-* **Option 2: Using Workday Custom IDs**: Check if the calculated field value can be represented as a Custom ID on the Worker Profile. Use `Maintain Custom ID Type` task in Workday to define a new type and populate values in this custom ID. Make sure the [Workday ISU account used for the integration](../saas-apps/workday-inbound-tutorial.md#configuring-domain-security-policy-permissions) has domain security permission for `Person Data: ID Information`. For example, you can define "External_Payroll_ID" as a custom ID in Workday and retrieved it using the XPATH: `wd:Worker/wd:Worker_Data/wd:Personal_Data/wd:Identification_Data/wd:Custom_ID/wd:Custom_ID_Data[wd:ID_Type_Reference/wd:ID[@wd:type=\"Custom_ID_Type_ID\"]=\"External_Payroll_ID\"]/wd:ID/text()`

-The Azure AD accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-in from one device.

-Azure AD lets you choose which authentication methods can be used during the sign-in process. Users then register for the methods they'd like to use. The **Microsoft Authenticator** authentication method policy manages both the traditional push MFA method, as well as the passwordless authentication method.

-1. Each added group or user is enabled by default to use Microsoft Authenticator in both passwordless and push notification modes ("Any" mode). To change this, for each row:

-## User registration and management of Microsoft Authenticator

-1. Select **Done** to complete Authenticator configuration.

-A user can start to utilize passwordless sign-in after all the following actions are completed:

-In one scenario, a user can have an unanswered passwordless phone sign-in verification that is pending. Yet the user might attempt to sign in again. When this happens, the user might see only the option to enter a password.

-To resolve this scenario, the following steps can be used:

-Then the user can continue to utilize passwordless phone sign-in.

-#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.

-If you haven't already, create your first app by completing the JavaScript SPA quickstart:

-[Quickstart: Single-page application](./quickstart-v2-javascript-auth-code.md)

- Proof Key for Code Exchange, or _PKCE_, is an extension to the authorization code flow to prevent authorization code injection attacks. This IETF standard mitigates the threat of having an authorization code intercepted and enables secure OAuth exchange from public clients as documented in [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636). In addition, it returns **refresh** tokens that provide long-term access to resources on behalf of users without requiring interaction from those users.

-This authentication flow does not include application scenarios that use cross-platform JavaScript frameworks such as Electron and React-Native. They require further capabilities for interaction with the native platforms.

-Azure Active Directory is available as an identity provider option for B2B collaboration by default. If an external guest user has an Azure AD account through work or school, they can redeem your B2B collaboration invitations or complete your sign-up user flows using their Azure AD account.

-Azure Active Directory is available in the list of External Identities identity providers by default. No further configuration is needed to allow guest users to sign in with their Azure AD account using either the invitation flow or a [self-service sign-up user flow](self-service-sign-up-overview.md).

-

-

-

-If you use Azure Active Directory (Azure AD) B2B collaboration to work with external partners, you can invite multiple guest users to your organization at the same time. In this tutorial, you learn how to use PowerShell to send bulk invitations to external users. Specifically, you do the following:

-Make sure that you install the latest version of the Azure AD PowerShell for Graph module (AzureADPreview).

-First, check which modules you have installed. Open Windows PowerShell as an elevated user (Run as administrator), and run the following command:

-

-You should see the users that you invited listed, with a user principal name (UPN) in the format *emailaddress*#EXT#\@*domain*. For example, *lstokes_fabrikam.com#EXT#\@contoso.onmicrosoft.com*, where contoso.onmicrosoft.com is the organization from which you sent the invitations.

-In this tutorial, you sent bulk invitations to guest users outside of your organization. Next, learn how the invitation redemption process works.

-> [!div class="nextstepaction"]

-> [Learn about the Azure AD B2B collaboration invitation redemption process](redemption-experience.md)

-Connect-MgGraph

-In this article, you'll learn how to integrate Adstream with Azure Active Directory (Azure AD). Adstream provides the safest and easiest to use business solution for sending and receiving files. When you integrate Adstream with Azure AD, you can:

-1. If you want to setup ArcGIS Online manually, open a new web browser window and log into your ArcGIS company site as an administrator and perform the following steps:

-1. Log in to your Citrix Cloud SAML SSO company site as an administrator.

-1. Log in to your embed signage company site as an administrator.

-

- > For more information on how to configure TMWS with Azure AD, see [Configuring Azure AD Settings on TMWS](https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/directory-services/azure-active-directo/configuring-azure-ad.aspx).

-| [Azure Virtual Machine Scale Sets](../virtual-machine-scale-sets/overview.md) | [virtual-machine-scale-sets](/answers/topics/azure-virtual-machine-scale-sets.html)|

-Learn more about [Azure Kubernetes Service](./index.yml)

-* For your more complex applications, you can configure ingress traffic for SSL/TLS termination or routing of multiple components.

-* For security reasons, you can restrict the flow of network traffic into or between pods and nodes.

-* More complex routing of application traffic can also be achieved with *Ingress Controllers*.

-* Security and filtering of the network traffic for pods is possible with Kubernetes *network policies*.

-The Azure platform also simplifies virtual networking for AKS clusters. When you create a Kubernetes load balancer, you also create and configure the underlying Azure load balancer resource. As you open network ports to pods, the corresponding Azure network security group rules are configured. For HTTP application routing, Azure can also configure *external DNS* as new ingress routes are configured.

