-With Azure Active Directory B2C (Azure AD B2C) [HTML templates](customize-ui-with-html.md), you can craft your users' identity experiences. Your HTML templates can contain only certain HTML tags and attributes. Basic HTML tags, such as <b>, <i>, <u>, <h1>, and <hr> are allowed. More advanced tags such as <script>, and <iframe> are removed for security reasons.

-## Azure Spring Apps

-### Update your outdated Azure Spring Apps SDK to the latest version

-We have identified API calls from an outdated Azure Spring Apps SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.

-Learn more about the [Azure Spring Apps service](../spring-apps/index.yml).

-### Update Azure Spring Apps API Version

-We have identified API calls from outdated Azure Spring Apps API for resources under this subscription. We recommend switching to the latest Azure Spring Apps API version. You need to update your existing code to use the latest API version. Also, you need to upgrade your Azure SDK and Azure CLI to the latest version. This ensures you receive the latest features and performance improvements.

-Learn more about the [Azure Spring Apps service](../spring-apps/index.yml).

-## Automation

-### Upgrade to Start/Stop VMs v2

-This new version of Start/Stop VMs v2 (preview) provides a decentralized low-cost automation option for customers who want to optimize their VM costs. It offers all of the same functionality as the original version available with Azure Automation, but it is designed to take advantage of newer technology in Azure.

-Learn more about [Automation account - SSV1_Upgrade (Upgrade to Start/Stop VMs v2)](https://aka.ms/startstopv2docs).

-## Azure VMware

-Your HCX version is not latest. New HCX version is available for upgrade. Updating a VMware HCX system installs the latest features, problem fixes, and security patches.

-## Batch

-Your pool is using a deprecated internal component. Please delete and recreate your pool for improved stability and performance.

-### Upgrade to the latest API version to ensure your Batch account remains operational.

-### Delete and recreate your pool using a VM size that will soon be retired

-Your pool is using A8-A11 VMs, which are set to be retired in March 2021. Please delete your pool and recreate it with a different VM size.

-Learn more about [Batch account - RemoveA8_A11Pools (Delete and recreate your pool using a VM size that will soon be retired)](https://aka.ms/batch_a8_a11_retirement_learnmore).

-Your pool is using an image with an imminent expiration date. Please recreate the pool with a new image to avoid potential interruptions. A list of newer images is available via the ListSupportedImages API.

-## Cache for Redis

-### Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. This is a common source of incidents affecting customer applications

-Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. It's difficult to configure the network accurately and avoid affecting cache functionality. It's easy to break the cache accidentally while making configuration changes for other network resources. This is a common source of incidents affecting customer applications

-Learn more about [Redis Cache Server - PrivateLink (Injecting a cache into a virtual network (VNet) imposes complex requirements on your network configuration. This is a common source of incidents affecting customer applications)](https://aka.ms/VnetToPrivateLink).

-### TLS versions 1.0 and 1.1 are known to be susceptible to security attacks, and have other Common Vulnerabilities and Exposures (CVE) weaknesses.

-TLS versions 1.0 and 1.1 are known to be susceptible to security attacks, and have other Common Vulnerabilities and Exposures (CVE) weaknesses. We highly recommend that you configure your cache to use TLS 1.2 only and your application should use TLS 1.2 or later. See https://aka.ms/TLSVersions for more information.

-Learn more about [Redis Cache Server - TLSVersion (TLS versions 1.0 and 1.1 are known to be susceptible to security attacks, and have other Common Vulnerabilities and Exposures (CVE) weaknesses.)](https://aka.ms/TLSVersions).

-## Azure AI services

-### Upgrade to the latest version of the Immersive Reader SDK

-We have identified resources under this subscription using outdated versions of the Immersive Reader SDK. Using the latest version of the Immersive Reader SDK provides you with updated security, performance and an expanded set of features for customizing and enhancing your integration experience.

-Learn more about [Azure AI Immersive Reader](/azure/ai-services/immersive-reader/).

-## Compute

-### Increase the number of compute resources you can deploy by 10 vCPU

-If quota limits are exceeded, new VM deployments will be blocked until quota is increased. Increase your quota now to enable deployment of more resources. Learn More

-Learn more about [Virtual machine - IncreaseQuotaExperiment (Increase the number of compute resources you can deploy by 10 vCPU)](https://aka.ms/SubscriptionServiceLimits).

-### Add Azure Monitor to your virtual machine (VM) labeled as production

-Azure Monitor for VMs monitors your Azure virtual machines (VM) and Virtual Machine Scale Sets at scale. It analyzes the performance and health of your Windows and Linux VMs, and it monitors their processes and dependencies on other resources and external processes. It includes support for monitoring performance and application dependencies for VMs that are hosted on-premises or in another cloud provider.

-Learn more about [Virtual machine - AddMonitorProdVM (Add Azure Monitor to your virtual machine (VM) labeled as production)](/azure/azure-monitor/insights/vminsights-overview).

-### Excessive NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens often on some global NTP servers.

-Excessive NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens often on some global NTP servers. This can be viewed as malicious traffic and blocked by the DDOS service in the Azure environment

-Learn more about [Virtual machine - GetVmlistFortigateNtpIssue (Excessive NTP client traffic caused by frequent DNS lookups and NTP sync for new servers, which happens often on some global NTP servers.)](https://docs.fortinet.com/document/fortigate/6.2.3/fortios-release-notes/236526/known-issues).

-### An Azure environment update has been rolled out that may affect your Checkpoint Firewall.

-The image version of the Checkpoint firewall installed may have been affected by the recent Azure environment update. A kernel panic resulting in a reboot to factory defaults can occur in certain circumstances.

-Learn more about [Virtual machine - NvaCheckpointNicServicing (An Azure environment update has been rolled out that may affect your Checkpoint Firewall.)](https://supportcenter.checkpoint.com/supportcenter/portal).

-### The iControl REST interface has an unauthenticated remote command execution vulnerability.

-This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable

-Learn more about [Virtual machine - GetF5vulnK03009991 (The iControl REST interface has an unauthenticated remote command execution vulnerability.)](https://support.f5.com/csp/article/K03009991).

-### NVA Accelerated Networking enabled but potentially not working.

-Desired state for Accelerated Networking is set to ΓÇÿtrueΓÇÖ for one or more interfaces on this VM, but actual state for accelerated networking is not enabled.

-Learn more about [Virtual machine - GetVmListANDisabled (NVA Accelerated Networking enabled but potentially not working.)](../virtual-network/create-vm-accelerated-networking-cli.md).

-### Virtual machines with Citrix Application Delivery Controller (ADC) and accelerated networking enabled may disconnect during maintenance operation

-We have identified that you are running a Network virtual Appliance (NVA) called Citrix Application Delivery Controller (ADC), and the NVA has accelerated networking enabled. The Virtual machine that this NVA is deployed on may experience connectivity issues during a platform maintenance operation. It is recommended that you follow the article provided by the vendor: https://aka.ms/Citrix_CTX331516

-Learn more about [Virtual machine - GetCitrixVFRevokeError (Virtual machines with Citrix Application Delivery Controller (ADC) and accelerated networking enabled may disconnect during maintenance operation)](https://aka.ms/Citrix_CTX331516).

-## Kubernetes

-This cluster's service principal is expired and the cluster will not be healthy until the service principal is updated

-This cluster has not enabled AKS Cluster Autoscaler, and it will not adapt to changing load conditions unless you have other ways to autoscale your cluster

-Some of the subnets for this cluster's node pools are full and cannot take any more worker nodes. Using the Azure CNI plugin requires to reserve IP addresses for each node and all the pods for the node at node provisioning time. If there is not enough IP address space in the subnet, no worker nodes can be deployed. Additionally, the AKS cluster cannot be upgraded if the node subnet is full.

-This cluster is not using ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades

-This cluster has not enabled the Standard tier which includes the Uptime SLA by default, and is limited to an SLO of 99.5%.

-## MySQL

-To support modern security standards, MySQL community edition discontinued the support for communication over Transport Layer Security (TLS) 1.0 and 1.1 protocols. Microsoft will also stop supporting connection over TLSv1 and TLSv1.1 to Azure Database for MySQL - Flexible server soon to comply with the modern security standards. We recommend you upgrade your client driver to support TLSv1.2.

-## Desktop Virtualization

-### Permissions missing for start VM on connect

-We have determined you enabled start VM on connect but didn't grant the Azure Virtual Desktop the rights to power manage VMs in your subscription. As a result your users connecting to host pools won't receive a remote desktop session. Review feature documentation for requirements.

-Learn more about [Host Pool - AVDStartVMonConnect (Permissions missing for start VM on connect)](https://aka.ms/AVDStartVMRequirement).

-### No validation environment enabled

-We have determined that you do not have a validation environment enabled in current subscription. When creating your host pools, you have selected "No" for "Validation environment" in the properties tab. Having at least one host pool with a validation environment enabled ensures the business continuity through Azure Virtual Desktop service deployments with early detection of potential issues.

-Learn more about [Host Pool - ValidationEnvHostPools (No validation environment enabled)](../virtual-desktop/create-validation-host-pool.md).

-### Not enough production environments enabled

-We have determined that too many of your host pools have Validation Environment enabled. In order for Validation Environments to best serve their purpose, you should have at least one, but never more than half of your host pools in Validation Environment. By having a healthy balance between your host pools with Validation Environment enabled and those with it disabled, you will best be able to utilize the benefits of the multistage deployments that Azure Virtual Desktop offers with certain updates. To fix this issue, open your host pool's properties and select "No" next to the "Validation Environment" setting.

-Learn more about [Host Pool - ProductionEnvHostPools (Not enough production environments enabled)](../virtual-desktop/create-host-pools-powershell.md).

-## Azure Cosmos DB

-### Migrate Azure Cosmos DB attachments to Azure Blob Storage

-We noticed that your Azure Cosmos DB collection is using the legacy attachments feature. We recommend migrating attachments to Azure Blob Storage to improve the resiliency and scalability of your blob data.

-Learn more about [Azure Cosmos DB account - CosmosDBAttachments (Migrate Azure Cosmos DB attachments to Azure Blob Storage)](../cosmos-db/attachments.md#migrating-attachments-to-azure-blob-storage).

-### Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup

-Your Azure Cosmos DB accounts are configured with periodic backup. Continuous backup with point-in-time restore is now available on these accounts. With continuous backup, you can restore your data to any point in time within the past 30 days. Continuous backup may also be more cost-effective as a single copy of your data is retained.

-Learn more about [Azure Cosmos DB account - CosmosDBMigrateToContinuousBackup (Improve resiliency by migrating your Azure Cosmos DB accounts to continuous backup)](../cosmos-db/continuous-backup-restore-introduction.md).

-## Monitor

-We have detected that one or more of your alert rules have invalid queries specified in their condition section. Log alert rules are created in Azure Monitor and are used to run analytics queries at specified intervals. The results of the query determine if an alert needs to be triggered. Analytics queries may become invalid overtime due to changes in referenced resources, tables, or commands. We recommend that you correct the query in the alert rule to prevent it from getting auto-disabled and ensure monitoring coverage of your resources in Azure.

-## Key Vault

-### Create a backup of HSM

-Create a periodic HSM backup to prevent data loss and have ability to recover the HSM in case of a disaster.

-Learn more about [Managed HSM Service - CreateHSMBackup (Create a backup of HSM)](../key-vault/managed-hsm/best-practices.md#create-backups).

-## Data Explorer

-### Reduce the cache policy on your Data Explorer tables

-Reduce the table cache policy to match the usage patterns (query lookback period)

-Learn more about [Data explorer resource - ReduceCacheForAzureDataExplorerTablesOperationalExcellence (Reduce the cache policy on your Data Explorer tables)](https://aka.ms/adxcachepolicy).

-We've detected that one or more of your Application Gateways is unable to obtain a certificate due to misconfigured Key Vault. You should fix this configuration immediately to avoid operational issues with your gateway.

-## SQL Virtual Machine

-### SQL IaaS Agent should be installed in full mode

-Full mode installs the SQL IaaS Agent to the VM to deliver full functionality. Use it for managing a SQL Server VM with a single instance. There is no cost associated with using the full manageability mode. System administrator permissions are required. Note that installing or upgrading to full mode is an online operation, there is no restart required.

-Learn more about [SQL virtual machine - UpgradeToFullMode (SQL IaaS Agent should be installed in full mode)](/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management?tabs=azure-powershell).

-## Storage

-### Prevent hitting subscription limit for maximum storage accounts

-A region can support a maximum of 250 storage accounts per subscription. You have either already reached or are about to reach that limit. If you reach that limit, you will be unable to create any more storage accounts in that subscription/region combination. Please evaluate the recommended action below to avoid hitting the limit.

-Learn more about [Storage Account - StorageAccountScaleTarget (Prevent hitting subscription limit for maximum storage accounts)](https://aka.ms/subscalelimit).

-### Update to newer releases of the Storage Java v12 SDK for better reliability.

-We noticed that one or more of your applications use an older version of the Azure Storage Java v12 SDK to write data to Azure Storage. Unfortunately, the version of the SDK being used has a critical issue that uploads incorrect data during retries (for example, in case of HTTP 500 errors), resulting in an invalid object being written. The issue is fixed in newer releases of the Java v12 SDK.

-Learn more about [Storage Account - UpdateStorageJavaSDK (Update to newer releases of the Storage Java v12 SDK for better reliability.)](/azure/developer/java/sdk/?view=azure-java-stable&preserve-view=true).

-## Subscription

-Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless, no requests are dropped because of swap operations.

-Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources. This policy adds or replaces the specified tag and value when any resource is created or updated. Existing resources can be remediated by triggering a remediation task. Does not modify tags on resource groups.

-Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources. This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements.

-Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources. This policy audits VMs that do not use managed disks.

-Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources. This policy enables you to specify a set of virtual machine SKUs that your organization can deploy.

-Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources. This policy adds or replaces the specified tag and value from the parent resource group when any resource is created or updated. Existing resources can be remediated by triggering a remediation task.

-## Web

-### Set up staging environments in Azure App Service

-Deploying an app to a slot first and swapping it into production makes sure that all instances of the slot are warmed up before being swapped into production. This eliminates downtime when you deploy your app. The traffic redirection is seamless, no requests are dropped because of swap operations.

-Learn more about [App service - AzureAppService-StagingEnv (Set up staging environments in Azure App Service)](../app-service/deploy-staging-slots.md).

-### Update Service Connector API Version

-We have identified API calls from outdated Service Connector API for resources under this subscription. We recommend switching to the latest Service Connector API version. You need to update your existing code or tools to use the latest API version.

-Learn more about [App service - UpgradeServiceConnectorAPI (Update Service Connector API Version)](/azure/service-connector).

-### Update Service Connector SDK to the latest version

-We have identified API calls from an outdated Service Connector SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.

-Learn more about [App service - UpgradeServiceConnectorSDK (Update Service Connector SDK to the latest version)](/azure/service-connector).

-## Azure Center for SAP

-### Azure Center for SAP recommendation: All VMs in SAP system should be certified for SAP

-Azure Center for SAP solutions recommendation: All VMs in SAP system should be certified for SAP.

-Learn more about [App Server Instance - VM_0001 (Azure Center for SAP recommendation: All VMs in SAP system should be certified for SAP)](https://launchpad.support.sap.com/#/notes/1928533).

-### Azure Center for SAP recommendation: All VMs in SAP system should be certified for SAP

-Azure Center for SAP solutions recommendation: All VMs in SAP system should be certified for SAP.

-Learn more about [Central Server Instance - VM_0001_ASCS (Azure Center for SAP recommendation: All VMs in SAP system should be certified for SAP)](https://launchpad.support.sap.com/#/notes/1928533).

-### Azure Center for SAP recommendation: All VMs in SAP system should be certified for SAP

-Azure Center for SAP solutions recommendation: All VMs in SAP system should be certified for SAP.

-Learn more about [Database Instance - VM_0001_DB (Azure Center for SAP recommendation: All VMs in SAP system should be certified for SAP)](https://launchpad.support.sap.com/#/notes/1928533).

-Azure Center for SAP recommendation: Ensure all NICs for a system should be attached to the same VNET.

-### Azure Center for SAP recommendation: Swap space on HANA systems should be 2GB

-Azure Center for SAP solutions recommendation: Swap space on HANA systems should be 2GB.

-Learn more about [Database Instance - SwapSpaceForSap (Azure Center for SAP recommendation: Swap space on HANA systems should be 2GB)](https://launchpad.support.sap.com/#/notes/1999997).

-Azure Center for SAP recommendation: Ensure all NICs for a system should be attached to the same VNET.

-Azure Center for SAP recommendation: Ensure all NICs for a system should be attached to the same VNET.

-## Attestation

-### Update Attestation API Version

-We have identified API calls from outdated Attestation API for resources under this subscription. We recommend switching to the latest Attestation API versions. You need to update your existing code to use the latest API version. This ensures you receive the latest features and performance improvements.

-Learn more about [Attestation provider - UpgradeAttestationAPI (Update Attestation API Version)](/rest/api/attestation).

-## Azure VMware Solution

-### vSAN capacity utilization has crossed critical threshold

-Your vSAN capacity utilization has reached 75%. The cluster utilization is required to remain below the 75% critical threshold for SLA compliance. Add new nodes to VSphere cluster to increase capacity or delete VMs to reduce consumption or adjust VM workloads

-Learn more about [AVS Private cloud - vSANCapacity (vSAN capacity utilization has crossed critical threshold)](../azure-vmware/concepts-private-clouds-clusters.md).

-## Azure Cache for Redis

-### Improve your Cache and application performance when running with high network bandwidth

-Cache instances perform best when not running under high network bandwidth which may cause them to become unresponsive, experience data loss, or become unavailable. Apply best practices to reduce network bandwidth or scale to a different size or sku with more capacity.

-Learn more about [Redis Cache Server - RedisCacheNetworkBandwidth (Improve your Cache and application performance when running with high network bandwidth)](https://aka.ms/redis/recommendations/bandwidth).

-### Improve your Cache and application performance when running with many connected clients

-Cache instances perform best when not running under high server load which may cause them to become unresponsive, experience data loss, or become unavailable. Apply best practices to reduce the server load or scale to a different size or sku with more capacity.

-Learn more about [Redis Cache Server - RedisCacheConnectedClients (Improve your Cache and application performance when running with many connected clients)](https://aka.ms/redis/recommendations/connections).

-### Improve your Cache and application performance when running with high server load

-Cache instances perform best when not running under high server load which may cause them to become unresponsive, experience data loss, or become unavailable. Apply best practices to reduce the server load or scale to a different size or sku with more capacity.

-Learn more about [Redis Cache Server - RedisCacheServerLoad (Improve your Cache and application performance when running with high server load)](https://aka.ms/redis/recommendations/cpu).

-### Improve your Cache and application performance when running with high memory pressure

-Cache instances perform best when not running under high memory pressure which may cause them to become unresponsive, experience data loss, or become unavailable. Apply best practices to reduce used memory or scale to a different size or sku with more capacity.

-Learn more about [Redis Cache Server - RedisCacheUsedMemory (Improve your Cache and application performance when running with high memory pressure)](https://aka.ms/redis/recommendations/memory).

-### Improve your Cache and application performance when memory rss usage is high.

-Cache instances perform best when not running under high memory pressure which may cause them to become unresponsive, experience data loss, or become unavailable. Apply best practices to reduce used memory or scale to a different size or sku with more capacity.

-Learn more about [Redis Cache Server - RedisCacheUsedMemoryRSS (Improve your Cache and application performance when memory rss usage is high.)](https://aka.ms/redis/recommendations/memory).

-### Improve your Cache and application performance when memory rss usage is high.

-Cache instances perform best when not running under high memory pressure which may cause them to become unresponsive, experience data loss, or become unavailable. Apply best practices to reduce used memory or scale to a different size or sku with more capacity.

-Learn more about [Redis Cache Server - RedisCacheUsedMemoryRSSHigh (Improve your Cache and application performance when memory rss usage is high.)](https://aka.ms/redis/recommendations/memory).

-### Improve your Cache and application performance when running with high network bandwidth

-Cache instances perform best when not running under high network bandwidth which may cause them to become unresponsive, experience data loss, or become unavailable. Apply best practices to reduce network bandwidth or scale to a different size or sku with more capacity.

-Learn more about [Redis Cache Server - RedisCacheNetworkBandwidthHigh (Improve your Cache and application performance when running with high network bandwidth)](https://aka.ms/redis/recommendations/bandwidth).

-### Improve your Cache and application performance when running with high memory pressure

-Cache instances perform best when not running under high memory pressure which may cause them to become unresponsive, experience data loss, or become unavailable. Apply best practices to reduce used memory or scale to a different size or sku with more capacity.

-Learn more about [Redis Cache Server - RedisCacheUsedMemoryHigh (Improve your Cache and application performance when running with high memory pressure)](https://aka.ms/redis/recommendations/memory).

-### Improve your Cache and application performance when running with many connected clients

-Cache instances perform best when not running under high server load which may cause them to become unresponsive, experience data loss, or become unavailable. Apply best practices to reduce the server load or scale to a different size or sku with more capacity.

-Learn more about [Redis Cache Server - RedisCacheConnectedClientsHigh (Improve your Cache and application performance when running with many connected clients)](https://aka.ms/redis/recommendations/connections).

-### Improve your Cache and application performance when running with high server load

-Cache instances perform best when not running under high server load which may cause them to become unresponsive, experience data loss, or become unavailable. Apply best practices to reduce the server load or scale to a different size or sku with more capacity.

-Learn more about [Redis Cache Server - RedisCacheServerLoadHigh (Improve your Cache and application performance when running with high server load)](https://aka.ms/redis/recommendations/cpu).

-### Cache instances perform best when the host machines where client application runs is able to keep up with responses from the cache.

-Cache instances perform best when the host machines where client application runs is able to keep up with responses from the cache. If client host machine is running hot on memory, CPU or network bandwidth, the cache responses will not reach your application fast enough and could result in higher latency.

-Learn more about [Redis Cache Server - UnresponsiveClient (Cache instances perform best when the host machines where client application runs is able to keep up with responses from the cache.)](/azure/azure-cache-for-redis/cache-troubleshoot-client).

-## CDN

-### Upgrade SDK version recommendation

-The latest version of Azure Front Door Standard and Premium Client Library or SDK contains fixes to issues reported by customers and proactively identified through our QA process. The latest version also carries reliability and performance optimization in addition to new features that can improve your overall experience using Azure Front Door Standard and Premium.

-Learn more about [Front Door Profile - UpgradeCDNToLatestSDKLanguage (Upgrade SDK version recommendation)](https://aka.ms/afd/tiercomparison).

-## Azure AI services

-### 429 Throttling Detected on this resource

-We observed that there have been 1,000 or more 429 throttling errors on this resource in a one day timeframe. Consider enabling autoscale to better handle higher call volumes and reduce the number of 429 errors.

-Learn more about [Azure AI services autoscale](/azure/ai-services/autoscale?tabs=portal).

-### Upgrade to the latest Azure AI Language SDK version

-Upgrade to the latest SDK version to get the best results in terms of model quality, performance and service availability. Also there are new features available as new endpoints starting from V3.0 such as personally identifiable information recognition, Entity recognition and entity linking available as separate endpoints. In terms of changes in preview endpoints we have Opinion Mining in SA endpoint, redacted text property in personally identifiable information endpoint.

-Learn more about [Azure AI Language](/azure/ai-services/language-service/language-detection/overview).

-## Communication services

-### Use recommended version of Chat SDK

-Azure Communication Services Chat SDK can be used to add rich, real-time chat to your applications. Update to the recommended version of Chat SDK to ensure the latest fixes and features.

-Learn more about [Communication service - UpgradeChatSdk (Use recommended version of Chat SDK)](../communication-services/concepts/chat/sdk-features.md).

-### Use recommended version of Resource Manager SDK

-Resource Manager SDK can be used to provision and manage Azure Communication Services resources. Update to the recommended version of Resource Manager SDK to ensure the latest fixes and features.

-Learn more about [Communication service - UpgradeResourceManagerSdk (Use recommended version of Resource Manager SDK)](../communication-services/quickstarts/create-communication-resource.md?pivots=platform-net&tabs=windows).

-### Use recommended version of Identity SDK

-Azure Communication Services Identity SDK can be used to manage identities, users, and access tokens. Update to the recommended version of Identity SDK to ensure the latest fixes and features.

-Learn more about [Communication service - UpgradeIdentitySdk (Use recommended version of Identity SDK)](../communication-services/concepts/sdk-options.md).

-### Use recommended version of SMS SDK

-Azure Communication Services SMS SDK can be used to send and receive SMS messages. Update to the recommended version of SMS SDK to ensure the latest fixes and features.

-Learn more about [Communication service - UpgradeSmsSdk (Use recommended version of SMS SDK)](/azure/communication-services/concepts/telephony-sms/sdk-features).

-### Use recommended version of Phone Numbers SDK

-Azure Communication Services Phone Numbers SDK can be used to acquire and manage phone numbers. Update to the recommended version of Phone Numbers SDK to ensure the latest fixes and features.

-Learn more about [Communication service - UpgradePhoneNumbersSdk (Use recommended version of Phone Numbers SDK)](../communication-services/concepts/sdk-options.md).

-### Use recommended version of Calling SDK

-Azure Communication Services Calling SDK can be used to enable voice, video, screen-sharing, and other real-time communication. Update to the recommended version of Calling SDK to ensure the latest fixes and features.

-Learn more about [Communication service - UpgradeCallingSdk (Use recommended version of Calling SDK)](../communication-services/concepts/voice-video-calling/calling-sdk-features.md).

-### Use recommended version of Call Automation SDK

-Azure Communication Services Call Automation SDK can be used to make and manage calls, play audio, and configure recording. Update to the recommended version of Call Automation SDK to ensure the latest fixes and features.

-Learn more about [Communication service - UpgradeServerCallingSdk (Use recommended version of Call Automation SDK)](../communication-services/concepts/voice-video-calling/call-automation-apis.md).

-### Use recommended version of Network Traversal SDK

-Azure Communication Services Network Traversal SDK can be used to access TURN servers for low-level data transport. Update to the recommended version of Network Traversal SDK to ensure the latest fixes and features.

-Learn more about [Communication service - UpgradeTurnSdk (Use recommended version of Network Traversal SDK)](../communication-services/concepts/sdk-options.md).

-## Compute

-We have identified sdk calls from outdated API for resources under this subscription. We recommend switching to the latest sdk versions. This ensures you receive the latest features and performance improvements.

-We have determined that your VMs are located in a region different or far from where your users are connecting from, using Azure Virtual Desktop. This may lead to prolonged connection response times and will impact overall user experience on Azure Virtual Desktop.

-We have noticed your Standard HDD disk is approaching performance targets. Azure premium SSDs deliver high-performance and low-latency disk support for virtual machines with IO-intensive workloads. Give your disk performance a boost by upgrading your Standard HDD disk to Premium SSD disk. Upgrading requires a VM reboot, which will take three to five minutes.

-We have detected that Accelerated Networking is not enabled on VM resources in your existing deployment that may be capable of supporting this feature. If your VM OS image supports Accelerated Networking as detailed in the documentation, make sure to enable this free feature on these VMs to maximize the performance and latency of your networking workloads in cloud

-We noticed that you are using SSD disks while also using Standard HDD disks on the same VM. Standard HDD managed disks are generally recommended for dev-test and backup; we recommend you use Premium SSDs or Standard SSDs for production. Premium SSDs deliver high-performance and low-latency disk support for virtual machines with IO-intensive workloads. Standard SSDs provide consistent and lower latency. Upgrade your disk configuration today for improved latency, reliability, and availability. Upgrading requires a VM reboot, which will take three to five minutes.

-Production virtual machines need production disks if you want to get the best performance. We see that you are running a production level virtual machine, however, you are using a low performing disk with standard HDD. Upgrading your disks that are attached to your production disks, either Standard SSD or Premium SSD, will benefit you with a more consistent experience and improvements in latency.

-### Accelerated Networking may require stopping and starting the VM

-We have detected that Accelerated Networking is not engaged on VM resources in your existing deployment even though the feature has been requested. In rare cases like this, it may be necessary to stop and start your VM, at your convenience, to re-engage AccelNet.

-Learn more about [Virtual machine - AccelNetDisengaged (Accelerated Networking may require stopping and starting the VM)](../virtual-network/create-vm-accelerated-networking-cli.md#enable-accelerated-networking-on-existing-vms).

-### Take advantage of Ultra Disk low latency for your log disks and improve your database workload performance.

-Ultra disk is available in the same region as your database workload. Ultra disk offers high throughput, high IOPS, and consistent low latency disk storage for your database workloads: For Oracle DBs, you can now use either 4k or 512E sector sizes with Ultra disk depending on your Oracle DB version. For SQL server, leveraging Ultra disk for your log disk might offer more performance for your database. See instructions here for migrating your log disk to Ultra disk.

-### Upgrade the size of your virtual machines close to resource exhaustion

-We analyzed data for the past 7 days and identified virtual machines (VMs) with high utilization across different metrics (i.e., CPU, Memory, and VM IO). Those VMs may experience performance issues since they are nearing/at their SKU's limits. Consider upgrading their SKU to improve performance.

-Learn more about [Virtual machine - Improve the performance of highly used VMs using Azure Advisor](https://aka.ms/aa_resizehighusagevmrec_learnmore)

-## Kubernetes

-## DataFactory

-### Review your throttled Data Factory Triggers

-A high volume of throttling has been detected in an event-based trigger that runs in your Data Factory resource. This is causing your pipeline runs to drop from the run queue. Review the trigger definition to resolve issues and increase performance.

-Learn more about [Data factory trigger - ADFThrottledTriggers (Review your throttled Data Factory Triggers)](https://aka.ms/adf-create-event-trigger).

