+ | Client ID | The Mobile ID client ID. For example, 00001111-aaaa-2222-bbbb-3333cccc4444. |

+ | Client ID | The SwissID client ID. For example, `00001111-aaaa-2222-bbbb-3333cccc4444`. |

+- `00001111-aaaa-2222-bbbb-3333cccc4444` with the app ID of the application you've registered in your tenant.

+client_id=00001111-aaaa-2222-bbbb-3333cccc4444

+&scope="00001111-aaaa-2222-bbbb-3333cccc4444 offline_access",

+client_id=00001111-aaaa-2222-bbbb-3333cccc4444

+See the code sample: [Sign-in with Azure AD B2C in a JavaScript SPA](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-browser-samples/VanillaJSTestApp2.0/app/b2c).

+ - **objectId**, transformation claim type **customerEntity.userObjectId** "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ "userObjectId":"aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "userObjectId":"aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+| IssuanceClaimPattern | No | Controls the Issuer (iss) claim. One of the values:<ul><li>AuthorityAndTenantGuid - The iss claim includes your domain name, such as `login.microsoftonline` or `tenant-name.b2clogin.com`, and your tenant identifier https:\//login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/</li><li>AuthorityWithTfp - The iss claim includes your domain name, such as `login.microsoftonline` or `tenant-name.b2clogin.com`, your tenant identifier and your relying party policy name. https:\//login.microsoftonline.com/tfp/aaaabbbb-0000-cccc-1111-dddd2222eeee/b2c_1a_tp_sign-up-or-sign-in/v2.0/</li></ul> Default value: AuthorityAndTenantGuid |

+https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1A_signup_signin/oauth2/v2.0/authorize&client_id=00001111-aaaa-2222-bbbb-3333cccc4444&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms&scope=openid&response_type=id_token&prompt=login&ui_locales=es

+- `00001111-aaaa-2222-bbbb-3333cccc4444` with the app ID of an [application you registered in your tenant](tutorial-register-applications.md).

+client_id=00001111-aaaa-2222-bbbb-3333cccc4444

+&client_id=00001111-aaaa-2222-bbbb-3333cccc4444

+&scope=00001111-aaaa-2222-bbbb-3333cccc4444 offline_access

+ "scope": "00001111-aaaa-2222-bbbb-3333cccc4444 offline_access",

+&client_id=00001111-aaaa-2222-bbbb-3333cccc4444

+ "scope": "00001111-aaaa-2222-bbbb-3333cccc4444 offline_access",

+ <Item Key="client_id">00001111-aaaa-2222-bbbb-3333cccc4444</Item>

+ <!--Insert b2c-extensions-app application ID here, for example: 00001111-aaaa-2222-bbbb-3333cccc4444-->

+ <Item Key="00001111-aaaa-2222-bbbb-3333cccc4444"></Item>

+ <!--Insert b2c-extensions-app application ObjectId here, for example: aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb-->

+ <Item Key="aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"></Item>

+ <!--<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00001111-aaaa-2222-bbbb-3333cccc4444</Item>-->

+* [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)

+ <Item Key="client_id">00001111-aaaa-2222-bbbb-3333cccc4444</Item>

+ "sub": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "aud": "00001111-aaaa-2222-bbbb-3333cccc4444",

+ "tid": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ <Item Key="client_id">00001111-aaaa-2222-bbbb-3333cccc4444</Item>

+|{Settings:AppInsightsInstrumentationKey}|Instrumentation key of your Application Insights instance*|`00001111-aaaa-2222-bbbb-3333cccc4444`|

+|{Settings:IdentityExperienceFrameworkAppId}App ID of the IdentityExperienceFramework app configured in your Azure AD B2C tenant|`00001111-aaaa-2222-bbbb-3333cccc4444`|

+|{Settings:ProxyIdentityExperienceFrameworkAppId}|App ID of the ProxyIdentityExperienceFramework app configured in your Azure AD B2C tenant|`00001111-aaaa-2222-bbbb-3333cccc4444`|

+|{Settings:DfpApiBaseUrl}|The base path for your DFP API instance, found in the DFP portal| `https://tenantname-00001111-aaaa-2222-bbbb-3333cccc4444.api.dfp.dynamics.com/v1.0/`|

+|{Settings:DfpTenantId}|The ID of the Microsoft Entra tenant (not B2C) where DFP is licensed and installed|`00001111-aaaa-2222-bbbb-3333cccc4444` or `consoto.onmicrosoft.com` |

+| {your_tenant_IdentityExperienceFramework_appid} |App ID of the IdentityExperienceFramework app configured in your Azure AD B2C tenant| 00001111-aaaa-2222-bbbb-3333cccc4444|

+| {your_tenant_ ProxyIdentityExperienceFramework_appid}| App ID of the ProxyIdentityExperienceFramework app configured in your Azure AD B2C tenant | 00001111-aaaa-2222-bbbb-3333cccc4444|

+| {your_tenant_extensions_appid} | App ID of your tenant storage application| 00001111-aaaa-2222-bbbb-3333cccc4444|

+| {your_tenant_extensions_app_objectid}| Object ID of your tenant storage application| aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb|

+ <Item Key="client_id">00001111-aaaa-2222-bbbb-3333cccc4444</Item>

+|{your_tenantID}|Your Azure AD B2C TenantID| aaaabbbb-0000-cccc-1111-dddd2222eeee|

+|{your_tenant_IdentityExperienceFramework_appid}|IdentityExperienceFramework app App ID configured in your Azure AD B2C tenant|00001111-aaaa-2222-bbbb-3333cccc4444|

+|{your_tenant_ ProxyIdentityExperienceFramework_appid}|ProxyIdentityExperienceFramework app App ID configured in your Azure AD B2C tenant| 00001111-aaaa-2222-bbbb-3333cccc4444|

+|{your_tenant_extensions_appid}|Your tenant storage application App ID| 00001111-aaaa-2222-bbbb-3333cccc4444|

+|{your_tenant_extensions_app_objectid}|Your tenant storage application Object ID| aaaabbbb-0000-cccc-1111-dddd2222eeee|

+|{your_app_insights_instrumentation_key}|Your app insights instance* instrumentation key|00001111-aaaa-2222-bbbb-3333cccc4444|

+ <Item Key="client_id">00001111-aaaa-2222-bbbb-3333cccc4444</Item>

+ <!--Insert b2c-extensions-app application ID here, for example: 00001111-aaaa-2222-bbbb-3333cccc4444-->

+ <Item Key="00001111-aaaa-2222-bbbb-3333cccc4444"></Item>

+ <!--Insert b2c-extensions-app application ObjectId here, for example: aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb-->

+ <Item Key="00001111-aaaa-2222-bbbb-3333cccc4444"></Item>

+ <!--<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/187f16e9-81ab-4516-8db7-1c8ef94ffeca,https://login.microsoftonline.com/00001111-aaaa-2222-bbbb-3333cccc4444</Item>-->

+ <add key="ida:TenantId" value="aaaabbbb-0000-cccc-1111-dddd2222eeee" />

+ <add key="ida:ClientId" value="00001111-aaaa-2222-bbbb-3333cccc4444" />

+ <Item Key="client_id">00001111-aaaa-2222-bbbb-3333cccc4444</Item>

+`https://login.microsoft.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?pB2C_1A_signup_signin&client_id=00001111-aaaa-2222-bbbb-3333cccc4444&nonce=defaultNonce&redirect_uri=http%3A%2F%2Fjwt.io%2F&scope=openid&response_type=id_token&prompt=login&campaignId=hawaii`

+ "sub": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+https://<tenant-name>.b2clogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/

+ <audience>00001111-aaaa-2222-bbbb-3333cccc4444</audience>

+ <issuer>https://<tenant-name>.b2clogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/</issuer>

+ <audience>00001111-aaaa-2222-bbbb-3333cccc4444</audience>

+ <audience>11112222-bbbb-3333-cccc-4444dddd5555</audience>

+ <issuer>https://<tenant-name>.b2clogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/</issuer>

+ <issuer>https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/</issuer>

+ <audience>00001111-aaaa-2222-bbbb-3333cccc4444</audience>

+ <audience>11112222-bbbb-3333-cccc-4444dddd5555</audience>

+ <issuer>https://login.microsoftonline.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/</issuer>

