+try {

+ const response = await fetch(apiEndpoint, options);

+ if (response.status === 401 && response.headers.get('www-authenticate')) {

+ const authenticateHeader = response.headers.get('www-authenticate');

+ const claimsChallenge = parseChallenges(authenticateHeader).claims;

+

+ // use the claims challenge to acquire a new access token...

+ }

+} catch(error) {

+ // ...

+}

+// helper function to parse the www-authenticate header

+const tokenRequest = {

+ claims: window.atob(claimsChallenge), // decode the base64 string

+ scopes: ['User.Read']

+ account: msalInstance.getActiveAccount();

+};

+ tokenResponse = await msalInstance.acquireTokenSilent(tokenRequest);

+ tokenResponse = await msalInstance.acquireTokenPopup(tokenRequest);

+ // remaining settings...

+ .Build();

+ "ClientId": 'Enter_the_Application_Id_Here'

+ "ClientCapabilities": [ "cp1" ],

+ // remaining settings...

+Those using MSAL.js or MSAL Node can add `clientCapabilities` property to the configuration object. Note: this option is available to both public and confidential cient applications.

+ // remaining settings...

+The following snippet illustrates a custom Express.js middleware:

+ return res.status(403).json({ error: 'Client is not capable' });

+| `msi_res_id` | (Optional) A query string parameter, indicating the msi_res_id (Azure Resource ID) of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities. |

+> Alternatively you can use [Pod Identity](./use-azure-ad-pod-identity.md) though this is in Public Preview. It has a pod (NMI) that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the Azure Instance Metadata Service on each node, redirect them to itself and validates if the pod has access to the identity it's requesting a token for and fetch the token from the Azure AD tenant on behalf of the application.

+>

+| 1.25 | Aug 2022 | Oct 2022 | Nov 2022 | 1.28 GA

+ Title: Vertical Pod Autoscaling (preview) in Azure Kubernetes Service (AKS)

+description: Learn how to vertically autoscale your pod on an Azure Kubernetes Service (AKS) cluster.

+# Vertical Pod Autoscaling (preview) in Azure Kubernetes Service (AKS)

+This article provides an overview of Vertical Pod Autoscaler (VPA) (preview) in Azure Kubernetes Service (AKS), which is based on the open source [Kubernetes](https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler) version. When configured, it automatically sets resource requests and limits on containers per workload based on past usage. This ensures pods are scheduled onto nodes that have the required CPU and memory resources.

+## Benefits

+Vertical Pod Autoscaler provides the following benefits:

+* It analyzes and adjusts processor and memory resources to *right size* your applications. VPA isn't only responsible for scaling up, but also for scaling down based on their resource use over time.

+* A Pod is evicted if it needs to change its resource requests if its scaling mode is set to *auto* or *recreate*.

+* Set CPU and memory constraints for individual containers by specifying a resource policy

+* Ensures nodes have correct resources for pod scheduling

+* Configurable logging of any adjustments to processor or memory resources made

+* Improve cluster resource utilization and frees up CPU and memory for other pods.

+## Limitations

+* Vertical Pod autoscaling supports a maximum of 500 `VerticalPodAutoscaler` objects per cluster.

+* With this preview release, you can't change the `controlledValue` and `updateMode` of `managedCluster` object.

+## Before you begin

+* AKS cluster is running Kubernetes version 1.24 and higher.

+* The Azure CLI version 2.0.64 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+* The `aks-preview` extension version 0.5.102 or later.

+* `kubectl` should be connected to the cluster you want to install VPA.

+## API Object

+The Vertical Pod Autoscaler is an API resource in the Kubernetes autoscaling API group. The version supported in this preview release is 0.11 can be found in the [Kubernetes autoscaler repo][github-autoscaler-repo-v011].

+## Register the VPA provider feature

+To install the aks-vpapreview preview feature, run the following command:

+```azurecli

+az feature register --namespace Microsoft.ContainerService --name AKS-VPAPreview

+```

+## Deploy, upgrade, or disable VPA on a cluster

+In this section, you deploy, upgrade, or disable the Vertical Pod Autoscaler on your cluster.

+1. To enable VPA on a new cluster, use `--enable-vpa` parameter with the [az aks create][az-aks-create] command.

+ ```azurecli

+ az aks create -n myAKSCluster -g myResourceGroup --enable-vpa

+ ```

+ After a few minutes, the command completes and returns JSON-formatted information about the cluster.

+2. Optionally, to enable VPA on an existing cluster, use the `--enable-vpa` with the [az aks upgrade][az-aks-upgrade] command.

+ ```azurecli

+ az aks update -n myAKSCluster -g myResourceGroup --enable-vpa

+ ```

+ After a few minutes, the command completes and returns JSON-formatted information about the cluster.

+3. Optionally, to disable VPA on an existing cluster, use the `--disable-vpa` with the [az aks upgrade][az-aks-upgrade] command.

+ ```azurecli

+ az aks update -n myAKSCluster -g myResourceGroup --disable-vpa

+ ```

+ After a few minutes, the command completes and returns JSON-formatted information about the cluster.

+4. To verify that the Vertical Pod Autoscaler pods have been created successfully, use the [kubectl get][kubectl-get] command.

+```bash

+kubectl get pods -n kube-system

+```

+The output of the command includes the following results specific to the VPA pods. The pods should show a *running* status.

+```output

+NAME READY STATUS RESTARTS AGE

+vpa-admission-controller-7867874bc5-vjfxk 1/1 Running 0 41m

+vpa-recommender-5fd94767fb-ggjr2 1/1 Running 0 41m

+vpa-updater-56f9bfc96f-jgq2g 1/1 Running 0 41m

+```

+## Test your Vertical Pod Autoscaler installation

+The following steps create a deployment with two pods, each running a single container that requests 100 millicores and tries to utilize slightly above 500 millicores. Also created is a VPA config pointing at the deployment. The VPA observes the behavior of the pods, and after about five minutes, they're updated with a higher CPU request.

+1. Create a file named `hamster.yaml` and copy in the following manifest of the Vertical Pod Autoscaler example from the [kubernetes/autoscaler][kubernetes-autoscaler-github-repo] GitHub repository.

+1. Deploy the `hamster.yaml` Vertical Pod Autoscaler example using the [kubectl apply][kubectl-apply] command and specify the name of your YAML manifest:

+ ```bash

+ kubectl apply -f hamster.yaml

+ ```

+ After a few minutes, the command completes and returns JSON-formatted information about the cluster.

+1. Run the following [kubectl get][kubectl-get] command to get the pods from the hamster example application:

+ ```bash

+ kubectl get pods -l app=hamster

+ ```

+ The example output resembles the following:

+ ```bash

+ hamster-78f9dcdd4c-hf7gk 1/1 Running 0 24s

+ hamster-78f9dcdd4c-j9mc7 1/1 Running 0 24s

+ ```

+1. Use the [kubectl describe][kubectl-describe] command on one of the pods to view its CPU and memory reservation. Replace "exampleID" with one of the pod IDs returned in your output from the previous step.

+ ```bash

+ kubectl describe pod hamster-exampleID

+ ```

+ The example output is a snippet of the information about the cluster:

+ ```bash

+ hamster:

+ Container ID: containerd://

+ Image: k8s.gcr.io/ubuntu-slim:0.1

+ Image ID: sha256:

+ Port: <none>

+ Host Port: <none>

+ Command:

+ /bin/sh

+ Args:

+ -c

+ while true; do timeout 0.5s yes >; sleep 0.5s; done

+ State: Running

+ Started: Wed, 28 Sep 2022 15:06:14 -0400

+ Ready: True

+ Restart Count: 0

+ Requests:

+ cpu: 100m

+ memory: 50Mi

+ Environment: <none>

+ ```

+ The pod has 100 millicpu and 50 Mibibytes of memory reserved in this example. For this sample application, the pod needs less than 100 millicpu to run, so there's no CPU capacity available. The pods also reserves much less memory than needed. The Vertical Pod Autoscaler *vpa-recommender* deployment analyzes the pods hosting the hamster application to see if the CPU and memory requirements are appropriate. If adjustments are needed, the vpa-updater relaunches the pods with updated values.

+1. Wait for the vpa-updater to launch a new hamster pod. This should take a few minutes. You can monitor the pods using the [kubectl get][kubectl-get] command.

+ ```bash

+ kubectl get --watch pods -l app=hamster

+ ```

+1. When a new hamster pod is started, describe the pod running the [kubectl describe][kubectl-describe] command and view the updated CPU and memory reservations.

+ ```bash

+ kubectl describe pod hamster-<exampleID>

+ ```

+ The example output is a snippet of the information describing the pod:

+ ```bash

+ State: Running

+ Started: Wed, 28 Sep 2022 15:09:51 -0400

+ Ready: True

+ Restart Count: 0

+ Requests:

+ cpu: 587m

+ memory: 262144k

+ Environment: <none>

+ ```

+ In the previous output, you can see that the CPU reservation increased to 587 millicpu, which is over five times the original value. The memory increased to 262,144 Kilobytes, which is around 250 Mibibytes, or five times the original value. This pod was under-resourced, and the Vertical Pod Autoscaler corrected the estimate with a much more appropriate value.

+1. To view updated recommendations from VPA, run the [kubectl describe][kubectl-describe] command to describe the hamster-vpa resource information.

+ ```bash

+ kubectl describe vpa/hamster-vpa

+ ```

+ The example output is a snippet of the information about the resource utilization:

+ ```bash

+ State: Running

+ Started: Wed, 28 Sep 2022 15:09:51 -0400

+ Ready: True

+ Restart Count: 0

+ Requests:

+ cpu: 587m

+ memory: 262144k

+ Environment: <none>

+ ```

+## Set Pod Autoscaler requests automatically

+Vertical Pod autoscaling uses the `VerticalPodAutoscaler` object to automatically set resource requests on Pods when the updateMode is set to **Auto** or **Recreate**.

+1. Enable VPA for your cluster by running the following command. Replace cluster name `myAKSCluster` with the name of your AKS cluster and replace `myResourceGroup` with the name of the resource group the cluster is hosted in.

+ ```azurecli

+ az aks update -n myAKSCluster -g myResourceGroup --enable-vpa

+ ```

+2. Create a file named `azure-autodeploy.yaml`, and copy in the following manifest.

+ ```yml

+ apiVersion: apps/v1

+ kind: Deployment

+ metadata:

+ name: vpa-auto-deployment

+ spec:

+ replicas: 2

+ selector:

+ matchLabels:

+ app: vpa-auto-deployment

+ template:

+ metadata:

+ labels:

+ app: vpa-auto-deployment

+ spec:

+ containers:

+ - name: mycontainer

+ image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

+ resources:

+ requests:

+ cpu: 100m

+ memory: 50Mi

+ command: ["/bin/sh"]

+ args: ["-c", "while true; do timeout 0.5s yes >; sleep 0.5s; done"]

+ ```

+ This manifest describes a deployment that has two Pods. Each Pod has one container that requests 100 milliCPU and 50 MiB of memory.

+3. Create the pod with the [kubectl create][kubectl-create] command, as shown in the following example:

+ ```bash

+ kubectl create -f azure-autodeploy.yaml

+ ```

+ After a few minutes, the command completes and returns JSON-formatted information about the cluster.

+4. Run the following [kubectl get][kubectl-get] command to get the pods:

+ ```bash

+ kubectl get pods

+ ```

+ The output resembles the following example showing the name and status of the pods:

+ ```output

+ NAME READY STATUS RESTARTS AGE

+ vpa-auto-deployment-54465fb978-kchc5 1/1 Running 0 52s

+ vpa-auto-deployment-54465fb978-nhtmj 1/1 Running 0 52s

+ ```

+5. Create a file named `azure-vpa-auto.yaml`, and copy in the following manifest that describes a `VerticalPodAutoscaler`:

+ ```yml

+ apiVersion: autoscaling.k8s.io/v1

+ kind: VerticalPodAutoscaler

+ metadata:

+ name: vpa-auto

+ spec:

+ targetRef:

+ apiVersion: "apps/v1"

+ kind: Deployment

+ name: vpa-auto-deployment

+ updatePolicy:

+ updateMode: "Auto"

+ ```

+ The `targetRef.name` value specifies that any Pod that is controlled by a deployment named `vpa-auto-deployment` belongs to this `VerticalPodAutoscaler`. The `updateMode` value of `Auto` means that the Vertical Pod Autoscaler controller can delete a Pod, adjust the CPU and memory requests, and then start a new Pod.

+6. Apply the manifest to the cluster using the [kubectl apply][kubectl-apply] command:

+ ```bash

+ kubectl create -f azure-vpa-auto.yaml

+ ```

+7. Wait a few minutes, and view the running Pods again by running the following [kubectl get][kubectl-get] command:

+ ```bash

+ kubectl get pods

+ ```

+ The output resembles the following example showing the pod names have changed and status of the pods:

+ ```output

+ NAME READY STATUS RESTARTS AGE

+ vpa-auto-deployment-54465fb978-qbhc4 1/1 Running 0 2m49s

+ vpa-auto-deployment-54465fb978-vbj68 1/1 Running 0 109s

+ ```

+8. Get detailed information about one of your running Pods by using the [Kubectl get][kubectl-get] command. Replace `podName` with the name of one of your Pods that you retrieved in the previous step.

+ ```bash

+ kubectl get pod podName --output yaml

+ ```

+ The output resembles the following example, showing that the Vertical Pod Autoscaler controller has increased the memory request to 262144k and CPU request to 25 milliCPU.

+ ```output

+ apiVersion: v1

+ kind: Pod

+ metadata:

+ annotations:

+ vpaObservedContainers: mycontainer

+ vpaUpdates: 'Pod resources updated by vpa-auto: container 0: cpu request, memory

+ request'

+ creationTimestamp: "2022-09-29T16:44:37Z"

+ generateName: vpa-auto-deployment-54465fb978-

+ labels:

+ app: vpa-auto-deployment

+ spec:

+ containers:

+ - args:

+ - -c

+ - while true; do timeout 0.5s yes >; sleep 0.5s; done

+ command:

+ - /bin/sh

+ image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

+ imagePullPolicy: IfNotPresent

+ name: mycontainer

+ resources:

+ requests:

+ cpu: 25m

+ memory: 262144k

+ ```

+9. To get detailed information about the Vertical Pod Autoscaler and its recommendations for CPU and memory, use the [kubectl get][kubectl-get] command:

+ ```bash

+ kubectl get vpa vpa-auto --output yaml

+ ```

+ The output resembles the following example:

+ ```output

+ recommendation:

+ containerRecommendations:

+ - containerName: mycontainer

+ lowerBound:

+ cpu: 25m

+ memory: 262144k

+ target:

+ cpu: 25m

+ memory: 262144k

+ uncappedTarget:

+ cpu: 25m

+ memory: 262144k

+ upperBound:

+ cpu: 230m

+ memory: 262144k

+ ```

+ The results show the `target` attribute specifies that for the container to run optimally, it doesn't need to change the CPU or the memory target. Your results may vary where the target CPU and memory recommendation are higher.

+ The Vertical Pod Autoscaler uses the `lowerBound` and `upperBound` attributes to decide whether to delete a Pod and replace it with a new Pod. If a Pod has requests less than the lower bound or greater than the upper bound, the Vertical Pod Autoscaler deletes the Pod and replaces it with a Pod that meets the target attribute.

+## Next steps

+This article showed you how to automatically scale resource utilization, such as CPU and memory, of cluster nodes to match application requirements. You can also use the horizontal pod autoscaler to automatically adjust the number of pods that run your application. For steps on using the horizontal pod autoscaler, see [Scale applications in AKS][scale-applications-in-aks].

+<!-- EXTERNAL LINKS -->

+[kubernetes-autoscaler-github-repo]: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/examples/hamster.yaml

+[kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply

+[kubectl-create]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#create

+[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get

+[kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe

+[github-autoscaler-repo-v011]: https://github.com/kubernetes/autoscaler/blob/vpa-release-0.11/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1/types.go

+<!-- INTERNAL LINKS -->

+[get-started-with-aks]: /azure/architecture/reference-architectures/containers/aks-start-here

+[install-azure-cli]: /cli/azure/install-azure-cli

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az-aks-upgrade]: /cli/azure/aks#az-aks-upgrade

+[horizontal-pod-autoscaling]: concepts-scale.md#horizontal-pod-autoscaler

+[scale-applications-in-aks]: tutorial-kubernetes-scale.md

+# Send an email from an Automation runbook

+ $ARM_ID_CLUSTER = (Get-AzConnectedKubernetes -ResourceGroupName $RESOURCE_GROUP -Name $CLUSTER_NAME).Id

+Azure Arc-enabled VMware vSphere (preview) works with vCenter Server versions 6.7 and 7.

+- [Support matrix for Arc enabled VMware vSphere](support-matrix-for-arc-enabled-vmware-vsphere.md)

+- A resource group in the subscription where you have the *Owner*, *Contributor*, or *Azure Arc VMware Private Clouds Onboarding* role for onboarding.

+### Azure Arc Resource Bridge

+- Azure Arc Resource Bridge IP needs access to the URLs listed [here](../vmware-vsphere/support-matrix-for-arc-enabled-vmware-vsphere.md#resource-bridge-networking-requirements).

