-> [!NOTE]

-> This feature replaces and supersedes the [claims customization](active-directory-saml-claims-customization.md) offered through the Azure portal. On the same application, if you customize claims using the portal in addition to the Microsoft Graph/PowerShell method detailed in this document, tokens issued for that application will ignore the configuration in the portal. Configurations made through the methods detailed in this document will not be reflected in the portal.

-In the following examples, you create, update, link, and delete policies for service principals. Claims-mapping policies can only be assigned to service principal objects. If you are new to Azure AD, we recommend that you [learn about how to get an Azure AD tenant](quickstart-create-new-tenant.md) before you proceed with these examples.

-When creating a claims-mapping policy, you can also emit a claim from a directory extension attribute in tokens. Use *ExtensionID* for the extension attribute instead of *ID* in the `ClaimsSchema` element. For more info on extension attributes, see [Using directory extension attributes](active-directory-schema-extensions.md).

-> [!NOTE]

-> The [Azure AD PowerShell Module public preview release](https://www.powershellgallery.com/packages/AzureADPreview) is required to configure claims-mapping policies. The PowerShell module is in preview, while the claims mapping and token creation runtime in Azure is generally available. Updates to the preview PowerShell module could require you to update or change your configuration scripts.

- ``` powershell

- ``` powershell

-Next, create a claims mapping policy and assign it to a service principal. See these examples for common scenarios:

-After creating a claims mapping policy, configure your application to acknowledge that tokens will contain customized claims. For more information, read [security considerations](#security-considerations).

- ``` powershell

- ``` powershell

- ``` powershell

- ``` powershell

- > [!WARNING]

- > When you define a claims mapping policy for a directory extension attribute, use the `ExtensionID` property instead of the `ID` property within the body of the `ClaimsSchema` array.

- ``` powershell