-## MariaDB

-Our internal telemetry shows that the server may be constrained because it is approaching limits for the currently provisioned storage values. This may result in degraded performance or in the server being moved to read-only mode. To ensure continued performance, we recommend increasing the provisioned storage amount or turning ON the "Auto-Growth" feature for automatic storage increases

-Our internal telemetry shows that the CPU has been running under high utilization for an extended period of time over the last 7 days. High CPU utilization may lead to slow query performance. To improve performance, we recommend moving to a larger compute size.

-Our internal telemetry shows that the server may be unable to support the connection requests because of the maximum supported connections for the given SKU. This may result in a large number of failed connections requests which adversely affect the performance. To improve performance, we recommend moving to higher memory SKU by increasing vCore or switching to Memory-Optimized SKUs.

-Our internal telemetry shows that there is high churn in the buffer pool for this server which can result in slower query performance and increased IOPS. To improve performance, review your workload queries to identify opportunities to minimize memory consumed. If no such opportunity found, then we recommend moving to higher SKU with more memory or increase storage size to get more IOPS.

-Our internal telemetry shows that the server's audit logs may have been lost over the past day. This can occur when your server is experiencing a CPU heavy workload or a server generates a large number of audit logs over a short period of time. We recommend only logging the necessary events required for your audit purposes using the following server parameters: audit_log_events, audit_log_exclude_users, audit_log_include_users. If the CPU usage on your server is high due to your workload, we recommend increasing the server's vCores to improve performance.

-## MySQL

-Our internal telemetry shows that the server may be constrained because it is approaching limits for the currently provisioned storage values. This may result in degraded performance or in the server being moved to read-only mode. To ensure continued performance, we recommend increasing the provisioned storage amount or turning ON the "Auto-Growth" feature for automatic storage increases

-Our internal telemetry shows that the server may be unable to support the connection requests because of the maximum supported connections for the given SKU. This may result in a large number of failed connections requests which adversely affect the performance. To improve performance, we recommend moving to a higher memory SKU by increasing vCore or switching to Memory-Optimized SKUs.

-Our internal telemetry shows that the CPU has been running under high utilization for an extended period of time over the last 7 days. High CPU utilization may lead to slow query performance. To improve performance, we recommend moving to a larger compute size.

-Our internal telemetry shows that there is high churn in the buffer pool for this server which can result in slower query performance and increased IOPS. To improve performance, review your workload queries to identify opportunities to minimize memory consumed. If no such opportunity found, then we recommend moving to higher SKU with more memory or increase storage size to get more IOPS.

-Our internal telemetry shows that you may have a read intensive workload running, which results in resource contention for this server. This may lead to slow query performance for the server. To improve performance, we recommend you add a read replica, and offload some of your read workloads to the replica.

-Our internal telemetry indicates that your application connecting to MySQL server may not be managing connections efficiently. This may result in unnecessary resource consumption and overall higher application latency. To improve connection management, we recommend that you reduce the number of short-lived connections and eliminate unnecessary idle connections. This can be done by configuring a server side connection-pooler, such as ProxySQL.

-Our internal telemetry shows that the server's audit logs may have been lost over the past day. This can occur when your server is experiencing a CPU heavy workload or a server generates a large number of audit logs over a short period of time. We recommend only logging the necessary events required for your audit purposes using the following server parameters: audit_log_events, audit_log_exclude_users, audit_log_include_users. If the CPU usage on your server is high due to your workload, we recommend increasing the server's vCores to improve performance.

-Our internal telemetry indicates that your MySQL server may be incurring unnecessary I/O overhead due to low temporary-table parameter settings. This may result in unnecessary disk-based transactions and reduced performance. We recommend that you increase the 'tmp_table_size' and 'max_heap_table_size' parameter values to reduce the number of disk-based transactions.

-Our internal telemetry indicates that your application connecting to MySQL server may not be managing connections efficiently. This may result in higher application latency. To improve connection latency, we recommend that you enable connection redirection. This can be done by enabling the connection redirection feature of the PHP driver.

-Our internal telemetry shows that the server may be constrained because it is approaching limits for the currently provisioned storage values. This may result in degraded performance or in the server being moved to read-only mode. To ensure continued performance, we recommend increasing the provisioned storage amount.

-Our telemetry indicates that your Flexible Server is exceeding the connection limits associated with your current SKU. A large number of failed connection requests may adversely affect server performance. To improve performance, we recommend increasing the number of vCores or switching to a higher SKU.

-Our internal telemetry shows that the CPU has been running under high utilization for an extended period of time over the last 7 days. High CPU utilization may lead to slow query performance. To improve performance, we recommend moving to a larger compute size.

-Our internal telemetry indicates that your MySQL server may be incurring unnecessary I/O overhead due to low temporary-table parameter settings. This may result in unnecessary disk-based transactions and reduced performance. We recommend that you increase the 'tmp_table_size' and 'max_heap_table_size' parameter values to reduce the number of disk-based transactions.

-Our internal telemetry shows that there is high memory usage for this server which can result in slower query performance and increased IOPS. To improve performance, please review your workload queries to identify opportunities to minimize memory consumed. If no such opportunity found, then we recommend moving to higher SKU with more memory or increase storage size to get more IOPS.

-Our internal telemetry shows that you may have a read intensive workload running, which results in resource contention for this server. This may lead to slow query performance for the server. To improve performance, we recommend you add a read replica, and offload some of your read workloads to the replica.

-## PostgreSQL

-Our internal telemetry shows that the configuration work_mem is too small for your PostgreSQL server which is resulting in disk spilling and degraded query performance. To improve this, we recommend increasing the work_mem limit for the server which will help to reduce the scenarios when the sort or hash happens on disk, thereby improving the overall query performance.

-### Scale the storage limit for PostgreSQL server

-Our internal telemetry shows that the server may be constrained because it is approaching limits for the currently provisioned storage values. This may result in degraded performance or in the server being moved to read-only mode. To ensure continued performance, we recommend increasing the provisioned storage amount or turning ON the "Auto-Growth" feature for automatic storage increases

-Learn more about [PostgreSQL server - OrcasPostgreSqlStorageLimit (Scale the storage limit for PostgreSQL server)](https://aka.ms/postgresqlstoragelimits).

-### Distribute data in server group to distribute workload among nodes

-It looks like the data has not been distributed in this server group but stays on the coordinator. For full Hyperscale (Citus) benefits distribute data on worker nodes in this server group.

-Learn more about [Hyperscale (Citus) server group - OrcasPostgreSqlCitusDistributeData (Distribute data in server group to distribute workload among nodes)](https://go.microsoft.com/fwlink/?linkid=2135201).

-### Rebalance data in Hyperscale (Citus) server group to distribute workload among worker nodes more evenly

-It looks like the data is not well balanced between worker nodes in this Hyperscale (Citus) server group. In order to use each worker node of the Hyperscale (Citus) server group effectively rebalance data in this server group.

-Learn more about [Hyperscale (Citus) server group - OrcasPostgreSqlCitusRebalanceData (Rebalance data in Hyperscale (Citus) server group to distribute workload among worker nodes more evenly)](https://go.microsoft.com/fwlink/?linkid=2148869).

-Our internal telemetry shows that the server may be unable to support the connection requests because of the maximum supported connections for the given SKU. This may result in a large number of failed connections requests which adversely affect the performance. To improve performance, we recommend moving to higher memory SKU by increasing vCore or switching to Memory-Optimized SKUs.

-Our internal telemetry shows that there is high churn in the buffer pool for this server which can result in slower query performance and increased IOPS. To improve performance, review your workload queries to identify opportunities to minimize memory consumed. If no such opportunity found, then we recommend moving to higher SKU with more memory or increase storage size to get more IOPS.

-Our internal telemetry shows that you may have a read intensive workload running, which results in resource contention for this server. This may lead to slow query performance for the server. To improve performance, we recommend you add a read replica, and offload some of your read workloads to the replica.

-Our internal telemetry shows that the CPU has been running under high utilization for an extended period of time over the last 7 days. High CPU utilization may lead to slow query performance. To improve performance, we recommend moving to a larger compute size.

-Our internal telemetry indicates that your PostgreSQL server may not be managing connections efficiently. This may result in unnecessary resource consumption and overall higher application latency. To improve connection management, we recommend that you reduce the number of short-lived connections and eliminate unnecessary idle connections. This can be done by configuring a server side connection-pooler, such as PgBouncer.

-Our internal telemetry indicates that your PostgreSQL server has been configured to output VERBOSE error logs. This can be useful for troubleshooting your database, but it can also result in reduced database performance. To improve performance, we recommend that you change the log_error_verbosity parameter to the DEFAULT setting.

-Our internal telemetry indicates that your PostgreSQL server has been configured to track query statistics using the pg_stat_statements module. While useful for troubleshooting, it can also result in reduced server performance. To improve performance, we recommend that you change the pg_stat_statements.track parameter to NONE.

-Our internal telemetry indicates that your PostgreSQL database has been configured to track query performance using the pg_qs.query_capture_mode parameter. While troubleshooting, we suggest setting the pg_qs.query_capture_mode parameter to TOP or ALL. When not troubleshooting, we recommend that you set the pg_qs.query_capture_mode parameter to NONE.

-Our internal telemetry shows that the server may be constrained because it is approaching limits for the currently provisioned storage values. This may result in degraded performance or in the server being moved to read-only mode. To ensure continued performance, we recommend increasing the provisioned storage amount.

-### Optimize logging settings by setting LoggingCollector to -1

-### Optimize logging settings by setting LogDuration to OFF

-### Optimize logging settings by setting LogStatement to NONE

-### Optimize logging settings by setting ReplaceParameter to OFF

-### Optimize logging settings by setting LoggingCollector to OFF

-Our internal telemetry shows that one or more nodes in the server group may be constrained because they are approaching limits for the currently provisioned storage values. This may result in degraded performance or in the server being moved to read-only mode. To ensure continued performance, we recommend increasing the provisioned disk space.

-Our internal telemetry indicates that you have log_statement enabled, for better performance, set it to NONE

-Our internal telemetry shows that the configuration work_mem is too small for your PostgreSQL server which is resulting in disk spilling and degraded query performance. To improve this, we recommend increasing the work_mem limit for the server which will help to reduce the scenarios when the sort or hash happens on disk, thereby improving the overall query performance.

-Our internal telemetry suggests that you can improve storage performance by enabling Intelligent tuning

-Our internal telemetry indicates that you have log_duration enabled, for better performance, set it to OFF

-Our internal telemetry indicates that you have log_min_duration enabled, for better performance, set it to -1

-Our internal telemetry indicates that you have pg_qs.query_capture_mode enabled, for better performance, set it to NONE

-Our Internal telemetry indicates that you can improve PostgreSQL performance by enabling PGBouncer

-Our internal telemetry indicates that you have log_error_verbosity enabled, for better performance, set it to DEFAULT

-Our internal telemetry shows that one or more nodes in the server group may be constrained because they are approaching limits for the currently provisioned storage values. This may result in degraded performance or in the server being moved to read-only mode. To ensure continued performance, we recommend increasing the provisioned disk space.

-Consider our new offering Azure Database for PostgreSQL Flexible Server that provides richer capabilities such as zone resilient HA, predictable performance, maximum control, custom maintenance window, cost optimization controls and simplified developer experience. Learn more.

-Our internal telemetry shows that there is high churn in the buffer pool for this server which can result in slower query performance and increased IOPS. To improve performance, please review your workload queries to identify opportunities to minimize memory consumed. If no such opportunity found, then we recommend moving to higher SKU with more memory or increase storage size to get more IOPS.

-## DesktopVirtualization

-### Improve user experience and connectivity by deploying VMs closer to userΓÇÖs location.

-We have determined that your VMs are located in a region different or far from where your users are connecting from, using Azure Virtual Desktop. This may lead to prolonged connection response times and will impact overall user experience on Azure Virtual Desktop. When creating VMs for your host pools, you should attempt to use a region closer to the user. Having close proximity ensures continuing satisfaction with the Azure Virtual Desktop service and a better overall quality of experience.

-Learn more about [Host Pool - RegionProximityHostPools (Improve user experience and connectivity by deploying VMs closer to userΓÇÖs location.)](../virtual-desktop/connection-latency.md).

-### Change the max session limit for your depth first load balanced host pool to improve VM performance

-Depth first load balancing uses the max session limit to determine the maximum number of users that can have concurrent sessions on a single session host. If the max session limit is too high, all user sessions will be directed to the same session host and this may cause performance and reliability issues. Therefore, when setting a host pool to have depth first load balancing, you should also set an appropriate max session limit according to the configuration of your deployment and capacity of your VMs. To fix this, open your host pool's properties and change the value next to the "Max session limit" setting.

-Learn more about [Host Pool - ChangeMaxSessionLimitForDepthFirstHostPool (Change the max session limit for your depth first load balanced host pool to improve VM performance )](../virtual-desktop/configure-host-pool-load-balancing.md).

-## Azure Cosmos DB

-### Configure your Azure Cosmos DB query page size (MaxItemCount) to -1

-You are using the query page size of 100 for queries for your Azure Cosmos DB container. We recommend using a page size of -1 for faster scans.

-Learn more about [Azure Cosmos DB account - CosmosDBQueryPageSize (Configure your Azure Cosmos DB query page size (MaxItemCount) to -1)](/azure/cosmos-db/sql-api-query-metrics#max-item-count).

-### Add composite indexes to your Azure Cosmos DB container

-Your Azure Cosmos DB containers are running ORDER BY queries incurring high Request Unit (RU) charges. It is recommended to add composite indexes to your containers' indexing policy to improve the RU consumption and decrease the latency of these queries.

-Learn more about [Azure Cosmos DB account - CosmosDBOrderByHighRUCharge (Add composite indexes to your Azure Cosmos DB container)](../cosmos-db/index-policy.md#composite-indexes).

-### Optimize your Azure Cosmos DB indexing policy to only index what's needed

-Your Azure Cosmos DB containers are using the default indexing policy, which indexes every property in your documents. Because you're storing large documents, a high number of properties get indexed, resulting in high Request Unit consumption and poor write latency. To optimize write performance, we recommend overriding the default indexing policy to only index the properties used in your queries.

-Learn more about [Azure Cosmos DB account - CosmosDBDefaultIndexingWithManyPaths (Optimize your Azure Cosmos DB indexing policy to only index what's needed)](../cosmos-db/index-policy.md).

-### Use hierarchical partition keys for optimal data distribution

-This account has a custom setting that allows the logical partition size in a container to exceed the limit of 20 GB. This setting was applied by the Azure Cosmos DB team as a temporary measure to give you time to re-architect your application with a different partition key. It is not recommended as a long-term solution, as SLA guarantees are not honored when the limit is increased. You can now use hierarchical partition keys (preview) to re-architect your application. The feature allows you to exceed the 20 GB limit by setting up to three partition keys, ideal for multi-tenant scenarios or workloads that use synthetic keys.

-Learn more about [Azure Cosmos DB account - CosmosDBHierarchicalPartitionKey (Use hierarchical partition keys for optimal data distribution)](https://devblogs.microsoft.com/cosmosdb/hierarchical-partition-keys-private-preview/).

-### Configure your Azure Cosmos DB applications to use Direct connectivity in the SDK

-We noticed that your Azure Cosmos DB applications are using Gateway mode via the Azure Cosmos DB .NET or Java SDKs. We recommend switching to Direct connectivity for lower latency and higher scalability.

-Learn more about [Azure Cosmos DB account - CosmosDBGatewayMode (Configure your Azure Cosmos DB applications to use Direct connectivity in the SDK)](/azure/cosmos-db/performance-tips#networking).

-### Enhance Performance by Scaling Up for Optimal Resource Utilization

-Maximizing the efficiency of your system's resources is crucial for maintaining top-notch performance. Our system closely monitors CPU usage, and when it crosses the 90% threshold over a 12-hour period, a proactive alert is triggered. This alert not only informs Azure Cosmos DB for MongoDB vCore users of the elevated CPU consumption but also provides valuable guidance on scaling up to a higher tier. By upgrading to a more robust tier, you can unlock improved performance and ensure your system operates at its peak potential.

-Learn more about [Scaling and configuring Your Azure Cosmos DB for MongoDB vCore cluster](../cosmos-db/mongodb/vcore/how-to-scale-cluster.md)

-## HDInsight

-### Unsupported Kubernetes version is detected

-Unsupported Kubernetes version is detected. Ensure Kubernetes cluster runs with a supported version.

-Learn more about [HDInsight Cluster Pool - UnsupportedHiloAKSVersionIsDetected (Unsupported Kubernetes version is detected)](https://aka.ms/aks-supported-versions).

-### Reads happen on most recent data

-More than 75% of your read requests are landing on the memstore. That indicates that the reads are primarily on recent data. This suggests that even if a flush happens on the memstore, the recent file needs to be accessed and that file needs to be in the cache.

-Learn more about [HDInsight cluster - HBaseMemstoreReadPercentage (Reads happen on most recent data)](../hdinsight/hbase/apache-hbase-advisor.md).

-### Consider using Accelerated Writes feature in your HBase cluster to improve cluster performance.

-You are seeing this advisor recommendation because HDInsight team's system log shows that in the past 7 days, your cluster has encountered the following scenarios:

- 1. High WAL sync time latency

- 2. High write request count (at least 3 one hour windows of over 1000 avg_write_requests/second/node)

-These conditions are indicators that your cluster is suffering from high write latencies. This could be due to heavy workload performed on your cluster.

-To improve the performance of your cluster, you may want to consider utilizing the Accelerated Writes feature provided by Azure HDInsight HBase. The Accelerated Writes feature for HDInsight Apache HBase clusters attaches premium SSD-managed disks to every RegionServer (worker node) instead of using cloud storage. As a result, provides low write-latency and better resiliency for your applications.

-To read more on this feature, please visit link:

-Learn more about [HDInsight cluster - AccWriteCandidate (Consider using Accelerated Writes feature in your HBase cluster to improve cluster performance.)](../hdinsight/hbase/apache-hbase-accelerated-writes.md).

-### More than 75% of your queries are full scan queries.

-More than 75% of the scan queries on your cluster are doing a full region/table scan. Modify your scan queries to avoid full region or table scans.

-Learn more about [HDInsight cluster - ScanQueryTuningcandidate (More than 75% of your queries are full scan queries.)](../hdinsight/hbase/apache-hbase-advisor.md).

-### Check your region counts as you have blocking updates.

-Region counts needs to be adjusted to avoid updates getting blocked. It might require a scale up of the cluster by adding new nodes.

-Learn more about [HDInsight cluster - RegionCountCandidate (Check your region counts as you have blocking updates.)](../hdinsight/hbase/apache-hbase-advisor.md).

-### Consider increasing the flusher threads

-The flush queue size in your region servers is more than 100 or there are updates getting blocked frequently. Tuning of the flush handler is recommended.

-Learn more about [HDInsight cluster - FlushQueueCandidate (Consider increasing the flusher threads)](../hdinsight/hbase/apache-hbase-advisor.md).

-### Consider increasing your compaction threads for compactions to complete faster

-The compaction queue in your region servers is more than 2000 suggesting that more data requires compaction. Slower compactions can impact read performance as the number of files to read are more. More files without compaction can also impact the heap usage related to how files interact with Azure file system.

-Learn more about [HDInsight cluster - CompactionQueueCandidate (Consider increasing your compaction threads for compactions to complete faster)](/azure/hdinsight/hbase/apache-hbase-advisor).

-## Automanage

-### Update Automanage to the latest API Version

-We have identified sdk calls from outdated API for resources under this subscription. We recommend switching to the latest sdk versions. This ensures you receive the latest features and performance improvements.

-Learn more about [Machine - Azure Arc - UpdateToLatestApiHci (Update Automanage to the latest API Version)](/azure/automanage/reference-sdk).

-## KeyVault

-### Update Key Vault SDK Version

-New Key Vault Client Libraries are split to keys, secrets, and certificates SDKs, which are integrated with recommended Azure Identity library to provide seamless authentication to Key Vault across all languages and environments. It also contains several performance fixes to issues reported by customers and proactively identified through our QA process.<br><br>**PLEASE DISMISS:**<br>If Key Vault is integrated with Azure Storage, Disk or other Azure services which can use old Key Vault SDK and when all your current custom applications are using .NET SDK 4.0 or above.

-Learn more about [Key vault - UpgradeKeyVaultSDK (Update Key Vault SDK Version)](../key-vault/general/client-libraries.md).

-### Update Key Vault SDK Version

-New Key Vault Client Libraries are split to keys, secrets, and certificates SDKs, which are integrated with recommended Azure Identity library to provide seamless authentication to Key Vault across all languages and environments. It also contains several performance fixes to issues reported by customers and proactively identified through our QA process.

-> [!IMPORTANT]

-> Please be aware that you can only remediate recommendation for custom applications you have access to. Recommendations can be shown due to integration with other Azure services like Storage, Disk encryption, which are in process to update to new version of our SDK. If you use .NET 4.0 in all your applications please dismiss.

-Learn more about [Managed HSM Service - UpgradeKeyVaultMHSMSDK (Update Key Vault SDK Version)](../key-vault/general/client-libraries.md).

-## Data Exporer

-### Right-size Data Explorer resources for optimal performance.

-This recommendation surfaces all Data Explorer resources which exceed the recommended data capacity (80%). The recommended action to improve the performance is to scale to the recommended configuration shown.

-Learn more about [Data explorer resource - Right-size ADX resource (Right-size Data Explorer resources for optimal performance.)](https://aka.ms/adxskuperformance).

-### Review table cache policies for Data Explorer tables

-This recommendation surfaces Data Explorer tables with a high number of queries that look back beyond the configured cache period (policy). (You'll see the top 10 tables by query percentage that access out-of-cache data). The recommended action to improve the performance: Limit queries on this table to the minimal necessary time range (within the defined policy). Alternatively, if data from the entire time range is required, increase the cache period to the recommended value.

-Learn more about [Data explorer resource - UpdateCachePoliciesForAdxTables (Review table cache policies for Data Explorer tables)](https://aka.ms/adxcachepolicy).

-### Reduce Data Explorer table cache policy for better performance

-Reducing the table cache policy will free up unused data from the resource's cache and improve performance.

-Learn more about [Data explorer resource - ReduceCacheForAzureDataExplorerTablesToImprovePerformance (Reduce Data Explorer table cache policy for better performance)](https://aka.ms/adxcachepolicy).

-## Networking

-### Configure DNS Time to Live to 60 seconds

-Time to Live (TTL) affects how recent of a response a client will get when it makes a request to Azure Traffic Manager. Reducing the TTL value means that the client will be routed to a functioning endpoint faster in the case of a failover. Configure your TTL to 60 seconds to route traffic to a health endpoint as quickly as possible.

-Learn more about [Traffic Manager profile - ProfileTTL (Configure DNS Time to Live to 60 seconds)](https://aka.ms/Um3xr5).

-### Configure DNS Time to Live to 20 seconds

-Time to Live (TTL) affects how recent of a response a client will get when it makes a request to Azure Traffic Manager. Reducing the TTL value means that the client will be routed to a functioning endpoint faster in the case of a failover. Configure your TTL to 20 seconds to route traffic to a health endpoint as quickly as possible.

-Learn more about [Traffic Manager profile - FastFailOverTTL (Configure DNS Time to Live to 20 seconds)](https://aka.ms/Ngfw4r).

-### Configure DNS Time to Live to 60 seconds

-Time to Live (TTL) affects how recent of a response a client will get when it makes a request to Azure Traffic Manager. Reducing the TTL value means that the client will be routed to a functioning endpoint faster in the case of a failover. Configure your TTL to 60 seconds to route traffic to a health endpoint as quickly as possible.

-Learn more about [Traffic Manager profile - ProfileTTL (Configure DNS Time to Live to 60 seconds)](https://aka.ms/Um3xr5).

-You have been using over 90% of your procured circuit bandwidth recently. If you exceed your allocated bandwidth, you will experience an increase in dropped packets sent over ExpressRoute. Upgrade your circuit bandwidth to maintain performance if your bandwidth needs remain this high.

-### Consider increasing the size of your VNet Gateway SKU to address consistently high CPU use

-Under high traffic load, the VPN gateway may drop packets due to high CPU.

-Learn more about [Virtual network gateway - HighCPUVNetGateway (Consider increasing the size of your VNet Gateway SKU to address consistently high CPU use)](https://aka.ms/HighCPUP2SVNetGateway).

-### Consider increasing the size of your VNet Gateway SKU to address high P2S use

-Each gateway SKU can only support a specified count of concurrent P2S connections. Your connection count is close to your gateway limit, so additional connection attempts may fail.

-Learn more about [Virtual network gateway - HighP2SConnectionsVNetGateway (Consider increasing the size of your VNet Gateway SKU to address high P2S use)](https://aka.ms/HighP2SConnectionsVNetGateway).

-### Make sure you have enough instances in your Application Gateway to support your traffic

-Your Application Gateway has been running on high utilization recently and under heavy load, you may experience traffic loss or increase in latency. It is important that you scale your Application Gateway according to your traffic and with a bit of a buffer so that you are prepared for any traffic surges or spikes and minimizing the impact that it may have in your QoS. Application Gateway v1 SKU (Standard/WAF) supports manual scaling and v2 SKU (Standard_v2/WAF_v2) support manual and autoscaling. In case of manual scaling, increase your instance count and if autoscaling is enabled, make sure your maximum instance count is set to a higher value so Application Gateway can scale out as the traffic increases

-Learn more about [Application gateway - HotAppGateway (Make sure you have enough instances in your Application Gateway to support your traffic)](https://aka.ms/hotappgw).

-## SQL

-### Create statistics on table columns

-We have detected that you are missing table statistics which may be impacting query performance. The query optimizer uses statistics to estimate the cardinality or number of rows in the query result which enables the query optimizer to create a high quality query plan.

-Learn more about [SQL data warehouse - CreateTableStatisticsSqlDW (Create statistics on table columns)](https://aka.ms/learnmorestatistics).

-### Remove data skew to increase query performance

-We have detected distribution data skew greater than 15%. This can cause costly performance bottlenecks.

-Learn more about [SQL data warehouse - DataSkewSqlDW (Remove data skew to increase query performance)](https://aka.ms/learnmoredataskew).

-### Update statistics on table columns

-We have detected that you do not have up-to-date table statistics which may be impacting query performance. The query optimizer uses up-to-date statistics to estimate the cardinality or number of rows in the query result which enables the query optimizer to create a high quality query plan.

-Learn more about [SQL data warehouse - UpdateTableStatisticsSqlDW (Update statistics on table columns)](https://aka.ms/learnmorestatistics).

-### Scale up to optimize cache utilization with SQL Data Warehouse

-We have detected that you had high cache used percentage with a low hit percentage. This indicates high cache eviction which can impact the performance of your workload.

-Learn more about [SQL data warehouse - SqlDwIncreaseCacheCapacity (Scale up to optimize cache utilization with SQL Data Warehouse)](https://aka.ms/learnmoreadaptivecache).

-### Scale up or update resource class to reduce tempdb contention with SQL Data Warehouse

-We have detected that you had high tempdb utilization which can impact the performance of your workload.

-Learn more about [SQL data warehouse - SqlDwReduceTempdbContention (Scale up or update resource class to reduce tempdb contention with SQL Data Warehouse)](https://aka.ms/learnmoretempdb).

-### Convert tables to replicated tables with SQL Data Warehouse

-We have detected that you may benefit from using replicated tables. When using replicated tables, this will avoid costly data movement operations and significantly increase the performance of your workload.

-Learn more about [SQL data warehouse - SqlDwReplicateTable (Convert tables to replicated tables with SQL Data Warehouse)](https://aka.ms/learnmorereplicatedtables).

-### Split staged files in the storage account to increase load performance

-We have detected that you can increase load throughput by splitting your compressed files that are staged in your storage account. A good rule of thumb is to split compressed files into 60 or more to maximize the parallelism of your load.

-Learn more about [SQL data warehouse - FileSplittingGuidance (Split staged files in the storage account to increase load performance)](https://aka.ms/learnmorefilesplit).

-### Increase batch size when loading to maximize load throughput, data compression, and query performance

-We have detected that you can increase load performance and throughput by increasing the batch size when loading into your database. You should consider using the COPY statement. If you are unable to use the COPY statement, consider increasing the batch size when using loading utilities such as the SQLBulkCopy API or BCP - a good rule of thumb is a batch size between 100K to 1M rows.

-Learn more about [SQL data warehouse - LoadBatchSizeGuidance (Increase batch size when loading to maximize load throughput, data compression, and query performance)](https://aka.ms/learnmoreincreasebatchsize).

-### Co-locate the storage account within the same region to minimize latency when loading

-We have detected that you are loading from a region that is different from your SQL pool. You should consider loading from a storage account that is within the same region as your SQL pool to minimize latency when loading data.

-Learn more about [SQL data warehouse - ColocateStorageAccount (Co-locate the storage account within the same region to minimize latency when loading)](https://aka.ms/learnmorestoragecolocation).

-## Storage

-### Use "Put Blob" for blobs smaller than 256 MB

-When writing a block blob that is 256 MB or less (64 MB for requests using REST versions before 2016-05-31), you can upload it in its entirety with a single write operation using "Put Blob". Based on your aggregated metrics, we believe your storage account's write operations can be optimized.

-Learn more about [Storage Account - StorageCallPutBlob (Use \""Put Blob\"" for blobs smaller than 256 MB)](https://aka.ms/understandblockblobs).

-### Upgrade your Storage Client Library to the latest version for better reliability and performance

-The latest version of Storage Client Library/ SDK contains fixes to issues reported by customers and proactively identified through our QA process. The latest version also carries reliability and performance optimization in addition to new features that can improve your overall experience using Azure Storage.

-Learn more about [Storage Account - UpdateStorageDataMovementSDK (Upgrade your Storage Client Library to the latest version for better reliability and performance)](https://aka.ms/AA5wtca).