+ <issuer>https://<tenant-name>.b2clogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/</issuer>

+| Audience | `aud` | `00001111-aaaa-2222-bbbb-3333cccc4444` | Identifies the intended recipient of the token. For Azure AD B2C, the audience is the application ID. Your application should validate this value and reject the token if it doesn't match. Audience is synonymous with resource. |

+| Issuer | `iss` |`https://<tenant-name>.b2clogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/` | Identifies the security token service (STS) that constructs and returns the token. It also identifies the directory in which the user was authenticated. Your application should validate the issuer claim to make sure that the token came from the appropriate endpoint. |

+| Subject | `sub` | `aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb` | The principal about which the token asserts information, such as the user of an application. This value is immutable and can't be reassigned or reused. It can be used to perform authorization checks safely, such as when the token is used to access a resource. By default, the subject claim is populated with the object ID of the user in the directory. |

+| `traces | where customDimensions.CorrelationId == "aaaa0000-bb11-2222-33cc-444444dddddd"`| Get all of the logs generated by Azure AD B2C for a correlation ID. Replace the correlation ID with your correlation ID. |

+1. Copy the **Application ID**. Example: `00001111-aaaa-2222-bbbb-3333cccc4444`.

+ * **Application ID**. Example: `00001111-aaaa-2222-bbbb-3333cccc4444`.

+ * **Object ID**. Example: `aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb`.

+ <!--Insert b2c-extensions-app application ID here, for example: 00001111-aaaa-2222-bbbb-3333cccc4444-->

+ <!--Insert b2c-extensions-app application ObjectId here, for example: aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb-->

+Custom attributes (directory extensions) in the Microsoft Graph API are named by using the convention `extension_{appId-without-hyphens}_{extensionProperty-name}` where `{appId-without-hyphens}` is the stripped version of the **appId** (called Client ID on the Azure AD B2C portal) for the `b2c-extensions-app` with only characters 0-9 and A-Z. For example, if the **appId** of the `b2c-extensions-app` application is `11112222-bbbb-3333-cccc-4444dddd5555` and the attribute name is `loyaltyId`, then the custom attribute is named `extension_25883231668a43a780b25685c3f874bc_loyaltyId`.

+ <Item Key="issuer">https://yourtenant.b2clogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/</Item>

+ <Item Key="audience">[ "00001111-aaaa-2222-bbbb-3333cccc4444", "11112222-bbbb-3333-cccc-4444dddd5555" ]</Item>

+ In the following access token, the `iss` claim value is `https://contoso.b2clogin.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/v2.0/`. The `aud` claim value is `00001111-aaaa-2222-bbbb-3333cccc4444`.

+ "sub": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "aud": "00001111-aaaa-2222-bbbb-3333cccc4444",

+ "tid": "aaaabbbb-0000-cccc-1111-dddd2222eeee"

+ "objectId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "correlationId": "ffffffff-eeee-dddd-cccc-bbbbbbbbbbb0",

+ "appId": "00001111-aaaa-2222-bbbb-3333cccc4444",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+1. Select an API, for example, the *Conference API*.

+1. On the **Conference API** page, under **Details**, select **Deployments** > **+ Add deployment**.

+ | **Definition** | Select or add a definition file for a version of the Conference API. | API definition file. |

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ * [Conference API](https://bigconference.azurewebsites.net)

+The following steps register two sample APIs: Swagger Petstore API and Conference API (see [Prerequisites](#prerequisites)). If you prefer, register APIs of your own.

+1. Repeat the preceding three steps to register another API, such as the Conference API.

+1. In the left menu, select **APIs**, and then select an API, for example, *Swagger Petstore*.

+1. On the API page, under **Details**, select **Versions** > **+ Add version**.

+ | **Specification name** | For the Petstore API, select **OpenAPI**. | Specification format for the API.|

+ | **Specification version** | Enter a version identifier of your choice, such as *3.0*. | Specification version. |

+ |**Document** | Browse to a local definition file for the Petstore API, or enter a URL. Example URL: `https://raw.githubusercontent.com/swagger-api/swagger-petstore/refs/heads/master/src/main/resources/openapi.yaml` | API definition file. |

+

+> - When you enable Change Tracking in the Azure portal using the Azure Monitoring Agent, the process automatically creates a Data Collection Rule (DCR). This rule will appear in the resource group with a name in the format ct-dcr-aaaaaaaaa. After the rule is created, add the required resources.

+> - It usually takes up to two to three minutes to successfully onboard and enable the virtual machine(s). After you enable a virtual machine for change tracking, you can make changes to the files, registries, or software for the specific VM.

+ > You can select up to 250 virtual machines at a time to enable this feature.

+> [!NOTE]

+> After creating the Data Collection Rule (DCR) using the Azure Monitoring Agent's change tracking schema, ensure that you don't add any Data Sources to this rule. This can cause Change Tracking and Inventory to fail. You must only add new Resources in this section.

+This article provides information on troubleshooting and resolving issues that may occur while attempting to install and configure Start/Stop VMs.

+ <script src="https://unpkg.com/pmtiles@3.2.0/dist/pmtiles.js"></script>

+ //Initialize the plugin.

+ const protocol = new pmtiles.Protocol();

+ atlas.addProtocol("pmtiles", protocol.tile);

+The following sample uses the [Overture] building dataset to add building data over the basemap.

+const PMTILES_URL = "https://overturemaps-tiles-us-west-2-beta.s3.amazonaws.com/2024-07-22/buildings.pmtiles";

+ new atlas.source.VectorTileSource("my_source", {

+ "my_source",

+### Unsupported scenarios

+The platform blocks a scenario where resources from Subscription A are migrated to Subscription B when *at the same time* resources from Subscription B are migrated to Subscription C. This is by design.

+ sudo docker run --cap-add SYS_PTRACE -e 'ACCEPT_EULA=1' -e 'MSSQL_SA_PASSWORD=<password>' -p 1433:1433 --name azuresqledge -d mcr.microsoft.com/azure-sql-edge

+ sudo docker run --cap-add SYS_PTRACE -e 'ACCEPT_EULA=1' -e 'MSSQL_SA_PASSWORD=<password>' -e 'MSSQL_PID=Premium' -p 1433:1433 --name azuresqledge -d mcr.microsoft.com/azure-sql-edge

+ | **-e "MSSQL_SA_PASSWORD=\<password\>"** | Specify your own strong password that is at least eight characters and meets the [password requirements](/sql/relational-databases/security/password-policy). Required setting for the SQL Edge image. |

+1. Use `docker exec` to run **sqlcmd** to change the password using Transact-SQL. In the following example, replace the old password, `<old-password>`, and the new password, `<new-password>`, with your own password values.

+ -S localhost -U SA -P "<old-password>" \

+ -Q 'ALTER LOGIN SA WITH PASSWORD="<new-password>"'

+ /opt/mssql-tools/bin/sqlcmd -S localhost -U SA -P "<password>"

+### Azure Resource Health for Azure VMware Solution Private Cloud (Public preview)

+In this article, you learn how Azure Resource Health helps you diagnose and get support for service problems that affect your Private Cloud resources. Azure Resource Health reports on the current and past health of your Private Cloud Infrastructure resources and provides you with a personalized dashboard of the health of the infrastructure resources. Azure Resource Health allows you to report on historical events and can identify every time a service is unavailable and if Service Level Agreement (SLA) is violated.

+#### Preview Enablement

+You are required to register yourself for the feature preview under _Preview Features_ of Azure VMware Solution in Azure portal. Customers should first register themselves to ***"Microsoft.AVS/ResourceHealth"*** preview flag from Azure portal and once registered, all the preconfigured alerts related to Host replacement, vCenter, and other critical alarms will start to surface in the Resource Health of Azure VMware Solution (AVS) User Interface (UI).

+#### Benefits of enabling Resource Health

+- Resource Health feature enablement adds significant value to your monitoring capabilities. You get notified about unplanned maintenance that took place in your private cloud infrastructure.

+- Resource Health gives you a personalized dashboard of the health of your resources. Resource Health shows all the time that your resources have been unavailable which makes it easy for you to check if SLA was violated.