- Creates an internal IP address for use within the AKS cluster. Good for internal-only applications that support other workloads within the cluster.

- ![Diagram showing Cluster IP traffic flow in an AKS cluster][aks-clusterip]

- Creates a port mapping on the underlying node that allows the application to be accessed directly with the node IP address and port.

- Creates an Azure load balancer resource, configures an external IP address, and connects the requested pods to the load balancer backend pool. To allow customers' traffic to reach the application, load balancing rules are created on the desired ports.

-In AKS, you can deploy a cluster that uses one of the following two network models:

-

-1. Nodes receive an IP address from the Azure virtual network subnet.

-1. Pods receive an IP address from a logically different address space than the nodes' Azure virtual network subnet.

-1. Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network.

-Nodes use the [kubenet][kubenet] Kubernetes plugin. You can:

-* Let the Azure platform create and configure the virtual networks for you, or

-* Choose to deploy your AKS cluster into an existing virtual network subnet.

-Remember, only the nodes receive a routable IP address. The pods use NAT to communicate with other resources outside the AKS cluster. This approach reduces the number of IP addresses you need to reserve in your network space for pods to use.

-With Azure CNI, every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be planned in advance and unique across your network space. Each node has a configuration parameter for the maximum number of pods it supports. The equivalent number of IP addresses per node are then reserved up front. Without planning, this approach can lead to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow.

- * Conserves IP address space.

- * Uses Kubernetes internal or external load balancer to reach pods from outside of the cluster.

- * You manually manage and maintain user-defined routes (UDRs).

- * Maximum of 400 nodes per cluster.

- * Pods get full virtual network connectivity and can be directly reached via their private IP address from connected networks.

- * Requires more IP address space.

-When you create a LoadBalancer-type Service, you also create an underlying Azure load balancer resource. The load balancer is configured to distribute traffic to the pods in your Service on a given port.

-The LoadBalancer only works at layer 4. At layer 4, the Service is unaware of the actual applications, and can't make any more routing considerations.

-*Ingress controllers* work at layer 7, and can use more intelligent rules to distribute application traffic. Ingress controllers typically route HTTP traffic to different applications based on the inbound URL.

-### Create an ingress resource

-In AKS, you can create an Ingress resource using NGINX, a similar tool, or the AKS HTTP application routing feature. When you enable HTTP application routing for an AKS cluster, the Azure platform creates the Ingress controller and an *External-DNS* controller. As new Ingress resources are created in Kubernetes, the required DNS A records are created in a cluster-specific DNS zone.

-With the Application Gateway Ingress Controller (AGIC) add-on, AKS customers leverage Azure's native Application Gateway level 7 load-balancer to expose cloud software to the Internet. AGIC monitors the host Kubernetes cluster and continuously updates an Application Gateway, exposing selected services to the Internet.

-SSL/TLS termination is another common feature of Ingress. On large web applications accessed via HTTPS, the Ingress resource handles the TLS termination rather than within the application itself. To provide automatic TLS certification generation and configuration, you can configure the Ingress resource to use providers such as "Let's Encrypt".

-For more information on configuring an NGINX Ingress controller with Let's Encrypt, see [Ingress and TLS][aks-ingress-tls].

-Configure your ingress controller to preserve the client source IP on requests to containers in your AKS cluster. When your ingress controller routes a client's request to a container in your AKS cluster, the original source IP of that request is unavailable to the target container. When you enable *client source IP preservation*, the source IP for the client is available in the request header under *X-Forwarded-For*.

-AKS clusters are deployed on a virtual network and have outbound dependencies on services outside of that virtual network. These outbound dependencies are almost entirely defined with fully qualified domain names (FQDNs). By default, AKS clusters have unrestricted outbound (egress) internet access. This allows the nodes and services you run to access external resources as needed. If desired, you can restrict outbound traffic.

-A network security group filters traffic for VMs like the AKS nodes. As you create Services, such as a LoadBalancer, the Azure platform automatically configures any necessary network security group rules.

-You don't need to manually configure network security group rules to filter traffic for pods in an AKS cluster. Simply define any required ports and forwarding as part of your Kubernetes Service manifests. Let the Azure platform create or update the appropriate rules.

-* Backend applications are only exposed to required frontend services.

-Network policy is a Kubernetes feature available in AKS that lets you control the traffic flow between pods. You allow or deny traffic to the pod based on settings such as assigned labels, namespace, or traffic port. While network security groups are better for AKS nodes, network policies are a more suited, cloud-native way to control the flow of traffic for pods. As pods are dynamically created in an AKS cluster, required network policies can be automatically applied.

-1. Uninstall the Dapr namespace:

-dapr uninstall -k ΓÇô-all

-1. Uninstall CRDs:

-1. Uninstall the Dapr namespace:

-```azure-cli-interactive

-```azure-cli-interactive

-```azure-cli-interactive

-```azure-cli-interactive

-```azure-cli-interactive

-```azure-cli-interactive

-```azure-cli-interactive

-> [!NOTE]

-> High availability (HA) can be enabled at any time. However, once enabled, disabling it requires deletion and recreation of the extension. If you aren't sure if high availability is necessary for your use case, we recommend starting with it disabled to minimize disruption.