-### Upgrade to Standard SSD Disks for consistent and improved performance

-Because you are running IaaS virtual machine workloads on Standard HDD managed disks, we wanted to let you know that a Standard SSD disk option is now available for all Azure VM types. Standard SSD disks are a cost-effective storage option optimized for enterprise workloads that need consistent performance. Upgrade your disk configuration today for improved latency, reliability, and availability. Upgrading requires a VM reboot, which will take three to five minutes.

-Learn more about [Storage Account - StandardSSDForNonPremVM (Upgrade to Standard SSD Disks for consistent and improved performance)](/azure/virtual-machines/windows/disks-types#standard-ssd).

-### Use premium performance block blob storage

-One or more of your storage accounts has a high transaction rate per GB of block blob data stored. Use premium performance block blob storage instead of standard performance storage for your workloads that require fast storage response times and/or high transaction rates and potentially save on storage costs.

-Learn more about [Storage Account - PremiumBlobStorageAccount (Use premium performance block blob storage)](https://aka.ms/usePremiumBlob).

-### Convert Unmanaged Disks from Standard HDD to Premium SSD for performance

-We have noticed your Unmanaged HDD Disk is approaching performance targets. Azure premium SSDs deliver high-performance and low-latency disk support for virtual machines with IO-intensive workloads. Give your disk performance a boost by upgrading your Standard HDD disk to Premium SSD disk. Upgrading requires a VM reboot, which will take three to five minutes.

-Learn more about [Storage Account - UMDHDDtoPremiumForPerformance (Convert Unmanaged Disks from Standard HDD to Premium SSD for performance)](/azure/virtual-machines/windows/disks-types#premium-ssd).

-## Subscription

-### Experience more predictable, consistent latency with a private connection to Azure

-Improve the performance, privacy, and reliability of your business-critical apps by extending your on-premises networks to Azure with Azure ExpressRoute. Establish private ExpressRoute connections directly from your WAN, through a cloud exchange facility, or through POP and IPVPN connections.

-Learn more about [Subscription - AzureExpressRoute (Experience more predictable, consistent latency with a private connection to Azure)](/azure/expressroute/expressroute-howto-circuit-portal-resource-manager).

-## Synapse

-### Tables with Clustered Columnstore Indexes (CCI) with less than 60 million rows

-Clustered columnstore tables are organized in data into segments. Having high segment quality is critical to achieving optimal query performance on a columnstore table. Segment quality can be measured by the number of rows in a compressed row group.

-Learn more about [Synapse workspace - SynapseCCIGuidance (Tables with Clustered Columnstore Indexes (CCI) with less than 60 million rows)](https://aka.ms/AzureSynapseCCIGuidance).

-### Update SynapseManagementClient SDK Version

-New SynapseManagementClient is using .NET SDK 4.0 or above.

-Learn more about [Synapse workspace - UpgradeSynapseManagementClientSDK (Update SynapseManagementClient SDK Version)](https://aka.ms/UpgradeSynapseManagementClientSDK).

-## Web

-### Move your App Service Plan to PremiumV2 for better performance

-Your app served more than 1000 requests per day for the past 3 days. Your app may benefit from the higher performance infrastructure available with the Premium V2 App Service tier. The Premium V2 tier features Dv2-series VMs with faster processors, SSD storage, and doubled memory-to-core ratio when compared to the previous instances. Learn more about upgrading to Premium V2 from our documentation.

-Learn more about [App service - AppServiceMoveToPremiumV2 (Move your App Service Plan to PremiumV2 for better performance)](https://aka.ms/ant-premiumv2).

-### Check outbound connections from your App Service resource

-Your app has opened too many TCP/IP socket connections. Exceeding ephemeral TCP/IP port connection limits can cause unexpected connectivity issues for your apps.

-Learn more about [App service - AppServiceOutboundConnections (Check outbound connections from your App Service resource)](https://aka.ms/antbc-socket).

-## SAP on Azure Workloads

-### For improved file system performance in HANA DB with ANF, optimize tcp_wmem OS parameter

-The parameter net.ipv4.tcp_wmem specifies minimum, default, and maximum send buffer sizes that are used for a TCP socket. Set the parameter as per SAP note: 302436 to certify HANA DB to run with ANF and improve file system performance. The maximum value should not exceed net.core.wmem_max parameter

-Learn more about [Database Instance - WriteBuffersAllocated (For improved file system performance in HANA DB with ANF, optimize tcp_wmem OS parameter)](https://launchpad.support.sap.com/#/notes/3024346).

-In HANA DB with ANF storage type, the maximum write socket buffer, defined by the parameter, net.core.wmem_max must be set large enough to handle outgoing network packets. This configuration certifies HANA DB to run with ANF and improves file system performance. See SAP note: 3024346

-The parameter net.ipv4.tcp_rmem specifies minimum, default, and maximum receive buffer sizes used for a TCP socket. Set the parameter as per SAP note 3024346 to certify HANA DB to run with ANF and improve file system performance. The maximum value should not exceed net.core.rmem_max parameter

-In HANA DB with ANF storage type, the maximum read socket buffer, defined by the parameter, net.core.rmem_max must be set large enough to handle incoming network packets. This configuration certifies HANA DB to run with ANF and improves file system performance. See SAP note: 3024346.

-The parameter net.core.netdev_max_backlog specifies the size of the receiver backlog queue, used if a Network interface receives packets faster than the kernel can process. Set the parameter as per SAP note: 3024346. This configuration certifies HANA DB to run with ANF and improves file system performance.

-Enable the TCP window scaling parameter as per SAP note: 302436. This configuration certifies HANA DB to run with ANF and improves file system performance in HANA DB with ANF in SAP workloads

-Disable IPv6 as per recommendation for SAP on Azure for HANA DB with ANF to improve file system performance

-Learn more about [Database Instance - DisableIPv6Protocol (For improved file system performance in HANA DB with ANF, disable IPv6 protocol in OS)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

-The parameter net.ipv4.tcp_slow_start_after_idle disables the need to scale-up incrementally the TCP window size for TCP connections which were idle for some time. By setting this parameter to zero as per SAP note: 302436, the maximum speed is used from beginning for previously idle TCP connections

-To prevent the kernel from using SYN cookies in a situation where lots of connection requests are sent in a short timeframe and to prevent a warning about a potential SYN flooding attack in the system log, the size of the SYN backlog should be set to a reasonably high value. See SAP note 2382421

-Learn more about [Database Instance - TCPMaxSynBacklog (For improved file system performance in HANA DB with ANF optimize tcp_max_syn_backlog OS parameter)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

-Enable the tcp_sack parameter as per SAP note: 302436. This configuration certifies HANA DB to run with ANF and improves file system performance in HANA DB with ANF in SAP workloads

-Disable the tcp_timestamps parameter as per SAP note: 302436. This configuration certifies HANA DB to run with ANF and improves file system performance in high-availability scenarios for HANA DB with ANF in SAP workloads

-Enable the tcp_timestamps parameter as per SAP note: 302436. This configuration certifies HANA DB to run with ANF and improves file system performance in HANA DB with ANF in SAP workloads

-The parameter net.ipv4.tcp_moderate_rcvbuf enables TCP to perform receive buffer auto-tuning, to automatically size the buffer (no greater than tcp_rmem to match the size required by the path for full throughput. Enable this parameter as per SAP note: 302436 for improved file system performance

-Set the parameter sunrpc.tcp_slot_table_entries to 128 as per recommendation for improved file system performance in HANA DB with ANF in SAP workloads

-Learn more about [Database Instance - TCPSlotTableEntries (To improve file system performance in HANA DB with ANF, optimize sunrpc.tcp_slot_table_entries)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

-### All disks in LVM for /hana/data volume should be of the same type to ensure high performance in HANA DB

-If multiple disk types are selected in the /hana/data volume, performance of HANA DB in SAP workloads might get restricted. Ensure all HANA Data volume disks are of the same type and are configured as per recommendation for SAP on Azure

-Learn more about [Database Instance - HanaDataDiskTypeSame (All disks in LVM for /hana/data volume should be of the same type to ensure high performance in HANA DB)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=Configuration%20for%20SAP%20/hana/data%20volume).

-### Stripe size for /hana/data should be 256 kb for improved performance of HANA DB in SAP workloads

-If you are using LVM or mdadm to build stripe sets across several Azure premium disks, you need to define stripe sizes. Based on experience with recentLinux versions, Azure recommends using stripe size of 256 kb for /hana/data filesystem for better performance of HANA DB

-Learn more about [Database Instance - HanaDataStripeSize (Stripe size for /hana/data should be 256 kb for improved performance of HANA DB in SAP workloads)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=As%20stripe%20sizes%20the%20recommendation%20is%20to%20use).

-Set the OS parameter vm.swappiness to 10 as per recommendation for improved file system performance in HANA DB with ANF in SAP workloads

-Learn more about [Database Instance - VmSwappiness (To improve file system performance in HANA DB with ANF, optimize the parameter vm.swappiness)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

-Disable the reverse path filter linux OS parameter, net.ipv4.conf.all.rp_filter as per recommendation for improved file system performance in HANA DB with ANF in SAP workloads

-Learn more about [Database Instance - DisableIPV4Conf (To improve file system performance in HANA DB with ANF, disable net.ipv4.conf.all.rp_filter)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

-### If using Ultradisk, the IOPS for /hana/data volume should be >=7000 for better HANA DB performance

-IOPS of at least 7000 in /hana/data volume is recommended for SAP workloads when using Ultradisk. Select the disk type for /hana/data volume as per this requirement to ensure high performance of the DB

-Learn more about [Database Instance - HanaDataIOPS (If using Ultradisk, the IOPS for /hana/data volume should be >=7000 for better HANA DB performance)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#azure-ultra-disk-storage-configuration-for-sap-hana:~:text=1%20x%20P6-,Azure%20Ultra%20disk%20storage%20configuration%20for%20SAP%20HANA,-Another%20Azure%20storage).

-Set the OS parameter tcp_max_slot_table_entries to 128 as per SAP note: 302436 for improved file transfer performance in HANA DB with ANF in SAP workloads

-Read activity of at least 400 MB/sec for /hana/data for 16 MB and 64 MB I/O sizes is recommended for SAP workloads on Azure. Select the disk type for /hana/data as per this requirement to ensure high performance of the DB and to meet minimum storage requirements for SAP HANA

-### Read/write performance of /hana/log volume should be >=250 MB/sec for better performance in HANA DB

-Read/Write activity of at least 250 MB/sec for /hana/log for 1 MB I/O size is recommended for SAP workloads on Azure. Select the disk type for /hana/log volume as per this requirement to ensure high performance of the DB and to meet minimum storage requirements for SAP HANA

-Learn more about [Database Instance - HanaLogReadWriteVolume (Read/write performance of /hana/log volume should be >=250 MB/sec for better performance in HANA DB)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=Read/write%20on%20/hana/log%20of%20250%20MB/sec%20with%201%20MB%20I/O%20sizes).

-### If using Ultradisk, the IOPS for /hana/log volume should be >=2000 for better performance in HANA DB

-IOPS of at least 2000 in /hana/log volume is recommended for SAP workloads when using Ultradisk. Select the disk type for /hana/log volume as per this requirement to ensure high performance of the DB

-Learn more about [Database Instance - HanaLogIOPS (If using Ultradisk, the IOPS for /hana/log volume should be >=2000 for better performance in HANA DB)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#azure-ultra-disk-storage-configuration-for-sap-hana:~:text=1%20x%20P6-,Azure%20Ultra%20disk%20storage%20configuration%20for%20SAP%20HANA,-Another%20Azure%20storage).

-### All disks in LVM for /hana/log volume should be of the same type to ensure high performance in HANA DB

-If multiple disk types are selected in the /hana/log volume, performance of HANA DB in SAP workloads might get restricted. Ensure all HANA Data volume disks are of the same type and are configured as per recommendation for SAP on Azure

-Learn more about [Database Instance - HanaDiskLogVolumeSameType (All disks in LVM for /hana/log volume should be of the same type to ensure high performance in HANA DB)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=For%20the%20/hana/log%20volume.%20the%20configuration%20would%20look%20like).

-### Stripe size for /hana/log should be 64 kb for improved performance of HANA DB in SAP workloads

-If you are using LVM or mdadm to build stripe sets across several Azure premium disks, you need to define stripe sizes. To get enough throughput with larger I/O sizes, Azure recommends using stripe size of 64 kb for /hana/log filesystem for better performance of HANA DB

-Learn more about [Database Instance - HanaLogStripeSize (Stripe size for /hana/log should be 64 kb for improved performance of HANA DB in SAP workloads)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=As%20stripe%20sizes%20the%20recommendation%20is%20to%20use).

-### You are close to exceeding storage quota of 2GB. Create a Standard search service

-### You are close to exceeding storage quota of 50MB. Create a Basic or Standard search service

-### You are close to exceeding your available storage quota. Add more partitions if you need more storage

-The data disks used by Kafka brokers in your HDInsight cluster are almost full. When that happens, the Apache Kafka broker process can't start and fails because of the disk full error. To mitigate, find the retention time for every topic, back up the files that are older and restart the brokers.

-### Creation of clusters under custom VNet requires more permission

-Your clusters with custom VNet were created without VNet joining permission. Ensure that the users who perform create operations have permissions to the Microsoft.Network/virtualNetworks/subnets/join action before September 30, 2023.

-The HDInsight service has attempted to apply a critical certificate update on all your running clusters. However, one or more policies in your subscription are preventing HDInsight service from creating or modifying network resources associated with your clusters and applying this update. Remove or update your policy assignment to allow HDInsight service to create or modify network resources such as load balancer, network interface and public IP address, associated with your clusters. Do this before January 21, 2021 05:00 PM UTC when the HDInsight team is performing updates between January 21, 2021 05:00 PM UTC and January 23, 2021 05:00 PM UTC. To verify the policy update, you can try to create network resources in the same resource group and subnet where your cluster is. Failure to apply this update might result in your clusters becoming unhealthy and unusable. You can also drop and recreate your cluster before January 25, 2021 to prevent the cluster from becoming unhealthy and unusable. The HDInsight service sends another notification if we failed to apply the update to your clusters.

-Virtual machines that don't have replication enabled to another region aren't resilient to regional outages. Replicating the machines drastically reduce any adverse business impact during the time of an Azure region outage. We highly recommend enabling replication of all the business critical virtual machines from the following list so that in an event of an outage, you can quickly bring up your machines in remote Azure region.

-In order for a session host to deploy and register to Azure Virtual Desktop properly, you need to add a set of URLs to the allowed list, in case your virtual machine runs in a restricted environment. After visiting the "Learn More" link, you see the minimum list of URLs you need to unblock to have a successful deployment and functional session host. For specific URL(s) missing from allowed list, you might also search your application event log for event 3702.

-### Replication - Add a primary key to the table that currently does not have one

-### High Availability - Add primary key to the table that currently does not have one

-### Availability might be impacted from high memory fragmentation. Increase fragmentation memory reservation to avoid potential impact

-Fragmentation and memory pressure can cause availability incidents during a failover or management operations. Increasing reservation of memory for fragmentation helps in reducing the cache failures when running under high memory pressure. Memory for fragmentation can be increased via maxfragmentationmemory-reserved setting available in advanced settings blade.

-Learn more about [Redis Cache Server - RedisCacheMemoryFragmentation (Availability might be impacted from high memory fragmentation. Increase fragmentation memory reservation to avoid potential impact.)](https://aka.ms/redis/recommendations/memory-policies).

-Our internal telemetry indicates that your PostgreSQL server might have inactive logical replication slots. THIS NEEDS IMMEDIATE ATTENTION. Inactive logical replication can result in degraded server performance and unavailability due to WAL file retention and buildup of snapshot files. To improve performance and availability, we STRONGLY recommend that you IMMEDIATELY take action. Either delete the inactive replication slots, or start consuming the changes from these slots so that the slots' Log Sequence Number (LSN) advances and is close to the current LSN of the server.

-Our internal telemetry indicates that your PostgreSQL flexible server might have inactive logical replication slots. THIS NEEDS IMMEDIATE ATTENTION. Inactive logical replication slots can result in degraded server performance and unavailability due to WAL file retention and buildup of snapshot files. To improve performance and availability, we STRONGLY recommend that you IMMEDIATELY take action. Either delete the inactive replication slots, or start consuming the changes from these slots so that the slots' Log Sequence Number (LSN) advances and is close to the current LSN of the server.

-We noticed that your Azure Cosmos DB container is configured with the Lazy indexing mode, which might impact the freshness of query results. We recommend switching to Consistent mode.

-### Upgrade Edge Device Runtime to a supported version for Iot Hub

-Some or all of your Edge devices are using outdated versions and we recommend you upgrade to the latest supported version of the runtime. See the details in the link given.

-Learn more about [IoT hub - UpgradeEdgeSdk (Upgrade Edge Device Runtime to a supported version for Iot Hub)](https://aka.ms/IOTEdgeSDKCheck).

-To mitigate the impact of Log4j 2 vulnerability, we recommend these steps:

-Learn more about [Application gateway - AppGwLog4JCVEGenericNotification (Additional protection to mitigate Log4j2 vulnerability (CVE-2021-44228))](https://aka.ms/log4jcve).

-### Update VNet permission of Application Gateway users

-The corosync token_retransmits_before_loss_const determines how many token retransmits the system attempts before timeout in HA clusters. Set the totem.token_retransmits_before_loss_const to 10 as per recommendation for ASCS HA setup.

-### Ensure that there is one instance of fence_azure_arm in Pacemaker configuration for ASCS HA setup

-The fence_azure_arm is an I/O fencing agent for Azure Resource Manager. Ensure that there's one instance of fence_azure_arm in the pacemaker configuration for ASCS HA setup. The fence_azure_arm requirement is applicable if you're using Azure fence agent for fencing with either managed identity or service principal.

-Learn more about [Central Server Instance - FenceAzureArmHAASCSSLE (Ensure that there's one instance of fence_azure_arm in Pacemaker configuration for ASCS HA setup)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

-Disable TCP timestamps on VMs placed behind Azure Load Balancer. Enabled TCP timestamps cause the health probes to fail due to TCP packets being dropped by the VM's guest OS TCP stack. Dropped TCP packets cause the load balancer to mark the endpoint as down.

-The corosync token_retransmits_before_loss_const determines how many token retransmits are attempted before timeout in HA clusters. Set the totem.token_retransmits_before_loss_const to 10 as per recommendation for HANA DB HA setup.

-### Set the expected votes parameter to 2 in the cluster cofiguration in HA enabled SAP workloads

-Set the expected votes parameter to 2 in the cluster cofiguration in HA enabled SAP workloads.

-Learn more about [Database Instance - ExpectedVotesSuseHDB (Set the expected votes parameter to 2 in the cluster cofiguration in HA enabled SAP workloads)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

-### Ensure that there is one instance of fence_azure_arm in Pacemaker configuration for HANA DB HA setup

-The fence_azure_arm is an I/O fencing agent for Azure Resource Manager. Ensure that there's one instance of fence_azure_arm in the pacemaker configuration for HANA DB HA setup. The fence_azure-arm instance requirement is applicable if you're using Azure fence agent for fencing with either managed identity or service principal.

-Learn more about [Database Instance - FenceAzureArmSuseHDB (Ensure that there's one instance of fence_azure_arm in Pacemaker configuration for HANA DB HA setup)](/azure/virtual-machines/workloads/sap/sap-hana-high-availability).

-Disable TCP timestamps on VMs placed behind Azure Load Balancer. Enabled TCP timestamps cause the health probes to fail due to TCP packets being dropped by the VM's guest OS TCP stack. Dropped TCP packets cause the load balancer to mark the endpoint as down.

-Enabling cross region restore for your geo-redundant vaults

-Enable backups for your virtual machines and secure your data

-Configure blob backup

-Keep your information and applications safe with robust, one click backup from Azure. Activate Azure Backup to get cost-effective protection for a wide range of workloads including VMs, SQL databases, applications, and file shares.

-After enabling the soft delete option, deleted data transitions to a soft deleted state instead of being permanently deleted. When data is overwritten, a soft deleted snapshot is generated to save the state of the overwritten data. You can configure the amount of time soft deleted data is recoverable before it permanently expires.

-To avoid data or functionality loss in the event of a regional or zonal disaster, implement common disaster recovery techniques such as cross region replication or cross zone replication for your Azure NetApp Files volumes

-Your App reached >90% CPU over the last couple of days. High CPU utilization can lead to runtime issues with your apps, to solve this you could scale out your app.

-You have deployed your application multiple times over the last week. Deployment slots help you manage changes and help you reduce deployment impact to your production web app.

-You have deployed your application multiple times over the last week. Deployment slots help you manage changes and help you reduce deployment impact to your production web app.

-We identified the following thread that resulted in an unhandled exception for your App and the application code must be fixed to prevent impact to application availability. A crash happens when an exception in your code terminates the process.

-We identified your application is running in 32-bit and the memory is reaching the 2GB limit. Consider switching to 64-bit processes so you can take advantage of the extra memory available in your Web Worker role. This action triggers a web app restart, so schedule accordingly.

-The combined bandwidth used by all the Free SKU Static Web Apps in this subscription is exceeding the monthly limit of 100GB. Consider upgrading these apps to Standard SKU to avoid throttling.

-### Supported file formats

-| `mov`, `mp4`, `m4a`, `3gp`, `3g2`, `mj2` | QuickTime / MOV |

-| `mpegts` | MPEG-TS (MPEG-2 Transport Stream) |

-| `rawvideo` | raw video |

-| `rm` | RealMedia |

-| `rtsp` | RTSP input |

-### Supported codecs

-| `rawvideo` | raw video |

-| `h265` | HEVC

-To begin, you need to create an index to store and organize the video files and their metadata. The example below demonstrates how to create an index named "my-video-index."

-Next, you can add video files to the index with their associated metadata. The example below demonstrates how to add two video files to the index using SAS URLs to provide access.

-After you add video files to the index, the ingestion process starts. It might take some time depending on the size and number of files. To ensure the ingestion is complete before performing searches, you can use the **Get Ingestion** call to check the status. Wait for this call to return `"state" = "Completed"` before proceeding to the next step.

-To perform a search using the "vision" feature, specify the query text and any desired filters.

-To perform a search using the "speech" feature, provide the query text and any desired filters.

-A separate routing domain is created in the Azure Networking stack for the pod's private CIDR space, which creates an Overlay network for direct communication between pods. There's no need to provision custom routes on the cluster subnet or use an encapsulation method to tunnel traffic between pod, which provides connectivity performance between pods on par with VMs in a VNet.

-You can configure ingress connectivity to the cluster using an ingress controller, such as Nginx or [HTTP application routing](./http-application-routing.md).

-To keep up with application demands in Azure Kubernetes Service (AKS), you may need to adjust the number of nodes that run your workloads. The cluster autoscaler component watches for pods in your cluster that can't be scheduled because of resource constraints. When the cluster autoscaler detects issues, it scales up the number of nodes in the node pool to meet the application demand. It also regularly checks nodes for a lack of running pods and scales down the number of nodes as needed.

-With cluster autoscaler enabled, when the node pool size is lower than the minimum or greater than the maximum it applies the scaling rules. Next, the autoscaler waits to take effect until a new node is needed in the node pool or until a node may be safely deleted from the current node pool. For more information, see [How does scale-down work?](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-scale-down-work)

-The cluster autoscaler may be unable to scale down if pods can't move, such as in the following situations:

-> You can manually scale your cluster after disabling the cluster autoscaler using the [`az aks scale`][az-aks-scale] command. If you use the horizontal pod autoscaler, that feature continues to run with the cluster autoscaler disabled, but pods may end up unable to be scheduled if all node resources are in use.

-You can also configure more granular details of the cluster autoscaler by changing the default values in the cluster-wide autoscaler profile. For example, a scale down event happens after nodes are under-utilized after 10 minutes. If you have workloads that run every 15 minutes, you may want to change the autoscaler profile to scale down under-utilized nodes after 15 or 20 minutes. When you enable the cluster autoscaler, a default profile is used unless you specify different settings. The cluster autoscaler profile has the following settings you can update:

- :::image type="content" source="media/autoscaler/autoscaler-logs.png" alt-text="Screenshot of Log Analytics logs.":::

-> Once you rotate the key, the old key (key1) expires after 24 hours. This means that both the old key (key1) and the new key (key2) are valid within the 24-hour period. If you want to invalidate the old key (key1) immediately, you need to rotate the OIDC key twice. Then key2 and key3 are valid, and key1 is invalid.

-By default, the Issuer is set to use the base URL `https://{region}.oic.prod-aks.azure.com/{uuid}`, where the value for `{region}` matches the location the AKS cluster is deployed in. The value `{uuid}` represents the OIDC key.

-## Which Windows operating systems are supported?

-AKS uses Windows Server 2019 and Windows Server 2022 as the host OS version and only supports process isolation. Container images built by using other Windows Server versions are not supported. For more information, see [Windows container version compatibility][windows-container-compat]. For Kubernetes version 1.25 and higher, Windows Server 2022 is the default operating system. Windows Server 2019 is being retired after Kubernetes version 1.32 reaches end of life (EOL) and won't be supported in future releases. For more information about this retirement, see the [AKS release notes][aks-release-notes].

-## Can I run Windows only clusters in AKS?

-The master nodes (the control plane) in an AKS cluster are hosted by the AKS service. You won't be exposed to the operating system of the nodes hosting the master components. All AKS clusters are created with a default first node pool, which is Linux-based. This node pool contains system services that are needed for the cluster to function. We recommend that you run at least two nodes in the first node pool to ensure the reliability of your cluster and the ability to do cluster operations. The first Linux-based node pool can't be deleted unless the AKS cluster itself is deleted.

-In some cases, if you are planning to run Windows-based workloads on an AKS cluster, you should consider deploying a Linux node pool for the following reasons:

-## What network plug-ins are supported?

-AKS clusters with Windows node pools must use the Azure Container Networking Interface (Azure CNI) (advanced) networking model. Kubenet (basic) networking is not supported. For more information on the differences in network models, see [Network concepts for applications in AKS][azure-network-models]. The Azure CNI network model requires extra planning and consideration for IP address management. For more information on how to plan and implement Azure CNI, see [Configure Azure CNI networking in AKS][configure-azure-cni].

-Windows nodes on AKS clusters also have [Direct Server Return (DSR)][dsr] enabled by default when Calico is enabled.

-# Extend the developer portal with custom features

-|[Create and upload custom widget](#create-and-upload-custom-widget) | - Developer solution for more advanced widget use cases<br/><br/>- Requires local implementation in React, Vue, or plain TypeScript<br/><br/>- Widget scaffold and tools provided to help developers create widget and upload to developer portal<br/><br/>- Supports workflows for source control, versioning, and code reuse<br/><br/> |

-For more advanced widget use cases, API Management provides a scaffold and tools to help developers create a widget and upload it to the developer portal.

-### Prerequisites

-## Next steps

-This article is a reference for the monitoring data collected by App Configuration. See [Monitoring App Configuration](monitor-app-configuration.md) for a walk through on to collect and analyze monitoring data for App Configuration.

-| Http Incoming Request Count | The supported dimensions are the **HttpStatusCode**, **AuthenticationScheme**, and **Endpoint** of each request. **AuthenticationScheme** can be filtered by AAD or HMAC authentication. |

-| Http Incoming Request Duration | The supported dimensions are the **HttpStatusCode**, **AuthenticationScheme**, and **Endpoint** of each request. **AuthenticationScheme** can be filtered by AAD or HMAC authentication. |

-Configuration stores have limits on the requests that they may serve. Any requests that exceed an allotted quota for a configuration store will receive an HTTP 429 (Too Many Requests) response.

-The service may identify situations other than throttling that need a client retry (ex: 503 Service Unavailable). In all such cases, the `retry-after-ms` response header will be provided. To increase robustness, the client is advised to follow the suggested interval and perform a retry.

- - If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md).

- - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.

- | Endpoint | Port |

- |-|-|

- |`*.servicebus.windows.net` | 443 |

- |`guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com` | 443 |

- > [!NOTE]

- > To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command `\GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<location>`. Within this command, the region must be specified for the `<location>` placeholder.

- - If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md).

- - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.

- | Endpoint | Port |

- |-|-|

- |`*.servicebus.windows.net` | 443 |

- |`guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com` | 443 |

-

- > [!NOTE]

- > To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command `\GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<location>`. Within this command, the region must be specified for the `<location>` placeholder.