+- For the Public Preview, a group of critical alerts are enabled which notifies you about Host replacements, storage critical alarms and also about the Network health of your private cloud.

+- The alerts are updated to have all the necessary information for better reporting and triage purposes.

+- Resource Health uses Azure Action groups that allow you to configure Email/SMS/Webhook/ITSM and get notified via communication method of your choice.

+- Once Enabled the health of your private cloud infrastructure reflects following statuses

+

+ - Available

+

+ - Unavailable

+ - Unknown

+ - Degraded

+#### Available

+Available means that there are no events detected that affect the health of the resource. In cases where the resource recovered from unplanned downtime during the last 24 hours, you see a "Recently resolved" notification

+#### Unavailable

+Unavailable means that the service detected an ongoing platform or nonplatform event that affects the health of the resource.

+#### Unknown

+Unknown means that Resource Health hasn't received information about the resource for more than 10 minutes. You may see this status under two different conditions:

+- Your subscription is not enabled for Resource Health metrics, and you need to register yourself for the preview.

+- If the resource is running as expected, the status of the resource will change to Available after a few minutes. If you experience problems with the resource, the Unknown health status might mean that an event in the private cloud is affecting the resource.

+#### Degraded

+Degraded means that Resource Health detected a loss in performance in either one or more private cloud resources, although it's still available for use. Different resources have their own criteria for when they report that they are degraded.

+#### Pre-configured Alarms enabled in Azure Resource Health

+|Alert Name|Remediation Mode|

+| -- | -- |

+|Physical Disk Health AlarmΓÇ»|System Remediation|

+|System Board Health Alarm|System Remediation|

+| Memory Health Alarm|System Remediation|

+|Storage Health Alarm|System Remediation|

+|Temperature Health AlarmΓÇ»|System Remediation|

+|Host Connection State Alarm|System Remediation|

+|High Availability (HA) host StatusΓÇ»|System Remediation|

+| Network Connectivity Lost Alarm|System Remediation|

+|Virtual Storage (vSAN) Host Disk Error Alarm|System Remediation|

+|Voltage Health Alarm |System Remediation|

+|Processor Health Alarm| System Remediation|

+|Fan Health Alarm|System Remediation|

+|High pNIC error rate detected|System Remediation|

+|iDRAC critical alerts if there are hardware faults (CPU/DIMM/PCI bus/Voltage issues)|System Remediation|

+|vSphere HA restarted a virtual machine|System Remediation|

+|Virtual Storage (vSAN) High Disk Utilization|Customer Intervention Required|

+|Replacement Start and Stop Notification|System Remediation|

+|Repair Service notification to customers (Host reboot and Restart of Management services) |System Remediation|

+|Notification to customer when a Virtual Machine is configured to use an external device that prevents a maintenance operation|Customer Intervention Required|

+| Customer notification when CD-ROM is mounted on the Virtual Machine and its ISO image isn't accessible and blocks maintenance operation|Customer Intervention Required|

+|Notification to customer when an external Datastore mounted becomes inaccessible and will block maintenance operations|Customer Intervention Required|

+|Notification to customer when connected network adapter becomes inaccessible and blocks any maintenance operations|Customer Intervention Required|

+|VMware Network (NSX ΓÇôT) alarms (Customer notification about License expiration)|Customer Intervention Required|

+## Next Steps

+Now that you have configured an alert rule for your Azure VMware Solution private cloud, you can learn more about:

+- [Azure Resource Health](/azure/service-health/resource-health-overview)

+- [Azure Monitor](/azure/azure-monitor/overview)

+- [Azure Action Groups](/azure/azure-monitor/alerts/action-groups)

+You can also continue with one of the other Azure VMware Solution how-to [guides](/azure/azure-vmware/deploy-azure-vmware-solution?tabs=azure-portal)

+Our application performance monitoring and troubleshooting partners have industry-leading solutions in VMware-based environments that assure the availability, reliability, and responsiveness of applications and services. You can adopt many of the solutions integrated with VMware NSX-T Data Center for their on-premises deployments. As one of our key principles, we want to enable you to continue to use your investments and VMware solutions running on Azure. Many of the Independent Software Vendors (ISV) already validated their solutions with Azure VMware Solution.

+| **OS versions** | SLES 12 with SP2, SP3, SP4 and SP5; SLES 15 with SP0, SP1, SP2, SP3, SP4, SP5, and SP6 <br><br> RHEL 7.4, 7.6, 7.7, 7.9, 8.1, 8.2, 8.4, 8.6, 8.8, 9.0, 9.2, and 9.4. | |

+When connecting to a Linux virtual machine using SSH, you can use both username/password and SSH keys for authentication.

+Call recordings are stored temporarily in the same geography that was selected for ```Data Location``` during resource creation for 24 hours. After this the recording is deleted and you are responsible for storing the recording in a secure and compliant location.

+const callClient = new CallClient({

+> If you don't set a value of `appName` and `appVersion` from within the client API, the default value of default/0.0.0 will appear within the `UserAgent` field.

+ Title: Dapr component resiliency

+# Dapr component resiliency

+1. Expand the **Additional TCP ports** section within the Ingress blade.

+2. Add in additional TCP ports that your application will be accepting traffic on in the _Target port_ field. If _Exposed port_ is left empty, this will take from the same value set in _Target port_.

+3. Change the _Ingress traffic_ field as needed. This will configure where ingress traffic will be limited to for each port.

+4. When finished, click **Save**.

+> To use this feature, you must have the container apps CLI extension. Run `az extension add -n containerapp` in order to install the latest version of the container apps CLI extension.

+ Title: Service discovery resiliency

+# Service discovery resiliency

+Navigate into your container app in the Azure portal. In the left side menu under **Settings**, select **Resiliency** to open the resiliency pane.

+> - When there are adjustment charges, back-dated credits, or discounts for the account that result in an invoice getting rebilled, it resets the refund behavior. Refunds are shown in the rebilled invoice for the rebilled period.

+> - If a purchase and refund occur in the same month before they get billed, both the positive and negative adjustments get shown on the next invoice.

+[Update your PO number](../manage/change-azure-account-profile.yml#update-a-po-number) in your billing profile and, after moving your subscriptions, ensure you [update your tax ID](../manage/change-azure-account-profile.yml#update-your-tax-id). The tax ID is used for tax exemption calculations and appears on your invoice. [Learn more about how to update your billing account settings](../understand/mosp-new-customer-experience.md).

+#customer intent: As a billing administrator, I want to learn how to assign SQL Server licenses in Azure using centrally managed Azure Hybrid Benefit.

+In this tutorial, you learn how to proactively assign SQL Server licenses in Azure to optimize [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/) as you centrally manage it. Optimizing your benefit reduces the costs of running Azure SQL.

+Verify that your self-installed virtual machines running SQL Server in Azure are registered before you start to use the new experience. Doing so ensures that Azure resources that are running SQL Server are visible to you and Azure. For more information about registering SQL VMs in Azure, see:

+- [Register SQL Server VM with SQL IaaS Agent Extension](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-single-vm)

+- [Register multiple SQL VMs in Azure with the SQL IaaS Agent extension](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-vms-bulk)

+After reviewing the information gathered, you might determine that the number of SQL Server licenses available is insufficient to cover planned Azure SQL usage. If so, talk to your procurement department to buy more SQL Server core licenses with Software Assurance (or subscription licenses).

+1. A table is shown that includes the Azure Hybrid Benefit licenses assignments that you made and the utilization percentage of each one.

+After you assign a license and set a review date, the license assignment automatically becomes inactive and expires 90 days after the review date.

+- 90 days before the review date

+- 30 days before the review date

+- Seven days before the review date

+After you read the preceding instructions in the article, you understand that:

+1. You review Azure resource usage data from recent months and you talk to others in Contoso. You determine that 2000 SQL Server Enterprise Edition and 750 SQL Server Standard Edition core licenses, or 8,750 normalized cores, are needed to cover expected Azure SQL usage for the next year. Expected usage also includes migrating workloads (1500 SQL Server Enterprise Edition + 750 SQL Server Standard Edition = 6750 normalized) and net new Azure SQL workloads (another 500 SQL Server Enterprise Edition or 2000 normalized cores).