-## Set the outbound proxy for Dapr extension for Azure Arc on-prem

-```azure-cli-interactive

-az k8s-extension delete --resource-group myResourceGroup --cluster-name myAKSCluster --cluster-type managedClusters --name myDaprExtension

-[supported-cloud-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc

-| [Private endpoints](private-endpoint.md) | ✔️ | ✔️ | ❌ |

-Deploying the API Management gateway on an Azure Arc-enabled Kubernetes cluster expands API Management support for hybrid and multi-cloud environments. Enable the deployment using a cluster extension to make managing and applying policies to your Azure Arc-enabled cluster a consistent experience.

-* [Connect your Kubernetes cluster](../azure-arc/kubernetes/quickstart-connect-cluster.md) within [a supported Azure Arc region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc).

-> Linux is currently the recommended option for running Python apps in App Service. For information on the Windows option, see [Python on the Windows flavor of App Service](/visualstudio/python/managing-python-on-azure-app-service).

- 1. Your *requirements.txt* file must be at the root of your repository for App Service to automatically install the necessary packages.

-1. **Database**: If your app depends on a database, create the necessary resources on Azure as well.

-1. **App service resources**: Create a resource group, App Service Plan, and App Service web app to host your application. You can do it easily by running the Azure CLI command [`az webapp up`](/cli/azure/webapp?az-webapp-up). Or, you can create and deploy resources as shown in [Tutorial: Deploy a Django web app with PostgreSQL](tutorial-python-postgresql-app.md). Replace the names of the resource group, App Service Plan, and the web app to be more suitable for your application.

-1. **Continuous deployment**: Set up continuous deployment, as described on [Continuous deployment to Azure App Service](deploy-continuous-deployment.md) if using Azure Pipelines or Kudu deployment, or [Deploy to App Service using GitHub Actions](./deploy-continuous-deployment.md) if using GitHub actions.

-For a production environment like Azure App Service, Django apps should follow Django's [Deployment checklist](https://docs.djangoproject.com/en/3.1/howto/deployment/checklist/) (djangoproject.com).

-| `DATABASES` | Define settings in App Service for the database connection and load them as environment variables to populate the [`DATABASES`](https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-DATABASES) dictionary. You can alternately store the values (especially the username and password) as [Azure Key Vault secrets](../key-vault/secrets/quick-create-python.md). |

-If your Django web app includes static front-end files, first follow the instructions on [Managing static files](https://docs.djangoproject.com/en/3.1/howto/static-files/) in the Django documentation.

-If your Flask web app includes static front-end files, first follow the instructions on [managing static files](https://flask.palletsprojects.com/en/2.1.x/tutorial/static/) in the Flask documentation. For an example of serving static files in a Flask application, see the [quickstart sample Flask application](https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart) on GitHub.

-[](#app-doesnt-appear)

-App Service ignores any errors that occur when processing a custom startup command or file, then continues its startup process by looking for Django and Flask apps. If you don't see the behavior you expect, check that your startup command or file is error-free and that a startup command file is deployed to App Service along with your app code. You can also check the [Diagnostic logs](#access-diagnostic-logs) for more information. Also check the app's **Diagnose and solve problems** page on the [Azure portal](https://portal.azure.com).

-Popular web frameworks let you access the `X-Forwarded-*` information in your standard app pattern. In [CodeIgniter](https://codeigniter.com/), the [is_https()](https://github.com/bcit-ci/CodeIgniter/blob/master/system/core/Common.php#L338-L365) checks the value of `X_FORWARDED_PROTO` by default.

-1. On the Azure portal for your web app, select **Deployment** > **Deployment Center (Preview)** on the left menu.

-1. On the Azure portal for your web app, select **Diagnose and solve problems** from the left menu.

-1. Select **Availability and performance**.

-1. Examine the information in the **Application Logs**, **Container crash**, and **Container Issues** options, where the most common issues will appear.

- - Be sure you're using App Service for Linux rather than a Windows-based instance. From the Azure CLI, run the command `az webapp show --resource-group <resource-group-name> --name <app-name> --query kind`, replacing `<resource-group-name>` and `<app-name>` accordingly. You should see `app,linux` as output; otherwise, recreate the App Service and choose Linux.

-If you see an error like `ModuleNotFoundError: No module named 'example'`, this means that Python couldn't find one or more of your modules when the application started. This most often occurs if you deploy your virtual environment with your code. Virtual environments aren't portable, so a virtual environment shouldn't be deployed with your application code. Instead, let Oryx create a virtual environment and install your packages on the web app by creating an app setting, `SCM_DO_BUILD_DURING_DEPLOYMENT`, and setting it to `1`. This will force Oryx to install your packages whenever you deploy to App Service. For more information, please see [this article on virtual environment portability](https://azure.github.io/AppService/2020/12/11/cicd-for-python-apps.html).

-When attempting to run database migrations with a Django app, you may see "sqlite3. OperationalError: database is locked." The error indicates that your application is using a SQLite database for which Django is configured by default, rather than using a cloud database such as PostgreSQL for Azure.