- ``` powershell

- ``` powershell

- ``` powershell

- ``` powershell

-Applications that receive tokens rely on the fact that the claim values are authoritatively issued by Azure AD and cannot be tampered with. However, when you modify the token contents through claims-mapping policies, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified by the creator of the claims-mapping policy to protect themselves from claims-mapping policies created by malicious actors. This can be done in one the following ways:

-

-For multi-tenant apps, a custom signing key should be used. Do not set `acceptMappedClaims` in the app manifest. If set up an app in the Azure portal, you get an app registration object and a service principal in your tenant. That app is using the Azure global sign-in key, which cannot be used for customizing claims in tokens. To get custom claims in tokens, create a custom sign-in key from a certificate and add it to service principal. For testing purposes, you can use a self-signed certificate. After configuring the custom signing key, your application code needs to [validate the token signing key](#validate-token-signing-key).

-The following shows the format of the HTTP PATCH request to add a custom signing key to a service principal. The "key" value in the `keyCredentials` property is shortened for readability. The value is base-64 encoded. For the private key, the property usage is "Sign". For the public key, the property usage is "Verify".

-To run this script you need:

-1. The object ID of your application's service principal, found in the **Overview** blade of your application's entry in [Enterprise Applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/) in the Azure portal.

-2. An app registration to sign in a user and get an access token to call Microsoft Graph. Get the application (client) ID of this app in the **Overview** blade of the application's entry in [App registrations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) in the Azure portal. The app registration should have the following configuration:

- - A redirect URI of "http://localhost" listed in the **Mobile and desktop applications** platform configuration

- - In **API permissions**, Microsoft Graph delegated permissions **Application.ReadWrite.All** and **User.Read** (make sure you grant Admin consent to these permissions)

- - Cloud Application Administrator

- - Application Administrator

- - Global Administrator

- - public key (typically a .cer file)

- - private key in PKCS#12 format (in .pfx file)

- - password for the private key (pfx file)

-> [!IMPORTANT]

-> The private key must be in PKCS#12 format since Azure AD does not support other format types. Using the wrong format can result in the error "Invalid certificate: Key value is invalid certificate" when using Microsoft Graph to PATCH the service principal with a `keyCredentials` containing the certificate info.

-

-$redirectURL = "http://localhost" # this reply URL is needed for PowerShell Core

-

-

-

- {

- {

-

-

-

-

-

-

-

-

-

-

-

-

-

-

-

- $object = [ordered]@{

- keyCredentials = @(

- [ordered]@{

- startDateTime = $startDateTime

- displayName = "CN=fourthcoffeetest"

- [ordered]@{

- startDateTime = $startDateTime

- displayName = "CN=fourthcoffeetest"

- )

- keyId = $guid1

-

-

-

- try

- }

- catch

- Write-Host "StatusCode:" $_.Exception.Response.StatusCode.value__

-

-For single tenant apps, you can set the `acceptMappedClaims` property to `true` in the [application manifest](reference-app-manifest.md). As documented on the [apiApplication resource type](/graph/api/resources/apiapplication#properties), this allows an application to use claims mapping without specifying a custom signing key.

-> [!WARNING]

-> Do not set `acceptMappedClaims` property to `true` for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app.

-If you're not using a verified domain, Azure AD will return an `AADSTS501461` error code with message *"AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains. Either change the resource identifier, or use an application-specific signing key."*

-In MSAL logging is set at application creation using the `.WithLogging` builder modifier. This method takes optional parameters:

-The web API is defined by its `scopes`. Whatever the experience you provide in your application, the pattern to use is:

-1. [Generate an API key](https://help.documo.com/support/solutions/articles/72000513690-how-to-enable-api-and-retrieve-api-key) to use for Azure AD provisioning.

- For "Tenant URL", type https://api.github.com/scim/v2/enterprises/YOUR_ENTERPRISE, replacing YOUR_ENTERPRISE with the name of your enterprise account.

-description: Learn how to configure single sign-on between Azure Active Directory and F5.

-# Tutorial: Configure single sign-on (SSO) between Azure Active Directory and F5

-In this tutorial, you'll learn how to integrate F5 with Azure Active Directory (Azure AD). When you integrate F5 with Azure AD, you can:

-* Control in Azure AD who has access to F5.

-* Enable your users to be automatically signed-in to F5 with their Azure AD accounts.

-* Manage your accounts in one central location - the Azure portal.

-> [!NOTE]

-> F5 BIG-IP APM [Purchase Now](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/f5-networks.f5-big-ip-best?tab=Overview).

-## Prerequisites

-To get started, you need the following items:

-* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

-* F5 single sign-on (SSO) enabled subscription.

-* Deploying the joint solution requires the following license:

- * F5 BIG-IP® Best bundle (or)

- * F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license

- * F5 BIG-IP Access Policy Manager™ (APM) add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM).

- * In addition to the above license, the F5 system may also be licensed with:

- * A URL Filtering subscription to use the URL category database

- * An F5 IP Intelligence subscription to detect and block known attackers and malicious traffic

-

- * A network hardware security module (HSM) to safeguard and manage digital keys for strong authentication

-* F5 BIG-IP system is provisioned with APM modules (LTM is optional)

-* Although optional, it is highly recommended to Deploy the F5 systems in a [sync/failover device group](https://techdocs.f5.com/content/techdocs/en-us/bigip-14-1-0/big-ip-device-service-clustering-administration-14-1-0.html) (S/F DG), which includes the active standby pair, with a floating IP address for high availability (HA). Further interface redundancy can be achieved using the Link Aggregation Control Protocol (LACP). LACP manages the connected physical interfaces as a single virtual interface (aggregate group) and detects any interface failures within the group.

-* For Kerberos applications, an on-premises AD service account for constrained delegation. Refer to [F5 Documentation](https://support.f5.com/csp/article/K43063049) for creating a AD delegation account.

-## Access guided configuration

-* Access guided configurationΓÇÖ is supported on F5 TMOS version 13.1.0.8 and above. If your BIG-IP system is running a version below 13.1.0.8, please refer to the **Advanced configuration** section.

-* Access guided configuration presents a completely new and streamlined user experience. This workflow-based architecture provides intuitive, re-entrant configuration steps tailored to the selected topology.

-* Before proceeding to the configuration, upgrade the guided configuration by downloading the latest use case pack from [downloads.f5.com](https://login.f5.com/resource/login.jsp?ctx=719748). To upgrade, follow the below procedure.

- >[!NOTE]

- >The screenshots below are for the latest released version (BIG-IP 15.0 with AGC version 5.0). The configuration steps below are valid for this use case across from 13.1.0.8 to the latest BIG-IP version.

-1. On the F5 BIG-IP Web UI, click on **Access >> Guide Configuration**.

-1. On the **Guided Configuration** page, click on **Upgrade Guided Configuration** on the top left-hand corner.

- 

-1. On the Upgrade Guide Configuration pop screen, select **Choose File** to upload the downloaded use case pack and click on **Upload and Install** button.

- 

-1. When upgrade is completed, click on the **Continue** button.

- 

-## Scenario description

-In this tutorial, you configure and test Azure AD SSO in a test environment.

-* F5 SSO can be configured in three different ways.

-### Key Authentication Scenarios

-* Apart from Azure Active Directory native integration support for modern authentication protocols like Open ID Connect, SAML and WS-Fed, F5 extends secure access for legacy-based authentication apps for both internal and external access with Azure AD, enabling modern scenarios (e.g. password-less access) to these applications. This include:

-* Header-based authentication apps

-* Kerberos authentication apps

-* Anonymous authentication or no inbuilt authentication apps

-* NTLM authentication apps (protection with dual prompts for the user)

-* Forms Based Application (protection with dual prompts for the user)

-## Adding F5 from the gallery

-To configure the integration of F5 into Azure AD, you need to add F5 from the gallery to your list of managed SaaS apps.

-1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

-1. On the left navigation pane, select the **Azure Active Directory** service.

-1. Navigate to **Enterprise Applications** and then select **All Applications**.

-1. To add new application, select **New application**.

-1. In the **Add from the gallery** section, type **F5** in the search box.

-1. Select **F5** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

-## Configure and test Azure AD SSO for F5

-Configure and test Azure AD SSO with F5 using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in F5.

-To configure and test Azure AD SSO with F5, perform the following steps:

-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

-1. **[Configure F5 SSO](#configure-f5-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create F5 test user](#create-f5-test-user)** - to have a counterpart of B.Simon in F5 that is linked to the Azure AD representation of user.

-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

-## Configure Azure AD SSO

-Follow these steps to enable Azure AD SSO in the Azure portal.

-1. In the Azure portal, on the **F5** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Select a single sign-on method** page, select **SAML**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

- 

-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:

- a. In the **Identifier** text box, type a URL using the following pattern:

- `https://<YourCustomFQDN>.f5.com/`

- b. In the **Reply URL** text box, type a URL using the following pattern:

- `https://<YourCustomFQDN>.f5.com/`

-1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

- In the **Sign-on URL** text box, type a URL using the following pattern:

- `https://<YourCustomFQDN>.f5.com/`

- > [!NOTE]

- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [F5 Client support team](https://support.f5.com/csp/knowledge-center/software/BIG-IP?module=BIG-IP%20APM45) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

- 

-1. On the **Set up F5** section, copy the appropriate URL(s) based on your requirement.

- 

-### Create an Azure AD test user

-In this section, you'll create a test user in the Azure portal called B.Simon.

-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

-1. Select **New user** at the top of the screen.

-1. In the **User** properties, follow these steps:

- 1. In the **Name** field, enter `B.Simon`.

- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

- 1. Click **Create**.

-### Assign the Azure AD test user

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to F5.

-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

-1. In the applications list, select **F5**.

-1. In the app's overview page, find the **Manage** section and select **Users and groups**.

-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

-1. In the **Add Assignment** dialog, click the **Assign** button.

-## Configure F5 SSO

-### Configure F5 single sign-on for Header Based application

-### Guided Configuration

-1. Open a new web browser window and sign into your F5 (Header Based) company site as an administrator and perform the following steps:

-1. Navigate to **System > Certificate Management > Traffic Certificate Management > SSL Certificate List**. Select **Import** from the right-hand corner. Specify a **Certificate Name** (will be referenced Later in the config). In the **Certificate Source**, select Upload File specify the certificate downloaded from Azure while configuring SAML Single Sign on. Click **Import**.

- 

-

-1. Additionally, you will require **SSL Certificate for the Application Hostname. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List**. Select **Import** from the right-hand corner. **Import Type** will be **PKCS 12(IIS)**. Specify a **Key Name** (will be referenced Later in the config) and the specify the PFX file. Specify the **Password** for the PFX. Click **Import**.

- >[!NOTE]

- >In the example our app name is `Headerapp.superdemo.live`, we are using a Wild Card Certificate our keyname is `WildCard-SuperDemo.live`.

- 

-1. We will use the Guided Experience to setup the Azure AD Federation and Application Access. Go to ΓÇô F5 BIG-IP **Main** and select **Access > Guided Configuration > Federation > SAML Service Provider**. Click **Next** then click **Next** to begin configuration.

- 

- 

-

-1. Provide a **Configuration Name**. Specify the **Entity ID** (same as what you configured on the Azure AD Application Configuration). Specify the **Host name**. Add a **Description** for reference. Accept the remaining default entries and select and then click **Save & Next**.

- 

-1. In this example we are creating a new Virtual Server as 192.168.30.20 with port 443. Specify the Virtual Server IP address in the **Destination Address**. Select the Client **SSL Profile**, select Create new. Specify previously uploaded application certificate, (the wild card certificate in this example) and the associated key, and then click **Save & Next**.

- >[!NOTE]

- >in this example our Internal webserver is running on port 888 and we want to publish it with 443.

- 

-1. Under **Select method to configure your IdP connector**, specify Metadata, click on Choose File and upload the Metadata XML file downloaded earlier from Azure AD. Specify a unique **Name** for SAML IDP connector. Choose the **Metadata Signing Certificate** which was upload earlier. Click **Save & Next**.

- 

-

-1. Under **Select a Pool**, specify **Create New** (alternatively select a pool it already exists). Let other value be default. Under Pool Servers, type the IP Address under **IP Address/Node Name**. Specify the **Port**. Click **Save & Next**.

- 

-1. On the Single Sign-On Settings screen, select **Enable Single Sign-On**. Under Selected Single Sign-On Type choose **HTTP header-based**. Replace **session.saml.last.Identity** with **session.saml.last.attr.name.Identity** under Username Source ( this variable it set using claims mapping in the Azure AD ). Under SSO Headers.

- * **HeaderName : MyAuthorization**

- * **Header Value : %{session.saml.last.attr.name.Identity}**

- * Click **Save & Next**

- Refer Appendix for complete list of variables and values. You can add more headers as required.

- >[!NOTE]

- >Account Name Is the F5 Delegation Account Created (Check F5 Documentation).

- 

-1. For purposes of this guidance, we will skip endpoint checks. Refer to F5 documentation for details. Select **Save & Next**.

- 

-1. Accept the defaults and click **Save & Next**. Refer F5 documentation for details regarding SAML session management settings.

- 

-1. Review the summary screen and select **Deploy** to configure the BIG-IP. click on **Finish**.

- 

- 

-## Advanced Configuration

-This section is intended to be used if you cannot use the Guided configuration or would like to add/modify additional Parameters. You will require a TLS/SSL certificate for the Application Hostname.

-1. Navigate to **System > Certificate Management > Traffic Certificate Management > SSL Certificate List**. Select **Import** from the right-hand corner. **Import Type** will be **PKCS 12(IIS)**. Specify a **Key Name** (will be referenced Later in the config) and the specify the PFX file. Specify the **Password** for the PFX. Click **Import**.

- >[!NOTE]

- >In the example our app name is `Headerapp.superdemo.live`, we are using a Wild Card Certificate our keyname is `WildCard-SuperDemo.live`.

-

- 

-### Adding a new Web Server to BigIP-F5

-1. Click on **Main > IApps > Application Services > Application > Create**.

-1. Provide the **Name** and under **Template** choose **f5.http**.

-

- 

-1. We will publish our HeaderApp2 externally as HTTPS in this case, **how should the BIG-IP system handle SSL Traffic**? we specify **Terminate SSL from Client, Plaintext to servers (SSL Offload)**. Specify your Certificate and Key under **Which SSL certificate do you want to use?** and **Which SSL private key do you want to use?**. Specify the Virtual Server IP under **What IP Address do you want to use for the Virtual Server?**.

- * **Specify other details**

- * FQDN

- * Specify exiting app pool or create a new one.

- * If creating a new App Server specify **internal IP Address** and **port number**.

- 

-1. Click **Finished**.

- 

-1. Ensure the App Properties can be modified. Click **Main > IApps > Application