+| **Static IP / DHCP** | If you have DHCP server in your network and want to use it, enter **y**. Otherwise, enter **n**. If you are using a DHCP server, reserve the IP address assigned to the Azure Arc Resource Bridge VM (Appliance VM IP). </br>When you choose a static IP configuration, you're asked for the following information: </br> 1. **Static IP address prefix**: Network address in CIDR notation. For example: **192.168.0.0/24**. </br> 2. **Static gateway**: Gateway address. For example: **192.168.0.0**. </br> 3. **DNS servers**: IP address(es) of DNS server(s) used by Azure Arc Resource Bridge VM for DNS resolution. VM must be able to resolve external sites, like mcr.microsoft.com and the vCenter server. </br> 4. **Start range IP**: Minimum size of two available IP addresses is required. One IP address is for the VM, and the other is reserved for upgrade scenarios. Provide the starting IP address of that range. Ensure the Start range IP has internet access. </br> 5. **End range IP**: Last IP address of the IP range requested in the previous field. Ensure the End range IP has internet access. </br> 6. **VLAN ID** (optional) |

+| **Control Plane IP** address | Provide a static IP address that's outside the DHCP range but still available on the network. Ensure that this IP address isn't assigned to any other machine on the network. Azure Arc resource bridge (preview) runs a Kubernetes cluster, and its control plane requires a static IP address. Control Plane IP must have internet access. |

+ Title: Support matrix for Arc-enabled VMware vSphere (preview)

+description: In this article, you'll learn about the support matrix for Arc-enabled VMware vSphere including vCenter Server versions supported, network requirements etc.

+# Customer intent: As a VI admin, I want to understand the support matrix for Arc-enabled VMware vSphere.

+# Support matrix for Arc-enabled VMware vSphere (preview)

+This article documents the prerequisites and support requirements for using the [Arc-enabled VMware vSphere (preview)](overview.md) to manage your VMware vSphere VMs through Azure Arc.

+To use Arc-enabled VMware vSphere, you must deploy an Azure Arc resource bridge in your VMware vSphere environment. The resource bridge provides an ongoing connection between your VMware vCenter Server and Azure. Once you've connected your VMware vCenter Server to Azure, components on the resource bridge discover your vCenter inventory. You can enable them in Azure and start performing virtual hardware and guest OS operations on them using Azure Arc.

+## VMware vSphere Requirements

+### Supported vCenter Server versions

+- vCenter Server version 6.7 or 7.

+### Required vSphere account privileges

+You need a vSphere account that can:

+- Read all inventory.

+- Deploy and update VMs to all the resource pools (or clusters), networks, and VM templates that you want to use with Azure Arc.

+This account is used for the ongoing operation of Azure Arc-enabled VMware vSphere (preview) and the deployment of the Azure Arc resource bridge (preview) VM.

+### Resource bridge resource requirements

+For Arc-enabled VMware vSphere, resource bridge has the following minimum virtual hardware requirements

+- 16 GB of memory

+- 4 vCPUs

+- An external virtual switch that can provide access to the internet directly or through a proxy. If internet access is through a proxy or firewall, ensure [these URLs](#resource-bridge-networking-requirements) are allow-listed.

+### Resource bridge networking requirements

+The following firewall URL exceptions are needed for the Azure Arc resource bridge VM:

+| **Service** | **Port** | **URL** | **Direction** | **Notes**|

+| | | | | |

+| Microsoft container registry | 443 | https://mcr.microsoft.com | Appliance VM IP and control plane endpoint need outbound connection. | Required to pull container images for installation. |

+| Azure Arc Identity service | 443 | https://*.his.arc.azure.com | Appliance VM IP and control plane endpoint need outbound connection. | Manages identity and access control for Azure resources |

+| Azure Arc configuration service | 443 | https://*.dp.kubernetesconfiguration.azure.com | Appliance VM IP and control plane endpoint need outbound connection. | Used for Kubernetes cluster configuration. |

+| Cluster connect service | 443 | https://*.servicebus.windows.net | Appliance VM IP and control plane endpoint need outbound connection. | Provides cloud-enabled communication to connect on-premises resources with the cloud. |

+| Guest Notification service | 443 | https://guestnotificationservice.azure.com | Appliance VM IP and control plane endpoint need outbound connection. | Used to connect on-premises resources to Azure. |

+| SFS API endpoint | 443 | msk8s.api.cdp.microsoft.com | Host machine, Appliance VM IP and control plane endpoint need outbound connection. | Used when downloading product catalog, product bits, and OS images from SFS. |

+| Resource bridge (appliance) Dataplane service | 443 | https://*.dp.prod.appliances.azure.com | Appliance VM IP and control plane endpoint need outbound connection. | Communicate with resource provider in Azure. |

+| Resource bridge (appliance) container image download | 443 | *.blob.core.windows.net, https://ecpacr.azurecr.io | Appliance VM IP and control plane endpoint need outbound connection. | Required to pull container images. |

+| Resource bridge (appliance) image download | 80 | *.dl.delivery.mp.microsoft.com | Host machine, Appliance VM IP and control plane endpoint need outbound connection. | Download the Arc resource bridge OS images. |

+| Azure Arc for K8s container image download | 443 | https://azurearcfork8sdev.azurecr.io | Appliance VM IP and control plane endpoint need outbound connection. | Required to pull container images. |

+| ADHS telemetry service | 443 | adhs.events.data.microsoft.com | Appliance VM IP and control plane endpoint need outbound connection. Runs inside the appliance/mariner OS. | Used periodically to send Microsoft required diagnostic data from control plane nodes. Used when telemetry is coming off Mariner, which would mean any K8s control plane. |

+| Microsoft events data service | 443 | v20.events.data.microsoft.com | Appliance VM IP and control plane endpoint need outbound connection. | Used periodically to send Microsoft required diagnostic data from the Azure Stack HCI or Windows Server host. Used when telemetry is coming off Windows like Windows Server or HCI. |

+## Azure permissions required

+Following are the minimum Azure roles required for various operations:

+| **Operation** | **Minimum role required** | **Scope** |

+| | | |

+| Onboarding your vCenter Server to Arc | Azure Arc VMware Private Clouds Onboarding | On the subscription or resource group into which you want to onboard |

+| Administering Arc-enabled VMware vSphere | Azure Arc VMware Administrator | On the subscription or resource group where vCenter server resource is created |

+| VM Provisioning | Azure Arc VMware Private Cloud User | On the subscription or resource group that contains the resource pool/cluster/host, datastore and virtual network resources, or on the resources themselves |

+| VM Provisioning | Azure Arc VMware VM Contributor | On the subscription or resource group where you want to provision VMs |

+| VM Operations | Azure Arc VMware VM Contributor | On the subscription or resource group that contains the VM, or on the VM itself |

+Any roles with higher permissions such as *Owner/Contributor* role on the same scope, will also allow you to perform all the operations listed above.

+## Guest management (Arc agent) requirements

+With Arc-enabled VMware vSphere, you can install the Arc connected machine agent on your VMs at scale and use Azure management services on the VMs. There are additional requirements for this capability:

+To enable guest management (install the Arc connected machine agent), ensure

+- VM is powered on

+- VM has VMware tools installed and running

+- Resource bridge has access to the host on which the VM is running

+- VM is running a [supported operating system](#supported-operating-systems)

+- VM has internet connectivity directly or through proxy. If the connection is through a proxy, ensure [these URLs](#networking-requirements) are allow-listed.

+### Supported operating systems

+The officially supported versions of the Windows and Linux operating system for the Azure Connected Machine agent are listed [here](../servers/prerequisites.md#supported-operating-systems). Only x86-64 (64-bit) architectures are supported. x86 (32-bit) and ARM-based architectures, including x86-64 emulation on arm64, aren't supported operating environments.

+### Software requirements

+Windows operating systems:

+* NET Framework 4.6 or later is required. [Download the .NET Framework](/dotnet/framework/install/guide-for-developers).

+* Windows PowerShell 5.1 is required. [Download Windows Management Framework 5.1.](https://www.microsoft.com/download/details.aspx?id=54616).

+Linux operating systems:

+* systemd

+* wget (to download the installation script)

+### Networking requirements

+The following firewall URL exceptions are needed for the Azure Arc agents:

+| **URL** | **Description** |

+| | |

+| aka.ms | Used to resolve the download script during installation |

+| download.microsoft.com | Used to download the Windows installation package |

+| packages.microsoft.com | Used to download the Linux installation package |

+| login.windows.net | Azure Active Directory |

+| login.microsoftonline.com | Azure Active Directory |

+| pas.windows.net | Azure Active Directory |

+| management.azure.com | Azure Resource Manager - to create or delete the Arc server resource |

+| *.his.arc.azure.com | Metadata and hybrid identity services |

+| *.guestconfiguration.azure.com | Extension management and guest configuration services |

+| guestnotificationservice.azure.com, *.guestnotificationservice.azure.com | Notification service for extension and connectivity scenarios |

+| azgn*.servicebus.windows.net | Notification service for extension and connectivity scenarios |

+| *.servicebus.windows.net | For Windows Admin Center and SSH scenarios |

+| *.blob.core.windows.net | Download source for Azure Arc-enabled servers extensions |

+| dc.services.visualstudio.com | Agent telemetry |

+## Next steps

+- [Connect VMware vCenter to Azure Arc using the helper script](quick-start-connect-vcenter-to-arc-using-script.md)

+This article presents the information for customers to create a _business continuity and disaster recovery plan_ for their Azure Cache for Redis, or Azure Cache for Redis Enterprise implementation.

+Azure Cache for Redis has a high availability architecture that ensures your managed instance is functioning, even when outages affect the underlying virtual machines (VMs). Whether the outage is planned or unplanned outages, Azure Cache for Redis delivers much greater percentage availability rates than what's attainable by hosting Redis on a single VM.

+An Azure Cache for Redis in the applicable tiers runs on a pair of Redis servers by default. The two servers are hosted on dedicated VMs. Open-source Redis allows only one server to handle data write requests.

+With Azure Cache for Redis, one server is the _primary_ node, while the other is the _replica_. After it provisions the server nodes, Azure Cache for Redis assigns primary and replica roles to them. The primary node usually is responsible for servicing write and read requests from clients. On a write operation, it commits a new key and a key update to its internal memory and replies immediately to the client. It forwards the operation to the _replica_ asynchronously.

+If the _primary_ node in a cache is unavailable, the _replica_ automatically promotes itself to become the new primary. This process is called a _failover_. A failover is just two nodes, primary/replica, trading roles, replica/primary, with one of the nodes possibly going offline for a few minutes. In most failovers, the primary and replica nodes coordinate the handover so you have near zero time without a primary.

+The former primary goes offline briefly to receive updates from the new primary. Then, the now replica comes back online and rejoins the cache fully synchronized. The key is that when a node is unavailable, it's a temporary condition and it comes back online.

+A typical failover sequence looks like this, when a primary needs to go down for maintenance:

+1. Primary and replica nodes negotiate a coordinated failover and trade roles.

+1. Replica (formerly primary) goes offline for a reboot.

+1. A few seconds or minutes later, the replica comes back online.

+1. Replica syncs the data from the primary.

+A cache in either Enterprise tier runs on a Redis Enterprise _cluster_. It always requires an odd number of server nodes to form a quorum. By default, it has three nodes, each hosted on a dedicated VM.

+- An Enterprise cache has two same-sized _data nodes_ and one smaller _quorum node_.

+The Enterprise cluster divides Azure Cache for Redis data into partitions internally. Each partition has a _primary_ and at least one _replica_. Each data node holds one or more partitions. The Enterprise cluster ensures that the primary and replica(s) of any partition are never collocated on the same data node. Partitions replicate data asynchronously from primaries to their corresponding replicas.

+When a data node becomes unavailable or a network split happens, a failover similar to the one described in [Standard replication](#standard-replication-for-high-availability) takes place. The Enterprise cluster uses a quorum-based model to determine which surviving nodes participate in a new quorum. It also promotes replica partitions within these nodes to primaries as needed.

+If you experience a regional outage, consider recreating your cache in a different region, and updating your application to connect to the new cache instead. It's important to understand that data will be lost during a regional outage. Your application code should be resilient to data loss.

+Once the affected region is restored, your unavailable Azure Cache for Redis is automatically restored, and available for use again. For more strategies for moving your cache to a different region, see [Move Azure Cache for Redis instances to different regions](./cache-moving-resources.md).

+description: This article describes the different management tasks that you'll typically perform during the lifecycle of the Log Analytics Windows or Linux agent deployed on a machine.

+After initial deployment of the Log Analytics Windows or Linux agent in Azure Monitor, you might need to reconfigure the agent, upgrade it, or remove it from the computer if it has reached the retirement stage in its lifecycle. You can easily manage these routine maintenance tasks manually or through automation, which reduces both operational error and expenses.

+Upgrade to the latest release of the Log Analytics agent for Windows and Linux manually or automatically based on your deployment scenario and the environment the VM is running in.

+| Azure VM | Log Analytics agent VM extension for Windows/Linux | The agent is automatically upgraded [after the VM model changes](../../virtual-machines/extensions/features-linux.md#how-agents-and-extensions-are-updated), unless you configured your Azure Resource Manager template to opt out by setting the property `autoUpgradeMinorVersion` to **false**. Once deployed, however, the extension won't upgrade minor versions unless redeployed, even with this property set to **true**. Only the Linux agent supports automatic update post deployment with `enableAutomaticUpgrade` property (see [Enable Auto-update for the Linux agent](#enable-auto-update-for-the-linux-agent)). Major version upgrade is always manual (see [VirtualMachineExtensionInner.AutoUpgradeMinorVersion Property](https://docs.azure.cn/dotnet/api/microsoft.azure.management.compute.fluent.models.virtualmachineextensioninner.autoupgrademinorversion?view=azure-dotnet)). |

+| Custom Azure VM images | Manual installation of Log Analytics agent for Windows/Linux | Updating VMs to the newest version of the agent must be performed from the command line running the Windows installer package or Linux self-extracting and installable shell script bundle.|

+| Non-Azure VMs | Manual installation of Log Analytics agent for Windows/Linux | Updating VMs to the newest version of the agent must be performed from the command line running the Windows installer package or Linux self-extracting and installable shell script bundle. |

+### Upgrade the Windows agent

+To update the agent on a Windows VM to the latest version not installed by using the Log Analytics VM extension, you either run from the command prompt, script, or other automation solution or use the **MMASetup-\<platform\>.msi Setup Wizard**.

+To download the latest version of the Windows agent from your Log Analytics workspace:

+1. In the Azure portal, select **All services**. In the list of resources, enter **Log Analytics**. As you begin typing, the list filters based on your input. Select **Log Analytics workspaces**.

+1. In your list of Log Analytics workspaces, select the workspace.

+1. In your Log Analytics workspace, select the **Agents Management** tile and then select **Windows Servers**.

+1. On the **Windows Servers** screen, select the appropriate **Download Windows Agent** version to download depending on the processor architecture of the Windows operating system.

+>During the upgrade of the Log Analytics agent for Windows, it doesn't support configuring or reconfiguring a workspace to report to. To configure the agent, follow one of the supported methods listed under [Add or remove a workspace](#add-or-remove-a-workspace).

+#### Upgrade using the Setup Wizard

+1. Execute **MMASetup-\<platform\>.exe** to start the **Setup Wizard**.

+1. On the first page of the **Setup Wizard**, select **Next**.

+1. In the **Microsoft Monitoring Agent Setup** dialog, select **I agree** to accept the license agreement.

+1. In the **Microsoft Monitoring Agent Setup** dialog, select **Upgrade**. The status page displays the progress of the upgrade.

+1. When the **Microsoft Monitoring Agent configuration completed successfully** page appears, select **Finish**.

+#### Upgrade from the command line

+1. To extract the agent installation files, run `MMASetup-<platform>.exe /c` from an elevated command prompt, and it will prompt you for the path to extract files to. Alternatively, you can specify the path by passing the arguments `MMASetup-<platform>.exe /c /t:<Full Path>`.

+1. Run the following command, where D:\ is the location for the upgrade log file:

+### Upgrade the Linux agent

+Run the following command to upgrade the agent:

+### Enable auto-update for the Linux agent

+We recommend that you enable [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) by using these commands to update the agent automatically.

+# [PowerShell](#tab/PowerShellLinux)

+Add or remove a workspace using the Windows agent or the Linux agent.

+The steps in this section are necessary not only when you want to reconfigure the Windows agent to report to a different workspace or remove a workspace from its configuration, but also when you want to configure the agent to report to more than one workspace. (This practice is commonly referred to as multihoming.) Configuring the Windows agent to report to multiple workspaces can only be performed after initial setup of the agent and by using the methods described in this section.

+1. Open Control Panel.

+1. Select **Microsoft Monitoring Agent** and then select the **Azure Log Analytics** tab.

+1. If you're removing a workspace, select it and then select **Remove**. Repeat this step for any other workspace you want the agent to stop reporting to.

+1. If you're adding a workspace, select **Add**. In the **Add a Log Analytics Workspace** dialog, paste the workspace ID and workspace key (primary key). If the computer should report to a Log Analytics workspace in Azure Government cloud, select **Azure US Government** from the **Azure Cloud** dropdown list.

+1. Select **OK** to save your changes.

+1. To verify the agent is registered to a workspace, run the following command:

+ It's important that the status also shows the agent is running. Otherwise, the following steps to reconfigure the agent won't finish successfully.