-| Australia Central | | | ✅ |

-| Australia Central 2 | | | ✅ |

-| Germany North | | | ✅ |

-| Korea South | | | ✅ |

-| South India | | | ✅ |

-| West India | | | ✅ |

-adobe-target: true

-adobe-target-activity: DocsExpΓÇô386541ΓÇôA/BΓÇôEnhanced-Readability-QuickstartsΓÇô2.19.2021

-adobe-target-experience: Experience B

-adobe-target-content: ./quickstart-html-uiex

-* Existing TCP sessions will fail when new outbound TCP sessions from Azure App Service source port. You can either use a single IP or reconfigure backend pool members to avoid conflicts

-#Customer intent: As an Azure customer, I want to learn how to deploy multiple containers using WordPress into Web App for Containers.

-The Read API analyzes and extracts ext lines, words, their locations, detected languages, and handwritten style if detected.

-### Form Recognizer versioned content

-Form Recognizer documentation has been updated to present a versioned experience. Now, you can choose to view content targeting the v3.0 GA experience or the v2.1 GA experience. The v3.0 experience is the default.

-### Form Recognizer Studio Sample Code

-Sample code for the [Form Recognizer Studio labeling experience](https://github.com/microsoft/Form-Recognizer-Toolkit/tree/main/SampleCode/LabelingUX) is now available on GitHub. Customers can develop and integrate Form Recognizer into their own UX or build their own new UX using the Form Recognizer Studio sample code.

-### Language expansion

-With the latest preview release, Form Recognizer's Read (OCR), Layout, and Custom template models support 134 new languages. These language additions include Greek, Latvian, Serbian, Thai, Ukrainian, and Vietnamese, along with several Latin and Cyrillic languages. Form Recognizer now has a total of 299 supported languages across the most recent GA and new preview versions. Refer to the [supported languages](language-support.md) page to see all supported languages.

-Use the REST API parameter `api-version=2022-06-30-preview` when using the API or the corresponding SDK to support the new languages in your applications.

-### New Prebuilt Contract model

-A new prebuilt that extracts information from contracts such as parties, title, contract ID, execution date and more. the contracts model is currently in preview, request access [here](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUQTRDQUdHMTBWUDRBQ01QUVNWNlNYMVFDViQlQCN0PWcu_).

-### Region expansion for training custom neural models

-Training custom neural models now supported in added regions.

-* East US

-* East US2

-* US Gov Arizona

-### Region expansion for training custom neural models

-Training custom neural models is now supported in six new regions.

-* Australia East

-* Central US

-* East Asia

-* France Central

-* UK South

-* West US2

-For a complete list of regions where training is supported see [custom neural models](concept-custom-neural.md).

-#### Form Recognizer SDK version 4.0.0 GA release

-* **Form Recognizer SDKs version 4.0.0 (.NET/C#, Java, JavaScript) and version 3.2.0 (Python) are generally available and ready for use in production applications!**

-* For more information on Form Recognizer SDKs, see the [**SDK overview**](sdk-overview.md).

-* Update your applications using your programming language's **migration guide** (see below).

-This release includes the following updates:

-## August 2022

-#### Form Recognizer SDK beta August 2022 preview release

-This release includes the following updates:

-### Form Recognizer v3.0 generally available

-**Form Recognizer REST API v3.0 is now generally available and ready for use in production applications!** Update your applications with [**REST API version 2022-08-31**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument).

-#### The August release introduces the following new capabilities and updates:

-##### Form Recognizer Studio updates

-* **Next steps**. Under each model page, the Studio now has a next steps section. Users can quickly reference sample code, troubleshooting guidelines, and pricing information.

-* **Custom models**. The Studio now includes the ability to reorder labels in custom model projects to improve labeling efficiency.

-* **Copy Models** Custom models can be copied across Form Recognizer services from within the Studio. The operation enables the promotion of a trained model to other environments and regions.

-* **Delete documents**. The Studio now supports deleting documents from labeled dataset within custom projects.

-##### Form Recognizer service updates

-* [**prebuilt-read**](concept-read.md). Read OCR model is now also available in Form Recognizer with paragraphs and language detection as the two new features. Form Recognizer Read targets advanced document scenarios aligned with the broader document intelligence capabilities in Form Recognizer.

-* [**prebuilt-layout**](concept-layout.md). The Layout model extracts paragraphs and whether the extracted text is a paragraph, title, section heading, footnote, page header, page footer, or page number.

-* [**prebuilt-invoice**](concept-invoice.md). The TotalVAT and Line/VAT fields will now resolve to the existing fields TotalTax and Line/Tax respectively.

-* [**prebuilt-idDocument**](concept-id-document.md). Data extraction support for US state ID, social security, and green cards. Support for passport visa information.

-* [**prebuilt-receipt**](concept-receipt.md). Expanded locale support for French (fr-FR), Spanish (es-ES), Portuguese (pt-PT), Italian (it-IT) and German (de-DE).

-* [**prebuilt-businessCard**](concept-business-card.md). Address parsing support to extract subfields for address components like address, city, state, country, and zip code.

-## June 2022

-### [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio) June Update

-The June release is the latest update to the Form Recognizer Studio. There are considerable user experience and accessibility improvements addressed in this update:

-* **Code sample for Javascript and C#**. The Studio code tab now adds JavaScript and C# code samples in addition to the existing Python one.

-* **New document upload UI**. Studio now supports uploading a document with drag & drop into the new upload user interface.

-* **New feature for custom projects**. Custom projects now support creating storage account and blobs when configuring the project. In addition, custom project now supports uploading training files directly within the Studio and copying the existing custom model.

