azure storage account|Archiving logs and metrics to an Azure storage account is useful for audit, static analysis, or backup. Compared to Azure Monitor Logs and a Log Analytics workspace, Azure storage is less expensive, and logs can be kept there indefinitely.|

+ |Azure event hub|Sending logs and metrics to an event hub allows you to stream data to external systems such as third-party Security Information and Event Managements (SIEMs) and other Log Analytics solutions.|

+ |Azure Monitor partner integrations|Specialized integrations between Azure Monitor and other non-Microsoft monitoring platforms. Useful when you're already using one of the partners.|

+ 5. Select the **Save** option to save your diagnostic setting selections.

+

+ :::image type="content" source="media/iot-diagnostic-settings/select-all-logs-and-metrics.png" alt-text="Screenshot of diagnostic setting and required fields." lightbox="media/iot-diagnostic-settings/select-all-logs-and-metrics.png":::

+6. Once you've selected the **Save** option, the page will display a message that the diagnostic setting for your MedTech service has been saved successfully.

+ :::image type="content" source="media/iot-diagnostic-settings/diagnostic-settings-successfully-saved.png" alt-text="Screenshot of a successful diagnostic setting save." lightbox="media/iot-diagnostic-settings/diagnostic-settings-successfully-saved.png":::

+ > [!Note]

+ > It might take up to 15 minutes for the first MedTech service metrics to display in the destination of your choice.

+7. To view your saved diagnostic setting, select **Diagnostic settings**.

+ :::image type="content" source="media/iot-diagnostic-settings/select-diagnostic-settings-banner.png" alt-text="Screenshot of Diagnostic settings option to view the saved diagnostic setting." lightbox="media/iot-diagnostic-settings/select-diagnostic-settings-banner.png":::

+8. The **Diagnostic settings** page will open, displaying your newly created diagnostic setting for your MedTech service. You'll have the ability to:

+

+ 1. **Edit setting**: Edit or delete your saved MedTech service diagnostic setting.

+ 2. **+ Add diagnostic setting**: Create more diagnostic settings for your MedTech service (for example: you may also want to send your MedTech service metrics to another destination like a Logs Analytics workspace).

+ :::image type="content" source="media/iot-diagnostic-settings/view-and-edit-diagnostic-settings.png" alt-text="Screenshot of Diagnostic settings options." lightbox="media/iot-diagnostic-settings/view-and-edit-diagnostic-settings.png":::

+

+ > [!TIP]

+ > For more information about how to work with diagnostic settings, see [Diagnostic settings in Azure Monitor](/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal).

+ >

+ > For more information about how to work with diagnostic logs, see the [Overview of Azure platform logs](../../azure-monitor/essentials/platform-logs-overview.md).

+## Next steps

+To view the frequently asked questions (FAQs) about the MedTech service, see

+>[!div class="nextstepaction"]

+>[MedTech service FAQs](iot-connector-faqs.md)

+ Title: How to use MedTech service metrics tab - Azure Health Data Services

+description: This article explains how to use MedTech service metrics tab.

+# How to use the MedTech service monitoring tab

+In this article, you'll learn how to use the [MedTech service](iot-connector-overview.md) monitoring tab in the Azure portal. The monitoring tab provides access to crucial MedTech service metrics. These metrics can be used in assessing the health and performance of your MedTech service and can be useful with troubleshooting and seeing patterns and/or trends with your MedTech service.

+## Use the MedTech service monitoring tab

+1. Within your Azure Health Data Services workspace, select **MedTech service** under **Services**.

+ :::image type="content" source="media\iot-monitoring-tab\workspace-displayed-with-connectors-button.png" alt-text="Screenshot of select the MedTech service within the workspace." lightbox="media\iot-monitoring-tab\workspace-displayed-with-connectors-button.png":::

+2. Select the MedTech service that you would like to display metrics for. For this example, we'll select a MedTech service named **mt-azuredocsdemo**. You'll be selecting a MedTech service within your own Azure Health Data Services workspace.

+ :::image type="content" source="media\iot-monitoring-tab\select-medtech-service.png" alt-text="Screenshot of select the MedTech service you would like to display metrics for." lightbox="media\iot-monitoring-tab\select-medtech-service.png":::

+3. Select **Monitoring** tab within the MedTech service page.

+ :::image type="content" source="media\iot-monitoring-tab\select-monitoring-tab.png" alt-text="Screenshot of select the Metrics option within your MedTech service." lightbox="media\iot-monitoring-tab\select-monitoring-tab.png":::

+4. The MedTech service monitoring tab will open displaying a subset of the supported MedTech service metrics. By default, the **Show data for last** option is set to 1 hour. To adjust the time duration, select the **Show data for last option**, select the time period you would like to view, and select **Apply**. Select the down arrow in the **Traffic** MedTech service metrics tile to display the next set of MedTech service traffic metrics.

+ :::image type="content" source="media\iot-monitoring-tab\display-metrics-tile.png" alt-text="Screenshot the MedTech service monitoring tab with drop-down menus." lightbox="media\iot-monitoring-tab\display-metrics-tile.png":::

+5. Select the pin icon to pin the tile to an Azure portal dashboard of your choosing.

+ :::image type="content" source="media\iot-monitoring-tab\pin-metrics-to-dashboard.png" alt-text="Screenshot the MedTech service monitoring tile with red box around the pin icon." lightbox="media\iot-monitoring-tab\pin-metrics-to-dashboard.png":::

+ > [!IMPORTANT]

+ > If you leave the MedTech service monitoring tab, any customized settings you have made to the monitoring settings are lost and will have to be recreated. If you would like to save your customizations for future viewing, you can pin them to an Azure portal dashboard as a tile.

+ >

+ > To learn how to customize and save metrics settings to an Azure portal dashboard and tile, see [How to configure the MedTech service metrics](how-to-configure-metrics.md).

+ > [!TIP]

+ > To learn more about advanced metrics display and sharing options, see [Getting started with Azure Metrics Explorer](/azure/azure/azure/azure-monitor/essentials/metrics-getting-started)

+## Available metrics for the MedTech service

+This table shows the available MedTech service metrics and the information that the metrics are capturing. The metrics in **bold** are the metrics displayed within the **Monitoring** tab:

+Metric category|Metric name|Metric description|

+|--|--|--|

+|Availability|IotConnector Health Status|The overall health of the MedTech service.|

+|Errors|**Total Error Count**|The total number of errors.|

+|Latency|**Average Group Stage Latency**|The average latency of the group stage. The [group stage](iot-data-flow.md#group) performs buffering, aggregating, and grouping on normalized messages.|

+|Latency|**Average Normalize Stage Latency**|The average latency of the normalized stage. The [normalized stage](iot-data-flow.md#normalize) performs normalization on raw incoming messages.|

+|Traffic|Number of Fhir resources saved|The total number of Fast Healthcare Interoperability Resources (FHIR&#174;) resources [updated or persisted](iot-data-flow.md#persist) by the MedTech service.|

+|Traffic|**Number of Incoming Messages**|The number of received raw [incoming messages](iot-data-flow.md#ingest) (for example, the device events) from the configured source event hub.|

+|Traffic|**Number of Measurements**|The number of normalized value readings received by the FHIR [transformation stage](iot-data-flow.md#transform) of the MedTech service.|

+|Traffic|**Number of Message Groups**|The number of groups that have messages aggregated in the designated time window.|

+|Traffic|**Number of Normalized Messages**|The number of normalized messages.|

+## Next steps

+To learn how to configure the MedTech service metrics, see

+> [!div class="nextstepaction"]

+> [How to configure the MedTech service metrics](how-to-configure-metrics.md)

+To learn how to configure the MedTech service diagnostic settings to export logs to another location (for example: an Azure storage account) for audit, backup, or troubleshooting, see

+> [!div class="nextstepaction"]

+> [How to enable diagnostic settings for the MedTech service](how-to-enable-diagnostic-settings.md)

+(FHIR&#174;) is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

+> Having access to MedTech service metrics is essential for monitoring and troubleshooting. MedTech service assists you to do these actions through [Metrics](how-to-configure-metrics.md).

+> Having access to MedTech service Metrics is essential for monitoring and troubleshooting. MedTech service assists you to do these actions through [Metrics](how-to-configure-metrics.md).

+>[How to enable diagnostic settings for the MedTech service](./../healthcare-apis/iot/how-to-enable-diagnostic-settings.md)

+ - Consider configuring large file shares on the storage account. During imports to Azure Files, if a file share doesn't have enough free space, auto splitting the data to multiple Azure file shares is no longer supported, and the copy will fail. For instructions, see [Configure large file shares on a storage account](../storage/files/storage-how-to-create-file-share.md?tabs=azure-portal#enable-large-file-shares-on-an-existing-account).