+1. If the agent is already registered with a workspace, remove the registered workspace by running the following command. Otherwise, if it isn't registered, proceed to the next step.

+1. To register with a different workspace, run the following command:

+1. To verify your changes took effect, run the following command:

+The agent service doesn't need to be restarted for the changes to take effect.

+Log Analytics Agent (MMA) doesn't use the system proxy settings. As a result, you have to pass proxy settings while you install MMA. These settings will be stored under MMA configuration (registry) on the VM. To configure the agent to communicate to the service through a proxy server or [Log Analytics gateway](./gateway.md) after deployment, use one of the following methods to complete this task.

+Use a Windows agent.

+1. Open Control Panel.

+1. Select **Microsoft Monitoring Agent** and then select the **Proxy Settings** tab.

+1. Select **Use a proxy server** and provide the URL and port number of the proxy server or gateway. If your proxy server or Log Analytics gateway requires authentication, enter the username and password to authenticate and then select **OK**.

+Perform the following steps if your Linux computers need to communicate through a proxy server or Log Analytics gateway. The proxy configuration value has the following syntax: `[protocol://][user:password@]proxyhost[:port]`. The `proxyhost` property accepts a fully qualified domain name or IP address of the proxy server.

+1. Edit the file `/etc/opt/microsoft/omsagent/proxy.conf` by running the following commands and change the values to your specific settings:

+1. Restart the agent by running the following command:

+ If you see `cURL failed to perform on this base url` in the log, you can try removing `'\n'` in `proxy.conf` EOF to resolve the failure:

+Use one of the following procedures to uninstall the Windows or Linux agent by using the command line or **Setup Wizard**.

+Use the Windows agent.

+1. In Control Panel, select **Programs and Features**.

+1. In **Programs and Features**, select **Microsoft Monitoring Agent** > **Uninstall** > **Yes**.

+>The **Agent Setup Wizard** can also be run by double-clicking `MMASetup-\<platform\>.exe`, which is available for download from a workspace in the Azure portal.

+The downloaded file for the agent is a self-contained installation package created with IExpress. The setup program for the agent and supporting files are contained in the package and must be extracted to properly uninstall by using the command line shown in the following example.

+1. To extract the agent installation files, from an elevated command prompt run `extract MMASetup-<platform>.exe` and it will prompt you for the path to extract files to. Alternatively, you can specify the path by passing the arguments `extract MMASetup-<platform>.exe /c:<Path> /t:<Path>`. For more information on the command-line switches supported by IExpress, see [Command-line switches for IExpress](https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/197147) and then update the example to suit your needs.

+1. At the prompt, enter `%WinDir%\System32\msiexec.exe /x <Path>:\MOMAgent.msi /qb`.

+To remove the agent, run the following command on the Linux computer. The `--purge` argument completely removes the agent and its configuration.

+Use the Windows agent.

+1. Open Control Panel.

+1. Select **Microsoft Monitoring Agent** and then select the **Operations Manager** tab.

+1. If your Operations Manager servers have integration with Active Directory, select **Automatically update management group assignments from AD DS**.

+1. Select **Add** to open the **Add a Management Group** dialog.

+1. In the **Management group name** field, enter the name of your management group.

+1. In the **Primary management server** field, enter the computer name of the primary management server.

+1. In the **Management server port** field, enter the TCP port number.

+1. Under **Agent Action Account**, choose either the local system account or a local domain account.

+1. Select **OK** to close the **Add a Management Group** dialog. Then select **OK** to close the **Microsoft Monitoring Agent Properties** dialog.

+1. Edit the file `/etc/opt/omi/conf/omiserver.conf`.

+1. Ensure that the line beginning with `httpsport=` defines the port 1270, such as, `httpsport=1270`.

+1. Restart the OMI server by using the following command:

+ `sudo /opt/omi/bin/service_control restart`

+## Next steps

+- Review [Troubleshooting the Linux agent](agent-linux-troubleshoot.md) if you encounter issues while you install or manage the Linux agent.

+- Review [Troubleshooting the Windows agent](agent-windows-troubleshoot.md) if you encounter issues while you install or manage the Windows agent.

+ Title: Troubleshoot issues with the Log Analytics agent for Windows

+# Troubleshoot issues with the Log Analytics agent for Windows

+This article provides help in troubleshooting errors you might experience with the Log Analytics agent for Windows in Azure Monitor and suggests possible solutions to resolve them.

+The Log Analytics agent for Windows Troubleshooting Tool is a collection of PowerShell scripts designed to help find and diagnose issues with the Log Analytics agent. It's automatically included with the agent upon installation. Running the tool should be the first step in diagnosing an issue.

+### Use the Troubleshooting Tool

+1. Open the PowerShell prompt as administrator on the machine where the Log Analytics agent is installed.

+1. Go to the directory where the tool is located:

+ `cd "C:\Program Files\Microsoft Monitoring Agent\Agent\Troubleshooter"`

+1. Execute the main script by using this command:

+ `.\GetAgentInfo.ps1`

+1. Follow instructions on the console. Note that trace logs steps require manual intervention to stop log collection. Based on the reproducibility of the issue, wait for the time duration and select "s" to stop log collection and proceed to the next step.

+ The location of the results file is logged upon completion and a new explorer window highlighting it is opened.

+The Troubleshooting Tool is automatically included upon installation of the Log Analytics Agent build 10.20.18053.0 and onward.

+The Troubleshooting Tool checks the following scenarios:

+- The agent isn't reporting data or heartbeat data is missing.

+- The agent extension deployment is failing.

+- The agent is crashing.

+- The agent is consuming high CPU or memory.

+- Installation and uninstallation experience failures.

+- Custom logs have issues.

+- OMS Gateway has issues.

+- Performance counters have issues.

+- Agent logs can't be collected.

+>Run the Troubleshooting Tool when you experience an issue. Having the logs initially will help our support team troubleshoot your issue faster.

+ To assist with troubleshooting issues related to the Log Analytics agent for Windows, the agent logs events to the Windows Event Log, specifically under *Application and Services\Operations Manager*.

+If the agent is communicating through a proxy server or firewall, restrictions might be in place that prevent communication from the source computer and the Azure Monitor service. If communication is blocked because of misconfiguration, registration with a workspace might fail while attempting to install the agent or configure the agent post-setup to report to another workspace. Agent communication might fail after successful registration. This section describes the methods to troubleshoot this type of issue with the Windows agent.

+Double-check that the firewall or proxy is configured to allow the following ports and URLs described in the following table. Also confirm that HTTP inspection isn't enabled for web traffic. It can prevent a secure TLS channel between the agent and Azure Monitor.

+|Agent resource|Ports |Direction |Bypass HTTPS inspection|

+For firewall information required for Azure Government, see [Azure Government management](../../azure-government/compare-azure-government-global-azure.md#azure-monitor). If you plan to use the Azure Automation Hybrid Runbook Worker to connect to and register with the Automation service to use runbooks or management solutions in your environment, it must have access to the port number and the URLs described in [Configure your network for the Hybrid Runbook Worker](../../automation/automation-hybrid-runbook-worker.md#network-planning).

+There are several ways you can verify if the agent is successfully communicating with Azure Monitor:

+- Enable the [Azure Log Analytics Agent Health assessment](../insights/solution-agenthealth.md) in the workspace. From the Agent Health dashboard, view the **Count of unresponsive agents** column to quickly see if the agent is listed.

+- Run the following query to confirm the agent is sending a heartbeat to the workspace it's configured to report to. Replace `<ComputerName>` with the actual name of the machine.

+ If the computer is successfully communicating with the service, the query should return a result. If the query didn't return a result, first verify the agent is configured to report to the correct workspace. If it's configured correctly, proceed to step 3 and search the Windows Event Log to identify if the agent is logging the issue that might be preventing it from communicating with Azure Monitor.

+- Another method to identify a connectivity issue is by running the **TestCloudConnectivity** tool. The tool is installed by default with the agent in the folder *%SystemRoot%\Program Files\Microsoft Monitoring Agent\Agent*. From an elevated command prompt, go to the folder and run the tool. The tool returns the results and highlights where the test failed. For example, perhaps it was related to a particular port or URL that was blocked.

+ 

+- Filter the *Operations Manager* event log by **Event sources** *Health Service Modules*, *HealthService*, and *Service Connector* and filter by **Event Level** *Warning* and *Error* to confirm if it has written events from the following table. If they are, review the resolution steps included for each possible event.

+ |2133 & 2129 |Health Service |Connection to the service from the agent failed. |This error can occur when the agent can't communicate directly or through a firewall or proxy server to the Azure Monitor service. Verify agent proxy settings or that the network firewall or proxy allows TCP traffic from the computer to the service.|

+ |2138 |Health Service Modules |Proxy requires authentication. |Configure the agent proxy settings and specify the username/password required to authenticate with the proxy server. |

+ |2129 |Health Service Modules |Failed connection. Failed TLS negotiation. |Check your network adapter TCP/IP settings and agent proxy settings.|

+ |2127 |Health Service Modules |Failure sending data received error code. |If it only happens periodically during the day, it could be a random anomaly that can be ignored. Monitor to understand how often it happens. If it happens often throughout the day, first check your network configuration and proxy settings. If the description includes HTTP error code 404 and it's the first time that the agent tries to send data to the service, it will include a 500 error with an inner 404 error code. The 404 error code means "not found," which indicates that the storage area for the new workspace is still being provisioned. On the next retry, data will successfully write to the workspace as expected. An HTTP error 403 might indicate a permission or credentials issue. More information is included with the 403 error to help troubleshoot the issue.|

+ |4000 |Service Connector |DNS name resolution failed. |The machine couldn't resolve the internet address used when it sent data to the service. This issue might be DNS resolver settings on your machine, incorrect proxy settings, or a temporary DNS issue with your provider. If it happens periodically, it could be caused by a transient network-related issue.|

+ |4001 |Service Connector |Connection to the service failed. |This error can occur when the agent can't communicate directly or through a firewall or proxy server to the Azure Monitor service. Verify agent proxy settings or that the network firewall or proxy allows TCP traffic from the computer to the service.|

+ |4002 |Service Connector |The service returned HTTP status code 403 in response to a query. Check with the service administrator for the health of the service. The query will be retried later. |This error is written during the agent's initial registration phase. You'll see a URL similar to *https://\<workspaceID>.oms.opinsights.azure.com/AgentService.svc/AgentTopologyRequest*. A 403 error code means "forbidden" and can be caused by a mistyped Workspace ID or key. The date and time might also be incorrect on the computer. If the time is +/- 15 minutes from current time, onboarding fails. To correct this issue, update the date and/or time of your Windows computer.|

+After the agent is installed and reports to its configured workspace or workspaces, it might stop receiving configuration and collecting or forwarding performance, logs, or other data to the service depending on what's enabled and targeting the computer. You need to determine:

+- Is it a particular data type or all data that's not available in the workspace?

+- How many computers are affected? Is it a single computer or multiple computers reporting to the workspace?

+- Was it working and did it stop at a particular time of day, or has it never been collected?

+- Is the log search query you're using syntactically correct?

+If the query returns results, you need to determine if a particular data type isn't collected and forwarded to the service. This issue could be caused by the agent not receiving updated configuration from the service or some other symptom that prevents the agent from operating normally. Perform the following steps to further troubleshoot.

+1. Open an elevated command prompt on the computer and restart the agent service by entering `net stop healthservice && net start healthservice`.

+1. Open the *Operations Manager* event log and search for **event IDs** *7023, 7024, 7025, 7028*, and *1210* from **Event source** *HealthService*. These events indicate the agent is successfully receiving configuration from Azure Monitor and they're actively monitoring the computer. The event description for event ID 1210 will also specify on the last line all of the solutions and Insights that are included in the scope of monitoring on the agent.

+ 

+1. Wait several minutes. If you don't see the expected data in the query results or visualization, depending on if you're viewing the data from a solution or Insight, from the *Operations Manager* event log, search for **Event sources** *HealthService* and *Health Service Modules*. Filter by **Event Level** *Warning* and *Error* to confirm if it has written events from the following table.

+ ||-||--|

+ |8000 |HealthService |This event will specify if a workflow related to performance, event, or other data type collected is unable to forward to the service for ingestion to the workspace. | Event ID 2136 from source HealthService is written together with this event and can indicate the agent is unable to communicate with the service. Possible reasons might be misconfiguration of the proxy and authentication settings, network outage, or the network firewall or proxy doesn't allow TCP traffic from the computer to the service.|

+ |10102 and 10103 |Health Service Modules |Workflow couldn't resolve the data source. |This issue can occur if the specified performance counter or instance doesn't exist on the computer or is incorrectly defined in the workspace data settings. If this is a user-specified [performance counter](data-sources-performance-counters.md#configuring-performance-counters), verify the information specified follows the correct format and exists on the target computers. |

+ |26002 |Health Service Modules |Workflow couldn't resolve the data source. |This issue can occur if the specified Windows event log doesn't exist on the computer. This error can be safely ignored if the computer isn't expected to have this event log registered. Otherwise, if this is a user-specified [event log](data-sources-windows-events.md#configure-windows-event-logs), verify the information specified is correct. |

+# "location" property value under the "body" section should be the Azure region where the MO object would be stored. It should be the "same region" where you created the Data Collection Rule. This is the location of the region from where agent communications would happen.

+##########################

+ Title: Monitor data from virtual machines with Azure Monitor Agent

+description: Describes how to collect events and performance data from virtual machines by using Azure Monitor Agent.

+# Collect data from virtual machines with Azure Monitor Agent

+This article describes how to collect events and performance counters from virtual machines by using Azure Monitor Agent.

+To collect data from virtual machines by using Azure Monitor Agent, you'll:

+1. Create [data collection rules (DCRs)](../essentials/data-collection-rule-overview.md) that define which data Azure Monitor Agent sends to which destinations.

+ You can associate virtual machines to multiple data collection rules. Define each data collection rule to address a particular requirement. Associate one or more data collection rules to a virtual machine based on the specific data you want the machine to collect.

+To send data to Log Analytics, create the data collection rule in the *same region* as your Log Analytics workspace. You can still associate the rule to machines in other supported regions.

+1. On the **Monitor** menu, select **Data Collection Rules**.

+1. Select **Create** to create a new data collection rule and associations.

+ [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rules-updated.png#lightbox)

+1. Enter a **Rule name** and specify a **Subscription**, **Resource Group**, **Region**, and **Platform Type**:

+ - **Region** specifies where the DCR will be created. The virtual machines and their associations can be in any subscription or resource group in the tenant.

+ - **Platform Type** specifies the type of resources this rule can apply to. The **Custom** option allows for both Windows and Linux types.

+ [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-basics-updated.png#lightbox)

+1. On the **Resources** tab, add the resources to which to associate the data collection rule. Resources can be virtual machines, virtual machine scale sets, and Azure Arc for servers. The Azure portal installs Azure Monitor Agent on resources that don't already have it installed. The portal also enables Azure Managed Identity.

+ > [!IMPORTANT]

+ > The portal enables system-assigned managed identity on the target resources, along with existing user-assigned identities, if there are any. For existing applications, unless you specify the user-assigned identity in the request, the machine defaults to using system-assigned identity instead.

+ If you need network isolation using private links, select existing endpoints from the same region for the respective resources or [create a new endpoint](../essentials/data-collection-endpoint-overview.md).

+ [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png#lightbox)

+1. Select which data you want to collect. For performance counters, you can select from a predefined set of objects and their sampling rate. For events, you can select from a set of logs and severity levels.

+ [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-basic-updated.png#lightbox)

+1. Select **Custom** to collect logs and performance counters that aren't [currently supported data sources](azure-monitor-agent-overview.md#data-sources-and-destinations) or to [filter events by using XPath queries](#filter-events-using-xpath-queries). You can then specify an [XPath](https://www.w3schools.com/xml/xpath_syntax.asp) to collect any specific values. For an example, see [Sample DCR](data-collection-rule-sample-agent.md).

+ [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-data-source-custom-updated.png#lightbox)

+1. On the **Destination** tab, add one or more destinations for the data source. You can select multiple destinations of the same or different types. For instance, you can select multiple Log Analytics workspaces, which is also known as multihoming.

+ You can send Windows event and Syslog data sources to Azure Monitor Logs only. You can send performance counters to both Azure Monitor Metrics and Azure Monitor Logs.

+ [  ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-destination.png#lightbox)

+1. Select **Add data source** and then select **Review + create** to review the details of the data collection rule and association with the set of virtual machines.

+1. Create a DCR file by using the JSON format shown in [Sample DCR](data-collection-rule-sample-agent.md).

+1. Create the rule by using the [REST API](/rest/api/monitor/datacollectionrules/create#examples).

+1. Create an association for each virtual machine to the data collection rule by using the [REST API](/rest/api/monitor/datacollectionruleassociations/create#examples).

+| Get rules | [Get-AzDataCollectionRule](/powershell/module/az.monitor/get-azdatacollectionrule?view=azps-5.4.0&preserve-view=true) |

+| Update "Tags" for a rule | [Update-AzDataCollectionRule](/powershell/module/az.monitor/update-azdatacollectionrule?view=azps-6.0.0&viewFallbackFrom=azps-5.4.0&preserve-view=true) |

+| Get associations | [Get-AzDataCollectionRuleAssociation](/powershell/module/az.monitor/get-azdatacollectionruleassociation?view=azps-6.0.0&viewFallbackFrom=azps-5.4.0&preserve-view=true) |

+This capability is enabled as part of the Azure CLI monitor-control-service extension. [View all commands](/cli/azure/monitor/data-collection/rule).