- 

-1. At this point you should be able to browse the virtual Server.

-### Configuring F5 as SP and Azure as IDP

-1. Click **Access > Federation> SAML Service Provider > Local SP Service > click create or + sign**.

- 

-1. Specify Details for the Service Provider Service. Specify **Name** representing F5 SP Configuration. Specify **Entity ID** (generally same as application URL).

- 

- 

- 

- 

- 

- 

-### Create Idp Connector

-1. Click **Bind/Unbind IdP Connectors** button, select **Create New IdP Connector** and choose From **Metadata** option then perform the following steps:

-

- 

- a. Browse to metadata.xml file downloaded from Azure AD and specify an **Identity Provider Name**.

- b. Click **ok**.

- c. The connector is created, and certificate is ready automatically from the metadata xml file.

-

- 

- d. Configure F5BIG-IP to send all request to Azure AD.

- e. Click **Add New Row**, choose **AzureIDP** (as created in previous steps, specify

- f. **Matching Source = %{session.server.landinguri}**

- g. **Matching Value = /***

- h. Click **update**

- i. Click **OK**

- j. **SAML IDP setup is completed**

-

- 

-### Configure F5 Policy to redirect users to Azure SAML IDP

-1. To configure F5 Policy to redirect users to Azure SAML IDP, perform the following steps:

- a. Click **Main > Access > Profile/Policies > Access Profiles**.

- b. Click on the **Create** button.

- 

-

- c. Specify **Name** (HeaderAppAzureSAMLPolicy in the example).

- d. You can customize other settings please refer to F5 Documentation.

- 

- 

- e. Click **Finished**.

- f. Once the Policy creation is completed, click on the Policy and go to the **Access Policy** Tab.

- 

-

- g. Click on the **Visual Policy editor**, edit **Access Policy for Profile** link.

- h. Click on the + Sign in the Visual Policy editor and choose **SAML Auth**.

- 

- 

-

- i. Click **Add Item**.

- j. Under **Properties** specify **Name** and under **AAA Server** select the previously configured SP, click **SAVE**.

-

- 

- k. The basic Policy is ready you can customize the policy to incorporate additional sources/attribute stores.

- 

-

- l. Ensure you click on the **Apply Access Policy** link on the top.

-### Apply Access Profile to the Virtual Server

-1. Assign the access profile to the Virtual Server in order for F5 BIG-IP APM to apply the profile settings to incoming traffic and run the previously defined access policy.

- a. Click **Main** > **Local Traffic** > **Virtual Servers**.

- 

-

- b. Click on the virtual server, scroll to **Access Policy** section, in the **Access Profile** drop down and select the SAML Policy created (in the example HeaderAppAzureSAMLPolicy)

- c. Click **update**

-

- 

- d. create an F5 BIG-IP iRule® to extract the custom SAML attributes from the incoming assertion and pass them as HTTP headers to the backend test application. Click **Main > Local Traffic > iRules > iRule List > click create**

- 

-

- e. Paste the F5 BIG-IP iRule text below into the Definition window.

- 

-

- when RULE_INIT {

- set static::debug 0

- }

- when ACCESS_ACL_ALLOWED {

- set AZUREAD_USERNAME [ACCESS::session data get "session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]

- if { $static::debug } { log local0. "AZUREAD_USERNAME = $AZUREAD_USERNAME" }

- if { !([HTTP::header exists "AZUREAD_USERNAME"]) } {

- HTTP::header insert "AZUREAD_USERNAME" $AZUREAD_USERNAME

- }

- set AZUREAD_DISPLAYNAME [ACCESS::session data get "session.saml.last.attr.name.http://schemas.microsoft.com/identity/claims/displayname"]

- if { $static::debug } { log local0. "AZUREAD_DISPLAYNAME = $AZUREAD_DISPLAYNAME" }

- if { !([HTTP::header exists "AZUREAD_DISPLAYNAME"]) } {

- HTTP::header insert "AZUREAD_DISPLAYNAME" $AZUREAD_DISPLAYNAME

- }

- set AZUREAD_EMAILADDRESS [ACCESS::session data get "session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]

- if { $static::debug } { log local0. "AZUREAD_EMAILADDRESS = $AZUREAD_EMAILADDRESS" }

- if { !([HTTP::header exists "AZUREAD_EMAILADDRESS"]) } {

- HTTP::header insert "AZUREAD_EMAILADDRESS" $AZUREAD_EMAILADDRESS }}

- **Sample output below**

- 

-

-### Create F5 test user

-In this section, you create a user called B.Simon in F5. Work with [F5 Client support team](https://support.f5.com/csp/knowledge-center/software/BIG-IP?module=BIG-IP%20APM45) to add the users in the F5 platform. Users must be created and activated before you use single sign-on.

-## Test SSO

-In this section, you test your Azure AD single sign-on configuration with following options.

-#### SP initiated:

-* Click on **Test this application** in Azure portal. This will redirect to F5 Sign on URL where you can initiate the login flow.

-* Go to F5 Sign-on URL directly and initiate the login flow from there.

-#### IDP initiated:

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the F5 for which you set up the SSO

-You can also use Microsoft My Apps to test the application in any mode. When you click the F5 tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the F5 for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-> [!NOTE]

-> F5 BIG-IP APM [Purchase Now](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/f5-networks.f5-big-ip-best?tab=Overview).

-## Next steps

-Once you configure F5 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-* A valid introdus API Token. A guide on how to generate Token, can be found [here](https://help.introdus.dk/en/articles/2011815-introdus-open-api).

-description: Learn how to configure single sign-on between Azure Active Directory and Oracle PeopleSoft - Protected by F5 BIG-IP APM.

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Oracle PeopleSoft - Protected by F5 BIG-IP APM

-In this tutorial, you'll learn how to integrate Oracle PeopleSoft - Protected by F5 BIG-IP APM with Azure Active Directory (Azure AD). When you integrate Oracle PeopleSoft - Protected by F5 BIG-IP APM with Azure AD, you can:

-* Control in Azure AD who has access to Oracle PeopleSoft - Protected by F5 BIG-IP APM.

-* Enable your users to be automatically signed-in to Oracle PeopleSoft - Protected by F5 BIG-IP APM with their Azure AD accounts.

-* Manage your accounts in one central location - the Azure portal.

-* This tutorial covers instructions for Oracle PeopleSoft ELM.

-## Prerequisites

-To get started, you need the following items:

-1. An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

-1. Oracle PeopleSoft - Protected by F5 BIG-IP APM single sign-on (SSO) enabled subscription.

-1. Deploying the joint solution requires the following license:

- 1. F5 BIG-IP® Best bundle (or)

- 2. F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license

- 3. F5 BIG-IP Access Policy Manager™ (APM) add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM).

- 4. In addition to the above license, the F5 system may also be licensed with:

- * A URL Filtering subscription to use the URL category database.

- * An F5 IP Intelligence subscription to detect and block known attackers and malicious traffic.

- * A network hardware security module (HSM) to safeguard and manage digital keys for strong authentication.

-1. F5 BIG-IP system is provisioned with APM modules (LTM is optional).

-1. Although optional, it is highly recommended to Deploy the F5 systems in a [sync/failover device group](https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-device-service-clustering-administration-14-1-0.html) (S/F DG), which includes the active standby pair, with a floating IP address for high availability (HA). Further interface redundancy can be achieved using the Link Aggregation Control Protocol (LACP). LACP manages the connected physical interfaces as a single virtual interface (aggregate group) and detects any interface failures within the group.

-## Scenario description

-In this tutorial, you configure and test Azure AD SSO in a test environment.

-* Oracle PeopleSoft - Protected by F5 BIG-IP APM supports **SP and IDP** initiated SSO.

-## Add Oracle PeopleSoft - Protected by F5 BIG-IP APM from the gallery

-To configure the integration of Oracle PeopleSoft - Protected by F5 BIG-IP APM into Azure AD, you need to add Oracle PeopleSoft - Protected by F5 BIG-IP APM from the gallery to your list of managed SaaS apps.

-1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

-1. On the left navigation pane, select the **Azure Active Directory** service.

-1. Navigate to **Enterprise Applications** and then select **All Applications**.

-1. To add new application, select **New application**.

-1. In the **Add from the gallery** section, type **Oracle PeopleSoft - Protected by F5 BIG-IP APM** in the search box.

-1. Select **Oracle PeopleSoft - Protected by F5 BIG-IP APM** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

-## Configure and test Azure AD SSO for Oracle PeopleSoft - Protected by F5 BIG-IP APM

-Configure and test Azure AD SSO with Oracle PeopleSoft - Protected by F5 BIG-IP APM using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Oracle PeopleSoft - Protected by F5 BIG-IP APM.

-To configure and test Azure AD SSO with Oracle PeopleSoft - Protected by F5 BIG-IP APM, perform the following steps:

-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

-1. **[Configure Oracle PeopleSoft-Protected by F5 BIG-IP APM SSO](#configure-oracle-peoplesoft-protected-by-f5-big-ip-apm-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create Oracle PeopleSoft-Protected by F5 BIG-IP APM test user](#create-oracle-peoplesoft-protected-by-f5-big-ip-apm-test-user)** - to have a counterpart of B.Simon in Oracle PeopleSoft - Protected by F5 BIG-IP APM that is linked to the Azure AD representation of user.

-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

-## Configure Azure AD SSO

-Follow these steps to enable Azure AD SSO in the Azure portal.

-1. In the Azure portal, on the **Oracle PeopleSoft - Protected by F5 BIG-IP APM** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Select a single sign-on method** page, select **SAML**.

-1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

- 

-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:

- a. In the **Identifier** text box, type a URL using the following pattern:

- `https://<FQDN>.peoplesoft.f5.com`

- b. In the **Reply URL** text box, type a URL using the following pattern:

- `https://<FQDN>.peoplesoft.f5.com/saml/sp/profile/post/acs`

- c. In the **Logout URL** text box, type a URL using the following pattern:

- `https://<FQDN>.peoplesoft.f5.com/saml/sp/profile/redirect/slr`

-1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

- In the **Sign-on URL** text box, type a URL using the following pattern:

- `https://<FQDN>.peoplesoft.f5.com/`

- > [!NOTE]

- >These values are not real. Update these values with the actual Sign-On URL, Identifier, Reply URL and Logout URL. Contact [Oracle PeopleSoft - Protected by F5 BIG-IP APM Client support team](https://support.f5.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. Oracle PeopleSoft - Protected by F5 BIG-IP APM application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

- 

-1. In addition to above, Oracle PeopleSoft - Protected by F5 BIG-IP APM application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.

-

- | Name | Source Attribute|

- | | |

- | EMPLID | user.employeeid |

-1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, Download the **Federation Metadata XML** and the **Certificate (Base64)** and save it on your computer.

- 

-### Create an Azure AD test user

-In this section, you'll create a test user in the Azure portal called B.Simon.

-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

-1. Select **New user** at the top of the screen.

-1. In the **User** properties, follow these steps:

- 1. In the **Name** field, enter `B.Simon`.

- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

- 1. Click **Create**.

-### Assign the Azure AD test user

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Oracle PeopleSoft - Protected by F5 BIG-IP APM.

-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

-1. In the applications list, select **Oracle PeopleSoft - Protected by F5 BIG-IP APM**.

-1. In the app's overview page, find the **Manage** section and select **Users and groups**.

-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

-1. In the **Add Assignment** dialog, click the **Assign** button.

-## Configure Oracle PeopleSoft-Protected by F5 BIG-IP APM SSO

-### F5 SAML SP Configuration

-Import the Metadata Certificate into the F5 which will be used later in the setup process. Navigate to **System > Certificate Management > Traffic Certificate Management > SSL Certificate List**. Select **Import** from the right-hand corner.

-

-#### Setup the SAML IDP Connector

-1. Navigate to **Access > Federation > SAML: Service Provider > External Idp Connectors** and click **Create > From Metadata**.

- 

-1. In the following page, click on **Browse** to upload the xml file.

-1. Give a valid name in the **Identity Provider Name** textbox and then click on **OK**.

- 

-1. Perform the required steps in the **Security Settings** tab and then click on **OK**.

- 

-#### Setup the SAML SP

-1. Navigate to **Access > Federation > SAML Service Provider > Local SP Services** and click **Create**. Complete the following information and click **OK**.

- * Name: `<Name>`

- * Entity ID: `https://<FQDN>.peoplesoft.f5.com`

- * SP Name Settings

- * Scheme: `https`

- * Host: `<FQDN>.peoplesoft.f5.com`

- * Description: `<Description>`

- 

-1. Select the SP Configuration, PeopleSoftAppSSO, and **Click Bind/UnBind IdP Connectors**.

-Click on **Add New Row** and Select the **External IdP connector** created in previous step, click **Update**, and then click **OK**.

- 

-## Configuring Application

-### Create a new Pool

-1. Navigate to **Local Traffic > Pools > Pool List**, click **Create**, complete the following information and click **Finished**.

- * Name: `<Name>`

- * Description: `<Description>`

- * Health Monitors: `http`

- * Address: `<Address>`

- * Service Port: `<Service Port>`

- 

-### Create a new Client SSL profile

-Navigate to **Local Traffic > Profiles > SSL > Client > +**, complete the following information and click **Finished**.

-* Name: `<Name>`

-* Certificate: `<Certificate>`

-* Key: `<Key>`

-

-### Create a new Virtual Server

-1. Navigate to **Local Traffic > Virtual Servers > Virtual Server List > +**, complete the following information and click **Finished**.

- * Name: `<Name>`

- * Destination Address/Mask: `<Address>`

- * Service Port: Port 443 HTTPS

- * HTTP Profile (Client): http

- 

-1. Fill the following values in the below page:

- * SSL Profile (Client): `<SSL Profile>`

- * Source Address Translation: Auto Map

- * Access Profile: `<Access Profile>`

- * Default Pool: `<Pool>`

- 

-## Setting up PeopleSoft application to support F5 Big-IP APM as the single sign-on solution

->[!Note]

-> Reference https://docs.oracle.com/cd/E12530_01/oam.1014/e10356/people.htm

-1. Logon to Peoplesoft Console `https://<FQDN>.peoplesoft.f5.com/:8000/psp/ps/?cmd=start` using Admin credentials(Example: PS/PS).

- 

-1. In the PeopleSoft application, create **OAMPSFT** as a new user profile and associate a low security role such as **PeopleSoft User**.

-Navigate to **Peopletools > Security > User Profiles > User Profiles** to create a new user profile, for example: **OAMPSFT** and Add **Peoplesoft User**.

- 

-1. Access the web profile and enter **OAMPSFT** as the public access **user ID**.

- 

-1. From the **PeopleTools Application Designer**, open the **FUNCLIB_LDAP** record.

- 

-1. Update the user Header with **PS_SSO_UID** for **OAMSSO_AUTHENTICATION** function.

-In the **getWWWAuthConfig()** function, replace the value that is assigned to the **&defaultUserId** with the **OAMPSFT** that we defined in the Web profile. Save the record definition.

- 

-1. Access the **Signon PeopleCode** page (PeopleTools, Security, Security Objects, Signon PeopleCode) and enable the **OAMSSO_AUTHENTICATION** functionΓÇöthe Signon PeopleCode for Oracle Access Manager single signon.

- 

-## Setting up F5 Big-IP APM to populate ΓÇ£PS_SSO_UIDΓÇ¥ HTTP Header with the PeopleSoft User ID

-### Configuring Per-Request Policy

-1. Navigate to **Access > Profile/Policies > Per-Request Policies**, click **Create**, complete the following information and click **Finished**.

- * Name: `<Name>`

- * Profile Type: All

- * Languages: `<Language>`

- 

-1. Click **Edit** Per-Request Policy `<Name>`

- 

- `Header Name: <Header Name>`

- `Header Value: <Header Value>`

-### Assign Per-Request Policy to the Virtual Server

-Navigate to **Local Traffic > Virtual Servers > Virtual Server List > PeopleSoftApp**

-Specify `<Name>` as Per-Request Policy

-

-## Setting up F5 Big-IP APM to support Single Logout from PeopleSoft application

-To add single logout support for all PeopleSoft users,please follow these steps:

-1. Determine the correct logout URL for PeopleSoft portal

- * To determine the address that the PeopleSoft application uses to end a user session, you need to open the portal using any web browser and enable browser debug tools, as shown in the example below:

- 

- * Find the element with the `PT_LOGOUT_MENU` id and save the URL path with the query parameters. In our example, we got the following value: `/psp/ps/?cmd=logout`

-1. Create LTM iRule that will redirect the user to the APM logout URL: `/my.logout.php3`

- * Navigate to **Local Traffic > iRule**, click **Create**, complete the following information and click **Finished**.