+1. Next, confirm with your with procurement team that the licenses required are available. Or, that they're planned to get purchased. The confirmation ensures that the licenses are available to assign to Azure.

+ - You determine that there are 1800 SQL Server Enterprise Edition licenses and 2000 SQL Server Standard Edition licenses available to assign to Azure. The available licenses equal 9,200 normalized cores. That value is a little more than the 8750 needed (2000 x 4 + 750 = 8750).

+1. Then, you assign the 1800 SQL Server Enterprise Edition and 2000 SQL Server Standard Edition to Azure. That action results in 9,200 normalized cores that the system can apply to Azure SQL resources as they run each hour. Assigning more licenses than are required now provides a buffer if usage grows faster than you expect.

+## Related content

+# Copy from Microsoft 365 (Office 365) into Azure using Azure Data Factory or Synapse Analytics

+|login.microsoftonline.com |TCP |443 |Authentication to Microsoft Online Services | AzureActiveDirectory |

+# Move DevTest Labs and Schedules

+You can move DevTest Labs and their associated schedules to another region or resource group. You can move resource groups through the Azure Portal. To move a lab, create a copy of an existing lab in another region. When you've moved your lab, and you have a virtual machine (VM) in the target region, you can move your lab schedules..

+> - Move resources to different resource groups.

+The following section describes how to move resources to a different resource group and create and customize an ARM template to move a lab from one region to another.

+### Move Resource Groups using Azure Portal

+Moving resources between resource groups in different locations is now seamlessly enabled in DevTest Labs. You can effortlessly transfer any resource from one group to another within the same subscription.

+To begin, select the resource you wish to move. On the resource's **Overview** page, you'll find the current **Resource Group** displayed at the top. Next to the resource group name, you'll see the word `(move)` in parentheses.

+Click the hyperlinked `move` text, which will direct you to a new page where you can relocate the resource to any other resource group within the same subscription. Please note that moving the resource will not change its location, even if the destination resource group is in a different location. If you're not moving resources through the Azure Portal or if you're transferring to a resource group in a different subscription, alternative methods using ARM are outlined below.

+### Move Labs to a Different Region

+After the deployment, if you want to start over, you can delete the target lab, and repeat the steps described in the [Prepare](#move-labs-to-a-different-region) and [Move](#deploy-the-template-to-move-the-lab) sections of this article.

+ 1. For **Filter to Event Types**, select types of events you want to subscribe to.

+#### JSON Schema

+ "field": "Microsoft.EventHub/namespaces/minimumTlsVersion",

+- [Configure Transport Layer Security (TLS) for an Event Hubs client application](transport-layer-security-configure-client-version.md)

+> As of 28 February 2025, TLS 1.0 and TLS 1.1 will no longer be supported on Azure Event Hubs. The minimum TLS version will be 1.2 for all Event Hubs deployments.

+* Plan for [disaster recovery](designing-for-disaster-recovery-with-expressroute-privatepeering.md) and [using VPN as a backup](use-s2s-vpn-as-backup-for-expressroute-privatepeering.md).

+1. Enter the resource ID of your gateway.

+- Update 50 IP Groups at a time

+**What the AZFW Latency Probe Metric Measures (and Doesn't):**

+- What it measures: The latency of the Azure Firewall within the Azure platform

+- What it doesn't meaure: The metric does not capture end-to-end latency for the entire network path. Instead, it reflects the performance within the firewall, rather than how much latency Azure Firewall introduces into the network.

+- Error reporting: If the latency metric isn't functioning correct, it reports a value of 0 in the metrics dashboard, indicating a probe failure or interruption.

+**Factors that impact latency:**

+- High CPU utilization

+- High throughput or traffic load

+- Networking issues within the Azure platform

+**Latency Probes: From ICMP to TCP**

+The latency probe currently uses Microsoft's Ping Mesh technology, which is based on ICMP (Internet Control Message Protcol). ICMP is suitable for quick health checks, like ping requests, but it may not accurately represent real-world application traffic, which typically relis on TCP.However, ICMP probes prioritize differently across the Azure platform, which can result in variation across SKUs. To reduce these discrepancies, Azure Firewall plans to transition to TCP-based probes.

+- Latency spikes: With ICMP probes, intermittent spikes are normal and are part of the host network's standard behavior. These should not be misinterpreted as firewall issues unless they are persistent.

+- Average latency: On average, the latency of Azure Firewall is expected to range from 1ms to 10 ms, dpending on the Firewall SKU and deployment size.

+**Best Practices for Monitoring Latency**

+- Set a baseline: Establish a latency baseline under light traffic conditions for accurate comparisons during normal or peak usage.

+- Monitor for patterns: Expect occasional latency spikes as part of normal operations. If high latency persists beyond these normal variations, it may indicate a deeper issue requiring investigation.

+- Recommended latency threshold: A recommended guideline is that latency should not exceed 3x the baseline. If this threshold is crossed, further investigation is recommended.

+- Check the rule limit: Ensure that the network rules are within the 20K rule limit. Exceeding this limit can affect performance.

+- New application onboarding: Check for any newly onboarded applications that could be adding significant load or causing latency issues.

+- Support request: If you observe continuous latency degredation that does not align with expected behavior, consider filing a support ticket for further assistance.

+### Release date: Aug 30, 2024

+> [!NOTE]

+> This is a Hotfix / maintenance release for Resource Provider. For more information see, [Resource Provider](.//hdinsight-overview-versioning.md#hdinsight-resource-provider).

+Azure HDInsight periodically releases maintenance updates for delivering bug fixes, performance enhancements, and security patches ensuring you stay up to date with these updates guarantees optimal performance and reliability.

+This release note applies to

+HDInsight release will be available to all regions over several days. This release note is applicable for image number **2407260448**. [How to check the image number?](./view-hindsight-cluster-image-version.md)

+HDInsight uses safe deployment practices, which involve gradual region deployment. It might take up to 10 business days for a new release or a new version to be available in all regions.

+**OS versions**

+* HDInsight 5.1: Ubuntu 18.04.5 LTS Linux Kernel 5.4

+* HDInsight 5.0: Ubuntu 18.04.5 LTS Linux Kernel 5.4

+* HDInsight 4.0: Ubuntu 18.04.5 LTS Linux Kernel 5.4

+> [!NOTE]

+> Ubuntu 18.04 is supported under [Extended Security Maintenance(ESM)](https://techcommunity.microsoft.com/t5/linux-and-open-source-blog/canonical-ubuntu-18-04-lts-reaching-end-of-standard-support/ba-p/3822623) by the Azure Linux team for [Azure HDInsight July 2023](/azure/hdinsight/hdinsight-release-notes-archive#release-date-july-25-2023), release onwards.

+For workload specific versions, see [HDInsight 5.x component versions](./hdinsight-5x-component-versioning.md).

+## Issue fixed

+* Default DB bug fix.

+## :::image type="icon" border="false" source="./media/hdinsight-release-notes/clock.svg"::: Coming soon

+* [Basic and Standard A-series VMs Retirement](https://azure.microsoft.com/updates/basic-and-standard-aseries-vms-on-hdinsight-will-retire-on-31-august-2024/).

+ * On August 31, 2024, we'll retire Basic and Standard A-series VMs. Before that date, you need to migrate your workloads to Av2-series VMs, which provide more memory per vCPU and faster storage on solid-state drives (SSDs).

+ * To avoid service disruptions, [migrate your workloads](https://aka.ms/Av1retirement) from Basic and Standard A-series VMs to Av2-series VMs before August 31, 2024.

+* Retirement Notifications for [HDInsight 4.0](https://azure.microsoft.com/updates/azure-hdinsight-40-will-be-retired-on-31-march-2025-migrate-your-hdinsight-clusters-to-51) and [HDInsight 5.0](https://azure.microsoft.com/updates/hdinsight5retire/).

+

+If you have any more questions, contact [Azure Support](https://ms.portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview).

+You can always ask us about HDInsight on [Azure HDInsight - Microsoft Q&A](/answers/tags/168/azure-hdinsight).

+We're listening: YouΓÇÖre welcome to add more ideas and other topics here and vote for them - [HDInsight Ideas](https://feedback.azure.com/d365community/search/?q=HDInsight) and follow us for more updates on [AzureHDInsight Community](https://www.linkedin.com/groups/14313521/).