-### Form Recognizer v3.0 preview release

-The **2022-06-30-preview** release presents extensive updates across the feature APIs:

-* [**Layout extends structure extraction**](concept-layout.md). Layout now includes added structure elements including sections, section headers, and paragraphs. This update enables finer grain document segmentation scenarios. For a complete list of structure elements identified, _see_ [enhanced structure](concept-layout.md#data-extraction).

-* [**Custom neural model tabular fields support**](concept-custom-neural.md). Custom document models now support tabular fields. Tabular fields by default are also multi page. To learn more about tabular fields in custom neural models, _see_ [tabular fields](concept-custom-neural.md#tabular-fields).

-* [**Custom template model tabular fields support for cross page tables**](concept-custom-template.md). Custom form models now support tabular fields across pages. To learn more about tabular fields in custom template models, _see_ [tabular fields](concept-custom-neural.md#tabular-fields).

-* [**Invoice model output now includes general document key-value pairs**](concept-invoice.md). Where invoices contain required fields beyond the fields included in the prebuilt model, the general document model supplements the output with key-value pairs. _See_ [key value pairs](concept-invoice.md#key-value-pairs).

-* [**Invoice language expansion**](concept-invoice.md). The invoice model includes expanded language support. _See_ [supported languages](concept-invoice.md#supported-languages-and-locales).

-* [**Prebuilt business card**](concept-business-card.md) now includes Japanese language support. _See_ [supported languages](concept-business-card.md#supported-languages-and-locales).

-* [**Prebuilt ID document model**](concept-id-document.md). The ID document model now extracts DateOfIssue, Height, Weight, EyeColor, HairColor, and DocumentDiscriminator from US driver's licenses. _See_ [field extraction](concept-id-document.md).

-* [**Read model now supports common Microsoft Office document types**](concept-read.md). Document types like Word (docx) and PowerPoint (ppt) are now supported with the Read API. See [Microsoft Office and HTML text extraction ](concept-read.md#microsoft-office-and-html-text-extraction).

-#### Form Recognizer SDK beta June 2022 preview release

-This new release includes the following updates:

-## February 2022

-### Form Recognizer v3.0 preview release

- Form Recognizer v3.0 preview release introduces several new features and capabilities and enhances existing one:

-* [**Custom neural model**](concept-custom-neural.md) or custom document model is a new custom model to extract text and selection marks from structured forms, semi-strutured and **unstructured documents**.

-* [**W-2 prebuilt model**](concept-w2.md) is a new prebuilt model to extract fields from W-2 forms for tax reporting and income verification scenarios.

-* [**Read**](concept-read.md) API extracts printed text lines, words, text locations, detected languages, and handwritten text, if detected.

-* [**General document**](concept-general-document.md) pre-trained model is now updated to support selection marks in addition to API text, tables, structure, key-value pairs, and named entities from forms and documents.

-* [**Invoice API**](language-support.md#invoice-model) Invoice prebuilt model expands support to Spanish invoices.

-* [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com) adds new demos for Read, W2, Hotel receipt samples, and support for training the new custom neural models.

-* [**Language Expansion**](language-support.md) Form Recognizer Read, Layout, and Custom Form add support for 42 new languages including Arabic, Hindi, and other languages using Arabic and Devanagari scripts to expand the coverage to 164 languages. Handwritten language support expands to Japanese and Korean.

-Get started with the new [REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument), [Python](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true), or [.NET](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true) SDK for the v3.0 preview API.

-#### Form Recognizer model data extraction

- | **Model** | **Text extraction** |**Key-Value pairs** |**Selection Marks** | **Tables** |**Signatures**|

- | | :: |::| :: | :: |:: |

- |Read | Γ£ô | | | | |

- |General document | Γ£ô | Γ£ô | Γ£ô | Γ£ô | |

- | Layout | Γ£ô | | Γ£ô | Γ£ô | |

- | Invoice | Γ£ô | Γ£ô | Γ£ô | Γ£ô ||

- |Receipt | Γ£ô | Γ£ô | | |Γ£ô|

- | ID document | Γ£ô | Γ£ô | | ||

- | Business card | Γ£ô | Γ£ô | | ||

- | Custom template |Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

- | Custom neural |Γ£ô | Γ£ô | Γ£ô | Γ£ô | |

-#### Form Recognizer SDK beta preview release

-This new release includes the following updates:

-* [Custom Document models and modes](concept-custom.md):

- * [Custom template](concept-custom-template.md) (formerly custom form)

- * [Custom neural](concept-custom-neural.md).

- * [Custom modelΓÇöbuild mode](concept-custom.md#build-mode).

-* [W-2 prebuilt model](concept-w2.md) (prebuilt-tax.us.w2).

-* [Read prebuilt model](concept-read.md) (prebuilt-read).

-* [Invoice prebuilt model (Spanish)](concept-invoice.md#supported-languages-and-locales) (prebuilt-invoice).

-## November 2021

-### Form Recognizer v3.0 preview SDK release update (beta.2)

- The beta.2 version of the Azure Form Recognizer SDKs has been released. This new beta release incorporates bug fixes and minor feature updates.

-### [**C#**](#tab/csharp)

-**Version 4.0.0-beta.2 (2021-11-09)**

-| [**Package (NuGet)**](https://www.nuget.org/packages/Azure.AI.FormRecognizer/4.0.0-beta.2) | [**Changelog**](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/CHANGELOG.md) | [**API reference documentation**](/dotnet/api/azure.ai.formrecognizer?view=azure-dotnet-preview&preserve-view=true)

-#### Bugs Fixed

-The `BuildModelOperation` and `CopyModelOperation` now correctly populate the `PercentCompleted` property, and no longer return a constant value of 0.