- ```text

- Name: `<Name>`

- Definition:

- _when HTTP_REQUEST {

- switch -glob -- [HTTP::URI] {

- `/psp/ps/?cmd=logout` {

- HTTP::redirect `/my.logout.php3`

- }

- }

- }_

- ```

-1. Assign the created iRule to the Virtual Server

- * Navigate to **Local Traffic > Virtual Servers > Virtual Server List > PeopleSoftApp > Resources**. Click the **Manage…** button:

- * Specify `<Name>` as Enabled iRule and click **Finished**.

- 

- * Give the **Name** textbox value as `<Name>`

- 

-### Create Oracle PeopleSoft-Protected by F5 BIG-IP APM test user

-In this section, you create a user called B.Simon in Oracle PeopleSoft-Protected by F5 BIG-IP APM. Work with [Oracle PeopleSoft-Protected by F5 BIG-IP APM support team](https://support.f5.com) to add the users in the Oracle PeopleSoft-Protected by F5 BIG-IP APM platform. Users must be created and activated before you use single sign-on.

-## Test SSO

-In this section, you test your Azure AD single sign-on configuration with following options.

-#### SP initiated:

-* Click on **Test this application** in Azure portal. This will redirect to Oracle PeopleSoft-Protected by F5 BIG-IP APM Sign on URL where you can initiate the login flow.

-* Go to Oracle PeopleSoft-Protected by F5 BIG-IP APM Sign-on URL directly and initiate the login flow from there.

-#### IDP initiated:

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Oracle PeopleSoft-Protected by F5 BIG-IP APM for which you set up the SSO.

-You can also use Microsoft My Apps to test the application in any mode. When you click the Oracle PeopleSoft-Protected by F5 BIG-IP APM tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Oracle PeopleSoft-Protected by F5 BIG-IP APM for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Next steps

-Once you configure Oracle PeopleSoft-Protected by F5 BIG-IP APM you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-A drawback with the traditional CNI is the exhaustion of pod IP addresses as the AKS cluster grows, resulting in the need to rebuild the entire cluster in a bigger subnet. The new dynamic IP allocation capability in Azure CNI solves this problem by allotting pod IPs from a subnet separate from the subnet hosting the AKS cluster. It offers the following benefits:

-[WebAssembly (WASM)][wasm] is a binary format that is optimized for fast download and maximum execution speed in a WASM runtime. A WASM runtime is designed to run on a target architecture and execute WebAssemblies in a sandbox, isolated from the host computer, at near-native performance. By default, WebAssemblies can't access resources on the host outside of the sandbox unless it is explicitly allowed, and they can't communicate over sockets to access things environment variables or HTTP traffic. The [WebAssembly System Interface (WASI)][wasi] standard defines an API for WASM runtimes to provide access to WebAssemblies to the environment and resources outside the host using a capabilities model. [Krustlet][krustlet] is an open-source project that allows WASM modules to be run on Kubernetes. Krustlet creates a kubelet that runs on nodes with a WASM/WASI runtime. AKS allows you to create node pools that run WASM assemblies using nodes with WASM/WASI runtimes and Krustlets.

-This article uses [Helm 3][helm] to install the *nginx* chart on a supported version of Kubernetes. Make sure that you are using the latest release of Helm and have access to the *bitnami* Helm repository. The steps outlined in this article may not be compatible with previous versions of the Helm chart or Kubernetes.

-You must also have the following resource installed:

-* The latest version of the Azure CLI.

-* The `aks-preview` extension version 0.5.34 or later

-* You can't run WebAssemblies and containers in the same node pool.

-* Only the WebAssembly(WASI) runtime is available, using the Wasmtime provider.

-* Krustlet doesn't work with Azure CNI at this time. For more information, see the [CNI Support for Kruslet GitHub issue][krustlet-cni-support].

-* Krustlet doesn't provide networking configuration for WebAssemblies. The WebAssembly manifest must provide the networking configuration, such as IP address.

- --workload-runtime wasmwasi

-az aks nodepool show -g myResourceGroup --cluster-name myAKSCluster -n mywasipool

-{

- ...

- "name": "mywasipool",

- ..

- "workloadRuntime": "WasmWasi"

-}

-For a WASM/WASI node pool, verify the taint is set to `kubernetes.io/arch=wasm32-wagi:NoSchedule` and `kubernetes.io/arch=wasm32-wagi:NoExecute`, which will prevent container pods from being scheduled on this node pool. Also, you should see nodeLabels to be `kubernetes.io/arch: wasm32-wasi`, which prevents WASM pods from being scheduled on regular container(OCI) node pools.

-> [!NOTE]

-> The taints for a WASI node pool are not visible using `az aks nodepool list`. Use `kubectl` to verify the taints are set on the nodes in the WASI node pool.

-NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME

-aks-mywasipool-12456878-vmss000000 Ready agent 9m 1.0.0-alpha.1 WASINODE_IP <none> <unknown> <unknown> mvp

-aks-nodepool1-12456878-vmss000000 Ready agent 13m v1.20.9 NODE1_IP <none> Ubuntu 18.04.6 LTS 5.4.0-1059-azure containerd://1.4.9+azure

-Save the value of *WASINODE_IP* as it is used in later step.

-Use `kubectl describe node` to show the labels and taints on a node in the WASI node pool. The following example shows the details of *aks-mywasipool-12456878-vmss000000*.

- kubernetes.io/arch=wasm32-wagi

-Taints: kubernetes.io/arch=wasm32-wagi:NoExecute

- kubernetes.io/arch=wasm32-wagi:NoSchedule

-## Running WASM/WASI Workload

-To run a workload on a WASM/WASI node pool, add a node selector and tolerations to your deployment. For example:

-...

-spec:

- kubernetes.io/arch: "wasm32-wagi"

- tolerations:

- - key: "node.kubernetes.io/network-unavailable"

- operator: "Exists"

- effect: "NoSchedule"

- - key: "kubernetes.io/arch"

- operator: "Equal"

- value: "wasm32-wagi"

- effect: "NoExecute"

- - key: "kubernetes.io/arch"

- operator: "Equal"

- value: "wasm32-wagi"

- effect: "NoSchedule"

-...

-```

-To run a sample deployment, create a `wasi-example.yaml` file using the following YAML definition:

-```yml

-apiVersion: v1

-kind: Pod

- name: krustlet-wagi-demo

- labels:

- app: krustlet-wagi-demo

- annotations:

- alpha.wagi.krustlet.dev/default-host: "0.0.0.0:3001"

- alpha.wagi.krustlet.dev/modules: |

- {

- "krustlet-wagi-demo-http-example": {"route": "/http-example", "allowed_hosts": ["https://api.brigade.sh"]},

- "krustlet-wagi-demo-hello": {"route": "/hello/..."},

- "krustlet-wagi-demo-error": {"route": "/error"},

- "krustlet-wagi-demo-log": {"route": "/log"},

- "krustlet-wagi-demo-index": {"route": "/"}

- }

-spec:

- hostNetwork: true

- kubernetes.io/arch: wasm32-wagi

- containers:

- - image: webassembly.azurecr.io/krustlet-wagi-demo-http-example:v1.0.0

- imagePullPolicy: Always

- name: krustlet-wagi-demo-http-example

- - image: webassembly.azurecr.io/krustlet-wagi-demo-hello:v1.0.0

- imagePullPolicy: Always

- name: krustlet-wagi-demo-hello

- - image: webassembly.azurecr.io/krustlet-wagi-demo-index:v1.0.0

- imagePullPolicy: Always

- name: krustlet-wagi-demo-index

- - image: webassembly.azurecr.io/krustlet-wagi-demo-error:v1.0.0

- imagePullPolicy: Always

- name: krustlet-wagi-demo-error

- - image: webassembly.azurecr.io/krustlet-wagi-demo-log:v1.0.0

- imagePullPolicy: Always

- name: krustlet-wagi-demo-log

- tolerations:

- - key: "node.kubernetes.io/network-unavailable"

- operator: "Exists"

- effect: "NoSchedule"

- - key: "kubernetes.io/arch"

- operator: "Equal"

- value: "wasm32-wagi"

- effect: "NoExecute"

- - key: "kubernetes.io/arch"

- operator: "Equal"

- value: "wasm32-wagi"

- effect: "NoSchedule"

-Use `kubectl` to run your example deployment:

-kubectl apply -f wasi-example.yaml

-> [!NOTE]

-> The pod for the example deployment may stay in the *Registered* status. This behavior is expected, and you and proceed to the next step.

-Create `values.yaml` using the example yaml below, replacing *WASINODE_IP* with the value from the earlier step.

-serverBlock: |-

- server {

- listen 0.0.0.0:8080;

- location / {

- proxy_pass http://WASINODE_IP:3001;

- }

- }

-Using [Helm][helm], add the *bitnami* repository and install the *nginx* chart with the `values.yaml` file you created in the previous step. Installing NGINX with the above `values.yaml` creates a reverse proxy to the example deployment, allowing you to access it using an external IP address.

->[!NOTE]

-> The following example pulls a public container image from Docker Hub. We recommend that you set up a pull secret to authenticate using a Docker Hub account instead of making an anonymous pull request. To improve reliability when working with public content, import and manage the image in a private Azure container registry. [Learn more about working with public images.][dockerhub-callout]

-```console

-helm repo add bitnami https://charts.bitnami.com/bitnami

-helm repo update

-helm install hello-wasi bitnami/nginx -f values.yaml

-Use `kubectl get service` to display the external IP address of the *hello-wasi-ngnix* service.

-$ kubectl get service

-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

-hello-wasi-nginx LoadBalancer 10.0.58.239 EXTERNAL_IP 80:32379/TCP 112s

-kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 145m

-```

-Verify the example deployment is running by the `curl` command against the `/hello` path of *EXTERNAL_IP*.

-```azurecli-interactive

-curl EXTERNAL_IP/hello

-The follow example output confirms the example deployment is running.

-$ curl EXTERNAL_IP/hello

-hello world

-> [!NOTE]

-> To publish the service on your own domain, see [Azure DNS][azure-dns-zone] and the [external-dns][external-dns] project.

-To remove NGINX, use `helm delete`.

-```console

-helm delete hello-wasi

-```

-kubectl delete -f wasi-example.yaml

-### W-2

-### General document

-| [prebuilt-read](concept-read.md#data-extraction) | Γ£ô | Γ£ô | | | Γ£ô | | | |

-| [prebuilt-layout](concept-layout.md#data-extraction) | Γ£ô | | Γ£ô | Γ£ô | Γ£ô | Γ£ô | | |

-| [prebuilt-invoice](concept-invoice.md#field-extraction) | Γ£ô | | Γ£ô | Γ£ô | Γ£ô | | Γ£ô | Γ£ô |

-| [prebuilt-receipt](concept-receipt.md#field-extraction) | Γ£ô | | | | Γ£ô | | | Γ£ô |

-| [prebuilt-idDocument](concept-id-document.md#field-extractions) | Γ£ô | | | | Γ£ô | | | Γ£ô |

-| [prebuilt-businessCard](concept-business-card.md#field-extractions) | Γ£ô | | | | Γ£ô | | | Γ£ô |

-| [Custom](concept-custom.md#compare-model-features) | Γ£ô | | Γ£ô | Γ£ô | Γ£ô | | | Γ£ô |

-* [Learn how to process your own forms and documents](quickstarts/try-sample-label-tool.md) with our [Form Recognizer sample tool](https://fott-2-1.azurewebsites.net/)

-* Complete a [Form Recognizer quickstart](/azure/applied-ai-services/form-recognizer/how-to-guides/v2-1-sdk-rest-api) and get started creating a document processing app in the development language of your choice.

-keywords: Docker, container, images

-keywords: on-premises, Docker, container, identify

-|Angika (Devanagiri) | `anp`| Korean | `ko` |

-|Awadhi-Hindi (Devanagiri) | `awa`| Kosraean | `kos`|

-|Belarusian (Cyrillic) | `be`, `be-cyrl`|Kurukh (Devanagiri) | `kru`|

-|Bhojpuri-Hindi (Devanagiri) | `bho`| Lakota | `lkt` |

-|Bodo (Devanagiri) | `brx`| Lithuanian | `lt` |

-|Bulgarian | `bg`|Mahasu Pahari (Devanagiri) | `bfz`|

-|Catalan |`ca`|Malto (Devanagiri) | `kmj`

-|Chhattisgarhi (Devanagiri)| `hne`| Mongolian (Cyrillic) | `mn`|

-|Dhimal (Devanagiri) | `dhi`| Ossetic | `os`|

-|Dogri (Devanagiri) | `doi`|Pashto | `ps`|

-|French | `fr` |Sadri (Devanagiri) | `sck` |

-|Gondi (Devanagiri) | `gon`| Serbian (Latin) | `sr`, `sr-latn`|

-|Greenlandic | `kl` | Sherpa (Devanagiri) | `xsr` |

-|Gurung (Devanagiri) | `gvr`| Sirmauri (Devanagiri) | `srx`|

-|Halbi (Devanagiri) | `hlb`| Slovak | `sk`|

-|Jaunsari (Devanagiri) | `Jns`|Urdu | `ur`|

-|Kangri (Devanagiri) | `xnr`|Uzbek (Latin) | `uz` |

- :::image type="content" source="media/managed-identities/access-denied.png" alt-text="Screenshot of a access denied error.":::