+> [!NOTE]

+> We advise customers to use to latest versions of HDInsight [Images](./view-hindsight-cluster-image-version.md) as they bring in the best of open source updates, Azure updates and security fixes. For more information, see [Best practices](./hdinsight-overview-before-you-start.md).

+**Coming soon**

+### Release date: Oct 22, 2024

+HDInsight release will be available to all regions over several days. This release note is applicable for image number **2409240625**. [How to check the image number?](./view-hindsight-cluster-image-version.md)

+## Updated

+* MSI based authentication support available for Azure blob storage.

+Azure HDInsight now supports OAuth-based authentication for accessing Azure Blob storage by leveraging Azure Active Directory (AAD) and managed identities (MSI). With this enhancement, HDInsight uses user-assigned managed identities to access Azure blob storage. For more information, see [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).

+* HDInsight service is transitioning to use standard load balancers for all its cluster configurations because of [deprecation announcement](https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer#main) of Azure basic load balancer.

+ * This change will be rolled out in a phased manner for different regions between November 07, 2024 and November 21, 2024. Watch out our release notes for more updates.

+|For FHIR instances created after August 19,2024, in metrics blade - Total requests, Total latency, and Total errors metrics are not being populated. |September 19,2024 9:00 am PST| -- | October 28,2024 9:00 am PST |

+|Customers accessing the FHIR Service via a private endpoint are experiencing difficulties, specifically receiving a 403 error when making API calls from within the vNet. This problem affects FHIR instances provisioned after August 19 that utilize private link.|August 22,2024 11:00 am PST|-- | September 3,2024 9:00 am PST |

+1. From the main menu under **Settings**, select **Agents**.

+1. Copy the values of **Workspace ID** and **Primary key**, available under 'Log Analytics agent instructions'. You'll use these two values later in the tutorial to configure the metrics collector module to send the metrics to this workspace.

+| US Gov Texas | 52.238.119.104, 52.238.112.96, 52.238.119.145, 52.245.171.151, 52.245.163.42, 52.238.78.169, 52.238.164.135, 52.238.164.111, 52.238.164.44, 52.243.250.114, 52.243.248.33, 52.243.253.54, 52.243.253.44 |

+| US Gov Texas | 52.238.114.217, 52.238.115.245, 52.238.117.119, 20.141.120.209, 52.245.171.152, 20.141.123.226, 52.245.163.1, 52.238.164.53, 52.238.72.216, 52.238.164.123, 52.238.160.255, 52.243.237.44, 52.249.101.31, 52.243.251.37, 52.243.252.22 |

+| RHEL 9.x, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.4, 7.0, 6.x | Y | Y | Y |

+- Red Hat Enterprise Linux 9.x, 8.x, 7.9, 7.8, 7.7, 7.6, 7.5, 7.4, 7.3, 7.2, 7.1, 7.0, 6.x (Azure Linux VM agent is also installed automatically during migration)

+Review the list of [required packages](/azure/virtual-machines/extensions/agent-linux#requirements) to install Linux VM agent. Azure Migrate installs the Linux VM agent automatically for RHEL 9.x, 8.x/7.x/6.x, Ubuntu 14.04/16.04/18.04/19.04/19.10/20.04, SUSE 15 SP0/15 SP1/12/11 SP4/11 SP3, Debian 9/8/7, and Oracle 7 when using the agentless method of VMware migration.

+Asianux 3<br/>Asianux 4<br/>Asianux 5<br/>CoreOS Linux<br/>Debian GNU/Linux 4<br/>Debian GNU/Linux 5<br/>Debian GNU/Linux 6<br/>Debian GNU/Linux 7<br/>Debian GNU/Linux 8<br/>FreeBSD | IBM OS/2<br/>macOS X 10<br/>MS-DOS<br/>Novell NetWare 5<br/>Novell NetWare 6<br/>Oracle Linux<br/>Oracle Linux 4/5<br/>Oracle Solaris 10<br/>Oracle Solaris 11<br/>Red Hat Enterprise Linux 2<br/>Red Hat Enterprise Linux 3<br/>Red Hat Enterprise Linux 4<br/>Red Hat Enterprise Linux 5<br/>Red Hat Enterprise Linux 6<br/>Red Hat Enterprise Linux 7<br/>Red Hat Enterprise Linux 8<br/>Red Hat Enterprise Linux 9<br/>Red Hat Fedora | SCO OpenServer 5<br/>SCO OpenServer 6<br/>SCO UnixWare 7<br/> Serenity Systems eComStation<br/>Serenity Systems eComStation 1<br/>Serenity Systems eComStation 2<br/>Sun Microsystems Solaris 8<br/>Sun Microsystems Solaris 9<br/><br/>SUSE Linux Enterprise 10<br/>SUSE Linux Enterprise 11<br/>SUSE Linux Enterprise 12<br/>SUSE Linux Enterprise 8/9<br/>SUSE Linux Enterprise 11<br/>SUSE openSUSE | Ubuntu Linux<br/>VMware ESXi 4<br/>VMware ESXi 5<br/>VMware ESXi 6<br/>Windows 10<br/>Windows 2000<br/>Windows 3<br/>Windows 7<br/>Windows 8<br/>Windows 95<br/>Windows 98<br/>Windows NT<br/>Windows Server (R) 2008<br/>Windows Server 2003<br/>Windows Server 2008<br/>Windows Server 2008 R2<br/>Windows Server 2012<br/>Windows Server 2012 R2<br/>Windows Server 2016<br/>Windows Server 2019<br/>Windows Server Threshold<br/>Windows Vista<br/>Windows Web Server 2008 R2<br/>Windows XP Professional

+Linux servers | Red Hat Enterprise Linux 5.1, 5.3, 5.11, 6.x, 7.x, 8.x, 9.x <br /> Ubuntu 12.04, 14.04, 16.04, 18.04, 20.04, 22.04 <br /> OracleLinux 6.1, 6.7, 6.8, 6.9, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 8, 8.1, 8.3, 8.5 <br /> SUSE Linux 10, 11 SP4, 12 SP1, 12 SP2, 12 SP3, 12 SP4, 15 SP2, 15 SP3 <br /> Debian 7, 8, 9, 10, 11

+ Review the list of [required packages](/azure/virtual-machines/extensions/agent-linux#requirements) to install Linux VM agent. Azure Migrate installs the Linux VM agent automatically for RHEL 9.x, 8.x/7.x/6.x, Ubuntu 14.04/16.04/18.04/19.04/19.10/20.04, SUSE 15 SP0/15 SP1/12, Debian 9/8/7, and Oracle 7/6 when using the agentless method of VMware migration. Follow these instructions to [install the Linux Agent manually](/azure/virtual-machines/extensions/agent-linux#installation) for other OS versions.

+- Public IPs with DDoS protection enabled aren't supported with NAT gateway. For more information, see [DDoS limitations](/azure/ddos-protection/ddos-protection-sku-comparison#limitations).zzzzz

+

+- Azure NAT Gateway is not supported in a secured virtual hub network (vWAN) architecture.

+# Diagnose a virtual machine network routing problem using the Azure CLI

+In this article, you learn how to use Azure Network Watcher [next hop](network-watcher-next-hop-overview.md) tool to troubleshoot and diagnose a VM routing problem that's preventing it from correctly communicating with other resources.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Azure Cloud Shell or Azure CLI.

+ The steps in this article run the Azure CLI commands interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the commands in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code, and paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

+ You can also [install Azure CLI locally](/cli/azure/install-azure-cli) to run the commands. This article requires the Azure CLI version 2.0 or later. Run [az --version](/cli/azure/reference-index#az-version) command to find the installed version. If you run Azure CLI locally, sign in to Azure using the [az login](/cli/azure/reference-index#az-login) command.

+## Create a virtual machine

+# Diagnose a virtual machine network routing problem using PowerShell

+In this article, you learn how to use Azure Network Watcher [next hop](network-watcher-next-hop-overview.md) tool to troubleshoot and diagnose a virtual machine (VM) routing problem that's preventing it from correctly communicating with other resources.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Azure Cloud Shell or Azure PowerShell.