-### [**Java**](#tab/java)

- | [**Package (Maven)**](https://mvnrepository.com/artifact/com.azure/azure-ai-formrecognizer/4.0.0-beta.2) | [**Changelog**](https://oss.sonatype.org/service/local/repositories/releases/content/com/azure/azure-ai-formrecognizer/4.0.0-beta.2/azure-ai-formrecognizer-4.0.0-beta.2-changelog.md) | [**API reference documentation**](https://azuresdkdocs.blob.core.windows.net/$web/java/azure-ai-formrecognizer/4.0.0-beta.2/https://docsupdatetracker.net/index.html)

-#### Feature updates

-* The `HttpResponseException` has been updated to use azure-core `ResponseError`.

-* Client validation has been added to check for empty `modelId` passed by the user for `beginAnalyzeDocument` methods.

-#### Breaking changes

-* `DocumentAnalysisException` has been renamed to `DocumentModelOperationException`.

-* `FormRecognizerError` has been renamed to `DocumentModelOperationError`.

-* `InnerError` has been renamed to `DocumentModelOperationInnerError`.

-| [**Package (NPM)**](https://www.npmjs.com/package/@azure/ai-form-recognizer/v/4.0.0-beta.2) | [**Changelog**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/CHANGELOG.md) | [**API reference documentation**](/javascript/api/overview/azure/ai-form-recognizer-readme?view=azure-node-preview&preserve-view=true) |

-#### Feature updates

-* The `words` property has been added to the `DocumentLine` interface.

-* The `createdOn` (date created) and `lastUpdatedOn` (time last modified) properties have been added to the `DocumentAnalysisPollOperationState` and `TrainingPollOperationState` interfaces.

-#### Bugs fixed

-* The handling of long-running operations (analysis and model creation operations) has been improved. Clients will no longer attempt to parse model IDs and will now accept operation-location fields verbatim. Thus, the *unable to parse operationLocation* error is no longer possible.

-#### Breaking changes

-* The `operationId` field for `DocumentAnalysisPollOperationState` has been replaced with the `operationLocation` field that contains the full operation URL not the operation GUID.

-| [**Package (PyPI)**](https://pypi.org/project/azure-ai-formrecognizer/3.2.0b2/) | [**Changelog**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b2/sdk/formrecognizer/azure-ai-formrecognizer/CHANGELOG.md) | [**API reference documentation**](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-ai-formrecognizer/latest/azure.ai.formrecognizer.html)

-#### Feature updates

-* The `get_words()` method has been added to the `DocumentLine` model. *See* our [How to get words contained in a Document line](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2/sample_get_words_on_document_line.py) sample on GitHub.

-#### Breaking changes

-* The `DocumentElement` class has been renamed to `DocumentContentElement`.

-### Form Recognizer v3.0 preview release (beta.1)

-**Version 4.0.0-beta.1 (2021-10-07)**

- Form Recognizer v3.0 preview release introduces several new features and capabilities:

-* [**General document**](concept-general-document.md) model is a new API that uses a pre-trained model to extract text, tables, structure, key-value pairs, and named entities from forms and documents.

-* [**Hotel receipt**](concept-receipt.md) model added to prebuilt receipt processing.

-* [**Expanded fields for ID document**](concept-id-document.md) the ID model supports endorsements, restrictions, and vehicle classification extraction from US driver's licenses.

-* [**Signature field**](concept-custom.md) is a new field type in custom forms to detect the presence of a signature in a form field.

-* [**Language Expansion**](language-support.md) Support for 122 languages (print) and 7 languages (handwritten). Form Recognizer Layout and Custom Form expand [supported languages](language-support.md) to 122 with its latest preview. The preview includes text extraction for print text in 49 new languages including Russian, Bulgarian, and other Cyrillic and more Latin languages. In addition extraction of handwritten text now supports seven languages that include English, and new previews of Chinese Simplified, French, German, Italian, Portuguese, and Spanish.

-* **Tables and text extraction enhancements** Layout now supports extracting single row tables also called key-value tables. Text extraction enhancements include better processing of digital PDFs and Machine Readable Zone (MRZ) text in identity documents, along with general performance.

-* [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com) To simplify use of the service, you can now access the Form Recognizer Studio to test the different prebuilt models or label and train a custom model

-Get started with the new [REST API](https://westus2.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm), [Python](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true), or [.NET](quickstarts/get-started-sdks-rest-api.md?view=form-recog-3.0.0&preserve-view=true) SDK for the v3.0 preview API.

-#### Form Recognizer model data extraction

-### Monitoring menu

-### Charts

-### System-assigned managed identity support

- You can now enable a system-assigned managed identity to grant Form Recognizer limited access to private storage accounts including accounts protected by a Virtual Network (VNet) or firewall or have enabled bring-your-own-storage (BYOS). *See* [Create and use managed identity for your Form Recognizer resource](managed-identity-byos.md) to learn more.