+For sample templates, see [Azure Resource Manager template samples for data collection rules in Azure Monitor](./resource-manager-data-collection-rules.md).

+You're charged for any data you collect in a Log Analytics workspace, so collect only the data you need. The basic configuration in the Azure portal provides you with a limited ability to filter out events.

+To specify more filters, use custom configuration and specify an XPath that filters out the events you don't need. XPath entries are written in the form `LogName!XPathQuery`. For example, you might want to return only events from the Application event log with an event ID of 1035. The `XPathQuery` for these events would be `*[System[EventID=1035]]`. Because you want to retrieve the events from the Application event log, the XPath is `Application!*[System[EventID=1035]]`

+### Extract XPath queries from Windows Event Viewer

+In Windows, you can use Event Viewer to extract XPath queries as shown in the screenshots.

+When you paste the XPath query into the field on the **Add data source** screen, as shown in step 5, you must append the log type category followed by an exclamation point (!).

+[  ](media/data-collection-rule-azure-monitor-agent/data-collection-rule-extract-xpath.png#lightbox)

+For a list of limitations in the XPath supported by Windows event log, see [XPath 1.0 limitations](/windows/win32/wes/consuming-events#xpath-10-limitations).

+> You can use the PowerShell cmdlet `Get-WinEvent` with the `FilterXPath` parameter to test the validity of an XPath query locally on your machine first. The following script shows an example:

+>

+> - In the preceding cmdlet, the value of the `-LogName` parameter is the initial part of the XPath query until the exclamation point (!). The rest of the XPath query goes into the `$XPath` parameter.

+> - If you receive the message "No events were found that match the specified selection criteria," the query might be valid but there are no matching events on the local machine.

+> - If you receive the message "The specified query is invalid," the query syntax is invalid.

+Examples of using a custom XPath to filter events:

+- [Collect text logs by using Azure Monitor Agent](data-collection-text-log.md).

+- Learn more about [Azure Monitor Agent](azure-monitor-agent-overview.md).

+ Title: Collect Syslog data sources with the Log Analytics agent in Azure Monitor

+description: Syslog is an event logging protocol that's common to Linux. This article describes how to configure collection of Syslog messages in Log Analytics and details the records they create.

+# Collect Syslog data sources with the Log Analytics agent

+Syslog is an event logging protocol that's common to Linux. Applications send messages that might be stored on the local machine or delivered to a Syslog collector. When the Log Analytics agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the messages to Azure Monitor where a corresponding record is created.

+> Azure Monitor supports collection of messages sent by rsyslog or syslog-ng, where rsyslog is the default daemon. The default Syslog daemon on version 5 of Red Hat Enterprise Linux, CentOS, and Oracle Linux version (sysklog) isn't supported for Syslog event collection. To collect Syslog data from this version of these distributions, the [rsyslog daemon](http://rsyslog.com) should be installed and configured to replace sysklog.

+

+## Configure Syslog

+You can add a new facility by selecting **Add facility**. For each facility, only messages with the selected severities will be collected. Select the severities for the particular facility that you want to collect. You can't provide any other criteria to filter messages.

+[](media/data-sources-syslog/configure.png#lightbox)

+By default, all configuration changes are automatically pushed to all agents. If you want to configure Syslog manually on each Linux agent, clear the **Apply below configuration to my machines** checkbox.

+When the [Log Analytics agent is installed on a Linux client](../vm/monitor-virtual-machine.md), it installs a default Syslog configuration file that defines the facility and severity of the messages that are collected. You can modify this file to change the configuration. The configuration file is different depending on the Syslog daemon that the client has installed.

+> If you edit the Syslog configuration, you must restart the Syslog daemon for the changes to take effect.

+The configuration file for rsyslog is located at `/etc/rsyslog.d/95-omsagent.conf`. Its default contents are shown in the following example. This example collects Syslog messages sent from the local agent for all facilities with a level of warning or higher.

+You can remove a facility by removing its section of the configuration file. You can limit the severities that are collected for a particular facility by modifying that facility's entry. For example, to limit the user facility to messages with a severity of error or higher, you would modify that line of the configuration file to the following example:

+The configuration file for syslog-ng is located at `/etc/syslog-ng/syslog-ng.conf`. Its default contents are shown in this example. This example collects Syslog messages sent from the local agent for all facilities and all severities.

+You can remove a facility by removing its section of the configuration file. You can limit the severities that are collected for a particular facility by removing them from its list. For example, to limit the user facility to alert only critical messages, you would modify that section of the configuration file as shown in the following example:

+### Collect data from other Syslog ports

+The Log Analytics agent listens for Syslog messages on the local client on port 25224. When the agent is installed, a default Syslog configuration is applied and found in the following location:

+You can change the port number by creating two configuration files: a FluentD config file and a rsyslog-or-syslog-ng file depending on the Syslog daemon you have installed.

+* The FluentD config file should be a new file located in `/etc/opt/microsoft/omsagent/conf/omsagent.d` and replace the value in the `port` entry with your custom port number.

+* For rsyslog, you should create a new configuration file located in `/etc/rsyslog.d/` and replace the value `%SYSLOG_PORT%` with your custom port number.

+* The syslog-ng config should be modified by copying the example configuration shown next and adding the custom modified settings to the end of the `syslog-ng.conf` configuration file located in `/etc/syslog-ng/`. Do *not* use the default label `%WORKSPACE_ID%_oms` or `%WORKSPACE_ID_OMS`. Define a custom label to help distinguish your changes.

+ > If you modify the default values in the configuration file, they'll be overwritten when the agent applies a default configuration.

+After you finish the changes, restart the Syslog and the Log Analytics agent service to ensure the configuration changes take effect.

+Syslog records have a type of **Syslog** and have the properties shown in the following table.

+| Syslog |All Syslogs |

+| Syslog &#124; where SeverityLevel == "error" |All Syslog records with severity of error |

+| Syslog &#124; summarize AggregatedValue = count() by Computer |Count of Syslog records by computer |

+| Syslog &#124; summarize AggregatedValue = count() by Facility |Count of Syslog records by facility |

+* Use [custom fields](../logs/custom-fields.md) to parse data from Syslog records into individual fields.

+description: Use Azure Diagnostics for debugging, measuring performance, monitoring, and performing traffic analysis in cloud services, virtual machines, and service fabric.

+Azure Diagnostics extension is an [agent in Azure Monitor](../agents/agents-overview.md) that collects monitoring data from the guest operating system of Azure compute resources including virtual machines. This article provides an overview of Azure Diagnostics extension, the specific functionality that it supports, and options for installation and configuration.

+> Azure Diagnostics extension is one of the agents available to collect monitoring data from the guest operating system of compute resources. For a description of the different agents and guidance on selecting the appropriate agents for your requirements, see [Overview of the Azure Monitor agents](../agents/agents-overview.md).

+Use Azure Diagnostics extension if you need to:

+- Send data to [Azure Monitor Metrics](../essentials/data-platform-metrics.md) to analyze it with [metrics explorer](../essentials/metrics-getting-started.md) and to take advantage of features such as near-real-time [metric alerts](../alerts/alerts-metric-overview.md) and [autoscale](../autoscale/autoscale-overview.md) (Windows only).

+- Collect [boot diagnostics](/troubleshoot/azure/virtual-machines/boot-diagnostics) to investigate VM boot issues.

+Limitations of Azure Diagnostics extension:

+- It can only be used with Azure resources.

+- It has limited ability to send data to Azure Monitor Logs.

+The Log Analytics agent in Azure Monitor can also be used to collect monitoring data from the guest operating system of virtual machines. You can choose to use either or both depending on your requirements. For a comparison of the Azure Monitor agents, see [Overview of the Azure Monitor agents](../agents/agents-overview.md).

+- Azure Diagnostics extension can be used only with Azure virtual machines. The Log Analytics agent can be used with virtual machines in Azure, other clouds, and on-premises.

+- Azure Diagnostics extension sends data to Azure Storage, [Azure Monitor Metrics](../essentials/data-platform-metrics.md) (Windows only), and Azure Event Hubs. The Log Analytics agent collects data to [Azure Monitor Logs](../logs/data-platform-logs.md).

+There's no cost for Azure Diagnostics extension, but you might incur charges for the data ingested. Check [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/) for the destination where you're collecting data.

+| Data source | Description |

+| Windows event logs | Events from Windows event log. |

+| IIS logs | Usage information for IIS websites running on the guest operating system. |

+| .NET EventSource logs |Code writing events using the .NET [EventSource](/dotnet/api/system.diagnostics.tracing.eventsource) class. |

+| [Manifest-based ETW logs](/windows/desktop/etw/about-event-tracing) |Event tracing for Windows events generated by any process. |

+| File-based logs | Logs created by your application or service. |

+| Data source | Description |

+| Syslog | Events sent to the Linux event logging system |

+| Performance counters | Numerical values measuring performance of different aspects of operating system and workloads |

+| Log files | Entries sent to a file-based log |

+The Azure Diagnostics extension for both Windows and Linux always collects data into an Azure Storage account. For a list of specific tables and blobs where this data is collected, see [Install and configure Azure Diagnostics extension for Windows](diagnostics-extension-windows-install.md) and [Use Azure Diagnostics extension for Linux to monitor metrics and logs](../../virtual-machines/extensions/diagnostics-linux.md).

+Configure one or more *data sinks* to send data to other destinations. The following sections list the sinks available for the Windows and Linux diagnostics extension.

+| Event hubs | Use Azure Event Hubs to send data outside of Azure. See [Streaming Azure Diagnostics data to Azure Event Hubs](diagnostics-extension-stream-event-hubs.md). |

+| Azure Storage blobs | Write data to blobs in Azure Storage in addition to tables. |

+You can also collect WAD data from storage into a Log Analytics workspace to analyze it with Azure Monitor Logs, although the Log Analytics agent is typically used for this functionality. It can send data directly to a Log Analytics workspace and supports solutions and insights that provide more functionality. See [Collect Azure diagnostic logs from Azure Storage](../agents/diagnostics-extension-logs.md).

+| Azure Storage blobs | Write data to blobs in Azure Storage in addition to tables. |

+The diagnostics extension is implemented as a [virtual machine extension](../../virtual-machines/extensions/overview.md) in Azure, so it supports the same installation options using Azure Resource Manager templates, PowerShell, and the Azure CLI. For information on installing and maintaining virtual machine extensions, see [Virtual machine extensions and features for Windows](../../virtual-machines/extensions/features-windows.md) and [Virtual machine extensions and features for Linux](../../virtual-machines/extensions/features-linux.md).

+You can also install and configure both the Windows and Linux diagnostics extension in the Azure portal under **Diagnostic settings** in the **Monitoring** section of the virtual machine's menu.

+See the following articles for information on installing and configuring the diagnostics extension for Windows and Linux:

+- [Install and configure Azure Diagnostics extension for Windows](diagnostics-extension-windows-install.md)

+- [Use Linux diagnostics extension to monitor metrics and logs](../../virtual-machines/extensions/diagnostics-linux.md)

+See the following articles for more information.

+### Azure Cloud Services (classic) web and worker roles

+- [Introduction to Azure Cloud Services monitoring](../../cloud-services/cloud-services-how-to-monitor.md)

+- [Application Insights for Azure Cloud Services](../app/azure-web-apps-net-core.md)<br>

+- [Trace the flow of an Azure Cloud Services application with Azure Diagnostics](../../cloud-services/cloud-services-dotnet-diagnostics-trace-flow.md)

+[Monitor and diagnose services in a local machine development setup](../../service-fabric/service-fabric-diagnostics-how-to-monitor-and-diagnose-services-locally.md)

+## Next steps

+* Learn to [use performance counters in Azure Diagnostics](../../cloud-services/diagnostics-performance-counters.md).

+* If you have trouble with diagnostics starting or finding your data in Azure Storage tables, see [Troubleshooting Azure Diagnostics](diagnostics-extension-troubleshooting.md).

+> [!NOTE]

+> Access to data in the Log Analytics Workspaces is governed as outline [here](https://learn.microsoft.com/azure/azure-monitor/logs/manage-access).

+>

+Log Analytics is a tool in the Azure portal that's used to edit and run log queries against data in the Azure Monitor Logs store.

+> Use the smallest scope that you need to meet your requirements.

+* [Managed identities](../../active-directory/managed-identities-azure-resources/managed-identities-faq.md#are-there-any-rate-limits-that-apply-to-managed-identities)

+To generate a Video Indexer restricted viewer access token via API, see [documentation](/rest/api/videoindexer/generate/access-token).

+This quickstart shows you how to sign in to the Azure Video Indexer [website](https://www.videoindexer.ai/) and how to upload your first video.

+## Sign up and upload a video

+### Upload

+## Preview limitations

+## Known issues

+>* Enabling the soft delete policy with AZ through ARM template leaves the registry stuck in the `creation` state. To avoid this, we recommend deleting and recreating the registry by disabling the soft delete policy.

+>* Accessing the manage deleted artifacts blade after disabling the soft delete policy will throw an error message with 405 status.

+>* The customers with restrictions on permissions to restore, will see an issue as File not found.

+* Learn more about options to [delete images and repositories](container-registry-delete.md) in Azure Container Registry.

+1. Pair the primary and secondary on-premises management console appliances. The primary on-premises management console must manage at least two sensors in order to carry out the setup.

+ For more information, see [Create the primary and secondary pair](#create-the-primary-and-secondary-pair).

+If you already have a script, you can skip to [Create a load test](#create-a-load-test). In this section, you'll create a sample JMeter test script to load test a single web endpoint.

+You can also use the [Apache JMeter test script recorder](https://jmeter.apache.org/usermanual/jmeter_proxy_step_by_step.html) to record the requests while navigating the application in a browser. Alternatively, [import cURL commands](https://jmeter.apache.org/usermanual/curl.html) to generate the requests in the JMeter test script.

+To create a sample JMeter test script:

+ <elementProp name="HTTPsampler.Arguments" elementType="Arguments" guiclass="HTTPArgumentsPanel" testclass="Arguments" testname="Sample web test" enabled="true">

+When you create a load test in Azure Load Testing, you specify a JMeter script to define the [load test plan](./how-to-create-manage-test.md#test-plan). An Azure Load Testing resource can contain multiple load tests.

+When you [create a quick test by using a URL](./quickstart-create-and-run-load-test.md), Azure Load Testing automatically generates the corresponding JMeter script.

+You can update the test configuration at any time, for example to upload a different JMX file. Choose your test in the list of tests, and then select **Edit**.

+When Azure Load Testing starts your load test, it will first deploy the JMeter script, and any other files onto test engine instances, and then start the load test.

+1. Notice the test run details, statistics, and client metrics in the Azure portal.

+ :::image type="content" source="./media/how-to-create-and-run-load-test-with-jmeter-script/test-run-aggregated-by-percentile.png" alt-text="Screenshot that shows the test run dashboard." :::

+ Use the run statistics and error information to identify performance and stability issues for your application under load.

+## Next steps

+You've created a cloud-based load test based on an existing JMeter test script. For Azure-hosted applications, you can also [monitor server-side metrics](./how-to-monitor-server-side-metrics.md) for further application insights.

+- Learn how to [export test results](./how-to-export-test-results.md).

+- Learn how to [parameterize a load test with environment variables](./how-to-parameterize-load-tests.md).

+- Learn how to [configure your test for high-scale load](./how-to-high-scale-load.md).

+You can deploy directly to the new compute target with your previous models and environments, or use the [scripts](https://aka.ms/moeonboard) (preview) provided by us to export the current services and then deploy to the new compute without affecting your existing services. If you regularly create and delete Azure Container Instances (ACI) web services, we strongly recommend the deploying directly and not using the scripts.

+1. Choose the PartnerID (formerly MPN ID) that you want to associate with the publisher.

+ - **Publisher location**: Select the PartnerID you want to use for this new user.

+You should create a unique GUID for each product and distribution channel. You can use a single GUID for a product's multiple distribution channels if you don't want reporting to be split. Reporting occurs by PartnerID and GUID.

+Ensure you have an active Microsoft Cloud Partner Program membership and are enrolled in the commercial marketplace in Partner Center.

+- Join the Microsoft Cloud Partner Program [at no cost](https://partner.microsoft.com/dashboard/account/v3/enrollment/introduction/partnership). As a partner, youΓÇÖll have access to exclusive resources, programs, tools, and connections to grow your business.

+1. To begin migrating, select the **Solutions** tab, which displays all the solutions associated to your PartnerIDs.

+- If you're new to Partner Center and don't have a Microsoft Cloud Partner Program account, continue to [Create a Partner Center account and enroll in the commercial marketplace](#create-a-partner-center-account-and-enroll-in-the-commercial-marketplace).

+- If you're already enrolled in the Microsoft Cloud Partner Program or a developer program, create an account directly from Partner Center. Go to [Use an existing Partner Center account to enroll in the commercial marketplace](#use-an-existing-partner-center-account-to-enroll-in-the-commercial-marketplace).

+As part of the commercial marketplace registration process, you need to agree to the terms and conditions in the [Microsoft Publisher Agreement](/legal/marketplace/msft-publisher-agreement). If youΓÇÖre new to Microsoft Partner Network, you also need to agree to the terms and conditions in the Microsoft Cloud Partner Program Agreement.