+ The steps in this article run the Azure PowerShell cmdlets interactively in [Azure Cloud Shell](/azure/cloud-shell/overview). To run the cmdlets in the Cloud Shell, select **Open Cloud Shell** at the upper-right corner of a code block. Select **Copy** to copy the code and then paste it into Cloud Shell to run it. You can also run the Cloud Shell from within the Azure portal.

+ You can also [install Azure PowerShell locally](/powershell/azure/install-azure-powershell) to run the cmdlets. Run [Get-Module -ListAvailable Az](/powershell/module/microsoft.powershell.core/get-module) to find the installed version. If you run PowerShell locally, sign in to Azure using the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet.

+## Create a virtual machine

+1. Select **+ Create**.

+1. Enter or select the following values on the **Basics** tab of **Create virtual network**:

+ | Region | Select **(US) East US**. |

+1. Enter the following values on the **IP Addresses** tab:

+In this section, you create two virtual machines:

+- **myVM**: to test the communication from.

+- **myNVA**: to use as a network virtual appliance.

+1. Enter or select the following values on the **Basics** tab of **Create a virtual machine**:

+ | Resource group | Select **myResourceGroup**. |

+ | Availability options | Select **No infrastructure redundancy required**. |

+1. On the Networking tab, enter or select the following values:

+1. Select **+ Create** to create a new route table. On the **Create Route table** page, enter, or select the following values:

+This article shows you how to quickly set up JBoss Enterprise Application Platform (EAP) on Azure Red Hat OpenShift using the Azure portal.

+This article uses the Azure Marketplace offer for JBoss EAP to accelerate your journey to Azure Red Hat OpenShift. The offer automatically provisions resources including an Azure Red Hat OpenShift cluster with a built-in OpenShift Container Registry (OCR), the JBoss EAP Operator, and optionally a container image including JBoss EAP and your application using Source-to-Image (S2I). To see the offer, visit the [Azure portal](https://aka.ms/eap-aro-portal). If you prefer manual step-by-step guidance for running JBoss EAP on Azure Red Hat OpenShift that doesn't use the automation enabled by the offer, see [Deploy a Java application with Red Hat JBoss Enterprise Application Platform (JBoss EAP) on an Azure Red Hat OpenShift 4 cluster](/azure/developer/java/ee/jboss-eap-on-aro).

+This article shows you how to quickly stand up IBM WebSphere Liberty and Open Liberty on Azure Red Hat OpenShift using the Azure portal.

+This article uses the Azure Marketplace offer for Open/WebSphere Liberty to accelerate your journey to Azure Red Hat OpenShift. The offer automatically provisions several resources including an Azure Red Hat OpenShift cluster with a built-in OpenShift Container Registry (OCR), the Liberty Operators, and optionally a container image including Liberty and your application. To see the offer, visit the [Azure portal](https://aka.ms/liberty-aro). If you prefer manual step-by-step guidance for running Liberty on Azure Red Hat OpenShift that doesn't utilize the automation enabled by the offer, see [Manually deploy a Java application with Open Liberty/WebSphere Liberty on an Azure Red Hat OpenShift cluster](/azure/developer/java/ee/liberty-on-aro).

+Now that you created the database and Azure Red Hat OpenShift cluster, you can prepare the Azure Red Hat OpenShift cluster to host your WebSphere Liberty application.

+To avoid Azure charges, you should clean up unnecessary resources. When the cluster is no longer needed, use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group, Azure Red Hat OpenShift cluster, Azure SQL Database, and all related resources.

+ Title: Azure Operator Nexus Network Cloud SKUs

+description: SKU options for Azure Operator Nexus Network Cloud

+# Azure Operator Nexus Network Cloud Stock Keeping Units (SKUs)

+Operator Nexus Network Cloud SKUs for Azure Operator Nexus are meticulously designed to streamline the procurement and deployment processes, offering standardized bill of materials (BOM), topologies, wiring, and workflows. Microsoft crafts and prevalidates each SKU in collaboration with OEM vendors, ensuring seamless integration and optimal performance for operators.

+Operator Nexus Network Cloud SKUs offer a comprehensive range of options, allowing operators to tailor their deployments according to their specific requirements. With prevalidated configurations and standardized BOMs, the procurement and deployment processes are streamlined, ensuring efficiency and performance across the board.

+The following table outlines the various configurations of Operator Nexus Network Cloud SKUs, catering to different use-cases and functionalities required by operators.

+| Version | Use-Case | Network Cloud SKU ID | Description | BOM Components |

+||--|--|||

+| 1.7.3 | Multi Rack Near-Edge Aggregation (Agg) Rack | VNearEdge1_Aggregator_x70r3_9 | Aggregation Rack with Pure x70r3 | - Pair of Customer Edge Devices required for SKU.<br> - Two Management switch per rack deployed.<br> - Network packet broker device.<br> - Terminal Server.<br> - Pure storage array.<br> - Cable and optics. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge1_Compute_DellR750_4C2M | Support up to eight Compute Racks where each rack can support four compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to four Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge1_Compute_DellR750_8C2M | Support up to eight Compute Racks where each rack can support eight compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to eight Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge1_Compute_DellR750_12C2M | Support up to eight Compute Racks where each rack can support 12 compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to 12 Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge1_Compute_DellR750_16C2M | Support up to eight Compute Racks where each rack can support 16 compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to 16 Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge2_Compute_DellR650_4C2M | 100G Fabric support up to eight Compute Racks where each rack can support four compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to four Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge2_Compute_DellR650_8C2M | 100G Fabric support up to eight Compute Racks where each rack can support eight compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to eight Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge2_Compute_DellR650_12C2M | 100G Fabric support up to eight Compute Racks where each rack can support 12 compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to 12 Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge2_Compute_DellR650_16C2M | 100G Fabric support up to eight Compute Racks where each rack can support 16 compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to 16 Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEdge4_Compute_DellR760_4C2M | Support up to eight Compute Racks where each rack can support four compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to four Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEdge4_Compute_DellR760_8C2M | Support up to eight Compute Racks where each rack can support eight compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to eight Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEdge4_Compute_DellR760_12C2M | Support up to eight Compute Racks where each rack can support 12 compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to 12 Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEdge4_Compute_DellR760_16C2M | Support up to eight Compute Racks where each rack can support 16 compute servers. | - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Two Management server per compute rack deployed. <br> - Up to 16 Compute servers per compute rack deployed. <br> - Cable and optics. |

+| 2.0.0 | Multi Rack Near-Edge Agg | VNearEdge4_Aggregator_x70r4 | Aggregation Rack with Pure x70r4. | - Pair of Customer Edge Devices required for SKU.<br> - Two Management switch per rack deployed.<br> - Network packet broker device.<br> - Terminal Server.<br> - Pure storage array.<br> - Cable and optics. |

+| 2.0.0 | Multi Rack Near-Edge Agg | VNearEdge4_Aggregator_x70r3 | Aggregation Rack with Pure x70r3. | - Pair of Customer Edge Devices required for SKU.<br> - Two Management switch per rack deployed.<br> - Network packet broker device.<br> - Terminal Server.<br> - Pure storage array.<br> - Cable and optics. |

+| 2.0.0 | Multi Rack Near-Edge Agg | VNearEdge4_Aggregator_x20r4 | Aggregation Rack with Pure x70r4. | - Pair of Customer Edge Devices required for SKU.<br> - Two Management switch per rack deployed.<br> - Network packet broker device.<br> - Terminal Server.<br> - Pure storage array.<br> - Cable and optics. |

+| 2.0.0 | Multi Rack Near-Edge Agg | VNearEdge4_Aggregator_x20r3 | Aggregation Rack with Pure x70r3. | - Pair of Customer Edge Devices required for SKU.<br> - Two Management switch per rack deployed.<br> - Network packet broker device.<br> - Terminal Server.<br> - Pure storage array.<br> - Cable and optics. |

+**Notes:**

+- Bill of materials (BOM) adheres to Nexus Network Cloud specifications.

+- All subscribed customers have the privilege to request BOM details.