-This article contains a quick reference and the **detailed description** of Azure Form Recognizer service Quotas and Limits for all [pricing tiers](https://azure.microsoft.com/pricing/details/form-recognizer/). It also contains some best practices to avoid request throttling.

-For the usage with [Form Recognizer SDK](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true), [Form Recognizer REST API](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true), [Form Recognizer Studio](quickstarts/try-v3-form-recognizer-studio.md) and [Sample Labeling Tool](https://fott-2-1.azurewebsites.net/).

-With the latest preview release, Form Recognizer's Read (OCR), Layout, and Custom template models support 134 new languages including Greek, Latvian, Serbian, Thai, Ukrainian, and Vietnamese, along with several Latin and Cyrillic languages, making it a total of 299 supported languages across the most recent GA and the new preview versions. Please refer to the [supported languages](language-support.md) page to see all supported languages.

-### Region expansion for training custom neural models

-Training custom neural models is now supported in six additional regions.

-For a complete list of regions where training is supported see [custom neural models](concept-custom-neural.md).

- * [**prebuilt-read**](concept-read.md). Enhanced support for single characters, handwritten dates, amounts, names, other entities commonly found in receipts and invoices as well as improved processing of digital PDF documents.

-> Applies To: Windows PowerShell 5.1

-Once you get started authoring configurations,

-you can quickly create "scenarios" that manage

-groups of settings.

-Examples would be:

-If you are interested in sharing this work with others,

-the best option is to package the configuration as a

-[Composite Resource](/powershell/dsc/resources/authoringresourcecomposite).

-Creating composite resources for the first time can be overwhelming.

-> [!NOTE]

-> This article refers to a solution that is maintained by the Open Source community.

-> Support is only available in the form of GitHub collaboration, not from Microsoft.

-## Community project: CompositeResource

-A community maintained solution named

-[CompositeResource](https://github.com/microsoft/compositeresource)

-has been created to resolve this challenge.

-CompositeResource automates the process of creating a new module from your configuration.

-You start by

-[dot sourcing](https://devblogs.microsoft.com/scripting/how-to-reuse-windows-powershell-functions-in-scripts/)

-the configuration script on your workstation (or build server)

-so it is loaded in memory.

-Next, rather than running the configuration to generate a MOF file,

-use the function provided by the CompositeResource module to automate a conversion.

-The cmdlet will load the contents of your configuration,

-get the list of parameters,

-and generate a new module with everything you need.

-Once you have generated a module,

-you can increment the version and add release notes each time you make changes

-and publish it to your own

-Once you have created a composite resource module containing your configuration

-(or multiple configurations),

-you can use them in the

-[Composable Authoring Experience](./compose-configurationwithcompositeresources.md)

-in Azure,

-or add them to

-[DSC Configuration scripts](/powershell/dsc/configurations/configurations)

-to generate MOF files

-and

-[upload the MOF files to Azure Automation](./tutorial-configure-servers-desired-state.md#create-and-upload-a-configuration-to-azure-automation).

-Then register your servers from either

-[on-premises](./automation-dsc-onboarding.md#enable-physicalvirtual-linux-machines)

-or [in Azure](./automation-dsc-onboarding.md#enable-azure-vms)

-to pull configurations.

-The latest update to the project has also published

-[runbooks](https://www.powershellgallery.com/packages?q=DscGallerySamples)

-for Azure Automation to automate the process of importing configurations

-from the PowerShell Gallery.

-To try out automating creation of composite resources for DSC, visit the

-[PowerShell Gallery](https://www.powershellgallery.com/packages/compositeresource/)

-and download the solution or click "Project Site"

-to view the

-[documentation](https://github.com/microsoft/compositeresource).

-| Consumption | `DOCKER\|mcr.microsoft.com/azure-functions/mesh:4.11.2-node18` |

-| Premium/Dedicated | `DOCKER\|mcr.microsoft.com/azure-functions/node:4.11.2-node18-appservice` |

-[`linuxFxVersion`]: functions-app-settings.md#linuxfxversion

-Ensure that your email filtering is configured appropriately. Emails are sent from the following email addresses:

-|PEBytesIn|Yes|Bytes In|Count|Total|Total number of Bytes Out|No Dimensions|

-|Failed to download the vault credential file. (ID: 403) | <ul><li> Try downloading the vault credentials by using a different browser, or take these steps: <ul><li> Start Internet Explorer. Select F12. </li><li> Go to the **Network** tab and clear the cache and cookies. </li> <li> Refresh the page.<br></li></ul> <li> Check if the subscription is disabled/expired.<br></li> <li> Check if any firewall rule is blocking the download. <br></li> <li> Ensure you haven't exhausted the limit on the vault (50 machines per vault).<br></li> <li> Ensure the user has the Azure Backup permissions that are required to download vault credentials and register a server with the vault. See [Use Azure role-based access control to manage Azure Backup recovery points](backup-rbac-rs-vault.md).</li></ul> |

-| **Supported Resources** | Recovery Services vault |

-| **Supported Regions** | East US, East US 2, Central US, South Central US, North Central US, West Central US, West US, West US 2, West US 3, Canada East, Canada Central, North Europe, West Europe, UK West, UK South, France Central, France South, Sweden Central, Sweden South, East Asia, South East Asia, Japan East, Japan West, Korea Central, Korea South, Australia East, Australia Central, Australia Central 2, Australia South East, South Africa North, South Africa West, UAE North, UAE Central, Brazil South East, Brazil South, Switzerland North, Switzerland West, Norway East, Norway West, Germany North, Germany West Central, West India, Central India, South India, Jio India West, Jio India Central. |

-| Monitor overall backup health | - **Resource Health**: You can monitor the health of your Recovery Services vault and troubleshoot events causing the resource health issues. [Learn more](../service-health/resource-health-overview.md). You can view the health history and identify events affecting the health of your resource. You can also trigger alerts related to the resource health events. <br><br> - **Azure Monitor Metrics**: Azure Backup also offers the above health metrics via Azure Monitor, which provides you more granular details about the health of your backups. This also allows you to configure alerts and notifications on these metrics. [Learn more](./metrics-overview.md). |

-A thumbnail is a reduced-size representation of an image. Thumbnails are used to represent images and other data in a more economical, layout-friendly way. The Computer Vision API uses smart cropping to create intuitive image thumbnails that include the key objects in the image.

-The Computer Vision smart-cropping utility takes a given aspect ratio (or several) and returns the bounding box coordinates (in pixels) of the region(s) identified. Your app can then crop and return the image using those coordinates.

-1. Install notation with plugin support from the [release version](https://github.com/notaryproject/notation/releases/)

- curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v0.9.0-alpha.1/notation_0.9.0-alpha.1_linux_amd64.tar.gz

-2. Install the notation Azure Key Vault plugin for remote signing and verification

- https://github.com/Azure/notation-azure-kv/releases/download/v0.3.1-alpha.1/notation-azure-kv_0.3.1-alpha.1_Linux_amd64.tar.gz

-3. List the available plugins and verify that the plugin is available

-1. Configure AKV resource names

-2. Configure ACR and image resource names

-1. Create a certificate policy file

-1. Create the certificate

-1. Get the Key ID for the certificate

-4. Download public certificate

-5. Add the Key ID to the keys and certs

-6. List the keys and certs to confirm

-1. Build and push a new image with ACR Tasks

-2. Authenticate with your individual Azure AD identity to use an ACR token

-3. Sign the container image

-ACR support for ORAS artifacts enables a linked graph of supply chain artifacts that can be viewed through the ORAS CLI or the Azure CLI

-1. Signed images can be view with the ORAS CLI

-1. List the manifest details for the container image

-[Enforce policy to only deploy signed container images to Azure Kubernetes Service (AKS) utilizing **ratify** and **gatekeeper**.](https://github.com/Azure/notation-azure-kv/blob/main/docs/nv2-sign-verify-aks.md)

-# What is Cost Management + Billing?

-By using the Microsoft cloud, you can significantly improve the technical performance of your business workloads. It can also reduce your costs and the overhead required to manage organizational assets. However, the business opportunity creates a risk because of the potential for waste and inefficiencies that are introduced into your cloud deployments. Cost Management + Billing is a suite of tools provided by Microsoft that help you analyze, manage, and optimize the costs of your workloads. Using the suite helps ensure that your organization is taking advantage of the benefits provided by the cloud.

-You can think of your Azure workloads like the lights in your home. When you leave to go out for the day, are you leaving the lights on? Could you use different bulbs that are more efficient to help reduce your monthly energy bill? Do you have more lights in one room than are needed? You can use Cost Management + Billing to apply a similar thought process to the workloads used by your organization.

-With Azure products and services, you only pay for what you use. As you create and use Azure resources, youΓÇÖre charged for the resources. Because of the deployment ease for new resources, the costs of your workloads can jump significantly without proper analysis and monitoring. You use Cost Management + Billing features to:

-To learn more about how to approach cost management as an organization, take a look at the [Cost Management best practices](./costs/cost-mgt-best-practices.md) article.

-

-## Understand Azure Billing

-Azure Billing features are used to review your invoiced costs and manage access to billing information. In larger organizations, procurement and finance teams usually conduct billing tasks.

-A billing account is created when you sign up to use Azure. You use your billing account to manage your invoices, payments, and track costs. You can have access to multiple billing accounts. For example, you might have signed up for Azure for your personal projects. So, you might have an individual Azure subscription with a billing account. You could also have access through your organization's Enterprise Agreement or Microsoft Customer Agreement. For each scenario, you would have a separate billing account.

-### Billing accounts

-The Azure portal currently supports the following types of billing accounts:

-## Understand Cost Management

-Although related, billing differs from cost management. Billing is the process of invoicing customers for goods or services and managing the commercial relationship.

-Cost Management shows organizational cost and usage patterns with advanced analytics. Reports in Cost Management show the usage-based costs consumed by Azure services and third-party Marketplace offerings. Costs are based on negotiated prices and factor in reservation and Azure Hybrid Benefit discounts. Collectively, the reports show your internal and external costs for usage and Azure Marketplace charges. **Other charges, such as support and taxes aren't yet shown in reports**. The reports help you understand your spending and resource use and can help find spending anomalies. Predictive analytics are also available. Cost Management uses Azure management groups, budgets, and recommendations to show clearly how your expenses are organized and how you might reduce costs.