+> In the latest version of the Azure Import/Export tool for files (2.2.0.300), if a file share doesn't have enough free space, the data is no longer auto split to multiple Azure file shares. Instead, the copy fails, and you'll be contacted by Support. You'll need to either configure large file shares on the storage account or move around some data to make space in the share. For more information, see [Configure large file shares on a storage account](../storage/files/storage-how-to-create-file-share.md?tabs=azure-portal#enable-large-file-shares-on-an-existing-account).

+* [IoT Plug and Play (PnP)](../iot-develop/overview-iot-plug-and-play.md) devices *may* use the payload to send their model ID when they register with DPS. You can find examples of this usage in the PnP samples in the SDK or sample repositories. For example, [C# PnP thermostat](https://github.com/Azure/azure-iot-sdk-csharp/blob/main/iothub/device/samples/solutions/PnpDeviceSamples/Thermostat/Program.cs) or [Node.js PnP temperature controller](https://github.com/Azure/azure-iot-sdk-node/blob/main/device/samples/javascript/pnp_temperature_controller.js).

+Intel-based VMware ESXi [6.7](https://docs.vmware.com/en/VMware-vSphere/6.7/vsphere-esxi-67-installation-setup-guide.pdf) and [7.0](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html) versions can host Azure IoT Edge for Linux on Windows on top of a Windows virtual machine. Read [VMware KB2009916](https://kb.vmware.com/s/article/2009916) for more information on VMware ESXi nested virtualization support.

+| .NET | [ReadD2cMessages .NET](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/device/samples/getting%20started/ReadD2cMessages) |

+* If you want to route your device-to-cloud messages to custom endpoints, see [Use message routes and custom endpoints for device-to-cloud messages](iot-hub-devguide-messages-read-custom.md).

+ :::image type="content" source="media/iot-hub-how-to-order-connection-state-events/event-grid-setup.png" alt-text="Screenshot of the setup we'll create for this article. This setup shows how all services and devices are connected." lightbox="media/iot-hub-how-to-order-connection-state-events/event-grid-setup.png":::

+To sign in to the virtual machine, follow the instructions in [Connect and sign in to an Azure virtual machine running Linux](/azure/virtual-machines/linux-vm-connect) or [Connect and sign in to an Azure virtual machine running Windows](../../virtual-machines/windows/connect-logon.md).

+To sign in to the virtual machine, follow the instructions in [Connect and sign in to an Azure Windows virtual machine](../../virtual-machines/windows/connect-logon.md) or [Connect and sign in to an Azure Linux virtual machine](/azure/virtual-machines/linux-vm-connect).

+To sign in to the virtual machine, follow the instructions in [Connect and sign in to an Azure virtual machine running Linux](/azure/virtual-machines/linux-vm-connect) or [Connect and sign in to an Azure virtual machine running Windows](../../virtual-machines/windows/connect-logon.md).

+**Azure Lab Services** lets you create labs whose infrastructure is managed by Azure. The service itself handles all the infrastructure management, from spinning up virtual machines (VMs) to handling errors and scaling the infrastructure. Azure Lab Services was designed with three major personas in mind: [administrators, educators, and students](classroom-labs-concepts.md#user-profiles). After an IT administrator creates a lab plan, an educator can quickly set up a lab for the class. Educators specify the number and type of VMs needed, configures the template VM, and adds users to the class. Once a user registers to the class, the user can access the VM to do exercises for the class.

+To access your Azure Load Testing resource from the Azure Pipelines workflow, you first create a service connection in your Azure DevOps project. The service connection creates an Azure Active Directory [service principal](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). This service principal represents your Azure Pipelines workflow in Azure Active Directory.

+To access your Azure Load Testing resource from the GitHub Actions workflow, you first create an Azure Active Directory [service principal](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). This service principal represents your GitHub Actions workflow in Azure Active Directory.

+On the first CI/CD workflow run, it creates a new Azure Load Testing resource in your Azure subscription by using the *ARMTemplate/template.json* Azure Resource Manager (ARM) template. Learn more about [ARM templates](/azure/azure-resource-manager/templates/overview).

+ Title: Create Consumption workflows faster with prebuilt templates

+description: To quickly build a Consumption logic app workflow, start with a prebuilt template in Azure Logic Apps.

+# Create a Consumption logic app workflow from a prebuilt template

+To get you started creating workflows quickly, Azure Logic Apps provides prebuilt templates for logic app workflows that follow commonly used patterns.

+> [!NOTE]

+>

+> Workflow templates and the workflow template gallery are currently available only for Consumption logic app workflows.

+## Template categories

+| Template type | Description |

+| - | -- |

+| Enterprise cloud | For integrating Azure Blob Storage, Dynamics CRM, Salesforce, and Box. Also includes other connectors for your enterprise cloud needs. For example, you can use these templates to organize business leads or back up your corporate file data. |

+| Personal productivity | For improving personal productivity. You can use these templates to set daily reminders, turn important work items into to-do lists, and automate lengthy tasks down to a single user-approval step. |

+| Consumer cloud | For integrating social media services such as Twitter, Slack, and email. Useful for strengthening social media marketing initiatives. These templates also include tasks such as cloud copying, which increases productivity by saving time on traditionally repetitive tasks. |

+| Enterprise integration pack | For configuring validate, extract, transform, enrich, and route (VETER) pipelines. Also for receiving an X12 EDI document over AS2 and transforming it to XML, and for handling X12, EDIFACT, and AS2 messages. |

+| Protocol pattern | For implementing protocol patterns such as request-response over HTTP and integrations across FTP and SFTP. Use these templates as provided, or build on them for complex protocol patterns. |

+- Basic understanding about how to build a logic app workflow. For more information, see [Create your first Consumption logic app workflow](quickstart-create-first-logic-app-workflow.md).

+## Create a Consumption workflow from a template

+1. In the [Azure portal](https://portal.azure.com), from the home page, select **Create a resource** > **Integration** > **Logic App**.

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/azure-portal-create-logic-app.png" alt-text="Screenshot showing the Azure portal. On the navigation menu, 'Integration' is selected. Under 'Popular Azure services', 'Logic App' is selected.":::

+1. On the **Create Logic App** page, enter the following values:

+ | Setting | Value | Description |

+ | - | -- | -- |

+ | **Plan type** | **Consumption** or **Standard** | Select **Consumption** to create a Consumption logic app workflow from a template. |

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/logic-app-settings.png" alt-text="Screenshot showing the 'Create Logic App' page with example property values provided and the 'Consumption' plan type selected.":::

+1. When deployment is complete, select **Go to resource**. The designer opens and shows a page with an introduction video. Under the video, you can find templates for common logic app workflow patterns.

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/choose-logic-app-template.png" alt-text="Screenshot showing the designer. Under 'Templates,' three templates are visible. The templated named 'Delete old Azure blobs' is selected.":::

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/logic-app-choose-prebuilt-template.png" alt-text="Screenshot showing information about the 'Delete old Azure blobs' template, including a description and a diagram that shows a recurring schedule.":::

+1. To continue with the selected template, select **Use this template**.

+ - Sign in with your credentials to systems or services that are referenced by the template.

+ - Create connections for any systems or services that are referenced by the template. To create a connection, provide a name for your connection, and if necessary, select the resource that you want to use.

+ > [!NOTE]

+ >

+ > Many templates include connectors that have required properties that are prepopulated. Other templates

+ > require that you provide values before you can properly deploy the logic app resource. If you try to

+ > deploy without completing the missing property fields, you get an error message.

+1. After you set up the required connections, select **Continue**.

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/logic-app-create-connection.png" alt-text="Screenshot showing designer with connection to Azure Blob Storage. The 'Continue' button is selected.":::

+ The designer opens and displays your workflow.

+ >

+ > To return to the template viewer, select **Templates** on the designer toolbar. This action

+ > discards any unsaved changes, so a warning message appears to confirm your request.

+1. Continue building your workflow.

+1. When you're ready, save your workflow, which automatically publishes your logic app resource live to Azure. On the designer toolbar, select **Save**.

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/logic-app-save.png" alt-text="Screenshot showing the designer with top part of a workflow. On the toolbar, 'Save' is selected.":::

+## Update a Consumption workflow with a template

+1. In the [Azure portal](https://portal.azure.com), go to your Consumption logic app resource.

+1. On the resource navigation menu, select **Logic app designer**.