+| Japan East | Japan East(Tokyo) | Γ£ô | |

+> | <a name='cognitive-services-data-reader'></a>[Cognitive Services Data Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-data-reader) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c |

+## Cognitive Services Data Reader

+[Learn more](/azure/ai-services/speech-service/role-based-access-control)

+ "roleName": "Cognitive Services Data Reader",

+> | [Microsoft.CognitiveServices](../permissions/ai-machine-learning.md#microsoftcognitiveservices)/accounts/SpeechServices/*/transcriptions/action | |

+ "Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/action",

+ - For more information, see Use Azure CLI to create a Microsoft Entra app and configure it to access Media Services API.

+- As you're installing a Highly Available (HA) SAP system, get the Service Principal identifier (SPN ID) and password to authorize the Azure fence agent (fencing device) against Azure resources. For more information, see Use Azure CLI to create a Microsoft Entra app and configure it to access Media Services API.

+| 1672954 | [Oracle 11g, 12c, 18c, and 19c: Usage of hugepages on Linux](https://launchpad.support.sap.com/#/notes/1672954) |

+| 3399081 | [Oracle Linux 9: SAP Installation and Upgrade](https://launchpad.support.sap.com/#/notes/3399081) |

+7. Azure NetApp Files deployments should use Oracle dNFS which is OracleΓÇÖs own high performance Direct NFS (Network File System) driver solution.

+9. Oracle Home should be located outside of the "root" volume or disk. Use a separate disk or ANF volume. The disk holding the Oracle Home should be 64 Gigabytes in size or larger.

+| Premium SSD v2¹ | Supported | 4K Native or 512e² | ASM Recommended. LVM Supported | No support for ASM on Windows. Change Log File disks from 4K Native to 512e |

+1. Azure Premium SSD v2 doesn't have predefined storage sizes. There's no need to allocate multiple disks within an ASM Disk Group or LVM VG. It's recommended to allocate a single Premium SSD v2 disk with the required size, throughput, and IOPS per ASM Disk Group

+2. 512e is supported on Premium SSD v2 for Windows systems. 512e configurations are't recommended for Linux customers. Migrate to 4K Native using procedure in MOS 512/512e sector size to 4K Native Review (Doc ID 1133713.1)

+5. SAPInst writes to the pfile during installation. If the $ORACLE_HOME/dbs is on a 4K disk, set filesystemio_options=asynch and see the Section "Datafile Support of 4kB Sector Disks" in MOS Supporting 4K Sector Disks (Doc ID 1133713.1)

+6. No support for 4K Native sector size for Log volume on Windows platforms. SSDv2 and Ultra Disk must be changed to 512e via the "Edit Disk" pencil icon in the Azure portal

+6. ASM Allocation Unit size = 4MB (default). Very Large Databases (VLDB) OLAP systems such as SAP BW may benefit from larger ASM Allocation Unit size. Change only after confirming with Oracle support

+Customer has medium to large sized databases where backup and/or restore, or recovery of all databases can't be accomplished in a timely fashion.

+Usually customers are using RMAN, Azure Backup for Oracle and/or disk snapshot techniques in combination.

+Customer has a huge database where backup and/or restore, or recovery of a single database can't be accomplished in a timely fashion.

+Run an Oracle AWR (Automatic Workload Repository) report as the first step when troubleshooting a performance problem. Disk performance metrics are detailed in the AWR report.

+| /oracle/\<SID\>/sapdata1...n | Premium | None | Recommended |

+| /oracle/\<SID\>/oraarch² | Premium | None | Not needed |

+2. oraarch: LVM is optional

+| /oracle/\<SID\>/sapdata1...n | Premium | None | Recommended |

+| /oracle/\<SID\>/oraarch² | Premium | None | Not needed |

+2. oraarch: LVM is optional

+### Current recommendations for Oracle Storage

+1. Azure Premium Storage ΓÇô Most customers are deploying on ASM with Premium Storage

+2. Azure NetApp Files - VLDB customers, often with single Oracle databases larger than 50TB are typically using ANF and using Storage Snapshot capabilities of Azure NetApp Files for Backup and Restore

+4. Azure Write Accelerator - used for the case that the Oracle redo log is based on Premium SSD v1 disks

+5. Online disk extension is fully supported for Premium Storage v1 and works with ASM

+- [<u>Azure Backup service</u>](../../backup/backup-overview.md) is also supporting Oracle backups as described in the article [<u>Back up and recover an Oracle Database on an Azure Linux VM using Azure Backup</u>](/azure/virtual-machines/workloads/oracle/oracle-database-backup-azure-backup).

+| G:\oracle\\\<SID\>\sapdata1...n | Premium | None | Recommended |

+| H:\oracle\\\<SID\>\oraarch² | Premium | None | Not needed |

+2. oraarch: Windows Storage Spaces is optional

+| I:\oracle\\\<SID\>\sapdata1...n | Premium | None | Recommended |

+| J:\oracle\\\<SID\>\oraarch² | Premium | None | Not needed |

+2. oraarch: Windows Storage Spaces is optional

+- October 28, 2024: Added information on RedHat support and the configuration of Azure fence agents for VMs in the Azure Government cloud to the document [Set up Pacemaker on Red Hat Enterprise Linux in Azure](./high-availability-guide-rhel-pacemaker.md).

+- October 25, 2024: Adding documentation link to [SQL Server Azure Virtual Machines DBMS deployment for SAP NetWeaver](./dbms-guide-sqlserver.md) that describes how to disable SMT to be able to use some Mv3 SKUs where SQL Server would have a problem with too large NUMA nodes.

+- October 16, 2024: Included ordering constraints in [High availability of SAP HANA scale-up with Azure NetApp Files on RHEL](./sap-hana-high-availability-netapp-files-red-hat.md) to ensure SAP resources on a node stop before any of the NFS mounts.

+ > When using Azure government cloud, you must specify `cloud=` option when configuring fence agent. For example, `cloud=usgov` for the Azure US government cloud. For details on RedHat support on Azure government cloud, see [Support Policies for RHEL High Availability Clusters - Microsoft Azure Virtual Machines as Cluster Members](https://access.redhat.com/articles/3131341).

+ > [!TIP]

+ > The option `pcmk_host_map` is *only* required in the command if the RHEL hostnames and the Azure VM names are *not* identical. Specify the mapping in the format **hostname:vm-name**. For more information, see [What format should I use to specify node mappings to fencing devices in pcmk_host_map?](https://access.redhat.com/solutions/2619961).

+- Changes made to your user profiles, groups, and roles in Microsoft Entra ID are updated in the **IdentityInfo** table within 15-30 minutes.

+ | General purpose workloads | D-series V4 </br> D-series V5 </br> D-series V6 | **[Dv4 and Dsv4-series](/azure/virtual-machines/dv4-dsv4-series)** </br> **[Ddv4 and Ddsv4-series](/azure/virtual-machines/ddv4-ddsv4-series)** </br> **[Dav4 and Dasv4-series](/azure/virtual-machines/dav4-dasv4-series)** </br> **[Dv5 and Dsv5-series](/azure/virtual-machines/dv5-dsv5-series)** </br> **[Ddv5 and Ddsv5-series](/azure/virtual-machines/ddv5-ddsv5-series)** </br> **[Dlsv5 and Dldsv5-series](/azure/virtual-machines/dlsv5-dldsv5-series)** </br> **[Dasv5 and Dadsv5-series](/azure/virtual-machines/dasv5-dadsv5-series)** </br> **[Dasv6 and Dadsv6-series](/azure/virtual-machines/dasv6-dadsv6-series)** </br> **[Dalsv6 and Daldsv6-series](/azure/virtual-machines/dalsv6-daldsv6-series)** </br> **[Dsv6-series](/azure/virtual-machines/sizes/general-purpose/dsv6-series)** |

+The following list corresponds to the diagram above and describes the packet flow for the inbound connection:

+ * Public IPs must be deployed with Standard SKU. Basic SKU Public IPs aren't supported.

+* In most cases, NVAs must perform source-NAT to the Firewall private IP in addition to destination-NAT to ensure flow symmetry. Certain NVA types might not require source-NAT. Contact your NVA provider for best practices around source-NAT.

+* **NVA provisioning state not succeeded**: If there are ongoing operations on the NVA or if the provisioning status of the NVA is **not successful**, IP address association fails. Wait for any existing operations to terminate.