-You can use the Azure portal or various APIs for export automation to integrate cost data with external systems and processes. Automated billing data export and scheduled reports are also available.

-Watch the Cost Management overview video for a quick overview about how Cost Management can help you save money in Azure. To watch other videos, visit the [Cost Management YouTube channel](https://www.youtube.com/c/AzureCostManagement).

->[!VIDEO https://www.youtube.com/embed/el4yN5cHsJ0]

-### Plan and control expenses

-The ways that Cost Management help you plan for and control your costs include: Cost analysis, budgets, recommendations, and exporting cost management data.

-You use cost analysis to explore and analyze your organizational costs. You can view aggregated costs by organization to understand where costs are accrued and to identify spending trends. And you can see accumulated costs over time to estimate monthly, quarterly, or even yearly cost trends against a budget.

-Budgets help you plan for and meet financial accountability in your organization. They help prevent cost thresholds or limits from being surpassed. Budgets can also help you inform others about their spending to proactively manage costs. And with them, you can see how spending progresses over time.

-Recommendations show how you can optimize and improve efficiency by identifying idle and underutilized resources. Or, they can show less expensive resource options. When you act on the recommendations, you change the way you use your resources to save money. To act, you first view cost optimization recommendations to view potential usage inefficiencies. Next, you act on a recommendation to modify your Azure resource use to a more cost-effective option. Then you verify the action to make sure that the change you make is successful.

-If you use external systems to access or review cost management data, you can easily export the data from Azure. And you can set a daily scheduled export in CSV format and store the data files in Azure storage. Then, you can access the data from your external system.

-### Additional Azure tools

-Azure has other tools that aren't a part of the Cost Management + Billing feature set. However, they play an important role in the cost management process. To learn more about these tools, see the following links.

-Once you've upgraded your account, you get charged pay-as-you-go rates for using services that aren't included for free with your Azure free account. Only certain tiers within a service are included for free. To learn about services included with your free account, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). You can check your service usage in the Azure portal. To learn more, see [Plan and control expenses](../cost-management-billing-overview.md#plan-and-control-expenses).

-| SQL Server | Azure SQL DB | [DAMT](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit) / [DMA](/sql/dma/dma-overview) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMA](/sql/dma/dma-overview)<br/>[Cloud Atlas*](https://www.unifycloud.com/cloud-migration-tool/)<br/>[Cloudamize*](https://www.cloudamize.com/) | [DEA](https://www.microsoft.com/download/details.aspx?id=54090)<br/>[Cloudamize*](https://www.cloudamize.com/) |

-| SQL Server | Azure SQL DB MI | [DAMT](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit) / [DMA](/sql/dma/dma-overview) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMA](/sql/dma/dma-overview)<br/>[Cloud Atlas*](https://www.unifycloud.com/cloud-migration-tool/)<br/>[Cloudamize*](https://www.cloudamize.com/) | [DEA](https://www.microsoft.com/download/details.aspx?id=54090)<br/>[Cloudamize*](https://www.cloudamize.com/) |

-| SQL Server | Azure SQL VM | [DAMT](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit) / [DMA](/sql/dma/dma-overview) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMA](/sql/dma/dma-overview)<br/>[Cloud Atlas*](https://www.unifycloud.com/cloud-migration-tool/)<br/>[Cloudamize*](https://www.cloudamize.com/) | [DEA](https://www.microsoft.com/download/details.aspx?id=54090)<br/>[Cloudamize*](https://www.cloudamize.com/) |

-| RDS SQL | Azure SQL DB, MI, VM | [DAMT](https://marketplace.visualstudio.com/items?itemName=ms-databasemigration.data-access-migration-toolkit) / [DMA](/sql/dma/dma-overview) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMA](/sql/dma/dma-overview) | [DEA](https://www.microsoft.com/download/details.aspx?id=54090) |

-| SQL Server | Azure SQL DB | [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension)<br/>[DMA](/sql/dma/dma-overview)<br/>[DMS](https://azure.microsoft.com/services/database-migration/)<br/>[Cloudamize*](https://www.cloudamize.com/) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMA](/sql/dma/dma-overview)<br/>[DMS](https://azure.microsoft.com/services/database-migration/)<br/>[Cloudamize*](https://www.cloudamize.com/) | [Cloudamize*](https://www.cloudamize.com/)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| SQL Server | Azure SQL DB MI | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMS](https://azure.microsoft.com/services/database-migration/)<br/>[Cloudamize*](https://www.cloudamize.com/) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMS](https://azure.microsoft.com/services/database-migration/)<br/>[Cloudamize*](https://www.cloudamize.com/) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMS](https://azure.microsoft.com/services/database-migration/)<br/>[Cloudamize*](https://www.cloudamize.com/)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| SQL Server | Azure SQL VM | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMA](/sql/dma/dma-overview)<br/>[DMS](https://azure.microsoft.com/services/database-migration/)<br>[Cloudamize*](https://www.cloudamize.com/) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMA](/sql/dma/dma-overview)<br/>[DMS](https://azure.microsoft.com/services/database-migration/)<br>[Cloudamize*](https://www.cloudamize.com/) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[Cloudamize*](https://www.cloudamize.com/)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| RDS SQL | Azure SQL DB | [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension)<br/>[DMA](/sql/dma/dma-overview)<br/>[DMS](https://azure.microsoft.com/services/database-migration/) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMA](/sql/dma/dma-overview)<br/>[DMS](https://azure.microsoft.com/services/database-migration/) | [Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-| RDS SQL | Azure SQL VM | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMA](/sql/dma/dma-overview)<br/>[DMS](https://azure.microsoft.com/services/database-migration/) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[DMA](/sql/dma/dma-overview)<br/>[DMS](https://azure.microsoft.com/services/database-migration/) | [Azure SQL Migration extension](/azure/dms/articles/dms/migration-using-azure-data-studio)<br/>[Attunity*](https://www.attunity.com/products/replicate/)<br/>[Striim*](https://www.striim.com/partners/striim-for-microsoft-azure/) |

-* Create a target [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart).

-* For a tutorial showing you how to create an Azure SQL Database using the Azure portal, PowerShell, or AZ CLI commands, see [Create a single database - Azure SQL Database](/azure-sql/database/single-database-create-quickstart).

-* For information about Azure SQL Database, see [What is Azure SQL Database](/azure-sql/database/sql-database-paas-overview).

-* For information about connecting to Azure SQL Database, see [Connect applications](/azure-sql/database/connect-query-content-reference-guide).

-Deploy-EflowVm -vSwitchType "External" -vSwitchName "EFLOW-Ext"

-Deploy-EflowVm -vSwitchType "External" -vSwitchName "EFLOW-Ext" -ip4Address "192.168.0.2" -ip4GatewayAddress "192.168.0.1" -ip4PrefixLength "24"

-ws.update(v1_legacy_mode=false)

-#### Specify component run-time environment

-You'll need to modify the runtime environment in which your component runs.

-The above code creates an object of `Environment` class, which represents the runtime environment in which the component runs.

-The `conda.yaml` file contains all packages used for the component like following:

-#### Specify component run-time environment

-* The `environment` section contains a docker image and a conda yaml file.

-#### Specify component run-time environment

-The score component uses the same image and conda.yaml file as the train component. The source file is in the [sample repository](https://github.com/Azure/azureml-examples/blob/main/sdk/python/jobs/pipelines/2e_image_classification_keras_minist_convnet/train/conda.yaml).

-Due to datastore access limitation, if your inference pipeline contains **Import Data** or **Export Data** component, they'll be auto-removed when deploy to real-time endpoint.

-## Prerequisites

- [!INCLUDE [flexible-server-free-trial-note](../includes/flexible-server-free-trial-note.md)]

-We are going to use environment variables to limit typing mistakes, and to make it easier for you to customize the following configuration for your specific needs.

-Set up those environment variables by using the following commands:

-AZ_RESOURCE_GROUP=database-workshop

-AZ_DATABASE_NAME= flexibleserverdb

-AZ_LOCATION=<YOUR_AZURE_REGION>

-AZ_MYSQL_USERNAME=demo

-AZ_MYSQL_PASSWORD=<YOUR_MYSQL_PASSWORD>

-AZ_LOCAL_IP_ADDRESS=<YOUR_LOCAL_IP_ADDRESS>

- | jq

-> [!NOTE]

-> We use the `jq` utility, which is installed by default on [Azure Cloud Shell](https://shell.azure.com/) to display JSON data and make it more readable.

-> If you don't like that utility, you can safely remove the `| jq` part of all the commands we'll use.

-The first thing we'll create is a managed MySQL server.

-In [Azure Cloud Shell](https://shell.azure.com/), run the following script:

- --sku-name Standard_B1ms \

- --storage-size 5120 \

- --admin-user $AZ_MYSQL_USERNAME \

- --admin-password $AZ_MYSQL_PASSWORD \

- --public-access $AZ_LOCAL_IP_ADDRESS

- | jq

-Make sure your enter \<YOUR-IP-ADDRESS\> in order to access the server from your local machine. This command creates a Burstable Tier MySQL flexible server suitable for development.

-The MySQL server that you created has a empty database called **flexibleserverdb**. We will use this database for this article.

-Using your favorite IDE, create a new Java project, and add a `pom.xml` file in its root directory:

- <version>8.0.20</version>

-This file is an [Apache Maven](https://maven.apache.org/) that configures our project to use:

-Create a *src/main/resources/application.properties* file, and add:

-```properties

-url=jdbc:mysql://$AZ_DATABASE_NAME.mysql.database.azure.com:3306/demo?serverTimezone=UTC

-user=demo

-password=$AZ_MYSQL_PASSWORD

-> We append `?serverTimezone=UTC` to the configuration property `url`, to tell the JDBC driver to use the UTC date format (or Coordinated Universal Time) when connecting to the database. Otherwise, our Java server would not use the same date format as the database, which would result in an error.

-We will use a *src/main/resources/`schema.sql`* file in order to create a database schema. Create that file, with the following content:

-Create a *src/main/java/DemoApplication.java* file, that contains:

- /*

- Todo todo = new Todo(1L, "configuration", "congratulations, you have set up JDBC correctly!", true);

- */

-This Java code will use the *application.properties* and the *schema.sql* files that we created earlier, in order to connect to the MySQL server and create a schema that will store our data.

-In this file, you can see that we commented methods to insert, read, update and delete data: we will code those methods in the rest of this article, and you will be able to uncomment them one after each other.

-```

-```

-Let's read the data previously inserted, to validate that our code works correctly.

-```

-Let's update the data we previously inserted.

-```

-Finally, let's delete the data we previously inserted.