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/logic-app-update-existing-with-template.png" alt-text="Screenshot showing the designer with top part of a workflow visible. On the toolbar, 'Templates' is selected.":::

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/choose-logic-app-template.png" alt-text="Screenshot showing the template gallery. Under 'Templates,' three templates are visible. The template named 'Delete old Azure blobs' is selected.":::

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/logic-app-choose-prebuilt-template.png" alt-text="Screenshot showing information about the 'Delete old Azure blobs' template with a description and diagram that shows a recurring schedule.":::

+1. To continue with the selected template, select **Use this template**.

+ - Sign in with your credentials to systems or services that are referenced by the template.

+ - Create connections for any systems or services that are referenced by the template. To create a connection, provide a name for your connection, and if necessary, select the resource that you want to use.

+ >

+ > Many templates include connectors that have required properties that are prepopulated. Other templates

+ > require that you provide values before you can properly deploy the logic app resource. If you try to

+ > deploy without completing the missing property fields, you get an error message.

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/logic-app-create-connection-designer.png" alt-text="Screenshot showing the designer with a connection to Azure Blob Storage. The 'Continue' button is selected.":::

+ The designer opens and displays your workflow.

+1. Continue building your workflow.

+ >

+ > If you haven't saved your changes, you can discard your work and return to

+ > your previous workflow. On the designer toolbar, select **Discard**.

+1. When you're ready, save your workflow, which automatically publishes your logic app resource live to Azure. On the designer toolbar, select **Save**.

+ :::image type="content" source="./media/logic-apps-create-logic-apps-from-templates/logic-app-save.png" alt-text="Screenshot showing the designer with top part of a workflow visible. On the toolbar, 'Save' is selected.":::

+ Model(name=model_name, path='heart-classifier-mlflow/model', type=AssetTypes.MLFLOW_MODEL)

+> [!NOTE]

+> The model used in this tutorial is an MLflow model. However, the steps apply for both MLflow models and custom models.

+ Model(name=model_name, path=model_path, type=AssetTypes.CUSTOM_MODEL)

+ path: heart-classifier-mlflow/data

+ data_path = "heart-classifier-mlflow/data"

+ Model(name=model_name, path='bart-text-summarization/model', type=AssetTypes.CUSTOM_MODEL)

+- When a job is interrupted, it is resubmitted to run again. Rescheduling is done at the mini batch level, regardless of the progress. No checkpointing capability is provided.

+- Rescheduling is done at the mini-batch level, regardless of the progress. No checkpointing capability is provided.

+> [!WARNING]

+> In the cases where the entire cluster is preempted (or running on a single-node cluster), the job will be cancelled as there is no capacity available for it to run. Resubmitting will be required in this case.

+Notebooks and Python scripts are stored in the default storage account of your workspace in Azure file share. These files are located under your ΓÇ£User filesΓÇ¥ directory. This storage makes it easy to share notebooks between compute instances. The storage account also keeps your notebooks safely preserved when you stop or delete a compute instance.

+## Create

+Follow the steps in the [Quickstart: Create workspace resources you need to get started with Azure Machine Learning](quickstart-create-resources.md) to create a basic compute instance.

+For more options, see [create a new compute instance](how-to-create-manage-compute-instance.md?tabs=azure-studio#create).

+Other ways to create a compute instance:

+* Directly from the integrated notebooks experience.

+Compute instances can be used as a [training compute target](concept-compute-target.md#training-compute-targets) similar to Azure Machine Learning [compute training clusters](how-to-create-attach-compute-cluster.md). But a compute instance has only a single node, while a compute cluster can have more nodes.

+* [Quickstart: Create workspace resources you need to get started with Azure Machine Learning](quickstart-create-resources.md).

+1. Scale up to larger data, or do [distributed training](how-to-train-distributed-gpu.md) by using one of these [training compute targets](#training-compute-targets).

+1. After your model is ready, deploy it to a web hosting environment with one of these [deployment compute targets](#compute-targets-for-inference).

+## Training compute targets

+## Compute targets for inference

+The fastest way to create a compute cluster is to follow the [Quickstart: Create workspace resources you need to get started with Azure Machine Learning](quickstart-create-resources.md).

+Or use the following examples to create a compute cluster with more options:

+Learn how to create and manage a [compute instance](concept-compute-instance.md) in your Azure Machine Learning workspace.

+Use a compute instance as your fully configured and managed development environment in the cloud. For development and testing, you can also use the instance as a [training compute target](concept-compute-target.md#training-compute-targets). A compute instance can run multiple jobs in parallel and has a job queue. As a development environment, a compute instance can't be shared with other users in your workspace.

+The fastest way to create a compute instance is to follow the [Quickstart: Create workspace resources you need to get started with Azure Machine Learning](quickstart-create-resources.md).

+Or use the following examples to create a compute instance with more options:

+Use a compute instance as your fully configured and managed development environment in the cloud. For development and testing, you can also use the instance as a [training compute target](concept-compute-target.md#training-compute-targets) or for an [inference target](concept-compute-target.md#compute-targets-for-inference). A compute instance can run multiple jobs in parallel and has a job queue. As a development environment, a compute instance can't be shared with other users in your workspace.

+ - **View Dataset Properties**. Lets you view metadata associated with a specific dataset. If you have multiple versions of a dataset, you can choose to only view the dataset properties of a specific version by expanding the dataset node and performing the same steps described in this section on the version of interest.

+For more information, see [training compute targets](concept-compute-target.md#training-compute-targets).

+For more information, see [compute targets for inference](concept-compute-target.md#compute-targets-for-inference).

+ Title: Train with MLflow Projects (Preview)

+# Train ML models with MLflow Projects and Azure Machine Learning (Preview)

+For more information about training compute targets, see [Training compute targets](../concept-compute-target.md#training-compute-targets). For more information about deployment compute targets, see [Deployment targets](../concept-compute-target.md#compute-targets-for-inference).

+ * **Choose a remote ML compute cluster**: If you are training with larger datasets like in production training creating models which need longer trains, remote compute will provide much better end-to-end time performance because `AutoML` will parallelize trains across the cluster's nodes. On a remote compute, the start-up time for the internal infrastructure will add around 1.5 minutes per child run, plus additional minutes for the cluster infrastructure if the VMs are not yet up and running.[Azure Machine Learning Managed Compute](../concept-compute-target.md#azure-machine-learning-compute-managed) is a managed service that enables the ability to train machine learning models on clusters of Azure virtual machines. Compute instance is also supported as a compute target.

+In Azure Machine Learning, the term __compute__ (or __compute target__) refers to the machines or clusters that do the computational steps in your machine learning pipeline. See [compute targets for model training](../concept-compute-target.md#training-compute-targets) for a full list of compute targets and [Create compute targets](../how-to-create-attach-compute-studio.md) for how to create and attach them to your workspace. The process for creating and or attaching a compute target is the same whether you're training a model or running a pipeline step. After you create and attach your compute target, use the `ComputeTarget` object in your [pipeline step](#steps).

+Use a compute instance as your fully configured and managed development environment in the cloud. For development and testing, you can also use the instance as a [training compute target](../concept-compute-target.md#training-compute-targets) or for an [inference target](../concept-compute-target.md#compute-targets-for-inference). A compute instance can run multiple jobs in parallel and has a job queue. As a development environment, a compute instance can't be shared with other users in your workspace.

+### DeepSpeed example

+**Linux VMs in Azure** | Some VMs might require changes so that they can run in Azure.<br/><br/> For Linux, Azure Migrate makes the changes automatically for these operating systems:<br/> - Red Hat Enterprise Linux 8, 7.9, 7.8, 7.7, 7.6, 7.5, 7.4, 7.3, 7.2, 7.1, 7.0, 6.x <br/> - Cent OS 8.x, 7.7, 7.6, 7.5, 7.4, 6.x</br> - SUSE Linux Enterprise Server 15 SP0, 15 SP1, 12, 11 SP4, 11 SP3<br/>- Ubuntu 20.04, 19.04, 19.10, 14.04LTS, 16.04LTS, 18.04LTS<br/> - Debian 10, 9, 8, 7<br/> - Oracle Linux 8, 7.7-CI, 7.7, 6<br/> For other operating systems, you make the [required changes](prepare-for-migration.md#verify-required-changes-before-migrating) manually.