- - If you are using Kubernetes native ClusterRoleBinding or RoleBinding for authorization checks on the cluster, with the `kubeconfig` file pointing to the `apiserver` of your cluster for direct access, you can create one mapped to the Microsoft Entra entity (service principal or user) that needs to access this cluster. Example:

- - If you are using Azure RBAC for authorization checks on the cluster, you can create an Azure role assignment mapped to the Microsoft Entra entity. Example:

- - If you are using Kubernetes native ClusterRoleBinding or RoleBinding for authorization checks on the cluster, with the `kubeconfig` file pointing to the `apiserver` of your cluster for direct access, you can create one mapped to the Microsoft Entra entity (service principal or user) that needs to access this cluster. Example:

- - If you are using [Azure RBAC for authorization checks](azure-rbac.md) on the cluster, you can create an Azure role assignment mapped to the Microsoft Entra entity. Example:

- ```azurecli

-When making requests to the Kubernetes cluster, if the Microsoft Entra entity used is a part of more than 200 groups, you may see the following error:

-When making requests to the Kubernetes cluster, if the Microsoft Entra service principal used is a part of more than 200 groups, you may see the following error:

-| September 2023| **Windows** <ul><li>Fix issue with high CPU usage due to excessive Windows Event Logs subscription reset</li><li>Reduce fluentbit resource usage by limiting tracked files older than 3 days and limiting logging to errors only</li><li>Fix race-condition where resource_id is unavailable when agent is restarted</li><li>Fix race-condition when AMA vm-extension is provisioned involving disable command</li><li>Update MetricExtension version to 2.2023.721.1630</li><li>Update Troubleshooter to v1.5.14 </li></ul>|1.20.0| None |

-> If both autoinstrumentation monitoring and manual SDK-based instrumentation are detected, only the manual instrumentation settings will be honored. This is to prevent duplicate data from being sent. To learn more about this, check out the [troubleshooting section](#troubleshooting) in this article.

-This article is part of the scenario [Recommendations for configuring Azure Monitor](best-practices.md). It describes planning that you should consider before starting your implementation. This ensures that the configuration options you choose meet your particular business requirements.

-If you're not already familiar with monitoring concepts, start with the [Cloud monitoring guide](/azure/cloud-adoption-framework/manage/monitor) which is part of the [Microsoft Cloud Adoption Framework for Azure](/azure/cloud-adoption-framework/). That guide defines high-level concepts of monitoring and provides guidance for defining requirements for your monitoring environment and supporting processes. This article will refer to sections of that guide that are relevant to particular planning steps.

-A core goal of your monitoring strategy will be minimizing costs. Some data collection and features in Azure Monitor have no cost while other have costs based on their particular configuration, amount of data collected, or frequency that they're run. The articles in this scenario will identify any recommendations that include a cost, but you should be familiar with Azure Monitor pricing as you design your implementation for cost optimization. See the following for details and guidance on Azure Monitor pricing:

-Before you design and implement any monitoring solution, you should establish a monitoring strategy so that you understand the goals and requirements of your plan. The strategy defines your particular requirements, the configuration that best meets those requirements, and processes to leverage the monitoring environment to maximize your applications' performance and reliability. The configuration options that you choose for Azure Monitor should be consistent with your strategy.

-See [Cloud monitoring guide: Formulate a monitoring strategy](/azure/cloud-adoption-framework/strategy/monitoring-strategy) for a number of factors that you should consider when developing a monitoring strategy. You should also refer to [Monitoring strategy for cloud deployment models](/azure/cloud-adoption-framework/manage/monitor/cloud-models-monitor-overview) which will assist in comparing completely cloud based monitoring with a hybrid model.

- You won't necessarily configure complete monitoring for all of your cloud resources but instead focus on your critical applications and the components they depend on. This will not only reduce your monitoring costs but also reduce the complexity of your monitoring environment. See [Cloud monitoring guide: Collect the right data](/azure/cloud-adoption-framework/manage/monitor/data-collection) for guidance on defining the data that you require.

-As you configure your monitoring environment, you need to determine which users should have access to monitoring data and which users need to be notified when an issue is detected. These may be application and resource owners, or you may have a centralized monitoring team. This information will determine how you configure permissions for data access and notifications for alerts. You may also require custom workbooks to present particular sets of information to different users.

-Your organization may have SLAs that define your commitments for performance and uptime of your applications. These SLAs may determine how you need to configure time sensitive features of Azure Monitor such as alerts. You will also need to understand [data latency in Azure Monitor](logs/data-ingestion-time.md) since this will affect the responsiveness of monitoring scenarios and your ability to meet SLAs.

-Azure Monitor is designed to address Health and Status monitoring. A complete monitoring solution will typically involve multiple Azure services and potentially other products. Other monitoring objectives, which may require additional solutions, are described in the Cloud Monitoring Guide in [primary monitoring objectives](/azure/cloud-adoption-framework/strategy/monitoring-strategy#formulate-monitoring-requirements).

-The following sections describe other services and products that you may use in conjunction with Azure Monitor. This scenario currently doesn't include guidance on implementing these solutions so you should refer to their documentation.

-You may have an existing investment in System Center Operations Manager for monitoring on-premises resources and workloads running on your virtual machines. You may choose to [migrate this monitoring to Azure Monitor](azure-monitor-operations-manager.md) or continue to use both products together in a hybrid configuration. See [Cloud monitoring guide: Monitoring platforms overview](/azure/cloud-adoption-framework/manage/monitor/platform-overview) for a comparison of the two products. See [Monitoring strategy for cloud deployment models](/azure/cloud-adoption-framework/manage/monitor/cloud-models-monitor-overview) for guidance on using the two in a hybrid configuration and on determining the most appropriate model for your environment.

-Azure Monitor Logs is based on Azure Data Explorer. A Log Analytics workspace is roughly the equivalent of a database in Azure Data Explorer. Tables are structured the same, and both use KQL.

-The [Logs Ingestion API](logs-ingestion-api-overview.md) in Azure Monitor allows you to send custom data to a Log Analytics workspace. This tutorial uses Azure Resource Manager templates (ARM templates) to walk through configuration of the components required to support the API and then provides a sample application using both the REST API and client libraries for [.NET](/dotnet/api/overview/azure/Monitor.Ingestion-readme), [Java](/java/api/overview/azure/monitor-ingestion-readme), [JavaScript](/javascript/api/overview/azure/monitor-ingestion-readme), and [Python](/python/api/overview/azure/monitor-ingestion-readme).

-5. [Give the AD application access to the DCR](#assign-permissions-to-a-dcr).

-description: Describes how to import Bicep namespaces.

-# Import Bicep namespaces

-This article describes the syntax you use to import user-defined data types and the Bicep namespaces including the Bicep extensibility providers.

-## Import user-defined data types (Preview)

-[Bicep version 0.21.1 or newer](./install.md) is required to use this feature. The experimental flag `compileTimeImports` must be enabled from the [Bicep config file](./bicep-config.md#enable-experimental-features).

-The syntax for importing [user-defined data type](./user-defined-data-types.md) is:

-import {<user-defined-data-type-name>, <user-defined-data-type-name>, ...} from '<bicep-file-name>'

-or with wildcard syntax:

-import * as <namespace> from '<bicep-file-name>'

-You can mix and match the two preceding syntaxes.

-Only user-defined data types that bear the [@export() decorator](./user-defined-data-types.md#import-types-between-bicep-files-preview) can be imported. Currently, this decorator can only be used on [`type`](./user-defined-data-types.md) statements.

-Imported types can be used anywhere a user-defined type might be, for example, within the type clauses of type, param, and output statements.

-myTypes.bicep

-type myString = string

-type myInt = int

-import * as myImports from 'myTypes.bicep'

-import {myInt} from 'myTypes.bicep'

-param exampleString myImports.myString = 'Bicep'

-param exampleInt myInt = 3

-output outString myImports.myString = exampleString

-output outInt myInt = exampleInt

-## Import namespaces and extensibility providers

-The syntax for importing the namespaces is:

-* The function can't call other user-defined functions.

-Refer to the table below to find details about resolution dates or possible workarounds. For more information about the different feature enhancements and bug fixes in Azure VMware Solution, see [What's New](azure-vmware-solution-platform-updates.md).

-| When first logging into the vSphere Client, the **Cluster-n: vSAN health alarms are suppressed** alert is active in the vSphere Client | 2021 | This should be considered an informational message, since Microsoft manages the service. Select the **Reset to Green** link to clear it. | 2021 |

-|Connectivity to BareMetal (BM) in a local VNet| Yes |

-|Connectivity to BM in a peered VNet (Same region)|Yes |

-|Connectivity to BM in a peered VNet\* (Cross region or global peering)\*|No |

-|Connectivity from on-premises to a BM in a spoke VNet over ExpressRoute gateway and VNet peering with gateway transit|Yes |

-|Connectivity from on-premises to a BM in a spoke VNet over VPN gateway and VNet peering with gateway transit| Yes |

-|[User-defined routes (UDRs)](../../../virtual-network/virtual-networks-udr-overview.md#user-defined) on NC2 on Azure-delegated subnets|No|

-# Using Cloud Shell in an Azure virtual network

-By default, Cloud Shell sessions run in a container in a Microsoft network that's separate from your

-resources. Commands run inside the container can't access resources in a private virtual network.

-For example, you can't use SSH to connect from Cloud Shell to a virtual machine that only has a

-private IP address, or use `kubectl` to connect to a Kubernetes cluster that has locked down access.

-To provide access to your private resources, you can deploy Cloud Shell into an Azure Virtual

-Network that you control. This is referred to as _VNET isolation_.

-## Benefits to VNET isolation with Azure Cloud Shell

-Deploying Azure Cloud Shell in a private VNET offers several benefits:

-## Things to consider before deploying Azure Cloud Shell in a VNET

- scenario, one hybrid connection is used for each administrator while they're using Cloud Shell.

- The connection is automatically closed when the Cloud Shell session ends.

-![Illustration of Cloud Shell isolated VNET architecture.][03]

- the customers subscription. For stricter security, you can allow users to launch Cloud Shell only

- authenticate and launch Cloud Shell.

- isolation. Resources such as virtual machines and services are directly accessible from Cloud

- Shell without the need to assign a public IP address.

- network. The storage account provides the file share used by Cloud Shell users.

-# Deploy Azure Cloud Shell in a virtual network with quickstart templates

-Before you can deploy Azure Cloud Shell in a virtual network (VNet) configuration using the

-quickstart templates, there are several prerequisites to complete before running the templates.

-This document guides you through the process to complete the configuration.

-## Steps to deploy Azure Cloud Shell in a virtual network

-This article walks you through the following steps to deploy Azure Cloud Shell in a virtual network:

-1. Register resource providers

-1. Collect the required information

-1. Create the virtual networks using the **Azure Cloud Shell - VNet** ARM template

-1. Create the virtual network storage account using the **Azure Cloud Shell - VNet storage** ARM

- template

-1. Configure and use Azure Cloud Shell in a virtual network

-Azure Cloud Shell needs access to certain Azure resources. That access is made available through

-Depending when your tenant was created, some of these providers might already be registered.

-To see all resource providers, and the registration status for your subscription:

-1. Select the subscription you want to view.

-1. Select the **Microsoft.CloudShell** resource provider register from the provider list.

-1. Select **Register** to change the status from **unregistered** to **Registered**.

- [![Screenshot of selecting resource providers in the Azure portal.][98]][98a]

-There are several pieces of information that you need to collect before you can deploy Azure Cloud.

-You can use the default Azure Cloud Shell instance to gather the required information and create the

-necessary resources. You should create dedicated resources for the Azure Cloud Shell VNet

-deployment. All resources must be in the same Azure region and contained in the same resource group.

- Cloud Shell VNet deployment

- template

-You can create the resource group using the Azure portal, Azure CLI, or Azure PowerShell. For more

-information, see the following articles:

-You can create the virtual network using the Azure portal, Azure CLI, or Azure PowerShell. For more

-information, see the following articles:

-> When setting the Container subnet address prefix for the Cloud Shell subnet it's important to

-> consider the number of Cloud Shell sessions you need to run concurrently. If the number of Cloud

-> Shell sessions exceeds the available IP addresses in the container subnet, users of those sessions

-> can't connect to Cloud Shell. Increase the container subnet range to accommodate your specific

-> needs. For more information, see the _Change Network Settings_ section of

-> [Add, change, or delete a virtual network subnet][07]

-### Azure Container Instance ID

-The **Azure Container Instance ID** is a unique value for every tenant. You use this identifier in

-the [quickstart templates][07] to configure virtual network for Cloud Shell.

-1. Sign in to the [Azure portal][09]. From the **Home** screen, select **Microsoft Entra ID**. If

- the icon isn't displayed, enter `Microsoft Entra ID` in the top search bar.

-1. In the left menu, select **Overview** and enter `azure container instance service` into the

-1. In the results under **Enterprise applications**, select the **Azure Container Instance Service**.

-1. Find **ObjectID** listed as a property on the **Overview** page for **Azure Container Instance

- Service**.

-1. You use this ID in the quickstart template for virtual network.

-## 3. Create the virtual network using the ARM template

-network. The template creates three subnets under the virtual network created earlier. You might

-choose to change the supplied names of the subnets or use the defaults. The virtual network, along

-with the subnets, require valid IP address assignments. You need at least one IP address for the

-Relay subnet and enough IP addresses in the container subnet to support the number of concurrent

-sessions you expect to use.

-The ARM template requires specific information about the resources you created earlier, along with

-naming information for new resources. This information is filled out along with the prefilled

-Information needed for the template:

- Shell VNet

- created by the template

-| Subscription | Defaults to the current subscription context.<br>For this example, we're using `Contoso (carolb)` |

-| Resource group | Enter the name of the resource group from the prerequisite information.<br>For this example, we're using `rg-cloudshell-eastus`. |

-| Region | Prefilled with your default region.<br>For this example, we're using `East US`. |

-| Existing VNET Name | Fill in the value from the prerequisite information you gathered.<br>For this example, we're using `vnet-cloudshell-eastus`. |

-| Relay Namespace Name | Create a name that you want to assign to the Relay resource created by the template.<br>For this example, we're using `arn-cloudshell-eastus`. |

-| Nsg Name | Enter the name of the Network Security Group (NSG). The deployment creates this NSG and assigns an access rule to it. |

-| Azure Container Instance OID | Fill in the value from the prerequisite information you gathered.<br>For this example, we're using `8fe7fd25-33fe-4f89-ade3-0e705fcf4370`. |

-| Container Subnet Name | Defaults to `cloudshellsubnet`. Enter the name of the subnet for your container. |

-| Container Subnet Address Prefix | For this example, we use `10.1.0.0/16`, which provides 65,543 IP addresses for Cloud Shell instances. |

-| Relay Subnet Name | Defaults to `relaysubnet`. Enter the name of the subnet containing your relay. |

-| Relay Subnet Address Prefix | For this example, we use `10.0.2.0/24`. |

-| Storage Subnet Name | Defaults to `storagesubnet`. Enter the name of the subnet containing your storage. |

-| Storage Subnet Address Prefix | For this example, we use `10.0.3.0/24`. |

-| Private Endpoint Name | Defaults to `cloudshellRelayEndpoint`. Enter the name of the subnet containing your container. |

-| Tag Name | Defaults to `{"Environment":"cloudshell"}`. Leave unchanged or add more tags. |

-| Location | Defaults to `[resourceGroup().location]`. Leave unchanged. |

-Once the form is complete, select **Review + Create** and deploy the network ARM template to your

-## 4. Create the virtual network storage using the ARM template

-The ARM template requires specific information about the resources you created earlier, along

-Information needed for the template:

- quickstart template

- quickstart template

-| Subscription | Defaults to the current subscription context.<br>For this example, we're using `Contoso (carolb)` |

-| Resource group | Enter the name of the resource group from the prerequisite information.<br>For this example, we're using `rg-cloudshell-eastus`. |

-| Region | Prefilled with your default region.<br>For this example, we're using `East US`. |

-| Existing VNET Name | For this example, we're using `vnet-cloudshell-eastus`. |

-| Existing Storage Subnet Name | Fill in the name of the resource created by the network template. |

-| Existing Container Subnet Name | Fill in the name of the resource created by the network template. |

-| Storage Account Name | Create a name for the new storage account.<br>For this example, we're using `myvnetstorage1138`. |

-| File Share Name | Defaults to `acsshare`. Enter the name of the file share want to create. |

-| Resource Tags | Defaults to `{"Environment":"cloudshell"}`. Leave unchanged or add more tags. |

-| Location | Defaults to `[resourceGroup().location]`. Leave unchanged. |

-Once the form is complete, select **Review + Create** and deploy the network ARM template to your

-## 5. Configuring Cloud Shell to use a virtual network

-After you have deployed your private Cloud Shell instance, each Cloud Shell user must change their

-If you have used the default Cloud Shell before deploying the private instance, you must reset your

-user settings.

-1. Open Cloud Shell

-1. Select **Reset user settings** then select **Reset**

-[![Screenshot of Cloud Shell storage dialog box.][97]][97a]

-1. Choose your preferred shell experience (Bash or PowerShell)

-1. Select **Show advanced settings**

-1. Choose the **Subscription** containing your private Cloud Shell instance.

-1. Choose the **Region** containing your private Cloud Shell instance.

-1. Select the **Resource group** name containing your private Cloud Shell instance. If you have

- selected the correct resource group, the **Virtual network**, **Network profile**, and **Relay

- namespace** should be automatically populated with the correct values.

-1. Enter the name for the **File share** you created with the storage template.

-You must complete the Cloud Shell configuration steps for each user that needs to use the new

-private Cloud Shell instance.

-The implementation of end-of-call survey logs represents an augmented functionality within ACS (Azure Communication Services), enabling Contoso to submit surveys to gather customers' subjective feedback on their calling experience. This approach aims to supplement the assessment of call quality beyond objective metrics such as audio and video bitrate, jitter, and latency, which may not fully capture whether a customer had a satisfactory or unsatisfactory experience. By leveraging Azure logs to publish and examine survey data, Contoso gains insights for analysis and identification of areas that require improvement. These survey results serve as a valuable resource for Azure Communication Services to continuously monitor and enhance quality and reliability. For more details about [End of call survey](../../../concepts/voice-video-calling/end-of-call-survey-concept.md)

- "OperationVersion": "2022-03-31-preview",

- "OperationVersion": "2022-03-31-preview",

- "OperationVersion": "2022-03-31-preview",

- "OperationVersion": "2022-02-01",

- "OperationVersion": "2022-03-31-preview",

- "OperationVersion": "2022-03-31-preview",

-| `participantTenantId` | The ID of the Microsoft tenant associated with the identity of the participant. The tenant can either be the Azure tenant that owns the ACS resource or the Microsoft tenant of an M365 identity. This field is used to guide cross-tenant redaction.

-|`participantType` | Description of the participant as a combination of its client (Azure Communication Services (ACS) or Teams), and its identity, (ACS or Microsoft 365). Possible values include: ACS (ACS identity and ACS SDK), Teams (Teams identity and Teams client), ACS as Teams external user (ACS identity and ACS SDK in Teams call or meeting), and ACS as Microsoft 365 user (M365 identity and ACS client).

-description: Provides a how-to guide for connecting ACS to Azure AI services.

-The dataflow diagram depicts a canonical scenario where a Teams user is added to an ongoing ACS call for expert consultation.

-1. Contoso Contact CenterΓÇÖs SBC is already configured with ACS Direct Routing where this add participant request is processed.

-1. Contoso Contact Center provider has implemented a web service, using ACS Call Automation that receives the ΓÇ£add ParticipantΓÇ¥ request.

-1. With Teams interop built into ACS Call Automation, ACS then uses the Teams userΓÇÖs ObjectId to add them to the call. The Teams user receives the incoming call notification. They accept and join the call.

-Azure Communication Services Call Automation can be used to build calling workflows for customer service scenarios, as depicted in the high-level architecture. You can answer inbound calls or make outbound calls. Execute actions like playing a welcome message, connecting the customer to a live agent on an ACS Calling SDK client app to answer the incoming call request. With support for ACS PSTN or Direct Routing, you can then connect this workflow back to your contact center.

-With the release of ACS Call Automation Recognize action, developers can now enhance their IVR or contact center applications to recognize user input. One of the most common scenarios of recognition is playing a message for the user, which prompts them to provide a response that then gets recognized by the application, once recognized the application then carries out a corresponding action. Input from callers can be received in several ways, which include DTMF (user input via the digits on their calling device), speech or a combination of both DTMF and speech.

-With the release of ACS Call Automation Recognize action, developers can now enhance their IVR or contact center applications to recognize user input. One of the most common scenarios of recognition is playing a message for the user which prompts them to provide a response that then gets recognized by the application, once recognized the application then carries out a corresponding action. Input from callers can be received in several ways which include DTMF (user input via the digits on their calling device), speech or a combination of both DTMF and speech.

-Call flows in ACS are based on the Session Description Protocol (SDP) RFC 4566 offer and answer model over HTTPS. Once the callee accepts an incoming call, the caller and callee agree on the session parameters.

-ACS media traffic between two endpoints participating in ACS audio, video, and application sharing, utilizes SRTP to encrypt the media stream. Cryptographic keys are negotiated between the two endpoints over a signaling protocol which uses TLS 1.2 and AES-256 (in GCM mode) encrypted UDP/TCP channel.

-description: This document covers definitions of acs email metrics available in the Azure portal.

-In scenarios where there's a Teams user on a Teams client or a Microsoft 365 user with Azure Communication Services SDKs in the call, the developer can use Teams caption. This allows developers to work with the Teams captioning technology that may already be familiar with today. With Teams captions developers are limited to what their Teams license allows. Basic captions allow only one spoken and one caption language for the call. With Teams premium license developers can use the translation functionality offered by Teams to provide one spoken language for the call and translated caption languages on a per user basis. In a Teams interop scenario, captions enabled through ACS follows the same policies that are defined in Teams for [meetings](/powershell/module/skype/set-csteamsmeetingpolicy) and [calls](/powershell/module/skype/set-csteamscallingpolicy).

-Use Teams ΓÇô Organizations using ACS and Teams can use Teams closed captions to improve their applications by providing closed captions capabilities to users. Those organizations can keep using Microsoft Teams for all calls and meetings without third party applications providing this capability.

-## Sample architecture of ACS user using captions in a Teams meeting

-## Sample architecture of an ACS user using captions in a meeting with a Microsoft 365 user on ACS SDK

-| [Manage ACS call recording](../../voice-video-calling/call-recording.md) | ❌ |

-| *Provider* | Join the appointment | Teams | Teams | ACS Calling & Chat |

-| *Consumer* | Schedule an appointment | Bookings | Bookings | ACS Rooms |

-| *Consumer*| Be reminded of an appointment | Bookings | Bookings | ACS SMS |

-| *Consumer*| Join the appointment | Teams or virtual appointments | ACS Calling & Chat | ACS Calling & Chat |

-Chrome version 115 for Android introduced a regression when making video calls - the result of this bug is a user making a call on ACS with this version of Chrome will have no outgoing video in Group and ACS-MS Teams calls.

-The iOS 16 release has introduced a bug that can stop the ACS audio\video call when using Safari mobile browser. Apple is aware of this issue and is looking for a fix on their side. The impact could be that an ACS call might stop working during a call and the only resolution to get it working again is to have the end customer restart their phone.

-Occasionally, a user in an ACS call may not be able to hear the audio from remote participants.

-On Android Chrome, if a user joins ACS call several times, the incoming audio can also disappear. The user is not able to hear the audio from other participants until the page is refreshed. We've fixed this issue in SDK 1.10.1-beta.1, and improved the audio resource usage.

-On Android Chrome, if a user is on an ACS call and puts the browser into background for one minute. The microphone will lose access and the other participants in the call won't hear the audio from the user. Once the user brings the browser to foreground, microphone is available again. Related chromium bugs [here](https://bugs.chromium.org/p/chromium/issues/detail?id=1027446) and [here](https://bugs.chromium.org/p/webrtc/issues/detail?id=10940)

-The problem can occur if a mobile user leaves the ACS group call without using the Call.hangUp() API. When a mobile user closes the browser or refreshes the webpage without hang up, other participants in the group call will still see this mobile user on the participant list for about 60 seconds.

-The problem can occur if a user in an ACS call with iOS Safari, and switches to other app for a while. After the user returns back to the browser,

-On iOS, for example, while on an ACS call, if a PSTN call comes in, then a microphoneMutedUnexepectedly bad UFD will be raised and audio will stop flowing in the ACS call and the call will be marked as muted. Once the PSTN call is over, the user will have to go and unmute the ACS call for audio to start flowing again in the ACS call. In the case of Android Chrome when a PSTN call comes in, audio will stop flowing in the ACS call and the ACS call will not be marked as muted. In this case, there is no microphoneMutedUnexepectedly UFD event. Once the PSTN call is finished, Android Chrome will regain audio automatically and audio will start flowing normally again in the ACS call.

-In case camera is on and an interruption occurs, ACS call may or may not lose the camera. If lost then camera will be marked as off and user will have to go turn it back on after the interruption has released the camera.

-### Excessive use of certain APIs like mute/unmute will result in throttling on ACS infrastructure

-As a result of the mute/unmute API call, ACS infrastructure informs other participants in the call about the state of audio of a local participant who invoked mute/unmute, so that participants in the call know who is muted/unmuted.

-Excessive use of mute/unmute will be blocked in ACS infrastructure. That will happen if the participant (or application on behalf of participant) will attempt to mute/unmute continuously, every second, more than 15 times in a 30-second rolling window.

-| ListRooms | Lists all the Rooms for an ACS Resource. |

-The main benefits the solution will provide to ACS customers can be summarized on the below:

-*Contoso, a marketing company, wants to launch a large SMS campaign to promote a product. Contoso checks the current carrier details for the different numbers he is targeting with this campaign to estimate the cost based on what ACS is charging him.*

-Vlad dials your toll-free number (that you acquired from Communication Service) from his mobile phone. Your service application (built with Call Automation SDK) receives the call, and invokes the logic to redirect the call to a mobile phone number of Abraham using ACS direct routing. Abraham picks up the call and they talk with Vlad for 5 minutes.

-One of the typical jobs that may be required from you is mapping ACS users to users coming from Contoso user database or identity provider. This is usually achieved by adding an extra column or field in Contoso user DB or Identity Provider. However, given the characteristics of the Raw ID (stable, globally unique, and deterministic), you may as well choose it as a primary key for the user storage.

-ACS toll-free numbers are enabled to receive messages from short codes. However, short codes are not typically enabled to send messages to toll-free numbers. If your messages from short codes to ACS toll-free numbers are failing, check with your short code provider if the short code is enabled to send messages to toll-free numbers.

-For general inbound call management use [Call Automation SDKs](../call-automation/incoming-call-notification.md) to build an application that listens for and manage inbound calls placed to a phone number or received via ACS direct routing.

- "resourceId": <string>, // stable resource id of the ACS resource recording

-\* Starting from ACS Web Calling SDK version [1.16.3](https://github.com/Azure/Communication/blob/master/releasenotes/acs-javascript-calling-library-release-notes.md#1163-stable-2023-08-24)

-> This document delves into the Data Channel feature present in the ACS Calling SDK.

-**Pre-call readiness** ΓÇô By using the pre-call checks ACS provides,

- of ACS running in a browser, see: [How to detect if an application using Azure Communication Services' SDK is active in multiple tabs of a browser](../../how-tos/calling-sdk/is-sdk-active-in-multiple-tabs.md).

-| Media traffic | Range of Azure public cloud IP addresses 20.202.0.0/16 The range provided above is the range of IP addresses on either Media processor or ACS TURN service. | UDP 3478 through 3481, TCP ports 443 |

-Simulcast is a feature that allows a publisher, in this case the ACS calling SDK, to send different qualities of the same video to the SFU. The SFU then forwards the most suitable quality to each other endpoint on a call, based on their bandwidth, CPU, and resolution preferences. This way, the publisher can save resources and the subscribers can receive the best possible quality. The SFU doesn't change the video quality, it only selects which one to forward.

-Simulcast streaming from a web endpoint supports a maximum two video qualities. There aren't API controls needed to enable Simulcast for ACS. Simulcast is enabled and available for all video calls.

-The Video Constraints API is a powerful tool that enables developers to control the video quality from within their video calls. With this API, developers can set maximum video resolutions, frame rate, and bitrate used so that the call is optimized for the user's device and network conditions. The ACS video engine is optimized to allow the video quality to change dynamically based on devices ability and network quality. But there might be certain scenarios where you would want to have tighter control of the video quality that end users experience. For instance, there may be situations where the highest video quality is not a priority, or you may want to limit the video bandwidth usage in the application. To support those use cases, you can use the Video Constraints API to have tighter control over video quality.

-ACS Web Calling SDK supports setting the maximum video resolution, framerate, or bitrate that a client sends. The sender video constraints are supported on Desktop browsers (Chrome, Edge, Firefox) and when using iOS Safari mobile browser or Android Chrome mobile browser.

-The Azure Communication Calling SDK allows you to create video effects that other users on a call are able to see. For example, for a user doing ACS calling using the WebJS SDK you can now enable that the user can turn on background blur. When the background blur is enabled, a user can feel more comfortable in doing a video call that the output video just shows a user, and all other content is blurred.

-var callerIdNumber = new PhoneNumberIdentifier("+16044561234"); // This is the ACS provisioned phone number for the caller

-PhoneNumberIdentifier callerIdNumber = new PhoneNumberIdentifier("+18001234567"); // This is the ACS provisioned phone number for the caller

- sourceCallIdNumber: { phoneNumber: "+18888888888" } // This is the ACS provisioned phone number for the caller

-) # This is the ACS provisioned phone number for the caller

- SourceCallerIdNumber = new PhoneNumberIdentifier("+16044561234"), // This is the ACS provisioned phone number for the caller

-PhoneNumberIdentifier callerIdNumber = new PhoneNumberIdentifier("+18001234567"); // This is the ACS provisioned phone number for the caller

- sourceCallIdNumber: { phoneNumber: "+18888888888" }, // This is the ACS provisioned phone number for the caller

-) # This is the ACS provisioned phone number for the caller

-var callerIdNumber = new PhoneNumberIdentifier("+16044561234"); // This is the ACS provisioned phone number for the caller

-PhoneNumberIdentifier callerIdNumber = new PhoneNumberIdentifier("+16044561234"); // This is the ACS provisioned phone number for the caller

-) # This is the ACS provisioned phone number for the caller

-var callerIdNumber = new PhoneNumberIdentifier("+16044561234"); // This is the ACS provisioned phone number for the caller

-PhoneNumberIdentifier callerIdNumber = new PhoneNumberIdentifier("+16044561234"); // This is the ACS provisioned phone number for the caller

-const callerIdNumber = { phoneNumber: "+16044561234" }; // This is the ACS provisioned phone number for the caller

-) # This is the ACS provisioned phone number for the caller

-When your application no longer wishes to receive DTMF tones from the participant anymore, you can use the `StopContinuousDtmfRecognitionAsync` method to let ACS know to stop detecting DTMF tones.

-ACS provides you with a `SequenceId` as part of the `ContinuousDtmfRecognitionToneReceived` event, which your application can use to reconstruct the order in which the participant entered the DTMF tones.

-If youΓÇÖre interested in abilities to allow participants to mute/unmute themselves on the call when theyΓÇÖve joined with ACS Client Libraries, you can use our [mute/unmute function](../../../communication-services/how-tos/calling-sdk/manage-calls.md) provided through our Calling Library.

-> Call transcription state is only available from Teams meetings. Currently there's no support for call transcription state for ACS to ACS calls.

-description: Steps on how to integrate CallKit with ACS Calling SDK

- CallKit Integration in the ACS iOS SDK handles interaction with CallKit for us. To perform any call operations like mute/unmute, hold/resume, we only need to call the API on the ACS SDK.

- When the app receives incoming push notification payload, we need to call `handlePush` to process it. ACS Calling SDK will raise the `IncomingCall` event.

-The feature is currently supported only for ACS Rooms call type and teams meeting call type

-#Customer intent: As a developer, I want to manage calls with the acs sdks so that I can create a calling application that manages calls.

-#Customer intent: As a developer, I want to manage video calls with the acs sdks so that I can create a calling application that provides video capabilities.

-#Customer intent: As a developer, I want to enable push notifications with the acs sdks so that I can create a calling application that provides push notifications to its users.

- "Message": "Great to connect with ACS events",

-ACS supports using Managed Identity to authenticate with the service. By using Managed Identity, you can eliminate the need to manage your own access tokens and credentials.

-Assigning a user-assigned identity to your ACS resource requires that you first create the identity and then add its resource identifier to your Communication service resource.

-## Managed Identity using ACS management SDKs

-Managed Identity can also be assigned to your ACS resource using the Azure Communication Management SDKs.

-For Node.js apps and JavaScript functions, samples on how to create or update your ACS resource with a managed identity can be found in the [Azure Communication Management Developer Samples for JavaScript](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/communication/arm-communication/samples-dev/communicationServicesCreateOrUpdateSample.ts)

-For Python apps and functions, Code Samples on how to create or update your ACS resource with a managed identity can be found in the [Azure Communication Management Developer Samples for Python](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/communication/azure-mgmt-communication/generated_samples/communication_services/create_or_update_with_system_assigned_identity.py)

-For Java apps and functions, Code Samples on how to create or update your ACS resource with a managed identity can be found in the [Azure Communication Management Developer Samples for Java](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/communication/azure-resourcemanager-communication/src/samples/java/com/azure/resourcemanager/communication/generated/CommunicationServicesCreateOrUpdateSamples.java).

-For Golang apps and functions, Code Samples on how to create or update your ACS resource with a managed identity can be found in the [Azure Communication Management Developer Samples for Golang](https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/resourcemanager/communication/armcommunication/services_client_example_test.go).

-Validating entire FQDN is helpful if you're a service provider and don't want to validate your base domain ownership with every customer. For example if you're running SBCs `customer1.acs.adatum.biz`, `customer2.acs.adatum.biz`, and `customer3.acs.adatum.biz`, you don't need to validate `acs.adatum.biz` for every Communication resource, instead you validate the entire FQDN each time. This option provides more granular security approach.

-1. When the resource details are verified, a bot ID is shown in the **Bot ACS Id** column. You can use the bot ID to represent the bot in a chat thread by using the Communication Services Chat AddParticipant API. After you add the bot to a chat as participant, the bot starts to receive chat-related activities, and it can respond in the chat thread.

-Try the [chat bot demo app](https://github.com/Azure/communication-preview/tree/master/samples/AzureBotService-Sample-App) for a 1:1 chat between a chat user and a bot via the BotFramework WebChat UI component.

-description: Learn about adding and removing sender addresses in Azure Communication Services using the ACS Management Client Libraries

-# Quickstart: How to add and remove sender addresses in Azure Communication Services using the ACS Management Client Libraries

-In this quick start, you will learn how to add and remove sender addresses in Azure Communication Services using the ACS Management Client Libraries.

-ACS Group Calls and ACS Rooms are typically made up of multiple participants. We define these as multi-source inputs. They can be used in layouts as a single input or destructured to reference a single participant.

-ACS Group Call json:

-ACS Rooms Input json:

-Unlike multi-source inputs, single source inputs reference a single media source. If the single source input is from a multi-source input such as an ACS group call or rooms, it will reference the multi-source input's ID in the `call` property. The following are examples of single source inputs:

-ACS Group Call json:

-ACS Rooms Output json:

- "Message": "Great to connect with ACS events",

-Communication Services UI Library renders a full chat experience right in your application. It takes care of connecting to ACS chat services, and updates participant's presence automatically. As a developer, you need to worry about where in your app's user experience you want the chat experience to launch and only create the ACS resources as required.

-description: Provides a quick start for developers to get audio streams through media streaming APIs from ACS calls.

-description: Quickstart tutorial for ACS Web Calling SDK push notifications

-The Chat SDK is designed to work with Microsoft Teams seamlessly. Specifically, Chat SDK provides a solution to receive file attachments sent by users from Microsoft Teams. Currently this feature is only available in the Chat SDK for JavaScript. Please note that sending file attachments from ACS user to Teams user is not currently supported, see the current capabilities of [Teams Interop Chat](../../concepts/interop/guest/capabilities.md) for details.

-| DTMF Support in ACS UI SDK | Allows touch tone entry | ❌ | ✔️ |

-In an Azure Communication Service Chat ("ACS Chat"), we can enable file sharing between communication users. Note, ACS Chat is different from the Teams Interoperability Chat ("Interop Chat"). If you want to enable file sharing in an Interop Chat, refer to [Add file sharing with UI Library in Teams Interoperability Chat](./file-sharing-tutorial-interop-chat.md).

-In a Teams Interoperability Chat ("Interop Chat"), we can enable file sharing between Azure Communication Service end users and Teams users. Note, Interop Chat is different from the Azure Communication Service Chat ("ACS Chat"). If you want to enable file sharing in an ACS Chat, refer to [Add file sharing with UI Library in Azure Communication Service Chat](./file-sharing-tutorial-acs-chat.md). Currently, the Azure Communication Service end user is only able to receive file attachments from the Teams user. Please refer to [UI Library Use Cases](../concepts/ui-library/ui-library-use-cases.md) to learn more.