+- [Use an existing Microsoft Cloud Partner Program account](#use-an-existing-microsoft-cloud-partner-program-account) to create your account.

+#### Use an existing Microsoft Cloud Partner Program account

+When you use your existing Microsoft Cloud Partner Program account to enroll in the commercial marketplace program in Partner Center, we link your company's work email account domain to your new commercial marketplace account.

+1. Sign in to [Partner Center](https://go.microsoft.com/fwlink/?linkid=2165507) with your Microsoft Cloud Partner Program account.

+ Microsoft Cloud Partner Program detects your subscription and displays the **Publisher profile** pane.

+1. Select the PartnerID you want to link to your publisher account and enter your company name.

+If you need to get screenshots of these items in Azure Cloud Shell to use for debugging assistance, jump down to [Find Tenant, Object, and PartnerID association for debugging](#find-ids-for-debugging).

+## Find PartnerID

+This section describes how to find tenant, object, and PartnerID (formerly MPN ID) association for debugging purposes.

+To learn more about how the Microsoft Cloud Partner Program can help you grow your business, see [Go to market with Microsoft](https://partner.microsoft.com/reach-customers/gtm). Sign in to [Partner Center](https://go.microsoft.com/fwlink/?linkid=2165290) to create and configure your offer.

+The minimum requirement to publish in the online stores is an MPNID, so these benefits are available to all partners regardless of competency status or partner type. Every partner is empowered to grow your business through the commercial marketplace as a platform.

+- **MPN IDs**: Any PartnerIDs associated with your account

+- **CSP**: PartnerIDs associated with the CSP program for this account.

+Reporting is done by the partner value (Microsoft PartnerID) and the GUIDs. You can also track GUIDs at a more granular level aligning to each plan within your offer.

+The minimum requirement to publish in the online stores is an PartnerID, so these benefits are available to all partners regardless of competency status or partner type. Each partner is empowered to grow their business through the commercial marketplace as a platform.

+- If you're already enrolled in the Microsoft Cloud Partner Program or in a Partner Center developer program, see [Create an account using existing Microsoft Partner Center enrollments](/azure/marketplace/partner-center-portal/create-account#create-an-account-using-existing-microsoft-partner-center-enrollments) for information about how to create your account.

+Each offer type checks a set of required base eligibility criteria. This criteria may include publisher Microsoft Cloud Partner Program status, competencies held, competency levels, and so on.

+> For the commercial marketplace program, the Global admin, Business Contributor, Financial Contributor, and Marketer roles are not used. Assigning these roles to users has no effect. Only the Manager and Developer roles grant permissions to users.

+For more information about managing roles and permissions in other areas of Partner Center, such as Azure Active Directory (AD), Cloud Solution Provider (CSP), Control Panel Vendor (CPV), Guest users, or Microsoft Partner Network, see [Assign users roles and permissions in Partner Center](/partner-center/permissions-overview).

+ Title: Organize spaceborne geospatial data with STAC - Azure Orbital Analytics

+description: Create an implementation of SpatioTemporal Asset Catalog (STAC) creation to structure geospatial data.

+# Organize spaceborne geospatial data with SpatioTemporal Asset Catalog (STAC)

+This reference architecture shows an end-to-end implementation of [SpatioTemporal Asset Catalog (STAC)](https://stacspec.org) creation to structure geospatial data. In this document, we'll use the publicly available [National Agriculture Imagery Program (NAIP)](https://catalog.data.gov/dataset/national-agriculture-imagery-program-naip) data set using geospatial libraries on Azure. The architecture can be adapted to take data sets from other sources such as Satellite imagery providers, [Azure Orbital Ground Station (AOGS)](https://azure.microsoft.com/products/orbital/), or Bring Your Own Data (BYOD).

+The implementation consists of four stages: Data acquisition, Metadata generation, Cataloging, and Data discovery via [STAC FastAPI](https://github.com/stac-utils/stac-fastapi). This article also shows how to build STAC based on a new data source or on bring-your-own-data.

+An implementation of this architecture is available on [GitHub](https://github.com/Azure/Azure-Orbital-STAC).

+This article is intended for users with intermediate levels of skill in working with spaceborne geospatial data. Refer to the table in the [glossary](#glossary) for the definition of commonly used STAC terms. For more details visit the official [stacspec](https://stacspec.org/en) page.

+## Scenario details

+Spaceborne data collection is becoming increasingly common. There are various data providers of spatiotemporal assets such as Imagery, Synthetic Aperture Radar (SAR), Point Clouds, and so forth. Data providers don't have a standard way of providing users access to their spatiotemporal data. Users of spatiotemporal data are often burdened with building unique workflows for each different collection of data they want to consume. Developers are required to develop new tools and libraries to interact with the spatiotemporal data.

+The STAC community has defined a specification to remove these complexities and spur common tooling. The STAC specification is a common language to describe geospatial information, so it can more easily be worked with, indexed, and discovered. There are many deployed products that are built on top of STAC and one such is [Microsoft Planetary Computer](https://planetarycomputer.microsoft.com/docs/overview/about) providing a multi-petabyte STAC catalog of global environmental data for sustainability research.

+Our [sample solution](https://github.com/Azure/Azure-Orbital-STAC) uses open source tools such as STAC FastAPI, [pystac](https://github.com/stac-utils/pystac), [Microsoft Planetary Computer APIs](https://github.com/microsoft/planetary-computer-apis) and open standard geospatial libraries (listed in the [Components](#components) section) to run the solution on Azure.

+### Potential use cases

+STAC has become an industry standard to support how geospatial data should be structured and queried. It has been used in many production deployments for various use cases.

+Here are a couple of examples:

+- A satellite data provider company needs to make their data easy to discover and access. The provider builds STAC Catalogs to index all of its historic archive data sets and also the incoming refresh data on a daily basis. A web client UI is built on top of STAC APIs that allows users to browse the catalogs and search for their desired images based on the area of interest (AOI), date/time range, and other parameters.

+- A geospatial data analysis company needs to build a database of spaceborne data including imagery, Digital Elevation Model (DEM), and 3D types that it has acquired from various data sources. The database will serve its geographic information system (GIS) analysis solution to aggregate different data sets for machine learning model-based object detection analysis. To support a standard data access layer, the company decides to implement an open source compatible STAC API interface for the GIS analysis solution to interact with the database in a scalable and performing way.

+## Architecture

+Download a [Visio file](https://download.microsoft.com/download/5/6/4/564196b7-dd01-468a-af21-1da16489f298/stac_arch.vsdx) for this architecture.

+### Dataflow

+Download a [Visio file](https://download.microsoft.com/download/5/6/4/564196b7-dd01-468a-af21-1da16489f298/stac_data_flow.vsdx) for this dataflow.

+The following sections describe the four stages in the architecture.

+**Data acquisition**

+- Spaceborne data is provided by various data providers including [Airbus](https://oneatlas.airbus.com/home), [NAIP/USDA (via the Planetary Computer API)](https://planetarycomputer.microsoft.com/dataset/naip), and [Maxar](https://www.maxar.com).

+- In the sample solution we use the NAIP dataset provided by [Microsoft Planetary Computer](https://planetarycomputer.microsoft.com/docs/overview/about).

+**Metadata generation**

+- Data providers define the metadata describing provider, license terms, keywords, etc. This metadata forms the STAC Collection.

+- Data providers may provide metadata describing the geospatial assets. In our sample, we use metadata provided by [NAIP](https://www.usgs.gov/centers/eros/science/national-agriculture-imagery-program-naip-data-dictionary) & [FGDC](https://www.fgdc.gov/metadata). More metadata is extracted from the assets using standard geospatial libraries. This metadata forms the STAC Items.

+- This STAC Collection and Items are used to build the STAC Catalog that helps users discover the spatiotemporal assets using STAC APIs.

+**Cataloging**

+- STAC Catalog

+

+ - STAC Catalog is a top-level object that logically groups other Catalog, Collection, and Item Objects. As part of the deployment of this solution, we create a STAC Catalog under which all the collections and items are organized.

+- STAC Collection

+ - It's a related group of STAC Items that is made available by a data provider.

+ - Search queries for discovering the assets are scoped at the STAC Collection level.

+ - It's generated for a data provider, NAIP in this case and this JSON metadata is uploaded to an Azure Storage container.

+ - The upload of a [STAC Collection](https://stacspec.org/en/about/stac-spec/) metadata file triggers a message to Azure Service Bus.

+ - The processor processes this metadata on Azure Kubernetes Cluster and ingests to the STAC Catalog database (PostgreSQL database). There are different processors for different data providers and each processor subscribes to the respective Service Bus Topic.

+- STAC Item and asset

+ - An asset that is to be cataloged (raster data in the form of [GeoTiff](https://www.ogc.org/standards/geotiff), [Cloud Optimized GeoTiff](https://www.cogeo.org/) and so forth). Metadata describing the asset and the metadata extracted from the asset is uploaded to the Storage Account under the appropriate storage container.

+ - The asset(s) (GeoTiff) are then uploaded to the Storage Account under the appropriate storage container following the successful upload of their corresponding metadata.

+ - Each asset and its associated metadata uploaded to the Storage Account triggers a message to the Service Bus. This metadata forms the STAC Item in the catalog database.

+ - The processor processes this metadata on Azure Kubernetes Cluster and ingests to the STAC Catalog database (PostgreSQL database).

+**Data discovery**

+- STAC API is based on open source STAC FastAPI.

+- STAC API layer is implemented on Azure Kubernetes Service and the APIs are exposed using [API Management Service](https://azure.microsoft.com/products/api-management/).

+- STAC APIs are used to discover the geospatial data in your Catalog. These APIs are based on STAC specifications and understand the STAC metadata defined and indexed in the STAC Catalog database (PostgresSQL server).

+- Based on the search criteria, you can quickly locate your data from a large dataset.

+ - Querying the STAC Collection, Items & Assets:

+ - A query is submitted by a user to look up one or more STAC Collection, Items & Assets through the STAC FastAPI.

+ - STAC FastAPI queries the data in the PostgreSQL database to retrieve the STAC Collection, Items & references to Assets.

+ - The result is served back to the user by the STAC FastAPI.

+### Components

+The following Azure services are used in this architecture.

+- [Key Vault](/azure/key-vault/general/basic-concepts) stores and controls access to secrets such as tokens, passwords, and API keys. Key Vault also creates and controls encryption keys and manages security certificates.

+- [Service Bus](https://azure.microsoft.com/services/service-bus/) is part of a broader [Azure messaging](/azure/service-bus-messaging/service-bus-messaging-overview) infrastructure that supports queueing, publish/subscribe, and more advanced integration patterns.

+- [Azure Data Lake Storage](https://azure.microsoft.com/services/storage/data-lake-storage/) is dedicated to big data analytics, and is built on [Azure Blob Storage](https://azure.microsoft.com/services/storage/blobs).

+- [Azure Virtual Network](/azure/virtual-network/virtual-networks-overview) enables Azure resources to securely communicate with each other, the internet, and on-premises networks.

+- [Azure Database for PostgreSQL - Flexible Server](/azure/postgresql/flexible-server/overview) is a fully managed database service designed to provide more granular control and flexibility over database management functions and configuration settings. It has richer capabilities such as zone resilient high availability (HA), predictable performance, maximum control, custom maintenance window, cost optimization controls, and simplified developer experience suitable for your enterprise workloads.

+- [API Management Services](https://azure.microsoft.com/services/api-management/) offers a scalable, multicloud API management platform for securing, publishing and analyzing APIs.

+- [Azure Kubernetes Services](/azure/aks/intro-kubernetes) offers the quickest way to start developing and deploying cloud-native apps, with built-in code-to-cloud pipelines and guardrails.

+- [Container Registry](/azure/container-registry/container-registry-intro) to store and manage your container images and related artifacts.

+- [Virtual Machine](/azure/virtual-machines/overview) (VM) gives you the flexibility of virtualization for a wide range of computing solutions. In a fully secured deployment, a user connects to a VM via Azure Bastion (described in the next item below) to perform a range of operations like copying files to storage accounts, running Azure CLI commands, and interacting with other services.

+- [Azure Bastion](/azure/bastion/bastion-overview) enables you to securely and seamlessly RDP & SSH to your VMs in Azure virtual network, without the need of public IP on the VM, directly from the Azure portal, and without the need of any other client/agent or any piece of software.

+- [Application Insights](/azure/azure-monitor/app/app-insights-overview) provides extensible application performance management and monitoring for live web apps.

+- [Log Analytics](/azure/azure-monitor/logs/log-analytics-overview) is a tool to edit and run log queries from data collected by Azure Monitor logs and interactively analyze the results.

+The following Geospatial libraries are also used:

+- [GDAL](https://gdal.org/) is a library of tools for manipulating spaceborne data. GDAL works on raster and vector data types. It's a good tool to know if you're working with spaceborne data.

+- [Rasterio](https://rasterio.readthedocs.io/en/latest/intro.html) is a module for raster processing. You can use it to read and write several different raster formats in Python. Rasterio is based on GDAL. When the module is imported, Python automatically registers all known GDAL drivers for reading supported formats.

+- [Shapely](https://shapely.readthedocs.io/en/stable/manual.html#introduction) is a Python package for set-theoretic analysis and manipulation of planar features. It uses (via Python's ctypes module) functions from the widely deployed GEOS library.

+- [pyproj](https://pyproj4.github.io/pyproj/stable/examples.html) performs cartographic transformations. It converts from longitude and latitude to native map projection x, y coordinates, and vice versa, by using [PROJ](https://proj.org/).

+## Considerations

+- The sample solution demonstrates STAC's core JSON support that is needed to interact with any geospatial data collection. While STAC standardizes metadata fields, naming conventions, query language, and catalog structure, users should additionally consider [STAC Extensions](https://stac-extensions.github.io/) to support metadata fields specific to their Assets.

+- In the sample implementation, components that process the asset to extract metadata have a set number of replicas. Scaling this component allows you to process your assets faster. However, scaling isn't dynamic. If large number of assets to be cataloged, consider scaling these replicas.

+### Adding a new data source

+To catalog more data sources or to catalog your own data source, consider the following options.

+- Define the STAC Collection for your data source. Search queries are scoped at the STAC Collection level. Consider how the user will search STAC Items and Assets in your collection.

+- Generate the STAC Item metadata. More metadata may be derived from geospatial assets using standard tools and libraries. Define and implement the process to capture supplemental metadata for the assets that will be useful in making STAC items rich and in turn make discovery of data using APIs easier.

+- Once this metadata (in the form STAC Collection and STAC Items) is available for a data source, this sample solution can be used to build your STAC Catalog using the same flow. The data once cataloged will be queryable using standard STAC APIs.

+- The processor component of this architecture is extensible to include custom code that can be developed and run as containers in Azure Kubernetes Cluster. It's intended to provide a way for different representation of geospatial data to be cataloged as assets.

+### Security

+Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see [Overview of the security pillar](/azure/architecture/framework/security/overview).

+- Azure Kubernetes Service [Container Security](https://learn.microsoft.com/azure/aks/concepts-security) implementation ensures the processors are built and run as containers are secure.

+- API Management Service [Security baseline](https://learn.microsoft.com/azure/aks/concepts-security) provides recommendations on how to secure your cloud solutions on Azure.

+- [Azure Database for PostgreSQL Security](https://learn.microsoft.com/azure/postgresql/flexible-server/concepts-security) covers in-depth the security at multiple layers when data is stored in PostgreSQL Flexible Server including data at rest and data in transit scenarios.

+### Cost optimization

+Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see [Overview of the cost optimization pillar](https://learn.microsoft.com/azure/architecture/framework/cost/overview).

+As this solution is intended for learning and development, we have used minimal configuration for the Azure resources. This minimal configuration runs a sample solution on a sample dataset.

+Users can also adjust the configurations to meet their workload and scaling needs to be performant. For instance, you can swap Standard HDDs for Premium SSDs in your AKS cluster or scale API Management Services to premium SKUs.

+### Performance efficiency

+Performance efficiency is the ability of your workload to scale to meet the demands placed on it by users in an efficient manner. For more information, see [Performance efficiency pillar overview](/azure/architecture/framework/scalability/overview). Additionally, the following guidance can be useful in maximizing performance efficiency:

+- [Monitor and tune](/azure/postgresql/single-server/tutorial-monitor-and-tune) provides a way to monitor your data and tune your database to improvement performance.

+- [Performance tuning a distributing application](/azure/architecture/performance/) walks through a few different scenarios, how to identify key metrics and improve performance.

+- [Baseline architecture for an Azure Kubernetes Service (AKS) cluster](/azure/architecture/reference-architectures/containers/aks/baseline-aks) recommends baseline infrastructure architecture to deploy an Azure Kubernetes Service (AKS) cluster on Azure.

+- [Improve the performance of an API by adding a caching policy in Azure API Management](/training/modules/improve-api-performance-with-apim-caching-policy/) is a training module on improving performance through Caching Policy.

+## Deploy this scenario

+We built a [sample solution](https://github.com/Azure/Azure-Orbital-STAC) that can be deployed into your subscription. This solution enables users to validate the overall data flow from STAC metadata, ingestion to discovering the assets using standard STAC APIs. The deployment instructions and the validation steps are documented in the [README](https://github.com/Azure/Azure-Orbital-STAC/blob/main/deploy/README.md) file.