+- Red Hat Enterprise Linux 8.x, 7.9, 7.8, 7.7, 7.6, 7.5, 7.4, 7.3, 7.2, 7.1, 7.0, 6.x (Azure Linux VM agent is also installed automatically during migration)

+Unsupported boot type | Azure does not support UEFI boot type for VMs with the Windows Server 2003/Windows Server 2003 R2/Windows Server 2008/Windows Server 2008 R2 operating systems. Check the list of operating systems that support UEFI-based machines [here](./common-questions-server-migration.md#which-operating-systems-are-supported-for-migration-of-uefi-based-machines-to-azure).

+Conditionally endorsed Linux OS | Azure endorses only [selected Linux OS versions](../virtual-machines/linux/endorsed-distros.md). Consider upgrading the server before you migrate to Azure. [Learn more](#linux-vms-are-conditionally-ready-in-an-azure-vm-assessment).

+Unknown operating system | The operating system of the VM was specified as **Other** in vCenter Server. This behavior blocks Azure Migrate from verifying the Azure readiness of the VM. Ensure that the operating system is [supported](./migrate-support-matrix-vmware-migration.md#azure-vm-requirements) by Azure before you migrate the server.

+Unsupported bit version | VMs with a 32-bit operating system might boot in Azure, but we recommend that you upgrade to 64-bit before you migrate to Azure.

+VM not found for the required storage performance | The storage performance (input/output operations per second (IOPS) and throughput) required for the server exceeds Azure VM support. Reduce storage requirements for the server before migration.

+One or more unsuitable disks | One or more disks attached to the VM don't meet Azure requirements.<br><br> Azure Migrate: Discovery and assessment assesses the disks based on the disk limits for Ultra disks (64 TB).<br><br> For each disk attached to the VM, make sure that the size of the disk is < 64 TB (supported by Ultra SSD disks).<br><br> If it isn't, reduce the disk size before you migrate to Azure, or use multiple disks in Azure and [stripe them together](../virtual-machines/premium-storage-performance.md#disk-striping) to get higher storage limits. Make sure that the performance (IOPS and throughput) needed by each disk is supported by [Azure managed virtual machine disks](../azure-resource-manager/management/azure-subscription-service-limits.md#storage-limits).

+Disk size exceeds limit | Azure Migrate: Discovery and assessment supports disks with up to 64 TB size (Ultra disks). Shrink disks to less than 64 TB before migration, or use multiple disks in Azure and [stripe them together](../virtual-machines/premium-storage-performance.md#disk-striping) to get higher storage limits.

+No VM size found for offer currency Reserved Instance (RI) | Server marked **not suitable** because the VM size wasn't found for the selected combination of RI, offer, and currency. Edit the assessment properties to choose the valid combinations and recalculate the assessment.

+Unsupported OS | Support for certain Operating System versions has been deprecated by VMware and the assessment recommends you to upgrade the operating system before migrating to Azure VMware Solution. [Learn more](https://www.vmware.com/resources/compatibility/search.php?deviceCategory=software).

+In the case of VMware and Hyper-V VMs, an Azure VM assessment marks Linux VMs as **conditionally ready** because of a known gap.

+- Since Azure endorses only specific versions of Linux, the Linux VMs are currently marked as **conditionally ready** in an Azure VM assessment.

+For physical servers, the operating system minor version information should be available. If it isn't available, contact Microsoft Support. For servers in a VMware environment, Azure Migrate uses the operating system information specified for the VM in the vCenter Server. But vCenter Server doesn't provide the minor version for operating systems. To discover the minor version, set up [application discovery](./how-to-discover-applications.md). For Hyper-V VMs, operating system minor version discovery isn't supported.

+- If the assessment is **Performance-based**, based on effective CPU and memory utilization (50% of 4 cores * 1.3 = 2.6 cores and 50% of 8 GB memory * 1.3 = 5.2 GB memory), the cheapest VM SKU of 4 cores (nearest supported core count) and 8 GB of memory (nearest supported memory size) is recommended.

+- If all of the performance counters are missing, ensure the port access requirements for assessment are met. Learn more about the port access requirements for [VMware](./migrate-support-matrix-vmware.md#port-access-requirements), [Hyper-V](./migrate-support-matrix-hyper-v.md#port-access), and [physical](./migrate-support-matrix-physical.md#port-access) assessments.

+For **Performance-based** assessment, the assessment report export says **PercentageOfCoresUtilizedMissing** or **PercentageOfMemoryUtilizedMissing** when the Azure Migrate appliance can't collect performance data for the on-premises servers. Make sure to check:

+- If all of the performance counters are missing, ensure that outbound connections on port 443 (HTTPS) are allowed.

+- The assessment isn't able to collect the performance data for some or all the servers in the assessment period. For a high confidence rating, ensure that:

+ - The connection status of agents in Azure Migrate is **Connected**. Also check the last heartbeat.

+ - For Azure SQL assessments, Azure Migrate connection status for all SQL instances is **Connected** in the discovered SQL instance pane.

+By design, in Hyper-V if maximum memory provisioned is less than what is required by the VM, the assessment will show memory utilization to be more than 100%.

+An Azure VM assessment continuously collects performance data of on-premises servers and uses it to recommend the VM SKU and disk SKU in Azure. [Learn more](concepts-assessment-calculation.md#calculate-sizing-performance-based) about how performance-based data is collected.

+No. Currently, both Azure Migrate and Azure Site Recovery don't support migration to Ultra disks. [Learn more](../virtual-machines/disks-enable-ultra-ssd.md?tabs=azure-portal#deploy-an-ultra-disk) about deploying an Ultra disk.

+IOPS to be provisioned = (Throughput discovered) * 1024/256

+This result is possible because not all VM sizes that support Ultra disks are present in all Ultra disk supported regions. Change the target assessment region to get the VM size for this server.

+Your assessment was created with an Azure region that has been deprecated and hence the **Edit** and **Recalculate** buttons are disabled. You can [create a new assessment](how-to-create-assessment.md) with any of the valid target locations. [Learn more](concepts-assessment-calculation.md#whats-in-an-azure-vm-assessment).

+This issue can happen if the physical server has Hyper-V virtualization enabled. On these servers, Azure Migrate currently discovers both the physical and virtual network adapters. As a result, the number of network adapters discovered is higher than the actual number. The Azure VM assessment picks an Azure VM that can support the required number of network adapters, which can potentially result in an oversized VM. [Learn more](./concepts-assessment-calculation.md#calculating-sizing) about the impact of the number of network adapters on sizing. This product gap will be addressed going forward.

+The readiness category might be incorrectly marked as **Not ready** in the case of a physical server that has Hyper-V virtualization enabled. On these servers, because of a product gap, Azure Migrate currently discovers both the physical and virtual adapters. As a result, the number of network adapters discovered is higher than the actual number. In both **As on-premises** and **Performance-based** assessments, the Azure VM assessment picks an Azure VM that can support the required number of network adapters. If the number of network adapters is discovered to be higher than 32, the maximum number of NICs supported on Azure VMs, the server will be marked **Not ready**. [Learn more](./concepts-assessment-calculation.md#calculating-sizing) about the impact of number of NICs on sizing.

+- For VMware VMs, by default, it's the operating system data provided by the vCenter Server.

+ - For VMware Linux VMs, if application discovery is enabled, the OS details are fetched from the guest VM. To check which OS details are in the assessment, go to the **Discovered servers** view, and hover over the value in the **Operating system** column. In the text that pops up, you'd be able to see whether the OS data you see is gathered from the vCenter Server or from the guest VM by using the VM credentials.

+- For Hyper-V VMs, the operating system data is gathered from the Hyper-V host.

+ > Verify deprecated [sql_mode](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_sql_mode) values and remove/deselect them from your current Flexible Server 5.7 using Server Parameters Blade on your Azure Portal to avoid deployment failure.

+ > [sql_mode](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_sql_mode) with values NO_AUTO_CREATE_USER, NO_FIELD_OPTIONS, NO_KEY_OPTIONS and NO_TABLE_OPTIONS are no longer supported in MySQL 8.0.

+>Verify deprecated [sql_mode](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_sql_mode) values and remove/deselect them from your current Flexible Server 5.7 using Server Parameters Blade on your Azure Portal to avoid deployment failure.

+ Title: Tutorial - Monitor network communication between two virtual machine scale sets by using the Azure portal

+description: In this tutorial, you'll learn how to monitor network communication between two virtual machine scale sets by using the Azure Network Watcher connection monitor capability.

+# Customer intent: I need to monitor communication between a virtual machine scale set and another VM. If the communication fails, I need to know why, so that I can resolve the problem.

+# Tutorial: Monitor network communication between two virtual machine scale sets by using the Azure portal

+Successful communication between a virtual machine scale set and an endpoint, such as another virtual machine (VM), can be critical for your organization. Sometimes, the introduction of configuration changes can break communication. In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create a virtual machine scale set and a VM.