+Contoso is a global financial organization with offices in both Europe and Asia. They're planning to move their existing applications from an on-premises data center in to Azure and have built out a foundation design based on the customer-managed hub-and-spoke architecture, including regional hub virtual networks for hybrid connectivity. As part of the move to cloud-based technologies, the network team has been tasked with ensuring that their connectivity is optimized for the business moving forward.

+| Root certificate name | Name used by Azure to identify customer root certificates. | Can be configured to be any name. You can have multiple root certificates. |

+|RADIUS server root certificate | RADIUS server root certificate public data.| This field is optional. Input the string(s) corresponding to the RADIUS root certificate public data. You can input multiple root certificates. All client certificates presented for authentication must be issued from the specified root certificates. For an example for how to get certificate public data, see the step 8 in the following document about [generating certificates](certificates-point-to-site.md).|

+|Group priority|When multiple groups are assigned to a gateway a connecting user might present credentials that match multiple groups. Virtual WAN processes groups assigned to a gateway in increasing order of priority.|Priorities are positive integers and groups with lower numerical priorities are processed first. Every group must have a distinct priority.|

+| Address Pools|Address pools are private IP addresses that connecting users are assigned.|Address pools can be specified as any CIDR block that doesn't overlap with any Virtual Hub address spaces, IP addresses used in Virtual Networks connected to Virtual WAN or addresses advertised from on-premises. Depending on the scale unit specified on the gateway, you might need more than one CIDR block. For more information, see [about address pools](about-client-address-pools.md).|

+|Routing configuration|Every connection to Virtual Hub has a routing configuration, which defines which route table the connection is associated to and which route tables the route table propagates to. |All branch connections to the same hub (ExpressRoute, VPN, NVA) must associate to the defaultRouteTable and propagate to the same set of route tables. Having different propagations for branches connections might result in unexpected routing behaviors, as Virtual WAN will choose the routing configuration for one branch and apply it to all branches and therefore routes learned from on-premises.|

+ * Configuring BGP peering between an on-premises NVA and the virtual hub router isn't supported.

+ * Configuring BGP peering between an Azure Route Server and the virtual hub router isn't supported.

+* BGP peering is only supported with an IP address that is assigned to an interface of the NVA. Peering with loopbacks isn't supported.

+The following connectivity matrix summarizes the flows supported in this scenario:

+Each of the cells in the connectivity matrix describes how a VNet or branch (the "From" side of the flow, the row headers in the table) communicates with a destination VNet or branch (the "To" side of the flow, the column headers in italics in the table). "Direct" means that connectivity is provided natively by Virtual WAN, "Peering" means that connectivity is provided by a User-Defined Route in the VNet, "Over NVA VNet" means that the connectivity traverses the NVA deployed in the NVA VNet. Consider the following items:

+> Please note that for the following routing scenarios, the Virtual WAN hub and Spoke Virtual Network containing the NVA must be in the same Azure Region.

+ If you don't want to connect VNets 1, 2, and 3 to VNet 5 and instead just use the NVA in VNet 4 to route 0.0.0.0/0 traffic from branches (on-premises VPN or ExpressRoute connections), go to the [alternate workflow](#alternate).

+ * Add a route '0.0.0.0/0' with next hop as the VNet 4 connection. '0.0.0.0/0' is added to imply sending traffic to internet. It doesn't imply specific address prefixes pertaining to VNets or branches. In the VNet4 connection, configure a route for '0.0.0.0/0', and indicate the next hop to be the specific IP of the NVA in VNet 4.

+ * **Propagation:** Connections propagate routes to route tables. Selecting VNets 1, 2, and 3 enables propagating routes from VNets 1, 2, and 3 to this route table. Make sure the option for branches (VPN/ER/P2S) is not selected. This ensures that on-premises connections can't get to the VNets 1, 2, and 3 directly.

+ * Add a route '0.0.0.0/0' with next hop as the **VNet 4 connection**. '0.0.0.0/0' is added to imply sending traffic to internet. It doesn't imply specific address prefixes pertaining to VNets or branches. In the prior step for the VNet4 connection, you would already have configured a route for '0.0.0.0/0', with next hop to be the specific IP of the NVA in VNet 4.

+* Virtual network connection doesn't support 'multiple/unique' next hop IP to the 'same' network virtual appliance in a spoke VNet 'if' one of the routes with next hop IP is indicated to be public IP address or 0.0.0.0/0 (internet).

+* When 0.0.0.0/0 is configured as a static route on a virtual network connection, that route is applied to all traffic, including the resources within the spoke itself. This means all traffic will be forwarded to the next hop IP address of the static route (NVA Private IP). Thus, in deployments with a 0.0.0.0/0 route with next hop NVA IP address configured on a spoke virtual network connection, to access workloads in the same virtual network as the NVA directly (i.e. so that traffic doesn't pass through the NVA), specify a /32 route on the spoke virtual network connection. For instance, if you want to access 10.1.3.1 directly, specify 10.1.3.1/32 next hop 10.1.3.1 on the spoke virtual network connection.

+1. Select **Connect circuit(s)**.

+Navigate to the **Connections** page for your ExpressRoute circuit to see each ExpressRoute gateway that your ExpressRoute circuit is connected to. If the gateway is in a different subscription than the circuit, then the **Peer** field will be the circuit authorization key.

+This article helps you view each of the versions of the Azure VPN Client. As new client versions become available, they're added to this article. To view the version number of an installed Azure VPN Client, launch the client and select **Help**. For the list of Azure VPN Client instructions, including how to download the Azure VPN Client, see the table in [VPN Client configuration requirements](point-to-site-about.md#what-are-the-client-configuration-requirements).

+description: Learn how to create a VPN gateway connection between virtual networks.

+This article helps you connect virtual networks by using the VNet-to-VNet connection type using the Azure portal. The virtual networks can be in different regions and from different subscriptions. When you connect virtual networks from different subscriptions, the subscriptions don't need to be associated with the same tenant. This type of configuration creates a connection between two virtual network gateways. This article doesn't apply to VNet peering. For VNet peering, see the [Virtual Network peering](../virtual-network/virtual-network-peering-overview.md) article.

+## About connecting virtual networks

+Configuring a VNet-to-VNet connection is a simple way to connect virtual networks. When you connect a virtual network to another virtual network with a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway to provide a secure tunnel with IPsec/IKE and function the same way when communicating. However, they differ in the way the local network gateway is configured.

+If you're working with a complicated network configuration, you might prefer to connect your virtual networks by using a [Site-to-Site connection](./tutorial-site-to-site-portal.md) instead. When you follow the Site-to-Site IPsec steps, you create and configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site. These steps allow you to specify more address spaces for the local network gateway to route traffic. If the address space for a VNet changes, you must manually update the corresponding local network gateway.

+You can also connect your virtual networks by using VNet peering.

+This article shows you how to connect virtual networks by using the VNet-to-VNet connection type. When you follow these steps as an exercise, you can use the following example settings values. In the example, the virtual networks are in the same subscription, but in different resource groups. If your virtual networks are in different subscriptions, you can't create the connection in the portal. Use [PowerShell](vpn-gateway-vnet-vnet-rm-ps.md) or [CLI](vpn-gateway-howto-vnet-vnet-cli.md) instead. For more information about VNet-to-VNet connections, see [VNet-to-VNet FAQ](#vnet-to-vnet-faq).

+ * **Shared key**: You can create the shared key yourself. When you create the connection between the virtual networks, the values must match. For this exercise, use abc123.

+ * **Shared key**: You can create the shared key yourself. When you create the connection between the virtual networks, the values must match. For this exercise, use abc123.

+After you've configured VNet1, create VNet4 and the VNet4 gateway by repeating the previous steps and replacing the values with VNet4 values. You don't need to wait until the virtual network gateway for VNet1 has finished creating before you configure VNet4. If you're using your own values, make sure the address spaces don't overlap with any of the virtual networks to which you want to connect.

+Virtual networks in the same subscription can be connected using the portal, even if they are in different resource groups. However, if your virtual networks are in different subscriptions, you must use [PowerShell](vpn-gateway-vnet-vnet-rm-ps.md) to make the connections.