+At a high level, this deployment does the following:

+- Deploys various infrastructure components such as Azure Kubernetes Services, Azure PostgreSQL Server, Azure Key Vault, Azure Storage account, Azure Service Bus, and so forth, in the private network.

+- Deploys Azure API Management service and publishes the endpoint for STAC FastAPI.

+- Packages the code and its dependencies, builds the Docker container images, and pushes them to Azure Container Registry.

+ :::image type="content" source="media/stac-deploy.png" alt-text="Diagram of STAC deployment services." lightbox="media/stac-deploy.png":::

+Download a [Visio file](https://download.microsoft.com/download/5/6/4/564196b7-dd01-468a-af21-1da16489f298/stac_deploy.vsdx) for this implementation.

+## Next steps

+If you want to start building this, we have put together a [sample solution](https://github.com/Azure/Azure-Orbital-STAC) discussed briefly above. Below are some useful links to get started on STAC & model implementation.

+- [STAC Overview](https://github.com/radiantearth/stac-spec/blob/master/overview.md)

+- [STAC tutorial](https://stacspec.org/en/tutorials/)

+- [Microsoft Planetary Computer API](https://github.com/Microsoft/planetary-computer-apis)

+## Related resources

+- [Microsoft Planetary Computer](https://planetarycomputer.microsoft.com/docs/overview/about) lets users apply the power of the cloud to accelerate environmental sustainability and Earth science. Many of the Planetary Computer components are also open source.

+- [The STAC specification](https://stacspec.org/en)

+- [STAC FastAPI](https://stac-utils.github.io/stac-fastapi/)

+- [PySTAC](https://pystac.readthedocs.io/en/stable/)

+- [PgSTAC](https://stac-utils.github.io/pgstac/pgstac/)

+- [pyPgSTAC](https://stac-utils.github.io/pgstac/pypgstac/)

+- [NAIP](https://datagateway.nrcs.usda.gov/GDGHome_DirectDownLoad.aspx)

+- [FGDC](https://www.fgdc.gov/metadata)

+## Glossary

+|STAC term|Definition|

+|-||

+|Asset|Any file that represents spaceborne data captured in a certain space and time.|

+|STAC Specification|Allows you to describe the geospatial data so it can be easily indexed and discovered.|

+|STAC Item|The core atomic unit, representing a single spatiotemporal asset as a GeoJSON feature plus metadata like datetime and reference links.|

+|STAC Catalog|A simple, flexible JSON that provides a structure and organized the metadata like STAC items, collections and other catalogs.|

+|STAC Collection|Provides additional information such as the extents, license, keywords, providers, and so forth, that describe STAC Items within the Collection.|

+|STAC API|Provides a RESTful endpoint that enables search of STAC Items, specified in OpenAPI.|

+#### Verify replication privileges for Single server's admin user

+ Please run the following query to check if single server's admin user has replication privileges.

+```

+ SELECT usename, userepl FROM pg_catalog.pg_user;