+> * Monitor communication between a scale set and a VM by using Connection Monitor.

+> * Generate alerts on Connection Monitor metrics.

+> * Diagnose a communication problem between two VMs, and learn how to resolve it.

+> This tutorial uses Connection Monitor. To experience enhanced connectivity monitoring, try the updated version of [Connection Monitor](connection-monitor-overview.md).

+> As of July 1, 2021, you can't add new connection monitors in Connection Monitor (classic) but you can continue to use earlier versions that were created prior to that date. To minimize service disruption to your current workloads, [migrate from Connection Monitor (classic) to the latest Connection Monitor](migrate-to-connection-monitor-from-connection-monitor-classic.md) in Azure Network Watcher before February 29, 2024.

+Before you begin, if you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+In the following sections, you create a virtual machine scale set.

+### Create a load balancer

+[Azure Load Balancer](../load-balancer/load-balancer-overview.md) distributes incoming traffic among healthy virtual machine instances.

+First, create a public standard load balancer by using the Azure portal. The name and public IP address you create are automatically configured as the load balancer's front end.

+1. In the search box, type **load balancer** and then, under **Marketplace** in the search results, select **Load balancer**.

+1. On the **Basics** pane of the **Create load balancer** page, do the following:

+ | Setting | Value |

+ | | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new** and then, in the box, type **myVMSSResourceGroup**.|

+ | Name | Enter **myLoadBalancer**. |

+ | Region | Select **East US**. |

+ | Type | Select **Public**. |

+ | SKU | Select **Standard**. |

+ | Public IP address | Select **Create new**. |

+ | Public IP address name | Enter **myPip**. |

+ | Assignment| Select **Static**. |

+ | Availability zone | Select **Zone-redundant**. |

+1. Select **Review + create**.

+### Create a virtual machine scale set

+1. Type **Scale set** in the search box. In the results, under **Marketplace**, select **Virtual machine scale sets**.

+1. On the **Virtual machine scale sets** pane, select **Create**.

+ The **Create a virtual machine scale set** page opens.

+1. On the **Basics** pane, under **Project details**, ensure that the correct subscription is selected, and then select **myVMSSResourceGroup** in the resource group list.

+1. For **Name**, type **myScaleSet**.

+1. For **Region**, select a region that's close to your area.

+1. Under **Orchestration**, for **Orchestration mode**, ensure that the **Uniform** option is selected.

+1. For **Image**, select a marketplace image. In this example, we've chosen *Ubuntu Server 18.04 LTS*.

+1. Enter your username, and then select the authentication type you prefer.

+ - A **Password** must be at least 12 characters long and contain three of the following: a lowercase character, an uppercase character, a number, and a special character. For more information, see [username and password requirements](../virtual-machines/windows/faq.yml#what-are-the-password-requirements-when-creating-a-vm-).

+ - If you select a Linux OS disk image, you can instead choose **SSH public key**. Provide only your public key, such as *~/.ssh/id_rsa.pub*. You can use the Azure Cloud Shell from the portal to [create and use SSH keys](../virtual-machines/linux/mac-create-ssh-keys.md).

+1. Select **Next**.

+1. For **Load balancing options**, select **Azure load balancer**.

+1. For **Select a load balancer**, select **myLoadBalancer**, which you created earlier.

+1. For **Select a backend pool**, select **Create new**, type **myBackendPool**, and then select **Create**.

+1. When you're done, select **Review + create**.

+After the scale set has been created, enable the Network Watcher extension in the scale set by doing the following:

+1. Under **Settings**, select **Extensions**.

+1. Select **Add extension**, and then select **Network Watcher Agent for Windows**, as shown in the following image:

+ :::image type="content" source="./media/connection-monitor/nw-agent-extension.png" alt-text="Screenshot that shows the Network Watcher extension addition.":::

+1. Under **Network Watcher Agent for Windows**, select **Create**.

+1. Under **Install extension**, select **OK**.

+1. Under **Extensions**, select **OK**.

+## Create the VM

+Complete the steps in the "Create the first VM" section of [Tutorial: Monitor network communication between two virtual machines by using the Azure portal](./connection-monitor.md#create-the-first-vm), but **with the following changes**:

+|:|||

+| 1 | Select a version of **Ubuntu Server**. | |

+| 3 | Name | Enter **myVm2**. |

+| 3 | Authentication type | Paste your SSH public key or select **Password**, and then enter a password. |

+| 3 | Resource group | Select **Use existing**, and then select **myResourceGroup**. |

+| 6 | Extensions | Select **Network Watcher Agent for Linux**. |

+The VM takes a few minutes to deploy. Wait for it to finish deploying before you continue with the remaining steps.

+1. On the left pane, in the **Monitoring** section, select **Connection monitor**.

+ You'll see a list of the connection monitors that were created in Connection Monitor. To see the connection monitors that were created in the classic Connection Monitor, select the **Connection monitor** tab.

+ :::image type="content" source="./media/connection-monitor-2-preview/cm-resource-view.png" alt-text="Screenshot that lists the connection monitors that were created in Connection Monitor.":::

+

+1. On the **Connection Monitor** dashboard, at the upper left, select **Create**.

+

+1. On the **Basics** pane, enter information for your connection monitor:

+ a. **Connection Monitor Name**: Enter a name for your connection monitor. Use the standard naming rules for Azure resources.

+ b. **Subscription**: Select a subscription for your connection monitor.

+ c. **Region**: Select a region for your connection monitor. You can select only the source VMs that are created in this region.

+ d. **Workspace configuration**: Your workspace holds your monitoring data. Do either of the following:

+ * To use the default workspace, select the checkbox.

+ * To choose a custom workspace, clear the checkbox, and then select the subscription and region for your custom workspace.

+ :::image type="content" source="./media/connection-monitor-2-preview/create-cm-basics.png" alt-text="Screenshot that shows the 'Basics' pane in Connection Monitor.":::

+

+1. Select **Next: Test groups**.

+1. Add sources, destinations, and test configurations in your test groups. To learn about setting up test groups, see [Create test groups in Connection Monitor](#create-test-groups-in-a-connection-monitor).

+ :::image type="content" source="./media/connection-monitor-2-preview/create-tg.png" alt-text="Screenshot that shows the 'Test groups' pane in Connection Monitor.":::

+1. At the bottom of the pane, select **Next: Create Alerts**. To learn about creating alerts, see [Create alerts in Connection Monitor](#create-alerts-in-connection-monitor).

+ :::image type="content" source="./media/connection-monitor-2-preview/create-alert.png" alt-text="Screenshot that shows the 'Create alerts' pane.":::

+1. At the bottom of the pane, select **Next: Review + create**.

+1. On the **Review + create** pane, review the basic information and test groups before you create the connection monitor. If you need to edit the connection monitor, you can do so by going back to the respective panes.

+ :::image type="content" source="./media/connection-monitor-2-preview/review-create-cm.png" alt-text="Screenshot that shows the 'Review + create' pane in Connection Monitor.":::

+ > The **Review + create** pane shows the cost per month during the Connection Monitor stage. Currently, the **Current Cost/Month** column shows no charge. When Connection Monitor becomes generally available, this column will show a monthly charge.

+1. When you're ready to create the connection monitor, at the bottom of the **Review + create** pane, select **Create**.

+ > [!NOTE]

+ > Connection Monitor now supports the auto-enabling of monitoring extensions for Azure and non-Azure endpoints, thus eliminating the need for manual installation of monitoring solutions during the creation of Connection Monitor.

+In the Azure portal, to create a test group in a connection monitor, do the following:

+1. **Disable test group**: You can select this checkbox to disable monitoring for all sources and destinations that the test group specifies. This selection is cleared by default.

+1. **Name**: Name your test group.

+1. **Sources**: You can specify both Azure VMs and on-premises machines as sources if agents are installed on them. To learn about installing an agent for your source, see [Install monitoring agents](./connection-monitor-overview.md#install-monitoring-agents).

+

+ You can drill down from the **Subscription** level to other levels in the hierarchy:

+ **Subscription** > **Resource group** > **Virtual network** > **Subnet** > **VMs with agents**

+ You can also change the **Group by** selector to start the tree from any other level. For example, if you group by virtual network, you see the VMs that have agents in the hierarchy **Virtual network** > **Subnet** > **VMs with agents**.

+ When you select a virtual network, subnet, a single VM or a virtual machine scale set the corresponding resource ID is set as the endpoint. By default, all VMs in the selected virtual network or subnet participate in monitoring. To reduce the scope, either select specific subnets or agents or change the value of the scope property.