-```

-mysql -h $AZ_DATABASE_NAME.mysql.database.azure.com --user $CURRENT_USERNAME@$AZ_DATABASE_NAME --enable-cleartext-plugin --password=`az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken` < create_ad_user.sql

-We recommend that the domain name, as seen by the browser, is the same as the host name which Application Gateway uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using Application Gateway to expose applications hosted in Azure Spring Apps and residing in a virtual network. If the domain exposed by Application Gateway is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken.

-We recommend that the domain name, as seen by the browser, is the same as the host name which Application Gateway uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using Application Gateway to expose applications hosted in Azure Spring Apps and residing in a virtual network. If the domain exposed by Application Gateway is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken.

-Azure already provides different load-balance solutions. There are three options to integrate Azure Spring Apps with Azure load-balance solutions:

-2. Integrate Azure Spring Apps with Azure App Gateway

-3. Integrate Azure Spring Apps with Azure Front Door

-1. Follow instructions [How to add custom domain to Azure Spring Apps](./tutorial-custom-domain.md).

-1. Add above custom domain binding to traffic manager to Azure Spring Apps corresponding app service and upload SSL certificate there.

- 

-1. The key point is to select *Yes* for **Pick host name from backend HTTP settings** option.

-### Configure Http Setting

-1. Select **Http Settings** then **Add** to add an HTTP setting.

-1. **Override with new host name:** select *Yes*.

-1. **Host name override**: select **Pick host name from backend target**.

-### Configure Rewrite Set

-1. Select **Rewrites** then **Rewrite set** to add a rewrite set.

-1. Select the routing rules that route requests to Azure Spring Apps public endpoints.

-1. On **Rewrite rule configuration** tab, select **Add rewrite rule**.

-1. **Rewrite type**: select **Request Header**

-1. **Action type**: select **Delete**

-1. **Header name**: select **Common header**

-1. **Common Header**: select **X-Forwarded-Proto**

- 

-To integrate with Azure Spring Apps service and configure backend pool, use the following steps:

-1. **Add backend pool**.

-1. Specify the backend endpoint by adding host.

-1. Specify **backend host type** as *custom host*.

-1. Input FQDN of your Azure Spring Apps public endpoints in **backend host name**.

-1. Accept the **backend host header** default, which is the same as **backend host name**.

- az elastic-san volume-group update -e $sanName -g $resourceGroupName --name $volumeGroupName --network-acls "{virtualNetworkRules:[{id:/subscriptions/subscriptionID/resourceGroups/RGName/providers/Microsoft.Network/virtualNetworks/vnetName/subnets/default, action:Allow}]}"

-The following table contains the Azure RBAC permissions related to this configuration:

-description: Provides an overview of factors to consider and steps to follow to use Azure as a storage target and recovery location for Veeam Backup and Recovery

-# Backup to Azure with Veeam

-This article helps you integrate a Veeam infrastructure with Azure Blob storage. It includes prerequisites, considerations, implementation, and operational guidance. This article addresses using Azure as an offsite backup target and a recovery site if a disaster occurs, which prevents normal operation within your primary site.

-> [!NOTE]

-> Veeam also offers a lower recovery time objective (RTO) solution, Veeam Backup & Replication with support for Azure VMware Solution workloads. This solution lets you have a standby VM that can help you recover more quickly in the event of a disaster in an Azure production environment. Veeam also offers Direct Restore to Microsoft Azure and other dedicated tools to back up Azure and Office 365 resources. These capabilities are outside the scope of this document.

-## Reference architecture

-The following diagram provides a reference architecture for on-premises to Azure and in-Azure deployments.

-

-Your existing Veeam deployment can easily integrate with Azure by adding an Azure storage account, or multiple accounts, as a cloud backup repository. Veeam also allows you to recover backups from on-premises within Azure giving you a recovery-on-demand site in Azure.

-## Veeam interoperability matrix

-| Workload | GPv2 and Blob Storage | Cool tier support | Archive tier support | Data Box Family support |

-|--|--|--|-|-|

-| On-premises VMs/data | v10a | v10a | N/A | 10a^* |

-| Azure VMs | v10a | v10a | N/A | 10a^* |

-| Azure Blob | v10a | v10a | N/A | 10a^* |

-| Azure Files | v10a | v10a | N/A | 10a^* |

-Veeam has offered support for above Azure features in older versions of their product as well, for optimal experience leveraging the latest product version is strongly recommended.

-^*Veeam Backup and Replication support REST API only for Azure Data Box. Therefore, Azure Data Box Disk is not supported. Please see details for Data Box support [here](https://helpcenter.veeam.com/docs/backup/hyperv/osr_adding_data_box.html?ver=110).

-## Before you begin

-A little upfront planning will help you use Azure as an offsite backup target and recovery site.

-### Get started with Azure

-Microsoft offers a framework to follow to get you started with Azure. The [Cloud Adoption Framework](/azure/architecture/cloud-adoption/) (CAF) is a detailed approach to enterprise digital transformation and comprehensive guide to planning a production grade cloud adoption. The CAF includes a step-by-step [Azure Setup Guide](/azure/cloud-adoption-framework/ready/azure-setup-guide/) to help you get up and running quickly and securely. You can find an interactive version in the [Azure portal](https://portal.azure.com/?feature.quickstart=true#blade/Microsoft_Azure_Resources/QuickstartCenterBlade). You'll find sample architectures, specific best practices for deploying applications, and free training resources to put you on the path to Azure expertise.

-### Consider the network between your location and Azure

-Whether using cloud resources to run production, test and development, or as a backup target and recovery site, it's important to understand your bandwidth needs for initial backup seeding and for ongoing day-to-day transfers.

-Azure Data Box provides a way to transfer your initial backup baseline to Azure without requiring more bandwidth. This is useful if the baseline transfer is estimated to take longer than you can tolerate. You can use the Data Transfer estimator when you create a storage account to estimate the time required to transfer your initial backup.

-

-Remember, you'll require enough network capacity to support daily data transfers within the required transfer window (backup window) without impacting production applications. This section outlines the tools and techniques that are available to assess your network needs.

-#### Determine how much bandwidth you'll need

-Multiple assessment options are available to determine change rate and total backup set size for the initial baseline transfer to Azure. Here are some examples of assessment and reporting tools:

-#### Determine unutilized internet bandwidth

-It's important to know how much typically unutilized bandwidth (or *headroom*) you have available on a day-to-day basis. This helps you assess whether you can meet your goals for:

-Use the following methods to identify the bandwidth headroom that your backups to Azure are free to consume.

- - [Solarwinds Bandwidth Analyzer Pack](https://www.solarwinds.com/network-bandwidth-analyzer-pack?CMP=ORG-BLG-DNS)

- - [Paessler PRTG](https://www.paessler.com/bandwidth_monitoring)

- - [Cisco Network Assistant](https://www.cisco.com/c/en/us/products/cloud-systems-management/network-assistant/https://docsupdatetracker.net/index.html)

- - [WhatsUp Gold](https://www.whatsupgold.com/network-traffic-monitoring)

-### Choose the right storage options

-When you use Azure as a backup target, you'll make use of [Azure Blob storage](../../../../blobs/storage-blobs-introduction.md). Blob storage is Microsoft's object storage solution. Blob storage is optimized for storing massive amounts of unstructured data, which is data that does not adhere to any data model or definition. Additionally, Azure Storage is durable, highly available, secure, and scalable. You can select the right storage for your workload to provide the [level of resiliency](../../../../common/storage-redundancy.md) to meet your internal SLAs. Blob storage is a pay-per-use service. You're [charged monthly](../../../../blobs/access-tiers-overview.md#pricing-and-billing) for the amount of data stored, accessing that data, and in the case of cool and archive tiers, a minimum required retention period. The resiliency and tiering options applicable to backup data are summarized in the following tables.

-**Blob storage resiliency options:**

-| |Locally-redundant |Zone-redundant |Geo-redundant |Geo-zone-redundant |

-||||||

-|**Effective # of copies** | 3 | 3 | 6 | 6 |

-|**# of availability zones** | 1 | 3 | 2 | 4 |

-|**# of region**s | 1 | 1 | 2 | 2 |

-|**Manual failover to secondary region** | N/A | N/A | Yes | Yes |

-**Blob storage tiers:**

-| | Hot tier |Cool tier | Archive tier |

-| -- | -- | -- | -- |

-| **Availability** | 99.9% | 99% | Offline |

-| **Usage charges** | Higher storage costs, Lower access, and transaction costs | Lower storage costs, higher access, and transaction costs | Lowest storage costs, highest access, and transaction costs |

-| **Minimum data retention required** | NA | 30 days | 180 days |

-| **Latency (time to first byte)** | Milliseconds | Milliseconds | Hours |

-#### Sample backup to Azure cost model

-With pay-per-use can be daunting to customers who are new to the cloud. While you pay for only the capacity used, you do also pay for transactions (read and or writes) and [egress for data](https://azure.microsoft.com/pricing/details/bandwidth/) read back to your on-premises environment when [Azure Express Route direct local or Express Route unlimited data plan](https://azure.microsoft.com/pricing/details/expressroute/) are in use where data egress from Azure is included. You can use the [Azure Pricing Calculator](https://azure.microsoft.com/pricing/calculator/) to perform "what if" analysis. You can base the analysis on list pricing or on [Azure Storage Reserved Capacity pricing](../../../../../cost-management-billing/reservations/save-compute-costs-reservations.md), which can deliver up to 38% savings. Here's an example pricing exercise to model the monthly cost of backing up to Azure. This is only an example. *Your pricing may vary due to activities not captured here.*

-|Cost factor |Monthly cost |

-|||

-|100 TB of backup data on cool storage |$1556.48 |

-|2 TB of new data written per day x 30 days |$42 in transactions |

-|Monthly estimated total |$1598.48 |

-|||

-|One time restore of 5 TB to on-premises over public internet | $527.26 |

-> [!Note]

-> This estimate was generated in the Azure Pricing Calculator using East US Pay-as-you-go pricing and is based on the Veeam default of 512 kb chunk size for WAN transfers. This example may not be applicable towards your requirements.

-## Implementation guidance

-This section provides a brief guide for how to add Azure Storage to an on-premises Veeam deployment. For detailed guidance and planning considerations, we recommend you take a look at the following Veeam Guidance for their [Capacity Tier](https://helpcenter.veeam.com/docs/backup/vsphere/capacity_tier.html?ver=110).

-1. Open the Azure portal, and search for **Storage Accounts**. You can also click on the default service icon.

- 

- 

-2. Select **Create** to add an account. Select or create a resource group, provide a unique name, choose the region, select **Standard** performance, always leave account kind as **Storage V2**, choose the replication level which meets your SLAs, and the default tier your backup software will apply. An Azure Storage account makes hot, cool, and archive tiers available within a single account and Veeam policies allow you to use multiple tiers to effectively manage the lifecycle of your data.