+```

+ Verify that the **userpl** column for the single server's admin user has the value **true**. If it is set to **false**, please grant the replication privileges to the admin user by running the following query on the single server.

+ ```

+ ALTER ROLE <adminusername> WITH REPLICATION;

+```

+> | [Azure Kubernetes Fleet Manager RBAC Admin](#azure-kubernetes-fleet-manager-rbac-admin) | This role grants admin access - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. | 434fb43a-c01c-447e-9f67-c3ad923cfaba |

+> | [Azure Kubernetes Fleet Manager RBAC Cluster Admin](#azure-kubernetes-fleet-manager-rbac-cluster-admin) | Lets you manage all resources in the fleet manager cluster. | 18ab4d3d-a1bf-4477-8ad9-8359bc988f69 |

+> | [Azure Kubernetes Fleet Manager RBAC Reader](#azure-kubernetes-fleet-manager-rbac-reader) | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 30b27cfc-9c84-438e-b0ce-70e35255df80 |

+> | [Azure Kubernetes Fleet Manager RBAC Writer](#azure-kubernetes-fleet-manager-rbac-writer) | Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | 5af6afb3-c06c-4fa4-8848-71a8aee05683 |

+### Azure Kubernetes Fleet Manager RBAC Admin

+This role grants admin access - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/read | Get fleet |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/controllerrevisions/read | Reads controllerrevisions |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/daemonsets/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/deployments/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/statefulsets/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/autoscaling/horizontalpodautoscalers/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/cronjobs/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/jobs/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/configmaps/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/endpoints/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events.k8s.io/events/read | Reads events |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events/read | Reads events |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/daemonsets/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/deployments/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/ingresses/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/networkpolicies/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/limitranges/read | Reads limitranges |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/namespaces/read | Reads namespaces |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/ingresses/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/networkpolicies/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/persistentvolumeclaims/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/policy/poddisruptionbudgets/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/rbac.authorization.k8s.io/rolebindings/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/rbac.authorization.k8s.io/roles/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/resourcequotas/read | Reads resourcequotas |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/secrets/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/serviceaccounts/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/services/* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "This role grants admin access - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",

+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",

+ "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/subscriptions/operationresults/read",

+ "Microsoft.Resources/subscriptions/read",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.ContainerService/fleets/read",

+ "Microsoft.ContainerService/fleets/listCredentials/action"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",

+ "Microsoft.ContainerService/fleets/apps/daemonsets/*",

+ "Microsoft.ContainerService/fleets/apps/deployments/*",

+ "Microsoft.ContainerService/fleets/apps/statefulsets/*",

+ "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",

+ "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",

+ "Microsoft.ContainerService/fleets/batch/cronjobs/*",

+ "Microsoft.ContainerService/fleets/batch/jobs/*",

+ "Microsoft.ContainerService/fleets/configmaps/*",

+ "Microsoft.ContainerService/fleets/endpoints/*",

+ "Microsoft.ContainerService/fleets/events.k8s.io/events/read",

+ "Microsoft.ContainerService/fleets/events/read",

+ "Microsoft.ContainerService/fleets/extensions/daemonsets/*",

+ "Microsoft.ContainerService/fleets/extensions/deployments/*",

+ "Microsoft.ContainerService/fleets/extensions/ingresses/*",

+ "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",

+ "Microsoft.ContainerService/fleets/limitranges/read",

+ "Microsoft.ContainerService/fleets/namespaces/read",

+ "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",

+ "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",

+ "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",

+ "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",

+ "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",

+ "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",

+ "Microsoft.ContainerService/fleets/replicationcontrollers/*",

+ "Microsoft.ContainerService/fleets/replicationcontrollers/*",

+ "Microsoft.ContainerService/fleets/resourcequotas/read",

+ "Microsoft.ContainerService/fleets/secrets/*",

+ "Microsoft.ContainerService/fleets/serviceaccounts/*",

+ "Microsoft.ContainerService/fleets/services/*"

+ ],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+### Azure Kubernetes Fleet Manager RBAC Cluster Admin

+Lets you manage all resources in the fleet manager cluster.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/read | Get fleet |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Lets you manage all resources in the fleet manager cluster.",

+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",

+ "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/subscriptions/operationresults/read",

+ "Microsoft.Resources/subscriptions/read",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.ContainerService/fleets/read",

+ "Microsoft.ContainerService/fleets/listCredentials/action"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.ContainerService/fleets/*"

+ ],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+### Azure Kubernetes Fleet Manager RBAC Reader

+Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/read | Get fleet |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/controllerrevisions/read | Reads controllerrevisions |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/daemonsets/read | Reads daemonsets |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/deployments/read | Reads deployments |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/statefulsets/read | Reads statefulsets |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/cronjobs/read | Reads cronjobs |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/jobs/read | Reads jobs |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/configmaps/read | Reads configmaps |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/endpoints/read | Reads endpoints |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events.k8s.io/events/read | Reads events |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events/read | Reads events |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/daemonsets/read | Reads daemonsets |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/deployments/read | Reads deployments |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/ingresses/read | Reads ingresses |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/networkpolicies/read | Reads networkpolicies |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/limitranges/read | Reads limitranges |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/namespaces/read | Reads namespaces |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/ingresses/read | Reads ingresses |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/read | Reads replicationcontrollers |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/read | Reads replicationcontrollers |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/resourcequotas/read | Reads resourcequotas |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/serviceaccounts/read | Reads serviceaccounts |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/services/read | Reads services |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",

+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",

+ "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/subscriptions/operationresults/read",

+ "Microsoft.Resources/subscriptions/read",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.ContainerService/fleets/read",

+ "Microsoft.ContainerService/fleets/listCredentials/action"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",

+ "Microsoft.ContainerService/fleets/apps/daemonsets/read",

+ "Microsoft.ContainerService/fleets/apps/deployments/read",

+ "Microsoft.ContainerService/fleets/apps/statefulsets/read",

+ "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",

+ "Microsoft.ContainerService/fleets/batch/cronjobs/read",

+ "Microsoft.ContainerService/fleets/batch/jobs/read",

+ "Microsoft.ContainerService/fleets/configmaps/read",

+ "Microsoft.ContainerService/fleets/endpoints/read",

+ "Microsoft.ContainerService/fleets/events.k8s.io/events/read",

+ "Microsoft.ContainerService/fleets/events/read",

+ "Microsoft.ContainerService/fleets/extensions/daemonsets/read",

+ "Microsoft.ContainerService/fleets/extensions/deployments/read",

+ "Microsoft.ContainerService/fleets/extensions/ingresses/read",

+ "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",

+ "Microsoft.ContainerService/fleets/limitranges/read",

+ "Microsoft.ContainerService/fleets/namespaces/read",

+ "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",

+ "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",

+ "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",

+ "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",

+ "Microsoft.ContainerService/fleets/replicationcontrollers/read",

+ "Microsoft.ContainerService/fleets/replicationcontrollers/read",

+ "Microsoft.ContainerService/fleets/resourcequotas/read",

+ "Microsoft.ContainerService/fleets/serviceaccounts/read",

+ "Microsoft.ContainerService/fleets/services/read"

+ ],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+### Azure Kubernetes Fleet Manager RBAC Writer

+Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.

+> [!div class="mx-tableFixed"]

+> | Actions | Description |

+> | | |

+> | [Microsoft.Authorization](resource-provider-operations.md#microsoftauthorization)/*/read | Read roles and role assignments |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/operationresults/read | Get the subscription operation results. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/read | Gets the list of subscriptions. |

+> | [Microsoft.Resources](resource-provider-operations.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/read | Get fleet |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/listCredentials/action | List fleet credentials |

+> | **NotActions** | |

+> | *none* | |

+> | **DataActions** | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/controllerrevisions/read | Reads controllerrevisions |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/daemonsets/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/deployments/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/apps/statefulsets/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/autoscaling/horizontalpodautoscalers/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/cronjobs/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/batch/jobs/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/configmaps/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/endpoints/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events.k8s.io/events/read | Reads events |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/events/read | Reads events |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/daemonsets/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/deployments/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/ingresses/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/extensions/networkpolicies/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/limitranges/read | Reads limitranges |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/namespaces/read | Reads namespaces |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/ingresses/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/networking.k8s.io/networkpolicies/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/persistentvolumeclaims/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/policy/poddisruptionbudgets/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/replicationcontrollers/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/resourcequotas/read | Reads resourcequotas |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/secrets/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/serviceaccounts/* | |

+> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/fleets/services/* | |

+> | **NotDataActions** | |

+> | *none* | |

+```json

+{

+ "assignableScopes": [

+ "/"

+ ],

+ "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",

+ "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",

+ "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",

+ "permissions": [

+ {

+ "actions": [

+ "Microsoft.Authorization/*/read",

+ "Microsoft.Resources/subscriptions/operationresults/read",

+ "Microsoft.Resources/subscriptions/read",

+ "Microsoft.Resources/subscriptions/resourceGroups/read",

+ "Microsoft.ContainerService/fleets/read",

+ "Microsoft.ContainerService/fleets/listCredentials/action"

+ ],

+ "notActions": [],

+ "dataActions": [

+ "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",

+ "Microsoft.ContainerService/fleets/apps/daemonsets/*",

+ "Microsoft.ContainerService/fleets/apps/deployments/*",

+ "Microsoft.ContainerService/fleets/apps/statefulsets/*",

+ "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",

+ "Microsoft.ContainerService/fleets/batch/cronjobs/*",

+ "Microsoft.ContainerService/fleets/batch/jobs/*",

+ "Microsoft.ContainerService/fleets/configmaps/*",

+ "Microsoft.ContainerService/fleets/endpoints/*",

+ "Microsoft.ContainerService/fleets/events.k8s.io/events/read",

+ "Microsoft.ContainerService/fleets/events/read",

+ "Microsoft.ContainerService/fleets/extensions/daemonsets/*",

+ "Microsoft.ContainerService/fleets/extensions/deployments/*",

+ "Microsoft.ContainerService/fleets/extensions/ingresses/*",

+ "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",

+ "Microsoft.ContainerService/fleets/limitranges/read",

+ "Microsoft.ContainerService/fleets/namespaces/read",

+ "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",

+ "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",

+ "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",

+ "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",

+ "Microsoft.ContainerService/fleets/replicationcontrollers/*",

+ "Microsoft.ContainerService/fleets/replicationcontrollers/*",

+ "Microsoft.ContainerService/fleets/resourcequotas/read",

+ "Microsoft.ContainerService/fleets/secrets/*",

+ "Microsoft.ContainerService/fleets/serviceaccounts/*",

+ "Microsoft.ContainerService/fleets/services/*"

+ ],

+ "notDataActions": []

+ }

+ ],

+ "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",

+ "roleType": "BuiltInRole",

+ "type": "Microsoft.Authorization/roleDefinitions"

+}

+```

+ Title: Understand Azure role assignments - Azure RBAC

+description: Learn about Azure role assignments in Azure role-based access control (Azure RBAC) for fine-grained access management of Azure resources.

+documentationcenter: ''

+# Understand Azure role assignments

+Role assignments enable you to grant a principal (such as a user, a group, a managed identity, or a service principal) access to a specific Azure resource. This article describes the details of role assignments.

+## Role assignment

+Access to Azure resources is granted by creating a role assignment, and access is revoked by removing a role assignment.

+A role assignment has several components, including:

+- The *principal*, or *who* is assigned the role.

+- The *role* that they're assigned.

+- The *scope* at which the role is assigned.

+- The *name* of the role assignment, and a *description* that helps you to explain why the role has been assigned.

+For example, you can use Azure RBAC to assign roles like:

+- User Sally has owner access to the storage account *contoso123* in the resource group *ContosoStorage*.

+- Everybody in the Cloud Administrators group in Azure Active Directory has reader access to all resources in the resource group *ContosoStorage*.

+- The managed identity associated with an application is allowed to restart virtual machines within Contoso's subscription.

+The following shows an example of the properties in a role assignment when displayed using [Azure PowerShell](role-assignments-list-powershell.md):

+```json

+{

+ "RoleAssignmentName": "00000000-0000-0000-0000-000000000000",

+ "RoleAssignmentId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000",

+ "Scope": "/subscriptions/11111111-1111-1111-1111-111111111111",

+ "DisplayName": "User Name",

+ "SignInName": "user@contoso.com",

+ "RoleDefinitionName": "Contributor",

+ "RoleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",

+ "ObjectId": "22222222-2222-2222-2222-222222222222",

+ "ObjectType": "User",

+ "CanDelegate": false,

+ "Description": null,

+ "ConditionVersion": null,

+ "Condition": null

+}

+```

+The following shows an example of the properties in a role assignment when displayed using the [Azure CLI](role-assignments-list-cli.md), or the [REST API](role-assignments-list-rest.md):

+```json

+{

+ "canDelegate": null,

+ "condition": null,

+ "conditionVersion": null,

+ "description": null,

+ "id": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000",

+ "name": "00000000-0000-0000-0000-000000000000",

+ "principalId": "22222222-2222-2222-2222-222222222222",

+ "principalName": "user@contoso.com",

+ "principalType": "User",

+ "roleDefinitionId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",

+ "roleDefinitionName": "Contributor",

+ "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",

+ "type": "Microsoft.Authorization/roleAssignments"

+}

+```

+The following table describes what the role assignment properties mean.

+| Property | Description |

+| | |

+| `RoleAssignmentName`<br />`name` | The name of the role assignment, which is a globally unique identifier (GUID). |

+| `RoleAssignmentId`<br />`id` | The unique ID of the role assignment, which includes the name. |

+| `Scope`<br />`scope` | The Azure resource identifier that the role assignment is scoped to. |

+| `RoleDefinitionId`<br />`roleDefinitionId` | The unique ID of the role. |

+| `RoleDefinitionName`<br />`roleDefinitionName` | The name of the role. |

+| `ObjectId`<br />`principalId` | The Azure Active Directory (Azure AD) object identifier for the principal who has the role assigned. |

+| `ObjectType`<br />`principalType` | The type of Azure AD object that the principal represents. Valid values include `User`, `Group`, and `ServicePrincipal`. |

+| `DisplayName` | For role assignments for users, the display name of the user. |

+| `SignInName`<br />`principalName` | The unique principal name (UPN) of the user, or the name of the application associated with the service principal. |

+| `Description`<br />`description` | The description of the role assignment. |

+| `Condition`<br />`condition` | Condition statement built using one or more actions from role definition and attributes. |

+| `ConditionVersion`<br />`conditionVersion` | The condition version number. Defaults to 2.0 and is the only supported version. |

+| `CanDelegate`<br />`canDelegate` | Not implemented. |

+## Scope

+When you create a role assignment, you need to specify the scope at which it's applied. The scope represents the resource, or set of resources, that the principal is allowed to access. You can scope a role assignment to a single resource, a resource group, a subscription, or a management group.

+> [!TIP]

+> Use the smallest scope that you need to meet your requirements.

+>

+> For example, if you need to grant a managed identity access to a single storage account, it's good security practice to create the role assignment at the scope of the storage account, not at the resource group or subscription scope.

+For more information about scope, see [Understand scope](scope-overview.md).

+## Role to assign

+A role assignment is associated with a role definition. The role definition specifies the permissions that the principal should have within the role assignment's scope.

+You can assign a built-in role definition or a custom role definition. When you create a role assignment, some tooling requires that you use the role definition ID while other tooling allows you to provide the name of the role.

+For more information about role definitions, see [Understand role definitions](role-definitions.md).

+## Principal

+Principals include users, security groups, managed identities, workload identities, and service principals. Principals are created and managed in your Azure Active Directory (Azure AD) tenant. You can assign a role to any principal. Use the Azure AD *object ID* to identify the principal that you want to assign the role to.

+When you create a role assignment by using Azure PowerShell, the Azure CLI, Bicep, or another infrastructure as code (IaC) technology, you specify the *principal type*. Principal types include *User*, *Group*, and *ServicePrincipal*. It's important to specify the correct principal type. Otherwise, you might get intermittent deployment errors, especially when you work with service principals and managed identities.

+## Name

+A role assignment's resource name must be a globally unique identifier (GUID).

+Role assignment resource names must be unique within the Azure Active Directory tenant, even if the scope of the role assignment is narrower.

+> [!TIP]

+> When you create a role assignment by using the Azure portal, Azure PowerShell, or the Azure CLI, the creation process gives the role assignment a unique name for you automatically.

+>

+> If you create a role assignment by using Bicep or another infrastructure as code (IaC) technology, you need to carefully plan how you name your role assignments. For more information, see [Create Azure RBAC resources by using Bicep](../azure-resource-manager/bicep/scenarios-rbac.md).

+### Resource deletion behavior

+When you delete a user, group, service principal, or managed identity from Azure AD, it's a good practice to delete any role assignments. They aren't deleted automatically. Any role assignments that refer to a deleted principal ID become invalid.

+If you try to reuse a role assignment's name for another role assignment, the deployment will fail. This issue is more likely to occur when you use Bicep or an Azure Resource Manager template (ARM template) to deploy your role assignments, because you have to explicitly set the role assignment name when you use these tools. To work around this behavior, you should either remove the old role assignment before you recreate it, or ensure that you use a unique name when you deploy a new role assignment.

+## Description

+You can add a text description to a role assignment. While descriptions are optional, it's a good practice to add them to your role assignments. Provide a short justification for why the principal needs the assigned role. When somebody audits the role assignments, descriptions can help to understand why they've been created and whether they're still applicable.

+## Conditions

+Some roles support *role assignment conditions* based on attributes in the context of specific actions. A role assignment condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control.

+For example, you can add a condition that requires an object to have a specific tag for the user to read the object.

+You typically build conditions using a visual condition editor, but here's what an example condition looks like in code:

+```

+((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEqualsIgnoreCase 'Cascade'))

+```

+The preceding condition allows users to read blobs with a blob index tag key of *Project* and a value of *Cascade*.

+For more information about conditions, see [What is Azure attribute-based access control (Azure ABAC)?](conditions-overview.md)

+## Next steps

+* [Understand role definitions](role-definitions.md)

+* [Understand role assignments](role-assignments.md)

+When you try to deploy a Bicep file or ARM template that assigns a role to a service principal you get the error:

+For example, if you create a role assignment for a managed identity, then you delete the managed identity and recreate it, the new managed identity has a different principal ID. If you try to deploy the role assignment again and use the same role assignment name, the deployment fails.

+Role assignments are uniquely identified by their name, which is a globally unique identifier (GUID). You can't create two role assignments with the same name, even in different Azure subscriptions. You also can't change the properties of an existing role assignment.

+Provide an idempotent unique value for the role assignment `name`. It's a good practice to create a GUID that uses the scope, principal ID, and role ID together. It's a good idea to use the `guid()` function to help you to create a deterministic GUID for your role assignment names, like in this example:

+# [Bicep](#tab/bicep)

+```bicep

+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {

+ name: guid(resourceGroup().id, principalId, roleDefinitionId)

+ properties: {

+ roleDefinitionId: roleDefinitionId

+ principalId: principalId

+ principalType: principalType

+ }

+}

+# [ARM template](#tab/armtemplate)

+```json

+ "type": "Microsoft.Authorization/roleAssignments",

+ "apiVersion": "2020-10-01-preview",

+ "name": "[guid(resourceGroup().id, variables('principalId'), variables('roleDefinitionId'))]",

+ "properties": {

+ "roleDefinitionId": "[variables('roleDefinitionId')]",

+ "principalId": "[variables('principalId')]",

+ "principalType": "[variables('principalType')]"

+ }

+For more information, see [Create Azure RBAC resources by using Bicep](../azure-resource-manager/bicep/scenarios-rbac.md).

+```json

+> [!NOTE]

+> For a guided migration process, join the Microsoft Sentinel Migration and Modernization Program. The program allows you to simplify and accelerate the migration, including best practice guidance, resources, and expert help at every stage. To learn more, reach out to your account team.

+> [Track your migration with a workbook](migration-track.md)

+ Title: Configure SAP audit log monitoring rules with Microsoft Sentinel

+description: Monitor the SAP audit logs using Microsoft Sentinel built-in analytics rules, to easily manage your SAP logs, reducing noise with no compromise to security value.

+#Customer.intent: As a security operator, I want to monitor the SAP audit logs and easily manage the logs, so I can reduce noise without compromising security value.

+# Configure SAP audit log monitoring rules

+The SAP audit log records audit and security actions on SAP systems, like failed sign-in attempts or other suspicious actions. This article describes how to monitor the SAP audit log using Microsoft Sentinel built-in analytics rules.

+With these rules, you can monitor all audit log events, or get alerts only when anomalies are detected. This way, you can better manage your SAP logs, reducing noise with no compromise to your security value.

+You use two analytics rules to monitor and analyze your SAP audit log data:

+- **SAP - Dynamic Deterministic Audit Log Monitor (PREVIEW)**. Alerts on any SAP audit log events with minimal configuration. You can configure the rule for an even lower false-positive rate. [Learn how to configure the rule](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-for-sap-news-dynamic-sap-security-audit-log/ba-p/3326842).

+- **SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW)**. Alerts on SAP audit log events when anomalies are detected, using machine learning capabilities and with no coding required. [Learn how to configure the rule](#set-up-the-sapdynamic-anomaly-based-audit-log-monitor-alerts-preview-rule-for-anomaly-detection).

+The two [SAP Audit log monitor rules](sap-solution-security-content.md#built-in-sap-analytics-rules-for-monitoring-the-sap-audit-log) are delivered as ready to run out of the box, and allow for further fine tuning using the [SAP_Dynamic_Audit_Log_Monitor_Configuration and SAP_User_Config watchlists](sap-solution-security-content.md#available-watchlists).

+## Anomaly detection

+

+When trying to identify security events in a diverse activity log like the SAP audit log, you need to balance the configuration effort, and the amount of noise the alerts produce.

+With the SAP audit log module in the Sentinel for SAP solution, you can choose:

+- Which events you want to look at deterministically, using customized, predefined thresholds and filters.

+- Which events you want to leave out, so the machine can learn the parameters on its own.

+Once you mark an SAP audit log event type for anomaly detection, the alerting engine checks the events recently streamed from the SAP audit log. The engine checks if the events seem normal, considering the history it has learned.

+Microsoft Sentinel checks an event or group of events for anomalies. It tries to match the event or group of events with previously seen activities of the same kind, at the user and system levels. The algorithm learns the network characteristics of the user at the subnet mask level, and according to seasonality.

+With this ability, you can look for anomalies in previously quieted event types, such as user sign-in events. For example, if the user JohnDoe signs in hundreds of times an hour, you can now let Microsoft Sentinel decide if behavior is suspicious. Is this John from accounting, repeatedly refreshing a financial dashboard with multiple data source, or a DDoS attack forming up?