-

-

-

-

-**Explanation to code above**: The first line import the interface for the `CommunicationIdentityClient`. The connection string in the second line can be found in your Azure Communication Services resource in the Azure portal. The `ACSEndpoint` is the URL of the ACS resource that was created.

-| *Provider* | Join the appointment | Teams | Teams | ACS Calling & Chat |

-| *Consumer* | Schedule an appointment | Bookings | Bookings | ACS Rooms |

-| *Consumer*| Be reminded of an appointment | Bookings | Bookings | ACS SMS |

-| *Consumer*| Join the appointment | Teams or virtual appointments | ACS Calling & Chat | ACS Calling & Chat |

-5. The users communicate with each other using voice, video, and text chat in a meeting. Specifically, Teams chat interoperability enables Teams user to send inline images or file attachments directly to ACS users seamlessly.

-* 3000 users in the 25001-100000 tier

-> [!TIP]

-> If you receive a quote through Microsoft Volume Licensing, pricing may be presented as aggregated so that the values are easily readable (for example showing the per-user meters in groups of 10 or 100 rather than the pricing for individual users). This does not impact the way you will be billed.

-If you choose to deploy the Number Management Portal by selecting the API Bridge option, you'll also be charged for the Number Management Portal. Fees work in the same way as the other meters: a service fee meter and a per-user meter. The number of users charged for the Number Management Portal is always the same as the number of users charged on the other Azure Communications Gateway meters.

-In the workload profiles environment, user-defined routes (UDRs) and securing outbound traffic with a firewall are supported. When using an external workload profiles environment, inbound traffic to Container Apps that use external ingress routes through the public IP that exists in the [managed resource group](./networking.md#workload-profiles-environment-1) rather than through your subnet. This means that locking down inbound traffic via NSG or Firewall on an external workload profiles environment is not supported. For more information, see [Networking in Azure Container Apps environments](./networking.md#user-defined-routes-udr).

-The following tables describe how to configure a collection of NSG allow rules.

->[!NOTE]

-> The subnet associated with a Container App Environment on the Consumption only environment requires a CIDR prefix of `/23` or larger. On the workload profiles environment (preview), a `/27` or larger is required.

-| Protocol | Port | ServiceTag | Description |

-|--|--|--|--|

-| Any | \* | Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`. |

-| Any | \* | AzureLoadBalancer | Allow the Azure infrastructure load balancer to communicate with your environment. |

-### Outbound with service tags

-The following service tags are required when using NSGs on the Consumption only environment:

-| Protocol | Port | ServiceTag | Description

-|--|--|--|--|

-| UDP | `1194` | `AzureCloud.<REGION>` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |

-| TCP | `9000` | `AzureCloud.<REGION>` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |

-| TCP | `443` | `AzureMonitor` | Allows outbound calls to Azure Monitor. |

-The following service tags are required when using NSGs on the workload profiles environment:

->[!Note]

-> If you are using Azure Container Registry (ACR) with NSGs configured on your virtual network, create a private endpoint on your ACR to allow Container Apps to pull images through the virtual network.

-| Protocol | Port | Service Tag | Description

-|--|--|--|--|

-| TCP | `443` | `MicrosoftContainerRegistry` | This is the service tag for container registry for microsoft containers. |

-| TCP | `443` | `AzureFrontDoor.FirstParty` | This is a dependency of the `MicrosoftContainerRegistry` service tag. |

-### Outbound with wild card IP rules

-The following IP rules are required when using NSGs on both the Consumption only environment and the workload profiles environment:

-| Protocol | Port | IP | Description |

-|--|--|--|--|

-| TCP | `443` | \* | Allowing all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. |

-| UDP | `123` | \* | NTP server. |

-| TCP | `5671` | \* | Container Apps control plane. |

-| TCP | `5672` | \* | Container Apps control plane. |

-| Any | \* | Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`. |

-For more information on networking concepts in Container Apps, see [Networking Environment in Azure Container Apps](./networking.md).

-1. Select **Review + create**. After validation finishes, select **Create**. The validation step may take a few minutes to complete.

-* Currently Azure Synapse Link can be enabled, in preview, in continuous backup database accounts. The opposite situation isn't supported yet, it is not possible to turn on continuous backup in Synapse Link enabled database accounts. And analytical store isn't included in backups. For more information about backup and analytical store, see [analytical store backup](analytical-store-introduction.md#backup).

-In Azure Cosmos DB for PostgreSQL, a row is stored in a shard if the hash of the value in the distribution column falls within the shard's hash range. Shards with the same hash range are always placed on the same node. Rows with equal distribution column values are always on the same node across tables.

-Consider the following tables that might be part of a multi-tenant web

-description: Learn about distributed tables, reference tables, local tables, and shards.

-# Distributed data in Azure Cosmos DB for PostgreSQL

-This article outlines the three table types in Azure Cosmos DB for PostgreSQL.

-It shows how distributed tables are stored as shards, and the way that shards are placed on nodes.

-## Table types

-There are three types of tables in a cluster, each

-used for different purposes.

-### Type 1: Distributed tables

-The first type, and most common, is distributed tables. They

-appear to be normal tables to SQL statements, but they're horizontally

-partitioned across worker nodes. What this means is that the rows

-of the table are stored on different nodes, in fragment tables called

-shards.

-Azure Cosmos DB for PostgreSQL runs not only SQL but DDL statements throughout a cluster.

-Changing the schema of a distributed table cascades to update

-all the table's shards across workers.

-#### Distribution column

-Azure Cosmos DB for PostgreSQL uses algorithmic sharding to assign rows to shards. The assignment is made deterministically based on the value

-of a table column called the distribution column. The cluster

-administrator must designate this column when distributing a table.

-Making the right choice is important for performance and functionality.

-### Type 2: Reference tables

-A reference table is a type of distributed table whose entire contents are

-concentrated into a single shard. The shard is replicated on every worker and

-the coordinator. Queries on any worker can access the reference information

-locally, without the network overhead of requesting rows from another node.

-Reference tables have no distribution column because there's no need to

-distinguish separate shards per row.

-Reference tables are typically small and are used to store data that's

-relevant to queries running on any worker node. An example is enumerated

-values like order statuses or product categories.

-### Type 3: Local tables

-When you use Azure Cosmos DB for PostgreSQL, the coordinator node you connect to is a regular PostgreSQL database. You can create ordinary tables on the coordinator and choose not to shard them.

-A good candidate for local tables would be small administrative tables that don't participate in join queries. An example is a users table for application sign-in and authentication.

-## Shards

-The previous section described how distributed tables are stored as shards on

-worker nodes. This section discusses more technical details.

-The `pg_dist_shard` metadata table on the coordinator contains a

-row for each shard of each distributed table in the system. The row

-matches a shard ID with a range of integers in a hash space

-(shardminvalue, shardmaxvalue).

-```sql

-SELECT * from pg_dist_shard;

- logicalrelid | shardid | shardstorage | shardminvalue | shardmaxvalue

-++--++

- github_events | 102026 | t | 268435456 | 402653183

- github_events | 102027 | t | 402653184 | 536870911

- github_events | 102028 | t | 536870912 | 671088639

- github_events | 102029 | t | 671088640 | 805306367

- (4 rows)

-```

-If the coordinator node wants to determine which shard holds a row of

-`github_events`, it hashes the value of the distribution column in the

-row. Then the node checks which shard\'s range contains the hashed value. The

-ranges are defined so that the image of the hash function is their

-disjoint union.

-### Shard placements

-Suppose that shard 102027 is associated with the row in question. The row

-is read or written in a table called `github_events_102027` in one of

-the workers. Which worker? That's determined entirely by the metadata

-tables. The mapping of shard to worker is known as the shard placement.

-The coordinator node

-rewrites queries into fragments that refer to the specific tables

-like `github_events_102027` and runs those fragments on the

-appropriate workers. Here's an example of a query run behind the scenes to find the node holding shard ID 102027.

-```sql

-SELECT

- shardid,

- node.nodename,

- node.nodeport

-FROM pg_dist_placement placement

-JOIN pg_dist_node node

- ON placement.groupid = node.groupid

- AND node.noderole = 'primary'::noderole

-WHERE shardid = 102027;

-```

-```output

-ΓöîΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö¼ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö¼ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÉ

-Γöé shardid Γöé nodename Γöé nodeport Γöé

-Γö£ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö╝ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö╝ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöñ

-Γöé 102027 Γöé localhost Γöé 5433 Γöé

-ΓööΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö┤ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓö┤ΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÇΓöÿ

-```

-## Next steps

-workers and accumulates their results. Applications are not able to connect

-directly to workers.

-Azure Cosmos DB for PostgreSQL allows the database administrator to *distribute* tables,

-storing different rows on different worker nodes. Distributed tables are the

-key to Azure Cosmos DB for PostgreSQL performance. Failing to distribute tables leaves them entirely

-on the coordinator node and cannot take advantage of cross-machine parallelism.

-required data lives on a single node or multiple. The coordinator decides what

-There are three types of tables in a cluster, each

-A good candidate for local tables would be small administrative tables that don't participate in join queries. An example is a users table for application sign-in and authentication.

-If you need to upgrade the Citus version only, you can do so by using an in-place upgrade. For instance, you may want to upgrade Citus 11.0 to Citus 11.3 on your PostgreSQL 14 cluster without upgrading Postgres version.

-* Table shards may disappear in your SQL client. Their visibility

- is now controlled by

-> [shards](concepts-distributed-data.md#shards) from existing nodes

-[shards](concepts-distributed-data.md#shards). Rebalancing moves shards from existing nodes to the new ones. Azure Cosmos DB for PostgreSQL offers

-In the multi-tenant use case, we can determine which worker node contains the

-tables, you may see error messages with hints like, "add a filter to the

-Azure Cosmos DB for PostgreSQL gives you the power to distribute tables across multiple

-* By contrast, the **worker** nodes store the actual data and do the computation.

- shines: multi-tenant SaaS, real-time operational analytics, and high

-2. Based on the workload, identify the optimal shard key for the distributed

-3. Update the database schema and application queries to make them go fast

-> offer all the functions listed below.

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-newly inserted data. Existing chunks of data won't be changed and may have

-newly inserted data. Existing stripes of data won't be changed and may have

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-The default strategy is appropriate under these circumstances:

-If any of these assumptions don't hold, then the default rebalancing

-can result in a bad plan. In this case you may customize the strategy,

-using the `rebalance_strategy` parameter.

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-#### Return Value

-the distribution column. It's especially handy for the multi-tenant

-#### Return Value

-custom colocation group may be specified when creating a distributed table, if

-| shard_allowed_on_node_function | regproc | Identifier for a function that given shardid bigint, and nodeidarg int, returns boolean for whether Azure Cosmos DB for PostgreSQL may store the shard on the node |

-default_strategy | true

-default_strategy | false

-The default strategy, `by_shard_count`, assigns every shard the same

-cost. Its effect is to equalize the shard count across nodes. The other

-predefined strategy, `by_disk_size`, assigns a cost to each shard

-matching its disk size in bytes plus that of the shards that are

-colocated with it. The disk size is calculated using

-`pg_total_relation_size`, so it includes indices. This strategy attempts

-to achieve the same disk space on every node. Note the threshold of 0.1--it prevents unnecessary shard movement caused by insignificant

-differences in disk space.

-This view can trace queries to originating tenants in a multi-tenant

-> Clusters running older versions of [the Citus extension](./reference-versions.md#citus-and-other-extension-versions) may not

-rare cases, complex upgrade processes may require setting this parameter

-50000, and may be changed to any value in the range 1000 - 10000000. Each row requires 140 bytes of storage, so setting `stat_statements_max` to its

-When the database is experiencing load, the administrator may wish to disable

-statement tracking. The `citus.stat_statements_track` GUC can turn tracking on

-and off.

- placements is committed in a single round. Data may be lost if a

-on the size of the cluster and rate of node failure. For example, you may want

-to increase this replication factor if you run large clusters and observe node

-In some cases, select queries with limit clauses may need to fetch all

-> [reference_tables](concepts-distributed-data.md#type-2-reference-tables).

-which hits more than one shard). Logging is useful during a multi-tenant

-It may be useful to use `error` during development testing,

- parallel operation on distributed tables. There may be some inconsistency

-The default value is true for Postgres versions 14 and higher. For Postgres

-versions 13 and lower the default is false, which means all results are encoded

-and transferred in text format.

-faster task assignment. However, if the number of workers is large, then it may

-all tasks may cause the EXPLAIN to take longer.

-* [parallel_tuple_cost](https://www.postgresql.org/docs/current/runtime-config-query.html#GUC-PARALLEL-TUPLE-COST) - Sets the planner's estimate of the cost of passing each tuple (row) from worker to master backend

-parallel to execute queries.

-* The capability to turn on Synapse Link in database accounts with continuous backup enabled is in preview now. The opposite situation, to turn on continuous backup in Synapse Link enabled database accounts, is still not supported yet.

-To install the latest version of the module that contains the `New-AzSubscriptionAlias` cmdlet, run `Install-Module Az.Subscription`. To install a recent version of PowerShellGet, see [Get PowerShellGet Module](/powershell/gallery/powershellget/install-powershellget).

-To install the latest version of the module that contains the `New-AzSubscriptionAlias` cmdlet, run `Install-Module Az.Subscription`. To install a recent version of PowerShellGet, see [Get PowerShellGet Module](/powershell/gallery/powershellget/install-powershellget).

-To install the latest version of the module that contains the `New-AzSubscriptionAlias` cmdlet, run `Install-Module Az.Subscription`. To install a recent version of PowerShellGet, see [Get PowerShellGet Module](/powershell/gallery/powershellget/install-powershellget).

-To install the latest version of the module that contains the `New-AzSubscription` cmdlet, run `Install-Module Az.Subscription`. To install a recent version of PowerShellGet, see [Get PowerShellGet Module](/powershell/gallery/powershellget/install-powershellget).

-| Disk encryption assessment | Γ£ö</br>(for [supported scenarios](../virtual-machines/windows/disk-encryption-windows.md#unsupported-scenarios)) | - | No |

-| Disk encryption assessment | Γ£ö</br>(for [supported scenarios](../virtual-machines/windows/disk-encryption-windows.md#unsupported-scenarios)) | - | No |

-| Disk encryption assessment | Γ£ö</br>(for [supported scenarios](../virtual-machines/windows/disk-encryption-windows.md#unsupported-scenarios)) | Γ£ö</br>(for [supported scenarios](../virtual-machines/windows/disk-encryption-windows.md#unsupported-scenarios)) |

-description: Learn how to add and configure an environment definition to use in your dev center projects. Environment definitions contain an IaC template that defines the environment.

-To modify the configuration of Azure resources in an existing environment definition, update the associated ARM template JSON file in the repository. The change is immediately reflected when you create a new environment by using the specific environment definition. The update also is applied when you redeploy an environment that's associated with that environment definition.

-To delete an existing environment definition, in the repository, delete the subfolder that contains the ARM template JSON file and the associated manifest YAML file. Then, [update the catalog](how-to-configure-catalog.md#update-a-catalog).

-description: Learn how to add a catalog in your dev center to provide environment templates for your developers. Catalogs are repositories stored in GitHub or Azure DevOps.

-# Add and configure a catalog from GitHub or Azure DevOps

-Learn how to add and configure a [catalog](./concept-environments-key-concepts.md#catalogs) in your Azure Deployment Environments dev center. You can use a catalog to provide your development teams with a curated set of infrastructure as code (IaC) templates called [environment definitions](./concept-environments-key-concepts.md#environment-definitions). Your catalog is encrypted; Azure Deployment Environments supports encryption at rest with platform-managed encryption keys, which are managed by Microsoft for Azure Services.

-To sync an updated catalog:

-You can delete a catalog to remove it from the dev center. Templates in a deleted catalog aren't available to development teams when they deploy new environments. Update the environment definition reference for any existing environments that were created by using the environment definitions in the deleted catalog. If the reference isn't updated and the environment is redeployed, the deployment fails.

-A [managed identity](../active-directory/managed-identities-azure-resources/overview.md) adds elevated-privileges capabilities and secure authentication to any service that supports Microsoft Entra authentication. Azure Deployment Environments uses identities to give development teams self-serve deployment capabilities without giving them access to the subscriptions in which Azure resources are created.

-In this article, you learn how to:

-> [!div class="checklist"]

->

-> - Add a managed identity to your dev center

-> - Assign a subscription role assignment to a managed identity

-> - Grant access to a key vault secret for a managed identity

-The identity that's attached to the dev center should be assigned the Owner role for all the deployment subscriptions and the Reader role for all subscriptions that contain the relevant project. When a user creates or deploys an environment, the service grants appropriate access to the deployment identity that's attached to the project environment type. The deployment identity uses the access to perform deployments on behalf of the user. You can use the managed identity to empower developers to create environments without granting them access to the subscription.

-You can set up your key vault to use either a [key vault access policy'](../key-vault/general/assign-access-policy.md) or [Azure role-based access control](../key-vault/general/rbac-guide.md).

-# Manage your deployment environment

-In Azure Deployment Environments, a platform engineer gives developers access to projects and the environment types that are associated with them. After a developer has access, they can create deployment environments based on the preconfigured environment types. The permissions that the creator of the environment and the rest of team have to access the environment's resources are defined in the specific environment type.

-As a developer, you can create and manage your environments from the developer portal or by using the Azure CLI.

-The developer portal provides a graphical interface for development teams to create new environments and manage existing environments. You can create, redeploy, and delete your environments as needed in the developer portal.

- :::image type="content" source="media/how-to-manage-environments/option-redeploy.png" alt-text="Screenshot showing an environment tile with the options menu expanded and the redeploy option selected.":::

-The Azure CLI provides a command-line interface for speed and efficiency when you create multiple similar environments, or for platforms where resources like memory are limited. You can use the `devcenter` Azure CLI extension to create, list, deploy, or delete an environment.

-You can create an environment from the developer portal.

-If your environment is configured to accept parameters, you are able to enter them on a separate pane. In this example, you don't need to specify any parameters.

-You can access and manage your environments in the Microsoft Developer portal.

-1. You are able to view all of your existing environments. To access the specific resources created as part of an Environment, select the **Environment Resources** link.

-1. You are able to view the resources in your environment listed in the Azure portal.

-description: Learn how to configure a dev center in Deployment Environments. You create a dev center, attach an identity, attach a catalog, and create environment types.

-This quickstart shows you how to create and configure a dev center in Azure Deployment Environments.

-When you are using a GitHub repository or an Azure DevOps repository to store your [catalog](./concept-environments-key-concepts.md#catalogs), you need an Azure Key Vault to store a personal access token (PAT) that is used to grant Azure access to your repository. Key Vaults can control access with either access policies or role-based access control (RBAC). If you have an existing key vault, you can use it, but you should check whether it uses access policies or RBAC assignments to control access. This quickstart assumes you're using an RBAC Key Vault and a GitHub repository.

-# Quickstart: Create and configure a project

-This quickstart shows you how to create a project in Azure Deployment Environments, and associate the project with the dev center you created in [Quickstart: Create and configure a dev center](./quickstart-create-and-configure-devcenter.md).

-To create a project in your dev center:

- |**Deployment subscription**| Select the subscription in which the environment will be created.|

-# Tutorial: Deploy environments in CI/CD with GitHub

-Continuous integration and continuous delivery (CI/CD) is a software development approach that helps teams to automate the process of building, testing, and deploying software changes. CI/CD enables you to release software changes more frequently and with greater confidence.

-This workflow is a small example for the purposes of this tutorial. Real world workflows may be more complex.

-In this section, you create a dev center and project with three environment types; Dev, Test and Prod

-Next, create a [fine-grained personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#fine-grained-personal-access-tokens) to enable your dev center to connect to your repository and consume the environment catalog.

-A catalog is a repository that contains a set of environment definitions. Catalog items consist of an IaC template and a manifest file. The template defines the environment, and the manifest provides metadata about the template. Development teams use environment definitions from the catalog to create environments.

-Create three environments: Dev, Test, and Prod to map to the project's environment types.

-2. Search for and select your GitHub user. You may enter up to six people or teams. Only one of the required reviewers needs to approve the job for it to proceed.

-description: Learn key concepts and terminology for Microsoft Dev Box.

-# Key concepts for Microsoft Dev Box

-This article describes the key concepts and components of Microsoft Dev Box.

-As you learn about Microsoft Dev Box, you'll also encounter components of [Azure Deployment Environments](../deployment-environments/overview-what-is-azure-deployment-environments.md), a complementary service that shares certain architectural components. Deployment Environments provides developers with preconfigured cloud-based environments for developing applications.

-description: Learn how to create an Azure Compute Gallery repository for managing and sharing Dev Box images.

-Azure Compute Gallery is a service for managing and sharing images. A gallery is a repository that's stored in your Azure subscription and helps you build structure and organization around your image resources. You can use a gallery to provide custom images for your dev box users.

-

-When creating a virtual machine image, select an image from the marketplace that is Dev Box compatible, like the following examples:

-> - Dev Box image requirements exceed [Windows 365 image requirements](/windows-365/enterprise/device-images) and include settings to optimize dev box creation time and performance.

-When you use an Azure Compute Gallery image to create a dev box definition, the Windows 365 service validates the image to ensure that it meets the requirements to be provisioned for a dev box. The Dev Box service replicates the image to the regions specified in the attached network connections, so the images are present in the region that's required for dev box creation.

-The Dev Box service behaves differently depending how you attach your gallery:

-To use the images from a gallery in dev box definitions, you must first associate the gallery with the dev center by attaching it:

-## Next steps

-description: Learn how to enable, disable and troubleshoot hibernation for your dev boxes. Configure hibernation settings for your image and dev box definition.

-# Configure Dev Box Hibernation (preview) for a dev box definition

-There are two steps in enabling hibernation; you must enable hibernation on your dev box image and enable hibernation on your dev box definition.

-## Key concepts for hibernation-enabled images

-## Enable hibernation on your dev box image

-The Visual Studio and Microsoft 365 images that Dev Box provides in the Azure Marketplace are already configured to support hibernation. You don't need to enable hibernation on these images, they're ready to use.

-If you plan to use a custom image from an Azure Compute Gallery, you need to enable hibernation capabilities as you create the new image. To enable hibernation capabilities, set the IsHibernateSupported flag to true. You must set the IsHibernateSupported flag when you create the image, existing images can't be modified.

-To enable hibernation capabilities, set the `IsHibernateSupported` flag to true:

-You can enable hibernation as you create a dev box definition, providing that the dev box definition uses a hibernation-enabled custom or marketplace image. You can also update an existing dev box definition that uses a hibernation-enabled custom or marketplace image.

-Dev Box validates your image for hibernate support. Your dev box definition might fail validation if hibernation couldn't be successfully enabled using your image.

-### Enable hibernation on an existing dev box definition by using the Azure portal

-### Update an existing dev box definition by using the CLI

- If you have issues provisioning new VMs after enabling hibernation on a pool or you want to revert to shut down only dev boxes, you can disable hibernation on the dev box definition.

-### Disable hibernation on an existing dev box definition by using the Azure portal

-### Disable hibernation on an existing dev box definition by using the CLI

-## Next steps

-description: Learn how to create, delete, attach, and remove Microsoft Dev Box network connections.

-Network connections allow dev boxes to connect to existing virtual networks. They also determine the region into which dev boxes are deployed.

- | **Name** | Enter **VNet-name**. |

-## Allow access to Dev Box endpoints from your network

-The Dev Box service requires a configured and working Active Directory join, which defines how dev boxes join your domain and access resources. There are two choices:

-## Next steps

-description: Learn how to create, delete, and connect to Microsoft Dev Box dev boxes by using the developer portal.

-# Manage a dev box by using the developer portal

-Developers can manage their dev boxes through the developer portal. As a developer, you can view information about your dev boxes. You can also connect to, start, stop, restart, and delete them.

-You can create as many dev boxes as you need through the developer portal, but there are common ways to split up your workload.

-You could create a dev box for your front-end work and a separate dev box for your back-end work. You could also create multiple dev boxes for your back end.

-For example, say you're working on a bug. You could use a separate dev box for the bug fix to work on the specific task and troubleshoot the issue without impacting your primary machine.

-After you create your dev box, you can connect to it through a Remote Desktop app or through a browser.

-Remote Desktop provides the highest performance and best user experience for heavy workloads. Remote Desktop also supports multi-monitor configuration. For more information, see [Tutorial: Use a Remote Desktop client to connect to a dev box](./tutorial-connect-to-dev-box-with-remote-desktop-app.md).

-Use the browser for lighter workloads. When you access your dev box via your phone or laptop, you can use the browser. The browser is useful for tasks such as a quick bug fix or a review of a GitHub pull request. For more information, see the [steps for using a browser to connect to a dev box](./quickstart-create-dev-box.md#connect-to-a-dev-box).

-You can perform many actions on a dev box through the developer portal by using the actions menu on the dev box tile. The options you see depend on the state of the dev box, and the configuration of the dev box pool it belongs to. For example, you can shut down or restart a running dev box, or start a stopped dev box.

-You can view information about a dev box, like the creation date, the dev center it belongs to, and the dev box pool it belongs to. You can also check the source image in use.

-When you no longer need a dev box, you can delete it.

-description: Learn how to create a custom image by using Azure VM Image Builder, and then create a dev box by using the image.

-# Configure a dev box by using Azure VM Image Builder

-When your organization uses standardized virtual machine (VM) images, it can more easily migrate to the cloud and help ensure consistency in your deployments.

-Images ordinarily include predefined security, configuration settings, and any necessary software. Setting up your own imaging pipeline requires time, infrastructure, and many other details. With Azure VM Image Builder, you can create a configuration that describes your image. The service then builds the image and submits it to a dev box project.

-In this article, you create a customized dev box by using a template. The template includes a customization step to install Visual Studio Code (VS Code).

-The next step is to use Azure VM Image Builder and Azure PowerShell to create an image version in Azure Compute Gallery and then distribute the image globally. You can also do this by using the Azure CLI.

-1. Copy the following Azure Resource Manger template for VM Image Builder. This template indicates the source image and the customizations applied. This template installs Choco and VS Code. It also indicates where the image will be distributed.

-## Set up the Dev Box service with a custom image

-After the gallery images are available in the dev center, you can use the custom image with the Microsoft Dev Box service. For more information, see [Quickstart: Configure Microsoft Dev Box ](./quickstart-configure-dev-box-service.md).

-## Next steps

-description: Learn how to provide user-level access to projects for developers so that they can create and manage dev boxes.

-# Provide user-level access to projects for developers

-Team members must have access to a specific Microsoft Dev Box project before they can create dev boxes. By using the built-in DevCenter Dev Box User role, you can assign permissions to Active Directory users or groups at the project level.

-## Next steps

-description: Learn how to hibernate your dev boxes.

-# How to hibernate your dev box

-You can hibernate your dev box through the developer portal or the CLI. You can't hibernate your dev box from the dev box itself.

-Hibernate your dev box through the developer portal:

-Dev boxes that support hibernation will show the **Hibernate** option. Dev boxes that only support shutdown will show the **Shutdown** option.

-Resume your Dev box through the developer portal:

-In addition, you can also double select on your dev box in the list of VMs you see in the "Remote Desktop" app. Your dev box automatically starts up and resumes from a hibernating state.

-## Hibernate your dev box using the CLI

-You can use the CLI to hibernate your dev box:

-If your machine is unresponsive, it may have stalled either while going into hibernation or resuming from hibernation, you can manually reboot your dev box.

-Dev Box Hibernation is a preview feature, and you might run into reliability issues. Enable AutoSave on your applications to minimize the impact of session loss.

- ## Next steps

-description: Microsoft Dev Box dev box definitions define a source image, compute size, and storage size for your dev boxes with. Learn how to manage dev box definitions.

-A dev box definition is a Microsoft Dev Box resource that specifies a source image, compute size, and storage size.

-When you create a dev box definition, you can choose a preconfigured image from Azure Marketplace or a custom image from Azure Compute Gallery.

-Azure Compute Gallery enables you to store and manage a collection of custom images. You can build an image to your dev team's exact requirements and store it in a gallery.

-To use the custom image while creating a dev box definition, attach the gallery to your dev center. To learn how to attach a gallery, see [Configure Azure Compute Gallery](how-to-configure-azure-compute-gallery.md).

-When you select an image to use in your dev box definition, you must specify whether you'll use updated versions of the image:

-You can create multiple dev box definitions to meet the needs of your developer teams.

-Over time, your needs for dev boxes will change. You might want to move from a Windows 10 base operating system to a Windows 11 base operating system, or increase the default compute specification for your dev boxes. Your initial dev box definitions might no longer be appropriate for your needs. You can update a dev box definition so that new dev boxes will use the new configuration.

-## Next steps

-description: Microsoft Dev Box dev box pools are collections of dev boxes that you manage together. Learn how to create, configure, and delete dev box pools.

-# Manage a dev box pool

-To allow developers to create their own dev boxes, you need to set up dev box pools that define the dev box specifications and network connections for new dev boxes. Developers can then create dev boxes from the dev box pools they have access to through their project memberships.

-A dev box pool is a collection of dev boxes that you manage together. You must have a pool before users can create a dev box.

-The following steps show you how to create a dev box pool that's associated with a project. You'll use an existing dev box definition and network connection in the dev center to configure the pool.

-## Next steps

-# Manage a dev box project

-Each project is associated with a single dev center. When you associate a project with a dev center, all the settings at the dev center level will be applied to the project automatically.

-Microsoft Dev Box makes it possible for you to delegate administration of projects to a member of the project team. Project administrators can assist with the day-to-day management of projects for their team, like creating and managing dev box pools. To provide users permissions to manage projects, add them to the DevCenter Project Admin role. The tasks in this quickstart can be performed by project admins.

-## Create a dev box project

-The following steps show you how to create and configure a project in dev box.

- |**Dev center**|Select the dev center to which you want to associate this project. All the dev center level settings will be applied to the project.|

-## Delete a dev box project

-You can delete a dev box project when you're no longer using it. Deleting a project is permanent and cannot be undone. You cannot delete a project that has dev box pools associated with it.

-## Provide access to a dev box project

-The user will now be able to view the project and all the pools within it. They can create dev boxes from any of the pools and manage those dev boxes from the [developer portal](https://aka.ms/devbox-portal).

-To assign administrative access to a project, select the DevCenter Project Admin role. For more details on how to add a user to the Project Admin role, refer to [Provide access to projects for project admins](how-to-project-admin.md).

-Your development teams' requirements change over time. You can create a new dev center to support organizational changes like a new business requirement or a new regional center. You can create as many or as few dev centers as you need, depending on how you organize and manage your development teams.

-To create a dev center:

-You might choose to delete a dev center to reflect organizational or workload changes. Deleting a dev center is irreversible, and you must prepare for the deletion carefully.

-## Next steps

-description: Learn how to manage multiple Dev Box projects by assigning admin permissions and delegating project administration.

-# Provide administrative access to Dev Box projects for project admins

-## Next steps

-description: In this quickstart, you learn how to configure the Microsoft Dev Box service to provide dev box workstations for users.

-This quickstart describes how to set up Microsoft Dev Box to enable development teams to self-serve their dev boxes. A dev box is a virtual machine (VM) preconfigured with the tools and resources the developer needs for a project. A dev box acts as a day-to-day workstation for the developer.

-After you complete this quickstart, you'll have Microsoft Dev Box set up ready for users to create and connect to dev boxes.

-Network connections determine the region in which dev boxes are deployed. They also allow dev boxes to be connected to your existing virtual networks. The following steps show you how to create and configure a network connection in Microsoft Dev Box.

-Dev boxes automatically register with Microsoft Intune when they're created. If your network connection displays a warning for the **Intune Enrollment Restrictions Allow Windows Enrollment** test, check the Intune Windows platform restriction policy, as it may block you from provisioning.

-Dev box definitions define the image and SKU (compute + storage) that's used in the creation of the dev boxes. To create and configure a dev box definition:

- |**Name**|Enter a descriptive name for your dev box definition.|

-A dev box pool is a collection of dev boxes that have similar settings. Dev box pools specify the dev box definitions and network connections that dev boxes use. You must associate at least one pool with your project before users can create a dev box.

-Before users can create dev boxes based on the dev box pools in a project, you must provide access for them through a role assignment. The Dev Box User role enables dev box users to create, manage, and delete their own dev boxes. You must have sufficient permissions to a project before you can add users to it.

-## Next steps

-description: In this quickstart, you learn how to create a dev box and connect to it through a browser.

-# Quickstart: Create a dev box by using the developer portal

-You can create and manage multiple dev boxes as a dev box user. Create a dev box for each task that you're working on, and create multiple dev boxes within a single project to help streamline your workflow.

-1. Sign in to the [developer portal](https://aka.ms/devbox-portal).

-After you create a dev box, one way to access it quickly is through a browser:

-A new tab opens with a Remote Desktop session through which you can use your dev box. Use a work or school account to log in to your dev box, not a personal Microsoft account.

-## Next steps

-To learn how to connect to a dev box by using a Remote Desktop app, see [Tutorial: Use a Remote Desktop client to connect to a dev box](./tutorial-connect-to-dev-box-with-remote-desktop-app.md).

-description: In this tutorial, you learn how to download a Remote Desktop client and connect to your dev box. You also learn how to configure a dev box to use multiple monitors during a remote desktop session.

-# Tutorial: Use a Remote Desktop client to connect to a dev box

-After you configure the Microsoft Dev Box service and create dev boxes, you can connect to them by using a browser or by using a Remote Desktop client.

-## Download the client and connect to your dev box

-Remote Desktop clients are available for many operating systems and devices. In this tutorial, you can view the steps for Windows or the steps for a non-Windows operating system by selecting the relevant tab.

-Microsoft Remote Desktop for Windows and Microsoft Remote Desktop for Mac both support up to 16 monitors. Use the following steps to configure Remote Desktop to use multiple monitors.

- :::image type="content" source="media/tutorial-connect-to-dev-box-with-remote-desktop-app/remote-desktop-select-display.png" alt-text="Screenshot showing the remote desktop display settings. ":::

-To learn about managing your dev box, see:

-categories. To jump to a specific **category**, use the menu on the right side of the page.

-specific **table**, use the menu on the right side of the page. Otherwise, use

-In addition, HDInsight on AKS Trino allows storing secrets in Key Vault so you donΓÇÖt have to specify them explicitly in ARM template.

-* An operational HDInsight on AKS Trino cluster.

- |${SECRET_REF:\<referenceName\>}|Special tag to reference a secret from secretsProfile. HDInsight on AKS Trino at runtime fetch the secret from Key Vault and substitute it in catalog configuration.|

-This article provides an overview of how to configure Delta Lake catalog in your HDInsight on AKS Trino cluster. You can add a new catalog by updating your cluster ARM template except the hive catalog, which you can add during [Trino cluster creation](./trino-create-cluster.md) in the Azure portal.

-This article provides an overview of how to configure Iceberg catalog in HDInsight on AKS Trino cluster. You can add a new catalog by updating your cluster ARM template except the hive catalog, which you can add during [Trino cluster creation](./trino-create-cluster.md) in the Azure portal.

-description: How to create Airflow DAG connecting to Azure HDInsight on AKS Trino