- 

-3. Keep the default networking and data protection options for now. Do **not** enable Soft Delete for Storage Accounts storing Veeam capacity tiers.

- 4. Next, we recommend the default settings from the **Advanced** screen for backup to Azure use cases.

- 

-5. Add tags for organization if you use tagging, and create your account.

-6. Two quick steps are all that are now required before you can add the account to your Veeam environment. Navigate to the account you created in the Azure portal and select **Containers** under the **Blob service** menu. Add a container and choose a meaningful name. Then, navigate to the **Access keys** item under **Settings** and copy the **Storage account name** and one of the two access keys. You will need the container name, account name, and access key in the next steps.

- 

- 

- > [!Note]

- > Veeam Backup and Replication offers additional options to connect to Azure. For the use case of this article, using Microsoft Azure Blob Storage as a backup target, using the above method is the recommended best practice.

-7. *(Optional)* You can add more layers of security to your deployment.

- 1. Configure role-based access to limit who can make changes to your storage account. For more information, see [Built-in roles for management operations](../../../../common/authorization-resource-provider.md#built-in-roles-for-management-operations).

- 1. Restrict access to the account to specific network segments with [storage firewall settings](../../../../common/storage-network-security.md) to prevent access attempts from outside your corporate network.

- 

- 1. Set a [delete lock](../../../../../azure-resource-manager/management/lock-resources.md) on the account to prevent accidental deletion of the storage account.

- 

- 1. Configure additional [security best practices](../../../../../storage/blobs/security-recommendations.md).

-8. In the Veaam Backup and Replication Management Console, navigate to **Backup Infrastructure** -> right-click in the overview pane and select **Add Backup Repository** to open the configuration wizard. In the dialog box, select **Object storage** -> **Microsoft Azure Blob Storage** -> **Azure Blob Storage**.

- 

- 

- 

-9. Next, specify a name and a description of your new Blob storage repository.

- 

-10. In the next step, add the credentials to access your Azure storage account. Select **Microsoft Azure Storage Account** in the Cloud Credential Manager, and enter your storage account name and access key. Select **Azure Global** in the region selector, and any gateway server if applicable.

- 

- > [!Note]

- > If you choose not to use a Veeam gateway server, make sure that all scale-out repository extents have direct internet access.

-11. On the container register, select your Azure Storage container and select or create a folder to store your backups in. You can also define a soft limit on the overall storage capacity to be used by Veeam, which is recommended. Review the displayed information in the summary section and complete the configuration tool. You can now select the new repository in your backup job configuration.

- 

- 

-## Operational guidance

-### Azure alerts and performance monitoring

-It is advisable to monitor both your Azure resources and Veeam's ability to leverage them as you would with any storage target you rely on to store your backups. A combination of Azure Monitor and Veeam's monitoring capabilities (the **Statistics** tab in the **Jobs** node of the Veeam Management Console or more advanced options like Veeam One Reporter) will help you keep your environment healthy.

-#### Azure portal

-Azure provides a robust monitoring solution in the form of [Azure Monitor](../../../../../azure-monitor/essentials/monitor-azure-resource.md). You can [configure Azure Monitor](../../../../blobs/monitor-blob-storage.md) to track Azure Storage capacity, transactions, availability, authentication, and more. The full reference of metrics tracked may be found [here](../../../../blobs/monitor-blob-storage-reference.md). A few useful metrics to track are BlobCapacity - to make sure you remain below the maximum [storage account capacity limit](../../../../common/scalability-targets-standard-account.md), Ingress and Egress - to track the amount of data being written to and read from your Azure storage account, and SuccessE2ELatency - to track the roundtrip time for requests to and from Azure Storage and your MediaAgent.

-You can also [create log alerts](../../../../../service-health/alerts-activity-log-service-notifications-portal.md) to track Azure Storage service health and view the [Azure status dashboard](https://azure.status.microsoft/status) at any time.

-#### Veeam reporting

-### How to open support cases

-When you need help with your backup to Azure solution, you should open a case with both Veeam and Azure. This helps our support organizations to collaborate, if necessary.

-#### To open a case with Veeam

-On the [Veeam customer support site](https://www.veeam.com/support.html), sign in, and open a case.

-To understand the support options available to you by Veeam, see the [Veeam Customer Support Policy](https://www.veeam.com/veeam_software_support_policy_ds.pdf).

-You may also call to open a case: [Worldwide support numbers](https://www.veeam.com/contacts.html?ad=in-text-link#support-numbers)

-#### To open a case with Azure

-In the [Azure portal](https://portal.azure.com) search for **support** in the search bar at the top. Select **Help + support** -> **New Support Request**.

-> [!NOTE]

-> When you open a case, be specific that you need assistance with Azure Storage or Azure Networking. Do not specify Azure Backup. Azure Backup is the name of an Azure service and your case will be routed incorrectly.

-### Links to relevant Veeam documentation

-See the following Veeam documentation for further detail:

-### Marketplace offerings

-You can continue to use the Veeam solution you know and trust to protect your workloads running on Azure. Veeam has made it easy to deploy their solution in Azure and protect Azure Virtual Machines and many other Azure services.

-## Next steps

-See the following resources on the Veeam website for information about specialized usage scenarios:

-If your Resource health shows that your dedicated SQL pool (formerly SQL DW) instance is paused or scaling, follow the guidance to resume your instance.

-

-```azurecli

-```azurecli

-> [!NOTE]

-> [The Azure Blob Storage SFTP feature](../../../storage/blobs/secure-file-transfer-protocol-support.md) is currently in preview.

-> [!NOTE]

-> The [Azure Blob Storage SFTP feature](../../../storage/blobs/secure-file-transfer-protocol-support.md) is currently in preview.

-The SNAT connection count metric shows you the number of new SNAT connections within a specified time frame.

-To view the number of attempted and failed connections:

-Reasons for why you may see failed connections:

-### Alerts for SNAT port usage

-Use the total **SNAT connection count** metric and alerts for when you're nearing the limits of available SNAT ports.

-3. From the signal list, select **Total SNAT Connection Count**.

-4. From the **Operator** drop-down menu, select **Less than or equal to**.

-5. From the **Aggregation type** drop-down menu, select **Total**.

-6. In the **Threshold value** box, enter a percentage value that the Total SNAT connection count must drop below before an alert is fired. When deciding what threshold value to use, keep in mind how much you've scaled out your NAT gateway outbound connectivity with public IP addresses. For more information, see [Scale NAT gateway](./nat-gateway-resource.md#scalability).

-7. From the **Unit** drop-down menu, select **Count**.

-8. From the **Aggregation granularity (Period)** drop-down menu, select a time period over which you would like the SNAT connection count to be measured.

->SNAT exhaustion on your NAT gateway resource is uncommon. If you see SNAT exhaustion, your NAT gateway's idle timeout timer may be holding on to SNAT ports too long or your may need to scale with additional public IPs. To troubleshoot these kinds of issues, refer to the NAT gateway [troubleshooting guide](./troubleshoot-nat.md).

- In other words, when Traffic Routing Policy is configured on a Virtual WAN hub, the Virtual WAN will advertise a **default** route to all spokes, Gateways and Network Virtual Appliances (deployed in the hub or spoke). This includes the **Network Virtual Appliance** that is the next hop for the Itnernet Traffic routing policy.

-When an ExpressRoute circuit is connected to virtual hub, the Microsoft Edge routers are the first node for communication between on-premises and Azure. These edge routers communicate with the Virtual WAN ExpressRoute gateways that, in turn, learn routes from the virtual hub router that controls all routes between any gateways in Virtual WAN. The Microsoft Edge routers process virtual hub ExpressRoute routes with higher preference over routes learned from on-premises.

-### When there's an ExpressRoute circuit connected as a bow-tie to a Virtual WAN hub and a non Virtual WAN (customer-managed) VNet, what is the path for the non Virtual WAN VNet to reach the Virtual WAN hub?

-### Can hubs be created in different resource group in Virtual WAN?

-> The user will need to have an **owner** or **contributor** role to see an accurate status of the hub router version. If a user is assigned a **reader** role to the Virtual WAN resource, then Azure portal will display to that user that the hub router needs to be upgraded to the latest version, even if the hub is already on the latest version.

-1. In the **Basics** tab of the **Create a WAF policy** page, enter or select the following information, accept the defaults for the remaining settings, and then select **Review + create**:

- | Front Door SKU | Select between basic, standard and premium SKU. |

- | Subscription | Select your Front Door subscription name.|

-1. In the **Association** tab of the **Create a WAF policy** page, select **+ Associate a Front Door profile**, enter the following settings, and then select **Add**:

-When you create a WAF policy, by the default WAF policy is in **Detection** mode. In **Detection** mode, WAF doesn't block any requests, instead, requests matching the WAF rules are logged at WAF logs.

-Azure-managed Default Rule Set is enabled by default. Current default version is DefaultRuleSet_1.0. From WAF **Managed rules**, **Assign**, recently available ruleset Microsoft_DefaultRuleSet_1.1 is available in the drop-down list.

-> [Learn more about Azure Front Door Standard/Premium](../../frontdoor/standard-premium/overview.md)

-

- 

- 

- 

- :::image type="content" source="../media/application-gateway-web-application-firewall-portal/application-gateway-create-rule-listener.png" alt-text="Screenshot showing Create new application gateway: listener." lightbox="../media/application-gateway-web-application-firewall-portal/application-gateway-create-rule-listener.png":::

- :::image type="content" source="../media/application-gateway-web-application-firewall-portal/application-gateway-create-backend-setting.png" alt-text="Screenshot showing Create new application gateway, Backend setting." lightbox="../media/application-gateway-web-application-firewall-portal/application-gateway-create-backend-setting.png":::

- :::image type="content" source="../media/application-gateway-web-application-firewall-portal/application-gateway-create-rule-backends.png" alt-text="Screenshot showing Create new application gateway: routing rule." lightbox="../media/application-gateway-web-application-firewall-portal/application-gateway-create-rule-backends.png":::

- - **Username**: Enter a name for the administrator user name.

-1. On the **Monitoring** tab, set **Boot diagnostics** to **Disable**. Accept the other defaults and then select **Review + create**.

- 

-1. Find the public IP address for the application gateway on its **Overview** page.

-