+## Set up the SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW) rule for anomaly detection

+If your SAP audit log data isn't already streaming data into the Microsoft Sentinel workspace, learn how to [deploy the solution](deployment-overview.md).

+1. From the Microsoft Sentinel navigation menu, under **Content management**, select **Content hub (Preview)**.

+1. Check if your **Continuous threat monitoring for SAP** application has updates.

+1. From the navigation menu, under **Analytics**, enable these 3 audit log alerts:

+ - **SAP - Dynamic Deterministic Audit Log Monitor**. Runs every 10 minutes and focuses on the SAP audit log events marked as **Deterministic**.

+ - **SAP - (Preview) Dynamic Anomaly based Audit Log Monitor Alerts**. Runs hourly and focuses on SAP events marked as **AnomaliesOnly**.

+ - **SAP - Missing configuration in the Dynamic Security Audit Log Monitor**. Runs daily to provide configuration recommendations for the SAP audit log module.

+Microsoft Sentinel now scans the entire SAP audit log at regular intervals, for deterministic security events and anomalies. You can view the incidents this log generates in the **Incidents** page.

+As with every machine learning solution, it will perform better with time. Anomaly detection works best using an SAP audit log history of seven days or more.

+### Configure event types with the SAP_Dynamic_Audit_Log_Monitor_Configuration watchlist

+You can further configure event types that produce too many incidents using the [SAP_Dynamic_Audit_Log_Monitor_Configuration](sap-solution-security-content.md#available-watchlists) watchlist. Here are a few options for reducing incidents.

+|Option |Description |

+|||

+|Set severities and disable unwanted events |By default, both the deterministic rules and the rules based on anomalies create alerts for events marked with medium and high severities. You can set these severities specifically for production and non-production environments. For example, you can set a debugging activity event as high severity in production systems, and disable those events in non-production systems. |

+|Exclude users by their SAP roles or SAP profiles |Microsoft Sentinel for SAP ingests the SAP userΓÇÖs authorization profile, including direct and indirect role assignments, groups and profiles, so that you can speak the SAP language in your SIEM.<br><br>You can configure an SAP event to exclude users based on their SAP roles and profiles. In the watchlist, add the roles or profiles that group your RFC interface users in the **RolesTagsToExclude** column, next to the **Generic table access by RFC** event. From now on, youΓÇÖll get alerts only for users that are missing these roles. |

+|Exclude users by their SOC tags |With tags, you can come up with your own grouping, without relying on complicated SAP definitions or even without SAP authorization. This method is useful for SOC teams that want to create their own grouping for SAP users.<br><br>Conceptually, excluding users by tags works like name tags: you can set multiple events in the configuration with multiple tags. You donΓÇÖt get alerts for a user with a tag associated with a specific event. For example, you donΓÇÖt want specific service accounts to be alerted for **Generic table access by RFC** events, but canΓÇÖt find an SAP role or an SAP profile that groups these users. In this case, you can add the **GenTableRFCReadOK** tag next to the relevant event in the watchlist, and then go to the **SAP_User_Config** watchlist and assign the interface users the same tag. |

+|Specify a frequency threshold per event type and system role |Works like a speed limit. For example, you can decide that the noisy **User Master Record Change** events only trigger alerts if more than 12 activities are observed in an hour, by the same user in a production system. If a user exceeds the 12 per hour limitΓÇöfor example, 2 events in a 10-minute windowΓÇöan incident is triggered. |

+|Determinism or anomalies |If you know the eventΓÇÖs characteristics, you can use the deterministic capabilities. If you aren't sure how to correctly configure the event, the machine learning capabilities can decide. |

+|SOAR capabilities |You can use Microsoft Sentinel to further orchestrate, automate and respond to incidents that can be applied to the SAP audit log dynamic alerts. Learn about [Security Orchestration, Automation, and Response (SOAR)](../automation.md). |

+

+

+

+

+

+| **7. Optional steps** | - [Configure auditing](configure-audit.md)<br>- [Configure Microsoft Sentinel for SAP data connector to use SNC](configure-snc.md)<br>- [Configure audit log monitoring rules](configure-audit-log-rules.md)

+8. The SAP audit log monitoring analytics rules

+The **SAPAuditLogConfigRecommend** is a helper function designed to offer recommendations for the configuration of the [SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW)](sap-solution-security-content.md#sapdynamic-anomaly-based-audit-log-monitor-alerts-preview) analytics rule. Learn how to [configure the rules](configure-audit-log-rules.md).

+Both SAP audit log monitoring analytics rules share the same data sources and the same configuration but differ in one critical aspect. While the ΓÇ£SAP - Dynamic Deterministic Audit Log MonitorΓÇ¥ requires deterministic alert thresholds and user exclusion rules, the ΓÇ£SAP - Dynamic Anomaly-based Audit Log Monitor Alerts (PREVIEW)ΓÇ¥ applies additional machine learning algorithms to filter out background noise in an unsupervised manner. For this reason, by default, most event types (or SAP message IDs) of the SAP audit log are being sent to the "Anomaly based" analytics rule, while the easier to define event types are sent to the deterministic analytics rule. This setting, along with other related settings, can be further configured to suit any system conditions.

+- [Configure the rule with the SAP_Dynamic_Audit_Log_Monitor_Configuration watchlist](#available-watchlists)

+- Learn more about how to [configure the rule](configure-audit-log-rules.md#set-up-the-sapdynamic-anomaly-based-audit-log-monitor-alerts-preview-rule-for-anomaly-detection) (full procedure)

+Learn more:

+- [Configure the rule with the SAP_Dynamic_Audit_Log_Monitor_Configuration and SAP_User_Config watchlists](#available-watchlists)

+- Learn more about how to [configure the rule](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-for-sap-news-dynamic-sap-security-audit-log/ba-p/3326842#feedback-success) (full procedure)

+| <a name="objects"></a>**SAP_Dynamic_Audit_Log_Monitor_Configuration** | Configure the SAP audit log alerts by assigning each message ID a severity level as required by you, per system role (production, non-production). This watchlist details all available SAP standard audit log message IDs. The watchlist can be extended to contain additional message IDs you might create on your own using ABAP enhancements on their SAP NetWeaver systems. This watchlist also allows for configuring a designated team to handle each of the event types, and excluding users by SAP roles, SAP profiles or by tags from the **SAP_User_Config** watchlist. This watchlist is one of the core components used for [configuring](configure-audit-log-rules.md) the [built-in SAP analytics rules for monitoring the SAP audit log](#built-in-sap-analytics-rules-for-monitoring-the-sap-audit-log). <br><br>- **MessageID**: The SAP Message ID, or event type, such as `AUD` (User master record changes), or `AUB` (authorization changes). <br>- **DetailedDescription**: A markdown enabled description to be shown on the incident pane. <br>- **ProductionSeverity**: The desired severity for the incident to be created with for production systems `High`, `Medium`. Can be set as `Disabled`. <br>- **NonProdSeverity**: The desired severity for the incident to be created with for non-production systems `High`, `Medium`. Can be set as `Disabled`. <br>- **ProductionThreshold** The "Per hour" count of events to be considered as suspicious for production systems `60`. <br>- **NonProdThreshold** The "Per hour" count of events to be considered as suspicious for non-production systems `10`. <br>- **RolesTagsToExclude**: This field accepts SAP role name, SAP profile names or tags from the SAP_User_Config watchlist. These are then used to exclude the associated users from specific event types. See options for role tags at the end of this list. <br>- **RuleType**: Use `Deterministic` for the event type to be sent off to the [SAP - Dynamic Deterministic Audit Log Monitor](#sapdynamic-deterministic-audit-log-monitor), or `AnomaliesOnly` to have this event covered by the [SAP - Dynamic Anomaly based Audit Log Monitor Alerts (PREVIEW)](#sapdynamic-anomaly-based-audit-log-monitor-alerts-preview).<br><br>For the **RolesTagsToExclude** field:<br>- If you list SAP roles or [SAP profiles](sap-solution-deploy-alternate.md#configuring-user-master-data-collection), this excludes any user with the listed roles or profiles from these event types for the same SAP system. For example, if you define the `BASIC_BO_USERS` ABAP role for the RFC related event types, Business Objects users won't trigger incidents when making massive RFC calls.<br>- Tagging an event type is similar to specifying SAP roles or profiles, but tags can be created in the workspace, so SOC teams can exclude users by activity without depending on the SAP team. For example, the audit message IDs AUB (authorization changes) and AUD (user master record changes) are assigned the `MassiveAuthChanges` tag. Users assigned this tag are excluded from the checks for these activities. Running the workspace `SAPAuditLogConfigRecommend` function produces a list of recommended tags to be assigned to users, such as `Add the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV using the SAP_User_Config watchlist`.

+| <a name="objects"></a>**SAP_User_Config** | Allows for fine tuning alerts by excluding /including users in specific contexts and is also used for [configuring](configure-audit-log-rules.md) the [built-in SAP analytics rules for monitoring the SAP audit log](#built-in-sap-analytics-rules-for-monitoring-the-sap-audit-log). <br><br> - **SAPUser**: The SAP user <br> - **Tags**: Tags are used to identify users against certain activity. For example Adding the tags ["GenericTablebyRFCOK"] to user SENTINEL_SRV will prevent RFC related incidents to be created for this specific user <br>**Other active directory user identifiers** <br>- AD User Identifier <br>- User On-Premises Sid <br>- User Principal Name |

+## October 2022

+### Out of the box anomaly detection on the SAP audit log (Preview)

+The SAP audit log records audit and security events on SAP systems, like failed sign-in attempts or other over 200 security related actions. Customers monitor the SAP audit log and generate alerts and incidents out of the box using Microsoft Sentinel built-in analytics rules.

+The Microsoft Sentinel for SAP solution now includes the [**SAP - Dynamic Anomaly Detection analytics** rule](https://aka.ms/Sentinel4sapDynamicAnomalyAuditRuleBlog), adding an out of the box capability to identify suspicious anomalies across the SAP audit log events.

+Now, together with the existing ability to identify threats deterministically based on predefined patterns and thresholds, customers can easily identify suspicious anomalies in the SAP security log, out of the box, with no coding required.

+You can fine-tune the new capability by editing the [SAP_Dynamic_Audit_Log_Monitor_Configuration and SAP_User_Config watchlists](sap-solution-security-content.md#available-watchlists).

+Learn more:

+- [Learn about the new feature (blog)](https://aka.ms/Sentinel4sapDynamicAnomalyAuditRuleBlog)

+- [Use the new rule for anomaly detection](sap/configure-audit-log-rules.md#anomaly-detection)

+ Title: Customize the ingress configuration in Azure Spring Apps

+description: Learn how to customize the ingress configuration in Azure Spring Apps.

+This article shows you how to set and update an application's ingress settings in Azure Spring Apps by using the Azure portal and Azure CLI.

+The Azure Spring Apps service uses an underlying ingress controller to handle application traffic management. The following ingress settings are supported for customization.

+| Name | Ingress setting | Default value | Valid range | Description |

+|-|||-|--|

+| `ingress-read-timeout` | `proxy-read-timeout` | 300 | \[1,1800\] | The timeout in seconds for reading a response from a proxied server. |

+| `ingress-send-timeout` | `proxy-send-timeout` | 60 | \[1,1800\] | The timeout in seconds for transmitting a request to the proxied server. |

+| `session-affinity` | `affinity` | None | Session, None | The type of the affinity that will make the request come to the same pod replica that was responding to the previous request. Set `session-affinity` to Cookie to enable session affinity. In the portal only, you must choose the enable session affinity box. |

+| `session-max-age` | `session-cookie-max-age` | 0 | \[0,7 days\] | The time in seconds until the cookie expires, corresponding to the `Max-Age` cookie directive. If you set `session-max-age` to 0, the expiration period is equal to the browser session period. |

+| `backend-protocol` | `backend-protocol` | Default | DefaultGRPC | Sets the backend protocol to indicate how NGINX should communicate with the backend service. Default means HTTP/HTTPS/WebSocket. The `backend-protocol` setting only applies to client-to-app traffic. For app-to-app traffic within the same service instance, choose any protocol for app-to-app traffic without modifying the `backend-protocol` setting. The protocol doesn't restrict your choice of protocol for app-to-app traffic within the same service instance. |

+- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension. Use the following command to remove previous versions and install the latest extension. If you previously installed the spring-cloud extension, uninstall it to avoid configuration and version mismatches.

+## Set the ingress configuration

+Use the following Azure CLI command to set the ingress configuration when you create.

+az spring app create \

+ --service <service-name> \

+ --ingress-read-timeout 300 \

+ --ingress-send-timeout 60 \

+ --session-affinity Cookie \

+ --session-max-age 1800 \

+ --backend-protocol Default \

+This command creates an app with the following settings:

+- Ingress read timeout: 300 seconds

+- Ingress send timeout: 60 seconds

+- Session affinity: Cookie

+- Session cookie max age: 1800 seconds

+- Backend protocol: Default

+## Update the ingress settings for an existing app

+Use the following steps to update the ingress settings for an application hosted by an existing service instance.

+1. Navigate to the **Apps** pane, and then select the app you want to configure.

+1. Navigate to the **Configuration** pane, and then select the **Ingress settings** tab.

+1. Update the ingress settings, and then select **Save**.

+ :::image type="content" source="media/how-to-configure-ingress/ingress-settings.jpg" lightbox="media/how-to-configure-ingress/ingress-settings.jpg" alt-text="Screenshot of Azure portal Configuration page showing the Ingress settings tab.":::

+Use the following command to update the ingress settings for an existing app.

+az spring app update \

+ --service <service-name> \

+ --ingress-read-timeout 600 \

+ --ingress-send-timeout 600 \

+ --session-affinity None \

+ --session-max-age 0 \

+ --backend-protocol GRPC \

+This command updates the app with the following settings:

+- Ingress read timeout: 600 seconds

+- Ingress send timeout: 600 seconds

+- Session affinity: None

+- Session cookie max age: 0

+- Backend protocol: GRPC

+## FAQ

+- How do you enable gRPC?

+ Set the backend protocol to *GRPC*.

+- How do you enable WebSocket?

+ WebSocket is enabled by default if you set the backend protocol to *Default*. The WebSocket connection limit is 20000. When you reach that limit, the connection will fail.

+ You can also use RSocket based on WebSocket.

+- What is the difference between ingress config and ingress settings?

+ Ingress config can still be used in the Azure CLI and SDK, and that setting will apply to all apps within the service instance. Once an app has been configured by ingress settings, the Ingress config won't affect it. We don't recommend that new scripts use ingress config since we plan to stop supporting it in the future.

+- When ingress settings are used together with App Gateway/APIM, what happens when you set the timeout in both Azure Spring Apps ingress and the App Gateway/APIM?

+ The shorter timeout is used.

+- Do you need extra config in App Gateway/APIM if you need to have end-to-end support for gRPC or WebSocket?

+ You don't need extra config as long as the App Gateway supports gRPC.

+- Is configurable port supported?

+ Configurable port isn't currently supported (80/443).

+- [Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers)

+- [NGINX ingress controller](https://kubernetes.github.io/ingress-nginx)

+ Title: How to use the BlobFuse2 mount command to mount a Blob Storage container as a file system in Linux, or to display and manage existing mount points (preview). | Microsoft Docs

+description: Learn how to use the BlobFuse2 mount command to mount a Blob Storage container as a file system in Linux, or to display and manage existing mount points (preview).

+Use the `blobfuse2 mount` command to mount a Blob Storage container as a file system in Linux, or to display existing mount points.

+| [all](blobfuse2-commands-mount-all.md) | Mounts all blob containers in a specified storage account |

+1. Mount an individual Azure Blob Storage container to a new directory using the settings from a configuration file, and with foreground mode disabled:

+1. Mount all Blob Storage containers in the storage account specified in the configuration file to the path specified in the command. (Each container will be a subdirectory under the directory specified):

+1. Mount a fast storage device, then mount a Blob Storage container specifying the path to the mounted disk as the BlobFuse2 file caching location:

+1. Mount a Blob Storage container in read-only mode and skipping the automatic BlobFuse2 version check:

+1. Mount a Blob Storage container using an existing configuration file, but override the container name (mounting another container in the same storage account):

+Creating a configuration file is the preferred method of establishing settings for BlobFuse2. Once you have specified the desired settings in the file, reference the configuration file when using the `blobfuse2 mount` or other commands. Example:

+ Title: How to mount an Azure Blob Storage container on Linux with BlobFuse2 (preview) | Microsoft Docs

+description: How to mount an Azure Blob Storage container on Linux with BlobFuse2 (preview).

+# How to mount an Azure Blob Storage container on Linux with BlobFuse2 (preview)

+[BlobFuse2](blobfuse2-what-is.md) is a virtual file system driver for Azure Blob Storage. BlobFuse2 allows you to access your existing Azure block blob data in your storage account through the Linux file system. For more details see [What is BlobFuse2? (preview)](blobfuse2-what-is.md).

+> This preview version is provided without a service level agreement, and might not be suitable for production workloads. Certain features might not be supported or might have constrained capabilities.

+1. [Install the BlobFuse2 Binary](#option-1-install-the-blobfuse2-binary-preferred)

+### Option 1: Install the BlobFuse2 Binary (preferred)

+#### Install the BlobFuse2 binariesFstream

+You can configure BlobFuse2 with a variety of settings. Some of the typical settings used include:

+- Temporary file path for caching

+The settings can be configured in a yaml configuration file, using environment variables, or as parameters passed to the BlobFuse2 commands. The preferred method is to use the configuration file.

+For details about each of the configuration parameters for BlobFuse2 and how to specify them, consult the references below:

+1. [Configure caching](#configure-caching)

+### Configure caching

+BlobFuse2 provides native-like performance by using local file-caching techniques. The caching configuration and behavior varies, depending on whether you are streaming large files or accessing smaller files.

+#### Configure caching for streaming large files

+BlobFuse2 supports streaming for both read and write operations as an alternative to disk caching for files. In streaming mode, BlobFuse2 caches blocks of large files in memory for both reading and writing. The configuration settings related to caching for streaming are under the `stream:` settings in your configuration file as follows:

+```yml

+stream:

+ block-size-mb:

+ For read only mode, the size of each block to be cached in memory while streaming (in MB)

+ For read/write mode: the size of newly created blocks

+ max-buffers: The total number of buffers to store blocks in

+ buffer-size-mb: The size for each buffer

+```

+See [the sample streaming configuration file](https://github.com/Azure/azure-storage-fuse/blob/main/sampleStreamingConfig.yaml) to get started quickly with some settings for a basic streaming scenario.

+#### Configure caching for smaller files

+Smaller files are cached to a temporary path specified under `file_cache:` in the configuration file as follows:

+```yml

+file_cache:

+ path: <path to local disk cache>

+```

+> BlobFuse2 stores all open file contents in the temporary path. Make sure to have enough space to contain all open files.

+There are 3 common options for configuring the temporary path for file caching:

+- Local file caching to improve subsequent access times

+- Gain insights into mount activities and resource usage using BlobFuse2 Health Monitor

+- The addition of write-streaming for large files (read-streaming was previous supported)

+- **Readdir count of hard links**:

+- **Write-streaming**:

+ Concurrent streaming of read and write operations on large file data can produce unpredictable results. Simultaneously writing to the same blob from different threads is not supported.

+The file caching behavior plays an important role in the integrity of the data being read and written to a Blob Storage file system mount. Streaming mode is recommended for use with large files, which supports streaming for both read and write operations. BlobFuse2 caches blocks of streaming files in memory. For smaller files that do not consist of blocks, the entire file is stored in memory. File cache is the second mode and is recommended for workloads that do not contain large files. Where files are stored on disk in their entirety.

+BlobFuse2 supports both read and write operations. Continuous synchronization of data written to storage by using other APIs or other mounts of BlobFuse2 isn't guaranteed. For data integrity, it's recommended that multiple sources don't modify the same blob, especially at the same time. If one or more applications attempt to write to the same file simultaneously, the results could be unexpected. Depending on the timing of multiple write operations and the freshness of the cache for each, the result could be that the last writer wins and previous writes are lost, or generally that the updated file isn't in the desired state.

+#### File caching on disk

+When a file is written to, the data is first persisted into cache on a local disk. The data is written to blob storage only after the file handle is closed. If there's an issue attempting to persist the data to blob storage, you will receive an error message.

+#### Streaming

+For streaming during both read and write operations, blocks of data are cached in memory as they are read or updated. Updates are flushed to Azure Storage when a file is closed or when the buffer is filled with dirty blocks.

+Reading the same blob from multiple simultaneous threads is supported. However, simultaneous write operations could result in unexpected file data outcomes, including data loss. Performing simultaneous read operations and a single write operation is supported, but the data being read from some threads might not be current.

+ Title: How to mount Azure Blob Storage as a file system on Linux with BlobFuse v1 | Microsoft Docs

+description: Learn how to mount an Azure Blob Storage container with BlobFuse v1, a virtual file system driver on Linux.

+# How to mount Azure Blob Storage as a file system with BlobFuse v1

+[BlobFuse](https://github.com/Azure/azure-storage-fuse) is a virtual file system driver for Azure Blob Storage. BlobFuse allows you to access your existing block blob data in your storage account through the Linux file system. BlobFuse uses the virtual directory scheme with the forward-slash '/' as a delimiter.

+This guide shows you how to use BlobFuse v1 and mount a Blob Storage container on Linux and access data. To learn more about BlobFuse v1, see the [readme](https://github.com/Azure/azure-storage-fuse) and [wiki](https://github.com/Azure/azure-storage-fuse/wiki).

+The system-assigned managed identity must have permissions to access the key in the key vault. Assign the **Key Vault Crypto Service Encryption User** role to the system-assigned managed identity with key vault scope to grant these permissions.

+Before you can configure customer-managed keys with a system-assigned managed identity, you must assign the **Key Vault Crypto Service Encryption User** role to the system-assigned managed identity, scoped to the key vault. This role grants the system-assigned managed identity permissions to access the key in the key vault. For more information on assigning Azure RBAC roles with the Azure portal, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+When you configure customer-managed keys with the Azure portal with a system-assigned managed identity, the system-assigned managed identity is assigned to the storage account for you under the covers.

+To assign a system-assigned managed identity to your storage account, first call [Set-AzStorageAccount](/powershell/module/az.storage/set-azstorageaccount):

+$accountName = "<storage-account>"

+$storageAccount = Set-AzStorageAccount -ResourceGroupName $rgName `

+ -Name $accountName `

+Next, assign to the system-assigned managed identity the required RBAC role, scoped to the key vault. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples:

+New-AzRoleAssignment -ObjectId $storageAccount.Identity.PrincipalId `

+ -RoleDefinitionName "Key Vault Crypto Service Encryption User" `

+ -Scope $keyVault.ResourceId

+To authenticate access to the key vault with a system-assigned managed identity, first assign the system-assigned managed identity to the storage account by calling [az storage account update](/cli/azure/storage/account#az-storage-account-update):

+accountName="<storage-account>"

+ --name $accountName \

+ --resource-group $rgName \

+Next, assign to the system-assigned managed identity the required RBAC role, scoped to the key vault. Remember to replace the placeholder values in brackets with your own values and to use the variables defined in the previous examples:

+principalId=$(az storage account show --name $accountName \

+ --resource-group $rgName \

+ --query identity.principalId \

+ --output tsv)

+az role assignment create --assignee-object-id $principalId \

+ --role "Key Vault Crypto Service Encryption User" \

+ --scope $kvResourceId

+$accountName = "<storage-account>"

+Set-AzStorageAccount -ResourceGroupName $rgName `

+ -AccountName $accountName `

+accountName="<storage-account>"

+keyVaultUri=$(az keyvault show \

+ --name $kvName \

+ --resource-group $rgName \

+az storage account update \

+ --name $accountName \

+ --resource-group $rgName \

+ --encryption-key-name $keyName \

+ --encryption-key-vault $keyVaultUri

+$accountName = "<storage-account>"

+Set-AzStorageAccount -ResourceGroupName $rgName `

+ -AccountName $accountName `

+accountName="<storage-account>"

+keyVaultUri=$(az keyvault show \

+ --name $kvName \

+ --resource-group $rgName \

+keyVersion=$(az keyvault key list-versions \

+ --name $keyName \

+ --vault-name $kvName \

+az storage account update \

+ --name $accountName \

+ --resource-group $rgName \

+ --encryption-key-name $keyName \

+ --encryption-key-version $keyVersion \

+ --encryption-key-vault $keyVaultUri

+$accountName = "<storage-account>"

+New-AzStorageAccount -ResourceGroupName $rgName `

+ -Name $accountName `

+accountName="<storage-account>"

+ --name $accountName \

+ --resource-group $rgName \

+ --location $location \

+ --user-identity-id $identityResourceId \

+ --encryption-key-name $keyName \

+ --key-vault-user-identity-id $identityResourceId

+$accountName = "<storage-account>"

+New-AzStorageAccount -ResourceGroupName $rgName `

+ -Name $accountName `

+accountName="<storage-account>"

+ --name $accountName \

+ --resource-group $rgName \

+ --location $location \

+ --user-identity-id $identityResourceId \

+ --encryption-key-vault $keyVaultUri \

+ --encryption-key-name $keyName \

+ --encryption-key-version $keyVersion \

+ --key-vault-user-identity-id $identityResourceId

+ The key vault that stores the key must have both soft delete and purge protection enabled. Azure storage encryption supports RSA and RSA-HSM keys of sizes 2048, 3072 and 4096. For more information about keys, see [About keys](../../key-vault/keys/about-keys.md).

+ 

+ * If the dedicated SQL pool doesn't have any automatic restore points, wait a few hours, or create a user defined restore point before restoring. For User-Defined Restore Points, select an existing one or create a new one.

+ * If you want to restore a dedicated SQL pool from a different workspace, select **New dedicated SQL pool** from your current workspace. Under the **Additional settings** tab find the **Use existing data** and select the **Restore point** option. As shown in the above screenshot, you can then select the **Server or workspace** name from which you can restore.

+ * If you are restoring a geo-backup, select the workspace located in the source region and the dedicated SQL pool you want to restore.

+ > [!NOTE]

+ > You cannot perform an in-place restore of a SQL pool with the same name as an existing pool. Regardless of the SQL pool being in the same workspace or a different workspace.

+4. Select either **Automatic Restore Points** or **User-Defined Restore Points**.