+ :::image type="content" source="./media/connection-monitor-2-preview/add-sources-1.png" alt-text="Screenshot that shows the 'Add Sources' pane and the Azure endpoints, including the 'VMSS' pane, in Connection Monitor.":::

+

+ 1. If you need to add Network Performance Monitor to your workspace, get it from [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/solarwinds.solarwinds-orion-network-performance-monitor?tab=Overview). For information about how to add Network Performance Monitor, see [Monitoring solutions in Azure Monitor](../azure-monitor/insights/solutions.md). For information about how to configure agents for on-premises machines, see [Agents for on-premises machines](connection-monitor-overview.md#agents-for-on-premises-machines).

+

+ 1. Under **Create Connection Monitor**, on the **Basics** pane, the default region is selected. If you change the region, you can choose agents from workspaces in the new region. You can select one or more agents or subnets. In the **Subnet** view, you can select specific IPs for monitoring. If you add multiple subnets, a custom on-premises network named **OnPremises_Network_1** will be created. You can also change the **Group by** selector to group by agents.

+ :::image type="content" source="./media/connection-monitor-2-preview/add-non-azure-sources.png" alt-text="Screenshot that shows the 'Add Sources' pane and the 'Non-Azure endpoints' pane in Connection Monitor.":::

+1. To choose recently used endpoints, you can use the **Recent endpoint** pane.

+

+ You need not choose the endpoints with monitoring agents enabled only. You can select Azure or non-Azure endpoints without the agent enabled and proceed with the creation of Connection Monitor. During the creation process, the monitoring agents for the endpoints will be automatically enabled.

+ :::image type="content" source="./media/connection-monitor-2-preview/unified-enablement.png" alt-text="Screenshot that shows the 'Add Sources' pane and the 'Non-Azure endpoints' pane in Connection Monitor with unified enablement.":::

+

+1. When you finish setting up sources, select **Done** at the bottom of the pane. You can still edit basic properties like the endpoint name by selecting the endpoint in the **Create Test Group** view.

+1. **Destinations**: You can monitor connectivity to an Azure VM, an on-premises machine, or any endpoint (a public IP, URL, or FQDN) by specifying it as a destination. In a single test group, you can add Azure VMs, on-premises machines, Office 365 URLs, Dynamics 365 URLs, and custom endpoints.

+ * To choose Azure VMs as destinations, select the **Azure endpoints** tab. By default, the Azure VMs are grouped into a subscription hierarchy that's in the region that you selected under **Create Connection Monitor** on the **Basics** pane. You can change the region and choose Azure VMs from the new region. Then you can drill down from the **Subscription** level to other levels in the hierarchy, just as you can when you set the source Azure endpoints.

+ You can select virtual networks, subnets, or single VMs, as you can when you set the source Azure endpoints. When you select a virtual network, subnet, or single VM, the corresponding resource ID is set as the endpoint. By default, all VMs in the selected virtual network or subnet that have the Network Watcher extension participate in monitoring. To reduce the scope, either select specific subnets or agents or change the value of the scope property.

+ :::image type="content" source="./media/connection-monitor-2-preview/add-azure-dests1.png" alt-text="<Screenshot that shows the 'Add Destinations' pane and the 'Azure endpoints' pane.>":::

+ :::image type="content" source="./media/connection-monitor-2-preview/add-azure-dests2.png" alt-text="<Screenshot that shows the 'Add Destinations' pane at the Subscription level.>":::

+

+ * To choose non-Azure agents as destinations, select the **Non-Azure endpoints** tab. By default, agents are grouped into workspaces by region. All these workspaces have Network Performance Monitor configured.

+

+ If you need to add Network Performance Monitor to your workspace, get it from Azure Marketplace. For information about how to add Network Performance Monitor, see [Monitoring solutions in Azure Monitor](../azure-monitor/insights/solutions.md). For information about how to configure agents for on-premises machines, see [Agents for on-premises machines](connection-monitor-overview.md#agents-for-on-premises-machines).

+ Under **Create Connection Monitor**, on the **Basics** pane, the default region is selected. If you change the region, you can choose agents from workspaces in the new region. You can select one or more agents or subnets. In the **Subnet** view, you can select specific IPs for monitoring. If you add multiple subnets, a custom on-premises network named **OnPremises_Network_1** will be created.

+ :::image type="content" source="./media/connection-monitor-2-preview/add-non-azure-dest.png" alt-text="Screenshot that shows the 'Add Destinations' pane and the 'Non-Azure endpoints' pane.":::

+ * To choose public endpoints as destinations, select the **External Addresses** tab. The list of endpoints includes Office 365 test URLs and Dynamics 365 test URLs, grouped by name. You also can choose endpoints that were created in other test groups in the same connection monitor.

+

+ To add an endpoint, in the upper-right corner, select **Add Endpoint**. Then provide an endpoint name and URL, IP, or FQDN.

+ :::image type="content" source="./media/connection-monitor-2-preview/add-endpoints.png" alt-text="Screenshot that shows where to add public endpoints as destinations in Connection Monitor.":::

+ * To choose recently used endpoints, go to the **Recent endpoint** pane.

+1. When you finish choosing destinations, select **Done**. You can still edit basic properties, such as the endpoint name, by selecting the endpoint in the **Create Test Group** view.

+1. **Test configurations**: You can add one or more test configurations to a test group. Create a new test configuration by using the **New configuration** pane. Or add a test configuration from another test group in the same Connection Monitor from the **Choose existing** pane.

+ a. **Test configuration name**: Name the test configuration.

+ b. **Protocol**: Select **TCP**, **ICMP**, or **HTTP**. To change HTTP to HTTPS, select **HTTP** as the protocol, and then select **443** as the port.

+ c. **Create TCP test configuration**: This checkbox appears only if you select **HTTP** in the **Protocol** list. Select this checkbox to create another test configuration that uses the same sources and destinations that you specified elsewhere in your configuration. The new test configuration is named **\<name of test configuration>_networkTestConfig**.

+ d. **Disable traceroute**: This checkbox applies when the protocol is TCP or ICMP. Select this box to stop sources from discovering topology and hop-by-hop RTT.

+ e. **Destination port**: You can provide a destination port of your choice.

+ f. **Listen on port**: This checkbox applies when the protocol is TCP. Select this checkbox to open the chosen TCP port if it's not already open.

+ g. **Test Frequency**: In this list, specify how frequently sources will ping destinations on the protocol and port that you specified.

+

+ You can choose 30 seconds, 1 minute, 5 minutes, 15 minutes, or 30 minutes. Select **custom** to enter another frequency that's between 30 seconds and 30 minutes. Sources will test connectivity to destinations based on the value that you choose. For example, if you select 30 seconds, sources will check connectivity to the destination at least once in every 30-second period.

+ h. **Success Threshold**: You can set thresholds on the following network parameters:

+

+ * **Checks failed**: Set the percentage of checks that can fail when sources check connectivity to destinations by using the criteria that you specified. For the TCP or ICMP protocol, the percentage of failed checks can be equated to the percentage of packet loss. For HTTP protocol, this value represents the percentage of HTTP requests that received no response.

+

+ * **Round trip time**: Set the RTT, in milliseconds, for how long sources can take to connect to the destination over the test configuration.

+

+ :::image type="content" source="./media/connection-monitor-2-preview/add-test-config.png" alt-text="Screenshot that shows where to set up a test configuration in Connection Monitor.":::

+

+1. **Test Groups**: You can add one or more Test Groups to a Connection Monitor. These test groups can consist of multiple Azure or non-Azure endpoints.

+ For selected Azure VMs or Azure virtual machine scale sets and non-Azure endpoints without monitoring extensions, the extension for Azure VMs and the Network Performance Monitor solution for non-Azure endpoints will be auto-enabled after the creation of Connection Monitor begins.

+

+ If the selected virtual machine scale set is set for manual upgrade, you'll have to upgrade the scale set after the Network Watcher extension installation. Doing so lets you continue setting up the Connection Monitor with virtual machine scale sets as endpoints. If the virtual machine scale set is set to auto-upgrade, you don't need to worry about upgrading after the installation of the Network Watcher extension.

+ In the previously mentioned scenario, you can consent to an auto-upgrade of virtual machine scale sets with auto-enabling of the Network Watcher extension during the creation of Connection Monitor for virtual machine scale sets with manual upgrading. This approach eliminates the need to manually upgrade the virtual machine scale set after you install the Network Watcher extension.