-# Use Airflow with Trino cluster

-This article demonstrates how to configure available open-source [Airflow Trino provider](https://airflow.apache.org/docs/apache-airflow-providers-trino/stable/https://docsupdatetracker.net/index.html) to connect to HDInsight on AKS Trino cluster.

-The objective is to show how you can connect Airflow to HDInsight on AKS Trino considering main steps as obtaining access token and running query.

-* An operational HDInsight on AKS Trino cluster.

-1. Trino endpoint (`trino_endpoint`) - HDInsight on AKS Trino cluster endpoint from Overview page in the Azure portal.

-1. Pay attention to connection properties, which configure JWT authentication type, https and port. These values are required to connect to HDInsight on AKS Trino cluster.

-This example demonstrates basic steps required to connect Airflow to HDInsight on AKS Trino. Main steps are obtaining access token and running query.

-* [HDInsight on AKS Trino authentication](./trino-authentication.md)

-Azure HDInsight on AKS Trino provides tools such as CLI client, JDBC driver etc., to access the cluster, which is integrated with Microsoft Entra ID to simplify the authentication for users.

-HDInsight on AKS Trino has added **final result caching** capability, which provides the following benefits:

-> Final result caching is using query plan and ttl as a cache key.

-Final result caching can also be controlled through the following session parameters:

-* An operational HDInsight on AKS Trino cluster.

-description: How to configure HDInsight on AKS Trino catalogs with Glue as metastore

-# Query data from AWS S3 and with Glue

-This article provides examples of how you can add catalogs to an HDInsight on AKS Trino cluster where catalogs are using AWS Glue as metastore and S3 as storage.

-* [Understanding of HDInsight on AKS Trino cluster configurations](./trino-service-configuration.md).

-## Trino catalogs with S3 and Glue as metastore

-You can add the following sample JSON in your HDInsight on AKS Trino cluster under `clusterProfile` section in the ARM template.

-You can add the following sample JSON in your HDInsight on AKS Trino cluster under `clusterProfile` section in the ARM template.

-You can add the following sample JSON in your HDInsight on AKS Trino cluster under `clusterProfile` section in the ARM template.

-Use existing or create new user in AWS IAM - this user is used by Trino connector to read data from Glue/S3. Create and retrieve access keys on Security Credentials tab and save them as secrets into [Azure Key Vault](/azure/key-vault/secrets/about-secrets) linked to your HDInsight on AKS Trino cluster. Refer to [Add catalogs to existing cluster](./trino-add-catalogs.md) for details on how to link Key Vault to your Trino cluster.

-Configure a Trino catalog using examples above [Trino catalogs with S3 and Glue as metastore](./trino-catalog-glue.md#trino-catalogs-with-s3-and-glue-as-metastore).

-Hive metastore is used as a central repository for storing metadata about the data. This article describes how you can add a Hive metastore database to your HDInsight on AKS Trino cluster. There are two ways:

-* An operational HDInsight on AKS Trino cluster.

-This article describes the steps to create an HDInsight on AKS Trino cluster by using the Azure portal.

-You can perform the following operations on the tables using HDInsight on AKS Trino.

-1. Create a Delta Lake schema in HDInsight on AKS Trino.

-Use `format("delta")` to save a dataframe as a Delta table, then you can use the path where you saved the dataframe as delta format to register the table in HDInsight on AKS Trino.

-This article provides details on how to deploy custom plugins to your HDInsight on AKS Trino cluster.

-* An operational HDInsight on AKS Trino cluster.

-description: Learn how to configure fault-tolerance in HDInsight on AKS Trino.

-HDInsight on AKS Trino supports [fault-tolerant execution](https://trino.io/docs/current/admin/fault-tolerant-execution.html) to mitigate query failures and increase resilience.

-This article describes how you can enable fault tolerance for your HDInsight on AKS Trino cluster.

-<br>HDInsight on AKS Trino supports `filesystem` based exchange managers that can store the data in Azure Blob Storage (ADLS Gen 2). This section describes how to configure exchange manager with Azure Blob Storage.

-> HDInsight on AKS Trino currently does not support MSI authentication in exchange manager set up backed by Azure Blob Storage.

-This article describes how to modify initial and max heap size for HDInsight on AKS Trino pods.

-> In HDInsight on AKS, Heap settings on Trino pods are already right-sized based on the selected SKU size. These settings should only be modified when a user wants to control JVM behavior on the pods and is aware of side-effects of changing these settings.

-* An operational HDInsight on AKS Trino cluster.

-* An operational HDInsight on AKS Trino cluster.

-* `fileName`: Symbolic name of the file to use as a reference in other configurations. This name isn't a physical file name. To use given miscellaneous file in other configurations, specify `${MISC:\<fileName\>}` and HDInsight on AKS Trino substitutes this tag with actual file path at runtime provided value must satisfy the following conditions:

-* `path`: Relative file path including file name and extension if applicable. HDInsight on AKS Trino only guarantees location of each given miscellaneous file relative to other miscellaneous files that is, base directory may change. You can't assume anything about absolute path of miscellaneous files, except that it ends with value specified in ΓÇ£pathΓÇ¥ property.

-description: Log Query lifecycle events in Trino Cluster

-Trino supports custom [event listeners](https://trino.io/docs/current/develop/event-listener.html) that can be used to listen for Query lifecycle events. You can author your own event listeners or use a built-in plugin provided by HDInsight on AKS Trino that logs events to Azure Blob Storage.

-* An operational HDInsight on AKS Trino cluster.

-A new capability has been added in HDInsight on AKS Trino that allows user to capture Scan statistics for any connector. This capability provides deeper insights into query performance profile beyond what is available in statistics produced by Trino.

-HDInsight on AKS Trino cluster comes with most of the default configurations of open-source Trino. This article describes how to update config files, and adds your own supplemental config files to the cluster.

-> HDInsight on AKS Trino enforces certain configurations and prohibits modification of some files and/or properties. This is done to ensure proper security/connectivity via configuration. Example of prohibited files/properties includes, but is not limited to:

-* An operational HDInsight on AKS Trino cluster.

-All HDInsight on AKS Trino configurations can be specified in `serviceConfigsProfiles.serviceName[ΓÇ£trinoΓÇ¥]` under `properties.clusterProfile`.

-description: Deploying Superset and connecting to HDInsight on AKS Trino

-# Deploy Apache Superset

-This article describes how to deploy an Apache Superset UI instance in Azure and connect it to HDInsight on AKS Trino cluster to query data and create dashboards.

-### Create a HDInsight on AKS Trino cluster and assign a Managed Identity

-1. If you haven't already, create an [HDInsight on AKS Trino cluster](trino-create-cluster.md).

- 6. Enter the SQL Alchemy URI of your HDInsight on AKS Trino cluster.

-### Troubleshooting

-The Trino CLI provides a terminal-based, interactive shell for running queries.

-For Windows, the Trino CLI is installed via an MSI, which gives you access to the CLI through the Windows Command Prompt (CMD) or PowerShell. When installing for Windows Subsystem for Linux (WSL), see [Install on Linux](#install-on-linux).

-The MSI package is used for installing or updating the HDInsight on AKS Trino CLI on Windows.

-It's possible to use JDBC driver with many available database tools. This article demonstrates how to configure one of the most popular tool **DBeaver** to connect to HDInsight on AKS Trino cluster in few simple steps.

-* [Install HDInsight on AKS Trino CLI with JDBC driver](./trino-ui-command-line-interface.md#install-on-windows).

-## Configure DBeaver to use HDInsight on AKS Trino JDBC driver

- > DBeaver comes with existing open-source Trino driver, create a copy of it and register HDInsight on AKS Trino JDBC driver.

- * Update **Driver Name**, for example, "Azure Trino" or "Azure HDInsight on AKS Trino" or any other name.

- :::image type="content" source="./media/trino-ui-dbeaver/dbeaver-new-driver.png" alt-text="Screenshot showing Create new Azure Trino driver."

- 1. Click **Add File** and select [installed](./trino-ui-command-line-interface.md#install-on-windows) HDInsight on AKS Trino JDBC jar file from your local disk.

- > HDInsight on AKS Trino CLI comes with Trino JDBC jar. You can find it in your local disk.

- :::image type="content" source="./media/trino-ui-dbeaver/dbeaver-new-driver-library.png" alt-text="Screenshot showing Select Azure Trino JDBC driver file."

-## Query and browse HDInsight on AKS Trino cluster with DBeaver

-HDInsight on AKS Trino provides JDBC driver, which supports Microsoft Entra authentication and adds few parameters for it.

-JDBC driver jar is included in the Trino CLI package, [Install HDInsight on AKS Trino CLI](./trino-ui-command-line-interface.md). If CLI is already installed, you can find it on your file system at following path:

-This article covers the details around the Trino UI provided for monitoring the cluster nodes and the queries submitted.

-| [HDInsight 5.1](./hdinsight-5x-component-versioning.md) |Ubuntu 18.0.4 LTS |Feb 27, 2023 | [Standard](hdinsight-component-versioning.md#support-options-for-hdinsight-versions) | Not announced |Not announced| Yes |

-| 5.1 | 3.3 | October 26, 2023 | General availability |-|-|-|

-* HDInsight announces the General availability of HDInsight 5.1 starting October 26, 2023. This release brings in a full stack refresh to the [open source components](./hdinsight-5x-component-versioning.md#open-source-components-available-with-hdinsight-5x) and the integrations from Microsoft.

-If you migrate from Kafka to 3.2.0, you can take advantage of the following new features:

-New Kafka brokers support older clients. [KIP-35 - Retrieving protocol version](https://cwiki.apache.org/confluence/display/KAFKA/KIP-35+-+Retrieving+protocol+version) introduced a mechanism for dynamically determining the functionality of a Kafka broker and [KIP-97: Improved Kafka Client RPC Compatibility Policy](https://cwiki.apache.org/confluence/display/KAFKA/KIP-97%3A+Improved+Kafka+Client+RPC+Compatibility+Policy) introduced a new compatibility policy and guarantees for the Java client. Previously, a Kafka client had to interact with a broker of the same version or a newer version. Now, newer versions of the Java clients and other clients that support KIP-35 such as `librdkafka` can fall back to older request types or throw appropriate errors if functionality isn't available.

-description: This article describes how to deploy DICOM service in the Azure portal.

-In this quickstart, you'll learn how to deploy the DICOM&reg; service using the Azure portal.

-Once deployment is complete, you can use the Azure portal to navigate to the newly created DICOM service to see the details including your service URL. The service URL to access your DICOM service will be: ```https://<workspacename-dicomservicename>.dicom.azurehealthcareapis.com```. Make sure to specify the version as part of the url when making requests. More information can be found in the [API Versioning for DICOM service documentation](api-versioning-dicom-service.md).

-## Deploying DICOM service

- [  ](media/select-workspace-resource-group.png#lightbox)

-2. Select **Deploy DICOM service**.

- [  ](media/workspace-deploy-dicom-services.png#lightbox)

-3. Select **Add DICOM service**.

- [  ](media/add-dicom-service.png#lightbox)

-4. Enter a name for DICOM service, and then select **Review + create**.

- [  ](media/enter-dicom-service-name.png#lightbox)

- (**Optional**) Select **Next: Tags >**.

- Tags are name/value pairs used for categorizing resources. For information about tags, see [Use tags to organize your Azure resources and management hierarchy](../../azure-resource-manager/management/tag-resources.md).

-5. When you notice the green validation check mark, select **Create** to deploy DICOM service.

-6. When the deployment process completes, select **Go to resource**.

- [  ](media/go-to-resource.png#lightbox)

- The result of the newly deployed DICOM service is shown below.

- [  ](media/results-deployed-dicom-service.png#lightbox)

-[Assign roles for the DICOM service](../configure-azure-rbac.md#assign-roles-for-the-dicom-service)

-[Use DICOMweb Standard APIs with DICOM services](dicomweb-standard-apis-with-dicom-services.md)

-Each converted WSI results in a DICOM series with multiple instances. We recommend uploading each instance as a single part POST for better performance.

-description: This how-to guide explains how to export DICOM files to an Azure Blob Storage account

-# Export DICOM Files

-The DICOM service provides the ability to easily export DICOM data in a file format, simplifying the process of using medical imaging in external workflows, such as AI and machine learning. DICOM studies, series, and instances can be exported in bulk to an [Azure Blob Storage account](../../storage/blobs/storage-blobs-introduction.md) using the export API. DICOM data that is exported to a storage account will be exported as a `.dcm` file in a folder structure that organizes instances by `StudyInstanceID` and `SeriesInstanceID`.

-There are three steps to exporting data from the DICOM service:

-The first step to export data from the DICOM service is to enable a system managed identity. This managed identity is used to authenticate the DICOM service and give permission to the storage account used as the destination for export. For more information about managed identities in Azure, see [About managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).

-2. Set the **Status** option to **On**, and then select **Save**.

-3. Select **Yes** in the confirmation dialog that appears.

-It will take a few minutes to create the system managed identity. When the system identity has been enabled, an **Object (principal) ID** will be displayed.

-## Give storage account permissions to the system managed identity

-The system managed identity will need **Storage Blob Data Contributor** permission to write data to the destination storage account.

-1. Under **Permissions** select **Azure role assignments**.

-2. Select **Add role assignment**. On the **Add role assignment** panel, make the following selections:

- * Under **Resource**, select the destination storage account for the export operation.

- * Under **Role**, select **Storage Blob Data Contributor**.

-3. Select **Save** to add the permission to the system managed identity.

-The export API exposes one `POST` endpoint for exporting data.

-Given a *source*, the set of data to be exported, and a *destination*, the location to which data will be exported, the endpoint returns a reference to a new, long-running export operation. The duration of this operation depends on the volume of data to be exported. See [Operation Status](#operation-status) below for more details about monitoring progress of export operations.

-Any errors encountered while attempting to export will be recorded in an error log. See [Errors](#errors) below for details.

-| `Values` | Yes | | A list of one or more DICOM studies, series, and/or SOP instances identifiers in the format of `"<StudyInstanceUID>[/<SeriesInstanceUID>[/<SOPInstanceUID>]]"`. |

-The connection to the Azure Blob storage account is specified with a `BlobContainerUri`.

-| `BlobContainerUri` | No | `""` | The complete URI for the blob container. |

-| `UseManagedIdentity` | Yes | `false` | A required flag indicating whether managed identity should be used to authenticate to the blob container. |

-The below example requests the export of the following DICOM resources to the blob container named `export` in the storage account named `dicomexport`:

-Inside of the destination container, the DCM files can be found with the following path format: `<operation id>/results/<study>/<series>/<sop instance>.dcm`

-The above `href` URL can be polled for the current status of the export operation until completion. Once the job has reached a terminal state, the API will return a 200 status code instead of 202, and the value of its status property will be updated accordingly.

-If there are any user errors when exporting a DICOM file, then the file is skipped and its corresponding error is logged. This error log is also exported alongside the DICOM files and can be reviewed by the caller. The error log can be found at `<export blob container uri>/<operation ID>/errors.log`.

-Each line of the error log is a JSON object with the following properties. A given error identifier may appear multiple times in the log as each update to the log is processed *at least once*.

-| `Timestamp` | The date and time when the error occurred. |

-| `Identifier` | The identifier for the DICOM study, series, or SOP instance in the format of `"<study instance UID>[/<series instance UID>[/<SOP instance UID>]]"`. |

-| `Error` | The detailed error message. |

-This article outlines the basic steps to get started with the DICOM&reg; service in [Azure Health Data Services](../healthcare-apis-overview.md).

-As a prerequisite, you need an Azure subscription and permissions to create Azure resource groups and to deploy Azure resources. You can follow all the steps, or skip some if you have an existing environment. Also, you can combine all the steps and complete them in PowerShell, Azure CLI, and REST API scripts. You need a workspace to provision a DICOM service. A FHIR&reg; service is optional and is needed only if you connect imaging data with electronic health records of the patient via DICOMcast.

-[](media/get-started-with-dicom.png#lightbox)

-You can create a workspace from the [Azure portal](../healthcare-apis-quickstart.md) or using PowerShell, Azure CLI, and REST API. You can find scripts from the [Azure Health Data Services samples](https://github.com/microsoft/healthcare-apis-samples/tree/main/src/scripts).

-You can create a DICOM service instance from the [Azure portal](deploy-dicom-services-in-azure.md) or using PowerShell, Azure CLI, and REST API. You can find scripts from the [Azure Health Data Services samples](https://github.com/microsoft/healthcare-apis-samples/tree/main/src/scripts).

-You can create or register a client application from the [Azure portal](dicom-register-application.md), or using PowerShell and Azure CLI scripts. This client application can be used for one or more DICOM service instances. It can also be used for other services in Azure Health Data Services.

-You can delete a client application. Before doing that, ensure that it's not used in production, dev, test, or quality assurance (QA) environments.

-You can grant access permissions or assign roles from the [Azure portal](../configure-azure-rbac.md), or using PowerShell and Azure CLI scripts.

-### Perform create, read, update, and delete (CRUD) transactions

-You can perform, create, read (search), update, or delete (CRUD) transactions against the DICOM service in your applications or by using tools such as Postman, REST Client, cURL, and Python. Because the DICOM service is secured by default, you must obtain an access token and include it in your transaction request.

-You can obtain a Microsoft Entra access token using PowerShell, Azure CLI, REST CLI, or .NET SDK. For more information, see [Get access token](../get-access-token.md).

-#### Access using existing tools

-You can find more details on DICOMweb standard APIs and change feed in the [DICOM service](dicom-services-overview.md) documentation.

-DICOMcast is currently available as an [open source](https://github.com/microsoft/dicom-server/blob/main/docs/concepts/dicom-cast.md) project.

-[Deploy DICOM service using the Azure portal](deploy-dicom-services-in-azure.md)

-description: Learn how to import DICOM files using bulk import in Azure Health Data Services

-# Import DICOM files (Preview)

-

-2. On the **Identity** page, select the **System assigned** tab, and then set the **Status** field to **On**. Choose **Save**.

-2. On the **Bulk Import** page, in the **Bulk Import** field, select **Enabled**. Choose **Save**.

-#### Use an Azure Resource Manager (ARM) template

-When you use an ARM template, enable bulk import with the property named `bulkImportConfiguration`.

-After you enable bulk import, a resource group is provisioned in your Azure subscription. The name of the resource group begins with the prefix `AHDS_`, followed by the workspace and DICOM service name. For example, the DICOM service named `mydicom` in the workspace `contoso`, the resource group would be named `AHDS_contoso-mydicom`.

-The user or account that adds DICOM images to the import container needs write access to the container using the `Data Owner` role. For more information, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

-Data is uploaded to Azure storage containers in many ways:

-description: Use Azure OpenAI models in Azure Machine Learning

-# How to use Azure OpenAI models in Azure Machine Learning (Preview)

-In this article, you learn how to discover, finetune and deploy Azure OpenAI models at scale, using Azure Machine Learning.

-## What is OpenAI Models in Azure Machine Learning?

-In recent years, advancements in AI have led to the rise of large foundation models that are trained on a vast quantity of data. These models can be easily adapted to a wide variety of applications across various industries. This emerging trend gives rise to a unique opportunity for enterprises to build and use these foundation models in their deep learning workloads.

-**OpenAI Models in AzureML** provides Azure Machine Learning native capabilities that enable customers to build and operationalize OpenAI models at scale:

-## Access Azure OpenAI models in Azure Machine Learning

-The model catalog (preview) in Azure Machine Learning studio is your starting point to explore various collections of foundation models. The Azure OpenAI models collection is a collection of models, exclusively available on Azure. These models enable customers to access prompt engineering, finetuning, evaluation, and deployment capabilities for large language models available in Azure OpenAI Service. You can view the complete list of supported OpenAI models in the [model catalog](https://ml.azure.com/model/catalog), under the `Azure OpenAI Service` collection.

-> [!TIP]

->Supported OpenAI models are published to the AzureML Model Catalog. View a complete list of [Azure OpenAI models](../ai-services/openai/concepts/models.md).

-You can filter the list of models in the model catalog by inference task, or by finetuning task. Select a specific model name and see the model card for the selected model, which lists detailed information about the model. For example:

-### Connect to Azure OpenAI service

-In order to deploy an Azure OpenAI model, you need to have an [Azure OpenAI resource](https://azure.microsoft.com/products/cognitive-services/openai-service/). You can create an Azure OpenAI resource following the instructions [here](../ai-services/openai/how-to/create-resource.md).

-### Deploying Azure OpenAI models

-To deploy an Azure Open Model from Azure Machine Learning, in order to deploy an Azure OpenAI model:

-1. Select on **Model Catalog** in the left pane.

-1. Select **View Models** under Azure OpenAI language models. Then select a model to deploy.

-1. Select `Deploy` to deploy the model to the Azure OpenAI service.

- :::image type="content" source="./media/how-to-use-openai-models-in-azure-ml/deploy-to-azure-open-ai-turbo.png" lightbox="./media/how-to-use-openai-models-in-azure-ml/deploy-to-azure-open-ai-turbo.png" alt-text="Screenshot showing the deploy to Azure OpenAI.":::

-1. Select on **Azure OpenAI resource** from the options

-1. Provide a name for your deployment in **Deployment Name** and select **Deploy**.

-1. The find the models deployed to Azure OpenAI service, go to the **Endpoint** section in your workspace.

-1. Select the **Azure OpenAI** tab and find the deployment you created. When you select the deployment, you'll be redirect to the OpenAI resource that is linked to the deployment.

-> [!NOTE]

-> Azure Machine Learning will automatically deploy [all base Azure OpenAI models](../ai-services/openai/concepts/models.md) for you so you can using interact with the models when getting started.

-## Finetune Azure OpenAI models using your own training data

-In order to improve model performance in your workload, you might want to fine tune the model using your own training data. You can easily finetune these models by using either the finetune settings in the studio or by using the code based samples in this tutorial.

-

-### Finetune using the studio

-You can invoke the finetune settings form by selecting on the **Finetune** button on the model card for any foundation model.

-**Finetune Settings:**

-**Training Data**

-

-1. Pass in the training data you would like to use to finetune your model. You can choose to either upload a local file (in JSONL format) or select an existing registered dataset from your workspace.

-For models with completion task type, the training data you use must be formatted as a JSON Lines (JSONL) document in which each line represents a single prompt-completion pair.

- :::image type="content" source="./media/how-to-use-openai-models-in-azure-ml/finetune-training-data.png" lightbox="./media/how-to-use-openai-models-in-azure-ml/finetune-training-data.png" alt-text="Screenshot showing the training data in the finetune UI section.":::

- For models with a chat task type, each row in the dataset should be a list of JSON objects. Each row corresponds to a conversation and each object in the row is a turn/utterance in the conversation.

- :::image type="content" source="./media/how-to-use-openai-models-in-azure-ml/finetune-training-data-chat.png" lightbox="./media/how-to-use-openai-models-in-azure-ml/finetune-training-data-chat.png" alt-text="Screenshot showing the training data after the data is uploaded into Azure.":::

- * Validation data: Pass in the data you would like to use to validate your model.

-2. Select **Finish** in the finetune form to submit your finetuning job. Once the job completes, you can view evaluation metrics for the finetuned model. You can then deploy this finetuned model to an endpoint for inferencing.

-**Customizing finetuning parameters:**

-If you would like to customize the finetuning parameters, you can select on the Customize button in the Finetune wizard to configure parameters such as batch size, number of epochs and learning rate multiplier. Each of these settings has default values, but can be customized via code based samples, if needed.

-**Deploying finetuned models:**

-To run a deploy fine-tuned model job from Azure Machine Learning, in order to deploy finetuned an Azure OpenAI model:

-1. After you have finished finetuning an Azure OpenAI model

-1. Find the registered model in **Models** list with the name provided during finetuning and select the model you want to deploy.

-1. Select the **Deploy** button and give the deployment name. The model is deployed to the default Azure OpenAI resource linked to your workspace.

-### Finetuning using code based samples

-To enable users to quickly get started with code based finetuning, we have published samples (both Python notebooks and CLI examples) to the azureml-examples git repo -

-Here are some steps to help you resolve any of the following issues with your Azure OpenAI in Azure Machine Learning experience.

-You might receive any of the following errors when you try to deploy an Azure OpenAI model.

- - **Fix**: Go to the [Azure OpenAI Studio](https://oai.azure.com/portal) and delete the deployments of the model you're trying to deploy.

- - **Fix**: Azure OpenAI failed to create. This is due to quota issues, make sure you have enough quota for the deployment. The default quota for fine-tuned models is 2 deployment per customer.

- - **Fix**: Unable to create the resource. You either aren't in correct region, or you have exceeded the maximum limit of three Azure OpenAI resources. You need to delete an existing Azure OpenAI resource or you need to make sure you created a workspace in one of the [supported regions](../ai-services/openai/concepts/models.md#model-summary-table-and-region-availability).

- - **Fix**: This usually happens while trying to deploy a GPT-4 model. Due to high demand you need to [apply for access to use GPT-4 models](/azure/ai-services/openai/concepts/models#gpt-4-models).

- - **Fix**: Currently, only a maximum of 10 workspaces can be designated for a particular subscription for new fine tunable models. If a user creates more workspaces, they will get access to the models, but their jobs will fail. Try to limit number of workspaces per subscription to 10.

-[How to use foundation models](how-to-use-foundation-models.md)

-Normally the network load balancer, VMs and database that underpin a Managed Grafana instance are located in a region based on system resource availability, and could end up being in a same Azure datacenter.

-#### Create a workspace: basic and advanced settings

- | Zone redundancy | Zone redundancy is disabled by default. Zone redundancy automatically provisions and manages a standby replica of the Managed Grafana instance in a different availability zone within one region. There's an [additional charge](https://azure.microsoft.com/pricing/details/managed-grafana/#pricing) for this option. | *Disabled* |

- :::image type="content" source="media/authentication/create-form-basics.png" alt-text="Screenshot of the Azure portal. Create workspace form. Basics.":::

-1. Select **Next : Advanced >** to access API key creation and statics IP address options. **Enable API key creation** and **Deterministic outbound IP** options are set to **Disable** by default. Optionally enable API key creation and enable a static IP address.

-1. Select **Next : Permission >** to control access rights for your Grafana instance and data sources:

-#### Create a workspace: permission settings

-#### Create a workspace: tags and review + create

-1. Select **Next : Tags** and optionally add tags to categorize resources.

-1. Select **Next : Review + create >**. After validation runs, select **Create**. Your Azure Managed Grafana resource is deploying.

- :::image type="content" source="media/authentication/create-form-validation.png" alt-text="Screenshot of the Azure portal. Create workspace form. Validation.":::

-## Sign in to Azure

-Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.com/) with your Azure account.

-By design, Grafana can be configured with multiple data sources. A data source is an externalized storage backend that holds your telemetry information. Azure Managed Grafana supports many popular data sources.

-Azure-specific data sources available for all customers:

-Data sources reserved for Grafana Enterprise customers - exclusively preloaded in instances with a Grafana Enterprise subscription:

-Other data sources:

-## Add a datasource

-A number of data sources are added by in your Grafana instance by default. To add more data sources, follow the steps below using the Azure portal or the Azure CLI.

-1. Open the Grafana UI of your Azure Managed Grafana instance and select **Configuration** > **Data sources** from the left menu.

-1. Select **Add data source**, search for the data source you need from the available list, and select it.

-> [!NOTE]

-> Installing Grafana plugins listed on the page **Configuration** > **Plugins** isnΓÇÖt currently supported.

-The Azure Monitor data source is automatically added to all new Managed Grafana resources. To review or modify its configuration, follow these steps below in the Grafana UI of your Azure Managed Grafana instance or in the Azure CLI.

-1. From the left menu, select **Configuration** > **Data sources**.

-> User-assigned managed identity isn't supported currently.

-When creating an instance, in the **Advanced** tab, set **Deterministic outbound IP** to **Enable**.

-> Zone redundancy for Azure Managed Grafana is a billable option. [See prices](https://azure.microsoft.com/pricing/details/managed-grafana/#pricing). Zone redundancy can only be enabled when creating the Managed Grafana instance, and can't be modified subsequently.

-## Prerequisite

-An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

-## Create a Managed Grafana workspace

- | Setting | Description | Example |

- ||-||

- | Subscription ID | Select the Azure subscription you want to use. | *my-subscription* |

- | Resource group name | Create a resource group for your Azure Managed Grafana resources. | *my-resource-group* |

- | Location | Use Location to specify the geographic location in which to host your resource. Choose the location closest to you. | *(US) East US* |

- | Name | Enter a unique resource name. It will be used as the domain name in your Managed Grafana instance URL. | *my-grafana* |

- | Zone Redundancy | Set **Enable Zone Redundancy** to **Enable**. Zone redundancy automatically provisions and manages a standby replica of the Managed Grafana instance in a different availability zone within one region. | *Enabled* |

-1. Set **Zone redundancy** to **Enable**. Zone redundancy automatically provisions and manages a standby replica of the Managed Grafana instance in a different availability zone within one region. There's an [additional charge](https://azure.microsoft.com/pricing/details/managed-grafana/#pricing) for this option.

- :::image type="content" source="media/zone-redundancy/create-form-basics.png" alt-text="Screenshot of the Azure portal. Create workspace form. Basics.":::

-Grafana Enterprise plugins, as of January 2023:

-To activate Grafana Enterprise plugins when creating an Azure Managed Grafana Workspace, in **Create a Grafana Workspace**, go to the **Basics** tab and follow the steps below:

-Grafana Enterprise gives you access to preinstalled plugins reserved for Grafana Enterprise customers. Once you've activated a Grafana Enterprise plan, go to the Grafana platform, and then select **Configuration > Data sources** from the left menu to set up a data source.

-To disable access to an Azure Managed Grafana workspace from public network, follow these steps:

- 1. For **Integrate with private DNS zone**, select **Yes** to integrate your private endpoint with a private DNS zone. You may also use your own DNS servers or create DNS records using the host files on your virtual machines.

-SMTP settings can be enabled on an existing Azure Managed Grafana instance via the Azure Portal and the Azure CLI. Enabling SMTP settings while creating a new instance is currently not supported.

- 1. Select **Save** to save the SMTP settings. Updating may take a couple of minutes.

-The following are some common error messages you may encounter:

-In this guide, you learn how to set up Azure Monitor alerts and use them with Azure Managed Grafana. Both Azure Monitor and Grafana provide alerting functions. Grafana alerts work with any supported data source. Alert rules are processed in your Managed Grafana workspace. Because of that, Grafana alerts need to share the same compute resources and query throttling limits with dashboard rendering. Azure Monitor has its own [alert system](../azure-monitor/alerts/alerts-overview.md). It offers many advantages:

-For any Azure Monitor service, including Managed Service for Prometheus, you should define and manage your alert rules in Azure Monitor. You can view fired and resolved alerts in the [Azure Alert Consumption dashboard](https://grafana.com/grafana/dashboards/15128-azure-alert-consumption/) included in Managed Grafana.

-> You'll see a "Image Rendering Timeout" error if a rendering request has exceeded the 200 second limit.

-Azure Managed Grafana delivers the native Grafana functionality in the highest possible fidelity. There are some differences between what it provides and what you can get by self-hosting Grafana. As a general rule, Azure Managed Grafana disables features and settings that may affect the security or reliability of the service and individual Grafana instances it manages.

-* Data source query results are capped at 80 MB. To mitigate this constraint, reduce the size of the query, for example, by shortening the time duration.

-* Querying Azure Data Explorer may take a long time or return 50x errors. To resolve these issues, use a table format instead of a time series, shorten the time duration, or avoid having many panels querying the same data cluster that can trigger throttling.

-* Unified alerting is enabled by default for all instances created after December 2022. For instances created before this date, unified alerting must be enabled manually by the Azure Managed Grafana team. For activation, [contact us](mailto:ad4g@microsoft.com)

- | Setting | Sample value | Description |

- ||||

- | Subscription ID | *my-subscription* | Select the Azure subscription you want to use. |

- | Resource group name | *my-resource-group* | Create a resource group for your Azure Managed Grafana resources. |

- | Location | *(US) East US* | Use Location to specify the geographic location in which to host your resource. Choose the location closest to you. |

- | Name | *my-grafana* | Enter a unique resource name. It will be used as the domain name in your Managed Grafana instance URL. |

- | Zone redundancy | *Disabled* | Zone redundancy is disabled by default. Zone redundancy automatically provisions and manages a standby replica of the Managed Grafana instance in a different availability zone within one region. There's an [additional charge](https://azure.microsoft.com/pricing/details/managed-grafana/#pricing) for this option. |

- :::image type="content" source="media/quickstart-portal/create-form-basics.png" alt-text="Screenshot of the Azure portal. Create workspace form. Basics.":::

-1. Select **Next : Advanced >** to access API key creation and statics IP address options. **Enable API key creation** and **Deterministic outbound IP** options are set to **Disable** by default. Optionally enable API key creation and enable a static IP address.

- :::image type="content" source="media/quickstart-portal/create-form-advanced.png" alt-text="Screenshot of the Azure portal. Create workspace form. Advanced.":::

- :::image type="content" source="media/quickstart-portal/create-form-permission.png" alt-text="Screenshot of the Azure portal. Create workspace form. Permission.":::

- :::image type="content" source="media/quickstart-portal/create-form-tags.png" alt-text="Screenshot of the Azure portal. Create workspace form. Tags.":::

- > [!NOTE]

- > Azure Managed Grafana doesn't support connecting with personal Microsoft accounts currently.

-After you verify the connectivity, download the appliance setup and key file, run the installation process, and register the appliance to Azure Migrate. Learn more about how to [set up the replication appliance](./tutorial-migrate-physical-virtual-machines.md#prepare-a-machine-for-the-replication-appliance). After you set up the replication appliance, follow these instructions to [install the mobility service](./tutorial-migrate-physical-virtual-machines.md#install-the-mobility-service) on the machines you want to migrate.

- 

- 

- 

- 

-3. In **1:Generate project key**, provide a name for the Azure Migrate appliance that you'll set up for discovery of physical or virtual servers. The name should be alphanumeric with 14 characters or fewer.

-1. Copy the key as you'll need it to complete the registration of the appliance during its configuration.

- [ ](./media/tutorial-assess-physical/generate-key-physical-expanded-1.png#lightbox)

- > This is a new user experience in Azure Migrate appliance which is available only if you have set up an appliance using the latest OVA/Installer script downloaded from the portal. The appliances which have already been registered will continue seeing the older version of the user experience and will continue to work without any issues.

- 2. The appliance will verify the key and start the auto-update service, which updates all the services on the appliance to their latest versions. When the auto-update has run, you can select **View appliance services** to see the status and versions of the services running on the appliance server.

- 3. To register the appliance, you need to select **Login**. In **Continue with Azure Login**, select **Copy code & Login** to copy the device code (you must have a device code to authenticate with Azure) and open an Azure Login prompt in a new browser tab. Make sure you've disabled the pop-up blocker in the browser to see the prompt.

- > If you close the login tab accidentally without logging in, refresh the browser tab of the appliance configuration manager to display the device code and Copy code & Login button.

- 

- > By default, the credentials will be used to gather data about the installed applications, roles, and features, and also to collect dependency data from Windows and Linux servers, unless you disable the slider to not perform these features (as instructed in the last step).

-1. Select Save. The appliance will try validating the connection to the servers added and show the **Validation status** in the table against each server.

-1. To perform discovery of SQL Server instances and databases, you can add additional credentials (Windows domain/non-domain, SQL authentication credentials) and the appliance will attempt to automatically map the credentials to the SQL servers. If you add domain credentials, the appliance will authenticate the credentials against Active Directory of the domain to prevent any user accounts from locking out. To check validation of the domain credentials, follow these steps:

-* Appliance can connect to only those SQL Server instances to which it has network line of sight, whereas software inventory by itself may not need network line of sight.

-* [Software inventory](how-to-discover-applications.md) identifies web server role existing on discovered servers. If a server is found to have web server role enabled, Azure Migrate will perform web apps discovery on the server. Web apps configuration data is updated once every 24 hours.

-* By default, Azure Migrate uses the most secure way of connecting to SQL instances that is, Azure Migrate encrypts communication between the Azure Migrate appliance and the source SQL Server instances by setting the TrustServerCertificate property to `true`. Additionally, the transport layer uses SSL to encrypt the channel and bypass the certificate chain to validate trust. Hence, the appliance server must be set up to trust the certificate's root authority. However, you can modify the connection settings, by selecting **Edit SQL Server connection properties** on the appliance. [Learn more](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine) to understand what to choose.

-> If you choose to delete a server where discovery has been initiated, it will stop the ongoing discovery and assessment which may impact the confidence rating of the assessment that includes this server. [Learn more](./common-questions-discovery-assessment.md#why-is-the-confidence-rating-of-my-assessment-low)

-## Install the Mobility service

-A Mobility service agent must be installed on the source AWS VMs to be migrated. The agent installers are available on the replication appliance. You find the right installer, and install the agent on each machine you want to migrate. Do as follows:

-1. Sign in to the replication appliance.

-2. Navigate to **%ProgramData%\ASR\home\svsystems\pushinstallsvc\repository**.

-3. Find the installer for the source AWS VMs operating system and version. Review [supported operating systems](../site-recovery/vmware-physical-azure-support-matrix.md#replicated-machines).

-4. Copy the installer file to the source AWS VM you want to migrate.

-5. Make sure that you have the saved passphrase text file that was created when you installed the replication appliance.

- - If you forgot to save the passphrase, you can view the passphrase on the replication appliance with this step. From the command line, run **C:\ProgramData\ASR\home\svsystems\bin\genpassphrase.exe -v** to view the current passphrase.

- - Now, copy this passphrase to your clipboard and save it in a temporary text file on the source VMs.

-### Installation guide for Windows AWS VMs

-1. Extract the contents of installer file to a local folder (for example C:\Temp) on the AWS VM, as follows:

- ```

- ren Microsoft-ASR_UA*Windows*release.exe MobilityServiceInstaller.exe

- MobilityServiceInstaller.exe /q /x:C:\Temp\Extracted

- cd C:\Temp\Extracted

- ```

-2. Run the Mobility Service Installer:

- ```

- UnifiedAgent.exe /Role "MS" /Silent

- ```

-3. Register the agent with the replication appliance:

- ```

- cd C:\Program Files (x86)\Microsoft Azure Site Recovery\agent

- UnifiedAgentConfigurator.exe /CSEndPoint <replication appliance IP address> /PassphraseFilePath <Passphrase File Path>

- ```

-### Installation guide for Linux AWS VMs

-1. Extract the contents of the installer tarball to a local folder (for example /tmp/MobSvcInstaller) on the AWS VM, as follows:

- ```

- mkdir /tmp/MobSvcInstaller

- tar -C /tmp/MobSvcInstaller -xvf <Installer tarball>

- cd /tmp/MobSvcInstaller

- ```

-2. Run the installer script:

- ```

- sudo ./install -r MS -v VmWare -d <Install Location> -q -c CSLegacy

- ```

-3. Register the agent with the replication appliance:

- ```

- /usr/local/ASR/Vx/bin/UnifiedAgentConfigurator.sh -i <replication appliance IP address> -P <Passphrase File Path> -c CSLegacy

- ```

-## Install the Mobility service

-A Mobility service agent must be installed on the source GCP VMs to be migrated. The agent installers are available on the replication appliance. You find the right installer, and install the agent on each machine you want to migrate. Do as follows:

-1. Sign in to the replication appliance.

-2. Navigate to **%ProgramData%\ASR\home\svsystems\pushinstallsvc\repository**.

-3. Find the installer for the source GCP VMs operating system and version. Review [supported operating systems](../site-recovery/vmware-physical-azure-support-matrix.md#replicated-machines).

-4. Copy the installer file to the source GCP VM you want to migrate.

-5. Make sure that you have the saved passphrase text file that was created when you installed the replication appliance.

- - If you forgot to save the passphrase, you can view the passphrase on the replication appliance with this step. From the command line, run **C:\ProgramData\ASR\home\svsystems\bin\genpassphrase.exe -v** to view the current passphrase.

- - Now, copy this passphrase to your clipboard and save it in a temporary text file on the source VMs.

-### Installation guide for Windows GCP VMs

-1. Extract the contents of installer file to a local folder (for example C:\Temp) on the GCP VM, as follows:

- ```

- ren Microsoft-ASR_UA*Windows*release.exe MobilityServiceInstaller.exe

- MobilityServiceInstaller.exe /q /x:C:\Temp\Extracted

- cd C:\Temp\Extracted

- ```

-2. Run the Mobility Service Installer:

- ```

- UnifiedAgent.exe /Role "MS" /Silent

- ```

-3. Register the agent with the replication appliance:

- ```

- cd C:\Program Files (x86)\Microsoft Azure Site Recovery\agent

- UnifiedAgentConfigurator.exe /CSEndPoint <replication appliance IP address> /PassphraseFilePath <Passphrase File Path>

- ```

-### Installation guide for Linux GCP VMs

-## Install the Mobility service

-On machines you want to migrate, you need to install the Mobility service agent. The agent installers are available on the replication appliance. You find the right installer, and install the agent on each machine you want to migrate. Do this as follows:

-1. Sign in to the replication appliance.

-2. Navigate to **%ProgramData%\ASR\home\svsystems\pushinstallsvc\repository**.

-3. Find the installer for the machine operating system and version. Review [supported operating systems](../site-recovery/vmware-physical-azure-support-matrix.md#replicated-machines).

-4. Copy the installer file to the machine you want to migrate.

-5. Make sure that you have the passphrase that was generated when you deployed the appliance.

- - Store the file in a temporary text file on the machine.

- - You can obtain the passphrase on the replication appliance. From the command line, run **C:\ProgramData\ASR\home\svsystems\bin\genpassphrase.exe -v** to view the current passphrase.

- - Don't regenerate the passphrase. This will break connectivity and you will have to reregister the replication appliance.

-> [!NOTE]

-> In the */Platform* parameter, you specify *VMware* if you migrate VMware VMs, or physical machines.

-### Install on Windows

-1. Extract the contents of installer file to a local folder (for example C:\Temp) on the machine, as follows:

- ```

- ren Microsoft-ASR_UA*Windows*release.exe MobilityServiceInstaller.exe

- MobilityServiceInstaller.exe /q /x:C:\Temp\Extracted

- cd C:\Temp\Extracted

- ```

-2. Run the Mobility Service Installer:

- ```

- UnifiedAgent.exe /Role "MS" /Platform "VmWare" /Silent /CSType CSLegacy

- ```

-3. Register the agent with the replication appliance:

- ```

- cd C:\Program Files (x86)\Microsoft Azure Site Recovery\agent

- UnifiedAgentConfigurator.exe /CSEndPoint <replication appliance IP address> /PassphraseFilePath <Passphrase File Path>

- ```

-### Install on Linux

-Configure [VNet-to-VNet VPN gateway connection](../../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md) to establish connectivity to a Azure Database for MySQL from an Azure VM in a different region or subscription.

-| **Subscription_s** | Subscription of the Azure virtual network / network interface / virtual machine is populated in this field | Applicable only for FlowType = S2S, P2S, AzurePublic, ExternalPublic, MaliciousFlow, and UnknownPrivate flow types (flow types where only one side is Azure). |

-| **Subscription1_s** | Subscription ID | Subscription ID of virtual network / network interface / virtual machine that the source IP in the flow belongs to. |

-| **Subscription2_s** | Subscription ID | Subscription ID of virtual network/ network interface / virtual machine that the destination IP in the flow belongs to. |

-> - Deprecated fields: `VMIP_s`, `Subscription_s`, `Region_s`, `NSGRules_s`, `Subnet_s`, `VM_s`, `NIC_s`, `PublicIPs_s`, `FlowCount_d`

-## Next Steps

- For more information about NSG flow logs, see [VNet flow logs overview](vnet-flow-logs-overview.md).

-Configure a contact profile with Azure Orbital Ground Station to save and reuse contact configurations. This is required before scheduling a contact to ingest data from a satellite into Azure.

-1. In the Azure portal search box, enter **Contact Profiles**. Select **Contact Profiles** in the search results. Alternatively, navigate to the Azure Orbital service and select **Contact profiles** in the left column.

-2. In the **Contact Profiles** page, select **Create**.

-3. In **Create Contact Profile Resource**, enter or select this information in the **Basics** tab:

- | Subscription | Select a subscription |

- | Resource group | Select a resource group |

- | Name | Enter the contact profile name. Specify the antenna provider and mission information here. Like *Microsoft_Aqua_Uplink_Downlink_1* |

- | Region | Select a region |

- | Minimum viable contact duration | Define the minimum duration of the contact as a prerequisite to show you available time slots to communicate with your spacecraft. If an available time window is less than this time, it won't show in the list of available options. Provide minimum contact duration in ISO 8601 format. Like *PT1M* |

- | Minimum elevation | Define minimum elevation of the contact, after acquisition of signal (AOS), as a prerequisite to show you available time slots to communicate with your spacecraft. Using higher value can reduce the duration of the contact. Provide minimum viable elevation in decimal degrees. |

- | Auto track configuration | Select the frequency band to be used for autotracking during the contact. X band, S band, or Disabled. |

- | Event Hubs Namespace | Select an Event Hubs Namespace to which you'll send telemetry data of your contacts. Select a Subscription before you can select an Event Hubs Namespace. |

- | Event Hubs Instance | Select an Event Hubs Instance that belongs to the previously selected Namespace. *This field will only appear if an Event Hubs Namespace is selected first*. |

- | Virtual Network | Select a Virtual Network according to the instructions on the page. |

- :::image type="content" source="media/orbital-eos-contact-profile.png" alt-text="Contact Profile Resource Page" lightbox="media/orbital-eos-contact-profile.png":::

-4. Select the **Links** tab, or select the **Next: Links** button at the bottom of the page.

-5. In the **Links** page, select **Add new Link**.

-6. In the **Add Link** page, enter or select this information per link direction:

- | Name | Provide a name for the link |

- | Direction | Select the link direction |

- | Gain/Temperature (Downlink only) | Enter the gain to noise temperature in db/K |

- | EIRP in dBW (Uplink only) | Enter the effective isotropic radiated power in dBW |

- | Polarization | Select RHCP, LHCP, Dual, or Linear Vertical |

-7. Select the **Add Channel** button.

-8. In the **Add Channel** page, enter or select this information per channel:

- | Name | Enter the name for the channel |

- | Center Frequency | Enter the center frequency in MHz |

- | Bandwidth MHz | Enter the bandwidth in MHz |

- | Endpoint name | Enter the name of the data delivery endpoint |

- | IP Address | Specify the IP Address for data retrieval/delivery |

- | Port | Specify the Port for data retrieval/delivery |

- | Protocol | Select TCP or UDP protocol for data retrieval/delivery |

- | Demodulation Configuration Type (Downlink only) | Select type |

- | Demodulation Configuration (Downlink only) | Refer to [configure the modem chain](modem-chain.md) for options. |

- | Decoding Configuration (Downlink only)| If applicable, paste your decoding configuration |

- | Modulation Configuration (Uplink only) | Refer to [configure the modem chain](modem-chain.md) for options. |

- | Encoding Configuration (Uplink only)| If applicable, paste your encoding configuration |

- :::image type="content" source="media/orbital-eos-contact-link.png" alt-text="Contact Profile Links Page" lightbox="media/orbital-eos-contact-link.png":::

-7. Select the **Submit** button to add the channel.

-8. After adding all channels, select the **Submit** button to add the link.

-9. If a mission requires third-party providers, select the **Third-Party Configuration** tab, or select the **Next: Third-Party Configurations** button at the bottom of the page.

- > Mission configurations are agreed upon with third-party providers. Contacts can only be successfully scheduled with the partners if the contact profile contains the discussed mission configuration.

-10. In the **Third-Party Configurations** page, select **Add new Configuration**.

-11. In the **Mission Configuration** page, enter this information:

- | Provider Name | Enter the name of the provider |

- | Mission Configuration | Enter the mission configuration from the provider |

-13. Select the **Submit** button to add the mission configuration.

-14. Select the **Review + create** tab or select the **Review + create** button at the bottom of the page.

-15. Select the **Create** button.

-description: Learn how to schedule a contact with NASA's Aqua public satellite by using the Azure Orbital Ground Station service.

-# Customer intent: As a satellite operator, I want to ingest data from NASA's Aqua public satellite into Azure.

-# Tutorial: Downlink data from NASA's Aqua public satellite

-You can communicate with satellites directly from Azure by using the Azure Orbital Ground Station service. After you downlink data, you can process and analyze it in Azure. In this guide, you'll learn how to:

-> * Create and authorize a spacecraft for the Aqua public satellite.

-> * Prepare a virtual machine (VM) to receive downlinked Aqua data.

-> * Configure a contact profile for an Aqua downlink mission.

-> * Schedule a contact with Aqua by using Azure Orbital and save the downlinked data.

-Sign in to the [Azure portal - Azure Orbital Preview](https://aka.ms/orbital/portal).

-> [!NOTE]

-> For all the procedures in this tutorial, follow the steps exactly as shown, or you won't be able to find the resources. Use the preceding link to sign in directly to the Azure Orbital Preview page.

-## Create a spacecraft resource for Aqua

-1. In the Azure portal search box, enter **Spacecraft**. Select **Spacecraft** in the search results.

-2. On the **Spacecraft** page, select **Create**.

-3. Get an up-to-date Two-Line Element (TLE) for Aqua by checking [CelesTrak](https://celestrak.com/NORAD/elements/active.txt).

- > Be sure to update this TLE value before you schedule a contact. A TLE that's more than two weeks old might result in an unsuccessful downlink.

-4. In **Create spacecraft resource**, on the **Basics** tab, enter or select this information:

- | **Name** | Enter **AQUA**. |

- | **NORAD ID** | Enter **27424**. |

- | **TLE title line** | Enter **AQUA**. |

-5. Select the **Links** tab, or select the **Next: Links** button at the bottom of the page. Then, enter or select this information:

- | **Center Frequency** | Enter **8160**. |

- | **Bandwidth** | Enter **15**. |

-7. Select the **Review + create** tab, or select the **Next: Review + create** button.

-8. Select **Create**.

-## Request authorization of the new Aqua spacecraft resource

-1. Go to the overview page for the newly created spacecraft resource.

-2. On the left pane, in the **Support + troubleshooting** section, select **New support request**.

-3. On the **New support request** page, on the **Basics** tab, enter or select this information:

- | **Summary** | Enter **Request authorization for AQUA**. |

-4. Select the **Details** tab at the top of the page. In the **Problem details** section, enter this information:

- | **When did the problem start?** | Select the current date and time. |

- | **Description** | List Aqua's center frequency (**8160**) and the desired ground stations. |

- | **File upload** | Upload any pertinent licensing material, if applicable. |

-6. Complete the **Advanced diagnostic information** and **Support method** sections of the **Details** tab.

-7. Select the **Review + create** tab, or select the **Next: Review + create** button.

-8. Select **Create**.

- > You can confirm that your spacecraft resource for Aqua is authorized by checking that the **Authorization status** shows **Allowed** on the spacecraft's overview page.

-## Prepare your virtual machine and network to receive Aqua data

-1. [Create a virtual network](../virtual-network/quick-create-portal.md) to host your data endpoint VM.

-2. [Create a virtual machine](../virtual-network/quick-create-portal.md#create-virtual-machines) within the virtual network that you created. Ensure that this VM has the following specifications:

- - The operating system is Linux (Ubuntu 20.04 or later).

- - The size is at least 32 GiB of RAM.

- - The VM has internet access for downloading tools by having one standard public IP address.

-3. Enter the following commands to create a temporary file system (*tmpfs*) on the virtual machine. This virtual machine is where the data will be written to avoid slow writes to disk.

-4. Enter the following command to ensure that the Socat tool is installed on the machine:

-5. [Prepare the network for Azure Orbital Ground Station integration](prepare-network.md) to configure your network.

-## Configure a contact profile for an Aqua downlink mission

-1. In the Azure portal's search box, enter **Contact profile**. Select **Contact profile** in the search results.

-2. On the **Contact profile** page, select **Create**.

-3. In **Create contact profile resource**, on the **Basics** tab, enter or select this information:

- | **Subscription** | Select your subscription. |

- | **Resource group** | Select your resource group. |

- | **Name** | Enter **AQUA_Downlink**. |

- | **Event Hubs Namespace** | Select an Azure Event Hubs namespace to which you'll send telemetry data for your contacts. You must select a subscription before you can select an Event Hubs namespace. |

- | **Event Hubs Instance** | Select an Event Hubs instance that belongs to the previously selected namespace. This field appears only if you select an Event Hubs namespace first. |

-4. Select the **Links** tab, or select the **Next: Links** button at the bottom of the page. Then, select **Add new Link**.

-6. On the **Add Link** pane, enter or select this information:

- | **Direction** | Enter **Downlink**. |

- | **Gain/Temperature in db/K** | Enter **0**. |

- | **Center Frequency** | Enter **8160.0**. |

- | **Bandwidth MHz** | Enter **15.0**. |

- | **Polarization** | Enter **RHCP**. |

- | **Endpoint name** | Enter the name of the virtual machine that you created earlier. |

- | **IP Address** | Enter the private IP address of the virtual machine that you created earlier. |

- | **Demodulation Configuration** | Select the **Preset Named Modem Configuration** option, and then select **Aqua Direct Broadcast**.|

-7. Select the **Submit** button.

-8. Select the **Review + create** tab, or select the **Next: Review + create** button.

-9. Select **Create**.

-2. On the **Spacecraft** page, select **AQUA**.

-3. Select **Schedule contact** on the top bar of the spacecraft's overview.

-4. On the **Schedule contact** page, specify this information:

- | **Contact profile** | Select **AQUA_Downlink**. |

- | **Ground station** | Select **Quincy**. |

-5. Select **Search** to view available contact times.

-6. Select one or more contact windows, and then select **Schedule**.

-7. View the scheduled contact by selecting the **AQUA** spacecraft and going to **Contacts**.

-# Receive real-time telemetry

-An Azure Orbital Ground station emits telemetry events that can be used to analyze the ground station operation during a contact. You can configure your contact profile to send telemetry events to Azure Event Hubs. The steps in this article describe how to create and sent events to Event Hubs.

-1. In your subscription, go to Resource Provider settings and register Microsoft.Orbital as a provider

-2. Create an Azure Event Hubs in your subscription.

-3. From the left menu, select Access Control (IAM). Under Grant Access to this Resource, select Add Role Assignment

-4. Select Azure Event Hubs Data Sender.

-5. Assign access to 'User, group, or service principal'

-6. Click '+ Select members'

-7. Search for 'Azure Orbital Resource Provider' and press Select

-8. Press Review + Assign. This action will grant Azure Orbital the rights to send telemetry into your event hub.

-9. To confirm the newly added role assignment, go back to the Access Control (IAM) page and select View access to this resource.

-Congrats! Orbital can now communicate with your hub.

-## Enable telemetry for a contact profile in the Azure portal

-Ensure the contact profile is configured as follows:

-## Schedule a contact

-Schedule a contact using the Contact Profile that you previously configured for Telemetry.

-Once the contact begins, you should begin seeing data in your Event Hubs soon after.

-## Verifying telemetry data

-### Portal: Event Hubs Capture

-To verify that events are being received in your Event Hubs, you can check the graphs present on the Event Hubs namespace Overview page. This view shows data across all Event Hubs instances within a namespace. You can navigate to the Overview page of a specific instance to see the graphs for that instance.

-### Verify content of telemetry data

-You can enable Event Hubs Capture feature that will automatically deliver the telemetry data to an Azure Blob storage account of your choosing.

-Follow the [instructions to enable Capture](../event-hubs/event-hubs-capture-enable-through-portal.md). Once enabled, you can check your container and view/download the data.

-## Event Hubs consumer

-Code: Event Hubs Consumer.

-Event Hubs documentation provides guidance on how to write simple consumer apps to receive events from your Event Hubs:

-## Understanding telemetry points

-| **Telemetry Point** | **Source Device / Point** | **Possible Values** | **Definition** |

-| : | : | : | :- |

-| antennaType | Respective 1P/3P telemetry builders set this value | MICROSOFT, KSAT, VIASAT | Antenna network used for the contact. |

-| inputEsN0InDb | Not used in 1P telemetry | NULL (Not used in 1P telemetry) | Input energy per symbol to noise power spectral density in dB. |

-2023-10-03 - Introduce version 4.0. Updated schema to include uplink packet metrics and names of infrastructure in use (groundstation, antenna, spacecraft, modem, digitizer, link, channel) <br>

-2023-06-05 - Updatd schema to show metrics under channels instead of links.

-> In the section [Prepare a virtual machine (VM) to receive the downlinked AQUA data](downlink-aqua.md#prepare-your-virtual-machine-and-network-to-receive-aqua-data), use the following values:

-# Customer intent: As an Azure Orbital customer I want easy to understand documentation for virtual RF so I don't have to bug the product team to understand how to build my applications.

-In [Tutorial: Downlink data from NASA's Aqua public satellite](downlink-aqua.md), data from NASA's Aqua satellite is downlinked using a **managed modem**, meaning the raw RF signal received from the Aqua satellite by the ground station is passed through a modem managed by Azure Orbital. The output of this modem, which is in the form of bytes, is then streamed to the user's VM. As part of the step [Configure a contact profile for an Aqua downlink mission](downlink-aqua.md#configure-a-contact-profile-for-an-aqua-downlink-mission) the **Demodulation Configuration** was set to **Aqua Direct Broadcast**, which is what enabled and configured the managed modem to demodulate/decode the RF signal received from Aqua. Using the vRF concept, no managed modem is used, and instead the raw RF signal is sent to the user's VM for processing. This concept can apply to both the downlink and uplink, but in this tutorial we examine the downlink process. We create a vRF, based on GNU Radio, which processes the raw RF signal and act as the modem.

-Advantages of vRF include the ability to use modems that aren't supported by Azure Orbital or can't be shared with Azure Orbital. vRF also allows running the same RF signal through a modem while trying different parameters to optimize performance. This approach can be used to reduce the number of satellite passes needed during testing and speed up development. Due to the nature of raw RF signals, the packet/file size is typically greater than the bytes contained within that RF signal; usually between 2-10x larger. More data means the network throughput between the VM and Azure Orbital may be a limiting factor for vRF when it may not have been for a managed modem.

-Throughout this tutorial, you learn first hand how vRF works. At the end of this tutorial, you can find several RF and digitizer-specific details that may be of interest to a vRF user.

-First we remove the managed modem, and capture the raw RF data into a pcap file. Execute the steps listed in [Tutorial: Downlink data from NASA's Aqua public satellite](downlink-aqua.md) but during step [Configure a contact profile for an Aqua downlink mission](downlink-aqua.md#configure-a-contact-profile-for-an-aqua-downlink-mission) leave the **Demodulation Configuration** blank and choose UDP for **Protocol**. Lastly, towards the end, instead of the `socat` command (which captures TCP packets), run `sudo tcpdump -i eth0 port 56001 -vvv -p -w /tmp/aqua.pcap` to capture the UDP packets to a pcap file.

-You should see activity in the terminal if it worked, and there should be a new file `/tmp/samples.iq` growing larger as the script runs (it may take several minutes to finish). This new file is a binary IQ file, containing the raw RF signal. This drx.py script is essentially stripping off the DIFI header and concatenating many packets worth of IQ samples into one file. Processing the entire pcap will take a while, but you can feel free to stop it after ~10 seconds, which should save more than enough IQ samples for use in the next step.

-Yours may vary, based on the strength the signal was received. If no GUI showed up, then check GNU Radio's output in the bottom left for errors. If the GUI shows up but resembles a horizontal noisy line (with no hump), it means the contact didn't actually receive the Aqua signal. In this case, double check that autotrack is enabled in your Contact Profile and that the center frequency was entered correctly.

-In this section, we provide several RF/digitizer-specific details that may be of interest to a vRF user or designer.

-On the uplink side, the user must provide a DIFI stream to Azure Orbital throughout the pass, for Azure Orbital to transmit. The following notes may be of interest to an uplink vRF designer:

-To learn more, refer [Improve the performance of Azure applications by using Azure Advisor](../../advisor/advisor-reference-performance-recommendations.md#postgresql)

-| Azure File Sync (Microsoft.StorageSync/storageSyncServices) | afs | {regionName}.privatelink.afs.azure.net | {regionName}.afs.azure.net |

-|  | [**Agolo**](https://www.agolo.com) is the leading summarization engine for enterprise use. Agolo's AI platform analyzes hundreds of thousands of media articles, research documents and proprietary information to give each customer a summary of key points specific to their areas of interest. </br></br>Our partnership with Microsoft combines the power and adaptability of the Azure Cognitive Search platform, integrated with Agolo summarization. Rather than typical search engine snippets, the results page displays contextually relevant Agolo summaries, instantly enabling the user to determine the relevance of that document to their specific needs. The impact of summarization-powered search is that users find more relevant content faster, enabling them to do their job more effectively and gaining a competitive advantage. | [Product page](https://www.agolo.com/microsoft-azure-cognitive-search) |

-|  | [**BA Insight Search for Workplace**](https://www.bainsight.com/azure-search/) is a complete enterprise search solution powered by Azure Cognitive Search. It is the first of its kind solution, bringing the internet to enterprises for secure, "askable", powerful search to help organizations get a return on information. It delivers a web-like search experience, connects to 80+ enterprise systems and provides automated and intelligent meta tagging. | [Product page](https://www.bainsight.com/azure-search/) |

-|  | [**Enlighten Designs**](https://www.enlighten.co.nz) is an award-winning innovation studio that has been enabling client value and delivering digitally transformative experiences for over 22 years. We are pushing the boundaries of the Microsoft technology toolbox, harnessing Cognitive Search, application development, and advanced Azure services that have the potential to transform our world. As experts in Power BI and data visualization, we hold the titles for the most viewed, and the most downloaded Power BI visuals in the world and are Microsoft's Data Journalism agency of record when it comes to data storytelling. | [Product page](https://www.enlighten.co.nz/Services/Data-Visualisation/Azure-Cognitive-Search) |

-|  | [**Raytion**](https://www.raytion.com/) is an internationally operating IT business consultancy with a strategic focus on collaboration, search and cloud. Raytion offers intelligent and fully featured search solutions based on Microsoft Azure Cognitive Search and the Raytion product suite. Raytion's solutions enable an easy indexation of a broad range of enterprise content systems and provide a sophisticated search experience, which can be tailored to individual requirements. They are the foundation of enterprise search, knowledge searches, service desk agent support and many more applications. | [Product page](https://www.raytion.com/connectors) |

-The following FAQs address issues specific to AMA migration with Microsoft Sentinel. For more information, see also the [Frequently asked questions for AMA migration](/azure/azure-monitor/faq#azure-monitor-agent) in the Azure Monitor documentation.

-For your production rollout, we recommend that you configure either an MMA/OMS agent or the AMA for each data source. To address any issues for duplication, see the relevant FAQs in the [Azure Monitor documentation](/azure/azure-monitor/faq#azure-monitor-agent).

-This page shows the supported authentication types and client types of Azure App Configuration using Service Connector. You might still be able to connect to App Configuration in other programming languages without using Service Connector. You can learn more about the [Service Connector environment variable naming convention](concept-service-connector-internals.md).

-### [Azure App Service](#tab/app-service)

-| Client type | System-assigned managed identity | User-assigned managed identity | Secret/connection string | Service principal |

-|-|::|::|::|::|

-| .NET |  |  |  |  |

-| Java |  |  |  |  |

-| Node.js |  |  |  |  |

-| Python |  |  |  |  |

-| None |  |  |  |  |

-### [Azure Container Apps](#tab/container-apps)

-### [Azure Spring Apps](#tab/spring-apps)

-| Client type | System-assigned managed identity | User-assigned managed identity | Secret/connection string | Service principal |

-|-|::|::|::|::|

-| .NET |  | |  |  |

-| Java |  | |  |  |

-| Node.js |  | |  |  |

-| Python |  | |  |  |

-| None |  | |  |  |

-## Default environment variable names or application properties

-Use the connection details below to connect compute services to Azure App Configuration stores instances. For each example below, replace the placeholder texts

-`<App-Configuration-name>`, `<ID>`, `<secret>`, `<client-ID>`, `<client-secret>`, and `<tenant-ID>` with your App Configuration store name, ID, secret, client ID, client secret and tenant ID.

-### Secret / connection string

-> [!div class="mx-tdBreakAll"]

-> | Default environment variable name | Description | Sample value |

-> | | | |

-> | AZURE_APPCONFIGURATION_CONNECTIONSTRING | Your App Configuration Connection String | `Endpoint=https://<App-Configuration-name>.azconfig.io;Id=<ID>;Secret=<secret>` |

-East US, East US 2, Central US, South Central US, North Central US, West US, West US 2, West US 3, West Europe, North Europe, UK South, UK West, Sweden Central, Southeast Asia, Australia East, Canada Central, Canada East, UAE North, Central India, Korea Central, East Asia, Japan East, South Africa North, Brazil South, France Central, Germany West Central, Switzerland North, China East 2, China North 2, and China North 3. [Learn More](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud)

-East US, East US 2, Central US, South Central US, North Central US, West US, West US 2, West US 3, West Europe, North Europe, UK South, UK West, Sweden Central, Southeast Asia, Australia East, Canada Central, Canada East, UAE North, Central India, Korea Central, East Asia, Japan East, South Africa North, Brazil South, France Central, Germany West Central, and Switzerland North.

-This quickstart explains how to:

-> [!div class="checklist"]

-> * Provision a service instance

-> * Set a configuration server for an instance

-> * Build an application locally

-> * Deploy each application

-> * Assign a public endpoint for an application

-4. Copy the URL from the **Overview** page and then paste it into your browser to view your running application.

-> [!div class="nextstepaction"]

-> [I ran into an issue](https://www.research.net/r/javae2e?tutorial=asc-source-quickstart&step=public-endpoint)

-In this quickstart, you learned how to:

-> [!div class="checklist"]

-> * Provision a service instance

-> * Set a configuration server for an instance

-> * Build an application locally

-> * Deploy each application

-> * Edit environment variables for applications

-> * Assign a public endpoint to an application

-> [!div class="nextstepaction"]

-> [Quickstart: Monitoring Azure Spring Apps with logs, metrics, and tracing](./quickstart-logs-metrics-tracing.md)

-More samples are available on GitHub: [Azure Spring Apps Samples](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples/tree/master/service-binding-cosmosdb-sql).

-### Azure services that aren't supported

-The following services do not currently support managed identity-based access:

-# Quickstart: Provision an Azure Spring Apps service instance

-This quickstart shows you how to provision a Basic or Standard plan Azure Spring Apps service instance.

-> [!div class="nextstepaction"]

-> [I ran into an issue](https://www.research.net/r/javae2e?tutorial=asc-cli-quickstart&step=public-endpoint)

- For more information, see [What is Azure Resource Manager?](../azure-resource-manager/management/overview.md)

-If you plan to continue working with subsequent quickstarts and tutorials, you might want to leave these resources in place. When no longer needed, delete the resource group, which deletes the resources in the resource group. To delete the resource group by using Azure CLI, use the following commands:

-description: Learn how to cache static website content from an Azure Storage account by using Azure Content Delivery Network (CDN).

-# Integrate a static website with Azure CDN

-You can enable [Azure Content Delivery Network (CDN)](../../cdn/cdn-overview.md) to cache content from a [static website](storage-blob-static-website.md) that is hosted in an Azure storage account. You can use Azure CDN to configure the custom domain endpoint for your static website, provision custom TLS/SSL certificates, and configure custom rewrite rules. Configuring Azure CDN results in additional charges, but provides consistent low latencies to your website from anywhere in the world. Azure CDN also provides TLS encryption with your own certificate.

-For information on Azure CDN pricing, see [Azure CDN pricing](https://azure.microsoft.com/pricing/details/cdn/).

-## Enable Azure CDN for your static website

-You can enable Azure CDN for your static website directly from your storage account. If you want to specify advanced configuration settings for your CDN endpoint, such as [large file download optimization](../../cdn/cdn-optimization-overview.md#large-file-download), you can instead use the [Azure CDN extension](../../cdn/cdn-create-new-endpoint.md) to create a CDN profile and endpoint.

-1. Locate your storage account in the Azure portal and display the account overview.

-1. Under the **Security + Networking** menu, select **Azure CDN** to open the **Azure CDN** page:

- 

-1. In the **CDN profile** section, specify whether to create a new CDN profile or use an existing one. A CDN profile is a collection of CDN endpoints that share a pricing tier and provider. Then enter a name for the CDN that's unique within your subscription.

-1. Specify a pricing tier for the CDN endpoint. To learn more about pricing, see [Content Delivery Network pricing](https://azure.microsoft.com/pricing/details/cdn/). For more information about the features available with each tier, see [Compare Azure CDN product features](../../cdn/cdn-features.md).

-1. In the **CDN endpoint name** field, specify a name for your CDN endpoint. The CDN endpoint must be unique across Azure and provides the first part of the endpoint URL. The form validates that the endpoint name is unique.

-1. Specify your static website endpoint in the **Origin hostname** field.

- To find your static website endpoint, navigate to the **Static website** settings for your storage account. Copy the primary endpoint and paste it into the CDN configuration.

- > [!IMPORTANT]

- > Make sure to remove the protocol identifier (*e.g.*, HTTPS) and the trailing slash in the URL. For example, if the static website endpoint is

- > `https://mystorageaccount.z5.web.core.windows.net/`, then you would specify `mystorageaccount.z5.web.core.windows.net` in the **Origin hostname** field.

- The following image shows an example endpoint configuration:

- 

-1. Select **Create**, and then wait for the CDN to provision. After the endpoint is created, it appears in the endpoint list. (If you have any errors in the form, an exclamation mark appears next to that field.)

-1. To verify that the CDN endpoint is configured correctly, click on the endpoint to navigate to its settings. From the CDN overview for your storage account, locate the endpoint hostname, and navigate to the endpoint, as shown in the following image. The format of your CDN endpoint will be similar to `https://staticwebsitesamples.azureedge.net`.

- 

-1. Once the CDN endpoint is provisioned, navigating to the CDN endpoint displays the contents of the https://docsupdatetracker.net/index.html file that you previously uploaded to your static website.

-1. To review the origin settings for your CDN endpoint, navigate to **Origin** under the **Settings** section for your CDN endpoint. You will see that the **Origin type** field is set to *Custom Origin* and that the **Origin hostname** field displays your static website endpoint.

- 

-## Remove content from Azure CDN

-If you no longer want to cache an object in Azure CDN, you can take one of the following steps:

-An object that's already cached in Azure CDN remains cached until the time-to-live period for the object expires or until the endpoint is [purged](../../cdn/cdn-purge-endpoint.md). When the time-to-live period expires, Azure CDN determines whether the CDN endpoint is still valid and the object is still anonymously accessible. If they are not, the object will no longer be cached.

-## Next steps

-(Optional) Add a custom domain to your Azure CDN endpoint. See [Tutorial: Add a custom domain to your Azure CDN endpoint](../../cdn/cdn-map-content-to-custom-domain.md).

-1. Enable [Azure CDN](../../cdn/cdn-overview.md) on your blob or web endpoint.

- For a Blob Storage endpoint, see [Integrate an Azure storage account with Azure CDN](../../cdn/cdn-create-a-storage-account-with-cdn.md).

- For a static website endpoint, see [Integrate a static website with Azure CDN](static-website-content-delivery-network.md).

- In File Explorer, the SID of a file/directory owner is displayed instead of the UPN for files and directories hosted on Azure Files. However, you can use the following PowerShell command to view all items in a directory and their owner, including UPN:

-Azure Stream Analytics allows you to connect directly to Kafka clusters as a producer to output data. The solution is low code and entirely managed by the Azure Stream Analytics team at Microsoft, allowing it to meet business compliance standards. The Kafka Adapters are backward compatible and support all versions with the latest client release starting from version 0.10. Users can connect to Kafka clusters inside a VNET and Kafka clusters with a public endpoint, depending on the configurations. The configuration relies on existing Kafka configuration conventions.

-| Input/Output Alias | A friendly name used in queries to reference your input or output |

-The ASA Kafka adapter is a librdkafka-based client, and to connect to confluent cloud, you will need TLS certificates that confluent cloud uses for server auth.

-Confluent uses TLS certificates from LetΓÇÖs Encrypt, an open certificate authority (CA)

- | Certificate | Certificate uploaded to KeyVault downloaded from LetΓÇÖs Encrypt (You can download the ISRG Root X1 Self-sign cert in PEM format) |

-The following command can upload the certificate as a secret to your key vault. You need "Administrator" access to your Key vault for this command to work properly.

- | Role | Key vault secret reader |

- | Assign access to | User, group, or service principal |

- | Members | \<Name of your Stream Analytics job> |

-When configuring your Azure Stream Analytics job to connect to your Kafka clusters, depending on your configuration, you might have to configure your job to access your Kafka clusters, which are behind a firewall or inside a virtual network. You can visit the Azure Stream Analytics VNET documentation to learn more about configuring private endpoints to access resources inside a virtual network or behind a firewall.

-* When configuring your Azure Stream Analytics jobs to use VNET/SWIFT, your job must be configured with at least six (6) streaming units.

-> For direct help with using the Azure Stream Analytics Kafka adapter, please reach out to [askasa@microsoft.com](mailto:askasa@microsoft.com).

-### Configuration

-The ASA Kafka adapter is a librdkafka-based client, and to connect to confluent cloud, you will need TLS certificates that confluent cloud uses for server auth.

-Confluent uses TLS certificates from LetΓÇÖs Encrypt, an open certificate authority (CA)

- | Certificate | Certificate uploaded to KeyVault downloaded from LetΓÇÖs Encrypt (You can download the ISRG Root X1 Self-sign cert in PEM format) |

-The following command can upload the certificate as a secret to your key vault. You need "Administrator" access to your Key vault for this command to work properly.

- | Role | Key vault secret reader |

- | Assign access to | User, group, or service principal |

- | Members | \<Name of your Stream Analytics job> |

-When configuring your Azure Stream Analytics job to connect to your Kafka clusters, depending on your configuration, you might have to configure your job to access your Kafka clusters, which are behind a firewall or inside a virtual network. You can visit the Azure Stream Analytics VNET documentation to learn more about configuring private endpoints to access resources inside a virtual network or behind a firewall.

-4 | Dynamic Update deployment schedules (Defining scope of machines using resource group, tags, etc. which is evaluated dynamically at runtime).| Same as static update schedules. | Same as static update schedules. | [Add a dynamic scope](manage-dynamic-scoping.md#add-a-dynamic-scope | [Create a dynamic scope]( tutorial-dynamic-grouping-for-scheduled-patching.md#create-a-dynamic-scope) |

-5 | Deboard from Azure Automation Update management. | After you complete the steps 1, 2, and 3, you need to clean up Azure Update management objects. | | 1. [Remove machines from solution](../automation/update-management/remove-feature.md#remove-management-of-vms) </br> 2. [Remove Update Management solution](../automation/update-management/remove-feature.md#remove-updatemanagement-solution) </br> 3. [Unlink workspace from Automation account](../automation/update-management/remove-feature.md#unlink-workspace-from-automation-account) </br> 4. [Cleanup Automation account](../automation/update-management/remove-feature.md#cleanup-automation-account) | NA |

-In all cases, you should [take a snapshot](snapshot-copy-managed-disk.md) and/or create a backup before disks are encrypted. Backups ensure that a recovery option is possible if an unexpected failure occurs during encryption. VMs with managed disks require a backup before encryption occurs. Once a backup is made, you can use the [Set-AzVMDiskEncryptionExtension cmdlet](/powershell/module/az.compute/set-azvmdiskencryptionextension) to encrypt managed disks by specifying the -skipVmBackup parameter. For more information about how to back up and restore encrypted VMs, see the [Azure Backup](../../backup/backup-azure-vms-encryption.md) article.

->[!WARNING]

-> - If you have previously used Azure Disk Encryption with Microsoft Entra ID to encrypt a VM, you must continue use this option to encrypt your VM. See [Azure Disk Encryption with Microsoft Entra ID (previous release)](disk-encryption-overview-aad.md) for details.

->

-> - When encrypting Linux OS volumes, the VM should be considered unavailable. We strongly recommend to avoid SSH logins while the encryption is in progress to avoid issues blocking any open files that will need to be accessed during the encryption process. To check progress, use the [Get-AzVMDiskEncryptionStatus](/powershell/module/az.compute/get-azvmdiskencryptionstatus) PowerShell cmdlet or the [vm encryption show](/cli/azure/vm/encryption#az-vm-encryption-show) CLI command. This process can be expected to take a few hours for a 30GB OS volume, plus additional time for encrypting data volumes. Data volume encryption time will be proportional to the size and quantity of the data volumes unless the encrypt format all option is used.

-> - Disabling encryption on Linux VMs is only supported for data volumes. It is not supported on data or OS volumes if the OS volume has been encrypted.

-## Unsupported scenarios

-Azure Disk Encryption does not work for the following Linux scenarios, features, and technology:

-| Linux VMs when encrypting both data and OS volumes, and where the root (/) file system usage is 4GB or less | 8 GB |

-| Linux VMs when encrypting both data and OS volumes, and where the root (/) file system usage is greater than 4GB | The root file system usage * 2. For instance, a 16 GB of root file system usage requires at least 32GB of RAM |

-For more exceptions, see [Azure Disk Encryption: Unsupported scenarios](disk-encryption-linux.md#unsupported-scenarios).

-| RedHat | RHEL 9.1 | 9.1 | RedHat:RHEL:9_1:latest | OS and data disk (see note below) |

-| RedHat | RHEL 9.1 Gen 2 | 9.1 | RedHat:RHEL:91-gen2:latest | OS and data disk (see note below) |

-Azure Disk Encryption is not available on [Basic, A-series VMs](https://azure.microsoft.com/pricing/details/virtual-machines/series/), or on virtual machines with a less than 2 GB of memory. For more exceptions, see [Azure Disk Encryption: Unsupported scenarios](disk-encryption-windows.md#unsupported-scenarios).