-### Form Recognizer containers v2.1 released in gated preview

-Form Recognizer features are now supported by six feature containersΓÇö**Layout**, **Business Card**,**ID Document**, **Receipt**, **Invoice**, and **Custom**. To use them, you must submit an [online request](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUNlpBU1lFSjJUMFhKNzVHUUVLN1NIOEZETiQlQCN0PWcu), and receive approval.

-*See* [**Install and run Docker containers for Form Recognizer**](containers/form-recognizer-container-install-run.md?branch=main&tabs=layout) and [**Configure Form Recognizer containers**](containers/form-recognizer-container-configuration.md?branch=main)

-### Form Recognizer connector released in preview

- The [**Form Recognizer connector**](/connectors/formrecognizer) integrates with [Azure Logic Apps](../../logic-apps/logic-apps-overview.md), [Microsoft Power Automate](/power-automate/getting-started), and [Microsoft Power Apps](/powerapps/powerapps-overview). The connector supports workflow actions and triggers to extract and analyze document data and structure from custom and prebuilt forms, invoices, receipts, business cards and ID documents.

-### Form Recognizer SDK v3.1.0 patched to v3.1.1 for C#, Java, and Python

-The patch addresses invoices that don't have subline item fields detected such as a `FormField` with `Text` but no `BoundingBox` or `Page` information.

-## May 2021

-### Form Recognizer 2.1 API Generally Available release

-* Form Recognizer 2.1 is generally available. The General Availability release marks the stability of the changes introduced in prior 2.1 preview package versions. This release enables you to detect and extract information and data from the following document types:

-* [Documents](concept-layout.md)

-* [Receipts](./concept-receipt.md)

-* [Business cards](./concept-business-card.md)

-* [Invoices](./concept-invoice.md)

-* [Identity documents](./concept-id-document.md)

-* [Custom forms](concept-custom.md)

-#### Get started

-Go to the [Form Recognizer Sample Tool](https://fott-2-1.azurewebsites.net/) and follow the [quickstart](./quickstarts/try-sample-label-tool.md)

-### Layout adds table headers

-The updated Layout API table feature adds header recognition with column headers that can span multiple rows. Each table cell has an attribute that indicates whether it's part of a header or not. This update can be used to identify which rows make up the table header.

-#### SDK updates

-| [Reference documentation](/dotnet/api/azure.ai.formrecognizer?view=azure-dotnet&preserve-view=true) | [NuGet package version 3.0.1](https://www.nuget.org/packages/Azure.AI.FormRecognizer) |

-#### **Non-breaking changes**

-* **FormRecognizerModelFactory** class now supports updates to **TextAppearance** and **ReadingOrder** and removal of **TextStyle** models. See [Breaking changes](#breaking-changes-may)

-#### **Breaking changes (May)**

-* Client defaults to the latest supported service version, currently v2.1. You can specify version 2.0 in the **FormRecognizerClientOptions** object's **Version** property.

-* **StartRecognizeIdentityDocuments**. Renamed methods and method parameters using **Identity** to replace _ID_ keyword for all related identity documents recognition API functionalities.

-* **FormReadingOrder**. *ReadingOrder* renamed to **FormReadingOrder**.

-* **AsCountryRegion**. *AsCountryCode* renamed to **AsCountryRegion**.

-* **TextAppearance** now includes **StyleName** and **StyleConfidence** properties (formerly part of the **TextStyle** object).

-* **FieldValueType**. Value **Gender** removed from the model.

-* **TextStyle** model removed.

-* **FieldValueGender** type removed.

- | [Reference documentation](/java/api/com.azure.ai.formrecognizer.models?view=azure-java-stable&preserve-view=true)| [Maven artifact package dependency version 3.1.0](https://mvnrepository.com/artifact/com.azure/azure-ai-formrecognizer) |

-#### **Non-breaking changes**

-* **FormRecognizerClientBuilder** and **FormTrainingClientBuilder** . Added **clientOptions** and **getDefaultLogOptions** methods.

-* **FormRecognizerLanguage**. Added more language fields.

-#### **Breaking changes (May)**

-* Client defaults to the latest supported service version, currently v2.1. You can specify version 2.0 in the **FormRecognizerClientBuilder** object's **serviceVersion** method.

-* Removed v2.1-preview.1 and v2.1-preview.2 support.

-* **beginRecognizeIdentityDocuments**. Renamed methods and method parameters using **Identity** to replace `Id` keyword for all related identity documents recognition API functionalities.

-* **FormReadingOrder**. *ReadingOrder* renamed to **FormReadingOrder**, and refactor the class to be expandable string class.

-* **asCountryRegion**. *asCountry* renamed to **asCountryRegion** method.

-* **FieldValueType**. Field value *COUNTRY* renamed to **COUNTRY_REGION**.

-* **TextAppearance** class now includes **styleName** and **styleConfidence** properties (formerly part of the **TextStyle** object).

-* **FieldValueType**. Value *Gender* removed from the model.

-* **TextStyle** model removed.

-* **FieldValueGender** class type removed.

-* **pollInterval**. Removed the pollInterval methods from **RecognizeBusinessCardsOptions**, **RecognizeContentOptions**, **RecognizeCustomFormsOptions**, **RecognizeIdentityDocumentOptions**, **RecognizeInvoicesOptions**, and **RecognizeReceiptsOptions** classes. Polling interval can be updated using the Azure Core [**SyncPoller setPollInterval**](/java/api/com.azure.core.util.polling.syncpoller.setpollinterval?view=azure-java-stable&preserve-view=true) or [**PollerFlux setPollInterval**](/java/api/com.azure.core.util.polling.pollerflux.setpollinterval?view=azure-java-stable&preserve-view=true) methods synchronously or asynchronously, respectively.