+ :::image type="content" source="./media/connection-monitor-2-preview/consent-vmss-auto-upgrade.png" alt-text="Screenshot that shows where to set up a test group and consent for an auto-upgrade of the virtual machine scale set in Connection Monitor.":::

+In the Azure portal, to create alerts for a connection monitor, specify values for these fields:

+* **Create alert**: You can select this checkbox to create a metric alert in Azure Monitor. When you select this checkbox, the other fields will be enabled for editing. Additional charges for the alert will be applicable, based on the [pricing for alerts](https://azure.microsoft.com/pricing/details/monitor/).

+* **Scope** > **Resource** > **Hierarchy**: These values are automatically filled, based on the values specified on the **Basics** pane.

+* **Condition name**: The alert is created on the `Test Result(preview)` metric. When the result of the connection monitor test is a failing result, the alert rule will fire.

+* **Action group name**: You can enter your email directly or you can create alerts via action groups. If you enter your email directly, an action group with the name **NPM Email ActionGroup** is created. The email ID is added to that action group. If you choose to use action groups, you need to select a previously created action group. To learn how to create an action group, see [Create action groups in the Azure portal](../azure-monitor/alerts/action-groups.md). After the alert is created, you can [manage your alerts](../azure-monitor/alerts/alerts-metric.md#view-and-manage-with-azure-portal).

+* **Alert rule name**: The name of the connection monitor.

+* **Enable rule upon creation**: Select this checkbox to enable the alert rule based on the condition. Disable this checkbox if you want to create the rule without enabling it.

+After you've completed all the steps, the process will proceed with a unified enabling of monitoring extensions for all endpoints without monitoring agents enabled, followed by the creation of the connection monitor.

+After the creation process is successful, it takes about 5 minutes for the connection monitor to be displayed on the dashboard.

+## Virtual machine scale set coverage

+Currently, Connection Monitor provides default coverage for the scale set instances that are selected as endpoints. This means that only a default percentage of all the added scale set instances would be randomly selected to monitor connectivity from the scale set to the endpoint.

+As a best practice, to avoid loss of data because of a downscaling of instances, we recommend that you select *all* instances in a scale set while you're creating a test group, instead of selecting a particular few for monitoring your endpoints.

+When you no longer need the resources, delete the resource group and all the resources it contains:

+1. In the **Search** box at the top of the Azure portal, enter **myResourceGroup** and then, in the search results list, select it.

+1. Select **Delete resource group**.

+1. For **Resource group name**, enter **myResourceGroup**, and then select **Delete**.

+In this tutorial, you learned how to monitor a connection between a virtual machine scale set and a VM. You learned that a network security group rule prevented communication to a VM.

+To learn about all the different responses a connection monitor can return, see [response types](network-watcher-connectivity-overview.md#response). You can also monitor a connection between a VM, a fully qualified domain name, a uniform resource identifier, or an IP address. See also:

+* [Analyze monitoring data and set alerts](./connection-monitor-overview.md#analyze-monitoring-data-and-set-alerts)

+* [Diagnose problems in your network](./connection-monitor-overview.md#diagnose-issues-in-your-network)

+ Title: Process Synthetic Aperture Radar (SAR) data - Azure Orbital Analytics

+description: View a reference architecture that enables processing SAR/Remote Sensing data on Azure by using Apache Spark on Azure Synapse.

+# Process Synthetic Aperture Radar (SAR) data in Azure

+ - [Argo](https://argoproj.github.io/)

+tar -xvzf DRL-IPOPP_4.1.tar.gz --directory $INSTALL_DIR

+ if getattr(pa,'provisioning_state') == "Failed" :

+ if getattr(pa,'provisioning_state') == "Failed" :

+1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory** and create an App Registration in the tenant. Provide a web URL in the **Redirect URI**.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-app-registration.png" alt-text="Screenshot how to create App in AAD.":::

+2. Take note of Client ID(App ID).

+

+1. Create an App Registration in your Azure Active Directory tenant. Provide a web URL in the **Redirect URI**.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-app-registration.png" alt-text="Screenshot how to create App in AAD.":::

+2. Take note of Client ID(App ID).

+## Machine Learning based classifications

+## Person's Name

+## Person's Address

+Person's address classification is used to detect full address stored in a single column containing the following elements: House number, Street Name, City, State, Country, Zip Code. Person's Address classifier uses machine learning model that is trained on the global addresses data set in English language.

+This classifier consists of the most common ethnic groups. For a reference list, see this [article](https://en.wikipedia.org/wiki/List_of_contemporary_ethnic_groups).

+This entity is included in the EU Driver's License Number sensitive information type. It's also available as a stand-alone sensitive information type entity.

+- A digit that is not 0 or 1

+This type entity is included in the EU Driver's License Number sensitive information type. It's also available as a stand-alone sensitive information type entity.

+nine or ten digits containing optional backslash

+- nine digits like ddddddddd won't match.

+- 10 digit number, for example, +1 nxx-nxx-xxxx

+- Optional four digit extension

+Five digit U.S. Zip code and an optional four digit code separated by a hyphen (-).

+When converting a triangular mesh, for instance from an .fbx file, all parameters from the schema above do affect the outcome. The parameters are explained in detail now:

+> For FBX, E57, PLY, LAS, LAZ and XYZ files these settings are set to `true` by default. For all other file types, the default is `false`.

+* `gammaToLinearVertex` - similar to triangular meshes, this flag indicates whether point colors should be converted from gamma space to linear space. Default value for point cloud formats (E57, PLY, LAS, LAZ and XYZ) is true.

+[Autodesk 3ds Max](https://www.autodesk.de/products/3ds-max) has distinct object cloning modes called **`Copy`**, **`Instance`**, and **`Reference`** that behave differently regarding instancing in the exported `.fbx` file.

+In these use cases, the models often have high detail within a small volume. The renderer is heavily optimized to handle such cases well. However, most of the optimizations mentioned in the previous use case don't apply here:

+Azure Remote Rendering allows you to render complex models. To achieve maximum performance, the data must be preprocessed to be in an optimal format. Depending on the amount of data, this step might take a while. It would be impractical, if this time was spent during model loading. Also, it would be wasteful to repeat this process for multiple sessions.

+There are minor differences between the formats regarding material property conversion, as listed in chapter [material mapping for model formats](../../reference/material-mapping.md).

+* **LAS**, **LAZ** : In case color data isn't present, the intensity attribute is used as color.

+### WMR vs. OpenXR

+In Unity 2019 and Unity 2020, you can still choose between the WMR (Windows Mixed Reality) and OpenXR plugin. WMR has been deprecated for Unity 2021 and onwards. A known limitation of the WMR version is that it doesn't work in linear color space.

+You'll need to train a Form Recognizer model with your input forms before you use this skill. Follow the [cURL quickstart](/azure/applied-ai-services/form-recognizer/how-to-guides/v2-1-sdk-rest-api) to learn how to train a model. You can use the sample forms provided in that quickstart, or you can use your own data. Once the model is trained, copy its ID value to a secure location.

+* [Map enriched fields](cognitive-search-output-field-mapping.md)

+When you start a session, the search service creates a copy of the skillset, indexer, and a data source containing a single document that will be used to test the skillset. All session state will be saved to a new blob container created by the Azure Cognitive Search service in an Azure Storage account that you provide. The name of the generated container has a prefix of "ms-az-cognitive-search-debugsession". The Azure Storage flow to choose the target storage account where the debug session data is exported always requests a container to be chosen by the user. This is omitted by default to avoid debug session data to be exported by mistake to a customer created container that may have data not related to the debug session.

+A debug session can be canceled while it's executing using the **Cancel** button. If you hit the **Cancel** button you should be able to analyze partial results.

+It is expected for a debug session to take longer to execute than the indexer since it goes through extra processing.

+Custom skills can be more challenging to debug because the code runs externally, so the debug session can't be used to debug them. This section describes how to locally debug your Custom Web API skill, debug session, Visual Studio Code and [ngrok](https://ngrok.com/docs). This technique works with custom skills that execute in [Azure Functions](../azure-functions/functions-overview.md) or any other Web Framework that runs locally (for example, [FastAPI](https://fastapi.tiangolo.com/)).

+As an alternative to this connector, if your scenario has any of those requirements, you could use the [Push API/SDK](search-what-is-data-import.md) or consider [Azure Data Factory](../data-factory/connector-azure-cosmos-db.md) with an [Azure Cognitive Search index](../data-factory/connector-azure-search.md) as the sink.

+Any customer using Azure Infrastructure as a Service (IaaS) features can achieve encryption at rest for their IaaS VMs and disks through Azure Disk Encryption. For more information on Azure Disk encryption, see [Azure Disk Encryption for Linux VMs](../../virtual-machines/linux/disk-encryption-overview.md) or [Azure Disk Encryption for Windows VMs](../../virtual-machines/windows/disk-encryption-overview.md).

+ - [Post a message in a Microsoft Teams channel](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SentinelSOARessentials/Playbooks/Post-Message-Teams)

+ - [Post a message in a Slack channel](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SentinelSOARessentials/Playbooks/Post-Message-Slack)

+Microsoft Sentinel is empowered by the components that send data to your workspace, and is made stronger through integrations with other Microsoft services. Any logs ingested into products such as Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and Microsoft Defender for Identity allow these services to create detections, and in turn provide those detections to Microsoft Sentinel. Logs can also be ingested directly into Microsoft Sentinel to provide a fuller picture of events and incidents.

+- [Create Resource Manager parameter file](/azure/azure-resource-manager/templates/parameter-files)

+- [Parameters in ARM templates](/azure/azure-resource-manager/templates/parameters)

+Microsoft Sentinel's [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection) connector with incident integration allows you to stream all Microsoft 365 Defender incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. Microsoft 365 Defender incidents include all their alerts, entities, and other relevant information, and they group together, and are enriched by, alerts from Microsoft 365 Defender's component services **Microsoft Defender for Endpoint**, **Microsoft Defender for Identity**, **Microsoft Defender for Office 365**, and **Microsoft Defender for Cloud Apps**, as well as alerts from other services such as **Microsoft Purview Data Loss Prevention (DLP)** and **Azure Active Directory Identity Protection (AADIP)**.

+The connector also lets you stream **advanced hunting** events from *all* of the above Defender components into Microsoft Sentinel, allowing you to copy those Defender components' advanced hunting queries into Microsoft Sentinel, enrich Sentinel alerts with the Defender components' raw event data to provide additional insights, and store the logs with increased retention in Log Analytics.

+ # [Defender for Identity](#tab/MDI)

+ # [Defender for Cloud Apps](#tab/MDCA)

+ # [Defender alerts](#tab/MDA)

+In this document, you learned how to integrate Microsoft 365 Defender incidents, and advanced hunting event data from Microsoft Defender component services, into Microsoft Sentinel, using the Microsoft 365 Defender connector. To learn more about Microsoft Sentinel, see the following articles:

+> - Use community resources, such as the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries), to find additional queries and data sources.

+| **See how queries apply to your environment** | Select the **Run all queries (Preview)** button, or select a subset of queries using the checkboxes to the left of each row and select the **Run selected queries (Preview)** button. <br><br>Running your queries can take anywhere from a few seconds to many minutes, depending on how many queries are selected, the time range, and the amount of data that is being queried. |

+1. Add a filter in the query on the command line to contain only instances of cscript.exe.

+ You can also create an incident from one or more bookmarks, or add one or more bookmarks to an existing incident. Select a checkbox to the left of any bookmarks you want to use, and then select **Incident actions** > **Create new incident** or **Add to existing incident**. Triage and investigate the incident like any other.

+The following table describes some methods of using Jupyter notebooks to help your processes in Microsoft Sentinel:

+- **Azure Active Directory Identity Protection (AADIP)** ([Learn more](/defender-cloud-apps/aadip-integration))

+Once the Microsoft 365 Defender integration is connected, the connectors for all the integrated components and services (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, Azure Active Directory Identity Protection) will be automatically connected in the background if they weren't already. If any component licenses were purchased after Microsoft 365 Defender was connected, the alerts and incidents from the new product will still flow to Microsoft Sentinel with no additional configuration or charge.

+- To avoid creating duplicate incidents for the same alerts, we recommend that customers turn off all **Microsoft incident creation rules** for Microsoft 365 Defender-integrated products (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, and Azure Active Directory Identity Protection) when connecting Microsoft 365 Defender. This can be done by disabling incident creation in the connector page. Keep in mind that if you do this, any filters that were applied by the incident creation rules will not be applied to Microsoft 365 Defender incident integration.

+| **DstProcessId**| Optional | String | The process ID (PID) of the process that terminated the network session.<br><br>Example: `48610176` <br><br>**Note**: The type is defined as *string* to support varying systems, but on Windows and Linux this value must be numeric. <br><br>If you are using a Windows or Linux machine and used a different type, make sure to convert the values. For example, if you used a hexadecimal value, convert it to a decimal value. |

+| **DstProcessGuid** | Optional | String | A generated unique identifier (GUID) of the process that terminated the network session. <br><br> Example: `EF3BD0BD-2B74-60C5-AF5C-010000001E00` |

+- Added the fields `NetworkConnectionHistory`, `SrcVlanId`, `DstVlanId`, `InnerVlanId`, and `OuterVlanId`.

+In order to install, update or delete solutions in content hub, you need the **Template Spec Contributor** role at the resource group level. See [Azure RBAC built in roles](/azure/role-based-access-control/built-in-roles#template-spec-contributor) for details on this role.

+- [Join the H-ISAC](https://h-isac.org/) to get the credentials to access this feed.

+- Find and enable incident enrichment playbooks for [ReversingLabs](https://www.reversinglabs.com/products/file-reputation-service) in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ReversingLabs/Playbooks/ReversingLabs-EnrichFileHash).

+- [Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)](#microsoft-365-defender-now-integrates-azure-active-directory-identity-protection-aadip)

+- [Out of the box anomaly detection on the SAP audit log (Preview)](#out-of-the-box-anomaly-detection-on-the-sap-audit-log-preview)

+### Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)

+As of **October 24, 2022**, [Microsoft 365 Defender](/microsoft-365/security/defender/) will be integrating [Azure Active Directory Identity Protection (AADIP)](../active-directory/identity-protection/index.yml) alerts and incidents. Customers can choose between two levels of integration:

+- **Selective alerts** (default) includes only alerts chosen by Microsoft security researchers, mostly of Medium and High severities.

+- **All alerts** includes all AADIP alerts of any severity.

+This integration can't be disabled.

+Microsoft Sentinel customers (who are also AADIP subscribers) with [Microsoft 365 Defender integration](microsoft-365-defender-sentinel-integration.md) enabled will automatically start receiving AADIP alerts and incidents in their Microsoft Sentinel incidents queue. Depending on your configuration, this may affect you as follows:

+- If you already have your AADIP connector enabled in Microsoft Sentinel, and you've enabled incident creation, you may receive duplicate incidents. To avoid this, you have a few choices, listed here in descending order of preference:

+ | Preference | Action in Microsoft 365 Defender | Action in Microsoft Sentinel |

+ | - | - | - |

+ | **1** | Keep the default AADIP integration of **Selective alerts**. | Disable any [**Microsoft Security** analytics rules](detect-threats-built-in.md) that create incidents from AADIP alerts. |

+ | **2** | Choose the **All alerts** AADIP integration. | Create automation rules to automatically close incidents with unwanted alerts.<br><br>Disable any [**Microsoft Security** analytics rules](detect-threats-built-in.md) that create incidents from AADIP alerts. |

+ | **3** | Don't use Microsoft 365 Defender for AADIP alerts:<br>Choose either option for AADIP integration. | Create automation rules to close all incidents where <br>- the *incident provider* is `Microsoft 365 Defender` and <br>- the *alert provider* is `Azure Active Directory Identity Protection`. <br><br>Leave enabled those [**Microsoft Security** analytics rules](detect-threats-built-in.md) that create incidents from AADIP alerts. |

+- If you don't have your [AADIP connector](data-connectors-reference.md#azure-active-directory-identity-protection) enabled, you must enable it. Be sure **not** to enable incident creation on the connector page. If you don't enable the connector, you may receive AADIP incidents without any data in them.

+- If you're first enabling your Microsoft 365 Defender connector now, the AADIP connection will be made automatically behind the scenes. You won't need to do anything else.

+> Deployment of Service Fabric applications with managed identities are supported starting with API version `"2019-06-01-preview"`. You can also use the same API version for application type, application type version and service resources. The minimum supported Service Fabric runtime is 6.5 CU2. In addition, the build / package environment should also have the SF .Net SDK at CU2 or higher

+ By default, Standard HDD managed disks are created in Azure. Select **Customize** to customize the type of Managed disks. Choose the type of disk based on the business requirement. Ensure to [choose the appropriate disk type](../virtual-machines/disks-types.md#disk-type-comparison) based on the IOPS of the source machine disks. For pricing information, see [managed disk pricing](https://azure.microsoft.com/pricing/details/managed-disks/).