-* **FormLine**, **FormPage**, **FormTable**, **FormSelectionMark**, **TextAppearance**, **CustomFormModel**, **CustomFormModelInfo**, **CustomFormModelProperties**, **CustomFormSubmodel**, and **TrainingDocumentInfo** are now immutable model classes.

-| [Reference documentation](/javascript/api/@azure/cognitiveservices-formrecognizer/formrecognizerclient?view=azure-node-latest&preserve-view=true)| [npm package dependency form-recognizer 3.1.0](https://www.npmjs.com/package/@azure/ai-form-recognizer) |

-#### **Non-breaking changes**

-* All REST API calls are migrated to the v2.1 endpoint.

-* **KnownFormLocale** enum added to access possible values of form locales.

-* **beginRecognizeIdDocuments...**. Renamed methods and method parameters using **Identity** to replace `Id` keyword for all related identity documents recognition API functionalities.

-* **FormReadingOrder** and **FormLanguage**. *ReadingOrder* renamed to *FormReadingOrder*. *Language* renamed to **FormLanguage**.

-* **FormCountryRegionField** and **countryRegion**. *FormCountryField* type renamed to **FormCountryRegionField**, and renamed the valueType *country* to **countryRegion**.

-* **TextAppearance** interface now includes **styleName** and **styleConfidence** properties (formerly name and confidence properties in the **TextStyle** interface).

-* **KnownStyleName**, **KnownSelectionMarkState**, and **KnownKeyValueType** enums removed.

-* **FormGenderField** type removed. Any recognized value that was previously produced as a _FormGenderField_ will now be returned as a FormStringField type and the value will remain the same.

-* **TextStyle** type removed.

-#### **Breaking changes (May)**

-**No breaking changes**

-| [Reference documentation](/java/api/com.azure.ai.formrecognizer.models?view=azure-java-stable&preserve-view=true)| [PyPi azure-ai-formrecognizer 3.1.0](https://pypi.org/project/azure-ai-formrecognizer/) |

-#### **Non-breaking changes**

-* **to_dict** and **from_dict** methods added to all of the models.

-#### **Breaking changes (May)**

-* **begin_recognize_identity_documents** and **begin_recognize_identity_documents_from_url**. Renamed methods and method parameters using **Identity** to replace _ID_ keyword.

-* **FieldValueType**. Renamed value type *country* to **countryRegion**. Removed value type *gender*.

-* **TextAppearance**model now includes **style_name** and **style_confidence** properties (formerly name and confidence properties in the **TextStyle** object).

-* **TextStyle** model removed.

-### SDK preview updates for API version 2.1-preview.3

-NuGet package version 3.1.0-beta.4

-#### Breaking changes (April)

-* The client defaults to the latest supported service version, which is currently **2.1-preview.3**.

-* **[StartRecognizeCustomForms](/dotnet/api/azure.ai.formrecognizer.formrecognizerclient.startrecognizecustomforms?view=azure-dotnet-preview&preserve-view=true)** method now throws a `RequestFailedException()` when an invalid file is passed.

-Maven artifact package dependency version 3.1.0-beta.3

-* **Bitmap Image file (.bmp) support for custom forms and training methods in the `FormContentType` enum**:

-* `image/bmp`

-* **New property `Pages` supported by the following classes**:

- The `Pages` property allows you to select individual or a range of pages for multi-page PDF and TIFF documents. For individual pages, enter the page number, for example, `3`. For a range of pages (like page 2 and pages 5-7) enter the page numbers and ranges separated by commas: `2, 5-7`.

-* **Bitmap Image file (.bmp) support for custom forms and training methods in the [FormContentType](/java/api/com.azure.ai.formrecognizer.models.formcontenttype?view=azure-java-preview&preserve-view=true#fields) fields**:

- `image/bmp`

-* **[beginRecognizeContent](/java/api/com.azure.ai.formrecognizer.formrecognizerclient.beginrecognizecontent?preserve-view=true&view=azure-java-preview)**</br>

-**[beginRecognizeContentFromUrl](/java/api/com.azure.ai.formrecognizer.formrecognizerclient.beginrecognizecontentfromurl?view=azure-java-preview&preserve-view=true)**</br>

- The `ReadingOrder` keyword argument is an optional parameter that allows you to specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`.

-npm package version 3.1.0-beta.3

-pip package version 3.1.0b4

-**Form Recognizer v2.1 public preview 3 is now available.** v2.1-preview.3 has been released, including the following features:

- :::image type="content" source="./media/id-canada-passport-example.png" alt-text="passport example" lightbox="./media/id-canada-passport-example.png":::

- :::image type="content" source="./media/table-labeling.png" alt-text="Table labeling" lightbox="./media/table-labeling.png":::

-### New features

-**Form Recognizer v2.1 public preview 2 is now available.** v2.1-preview.2 has been released, including the following features:

-* **New prebuilt invoice model** - The new prebuilt Invoice model enables customers to take invoices in various formats and return structured data to automate the invoice processing. It combines our powerful Optical Character Recognition (OCR) capabilities with invoice understanding deep learning models to extract key information from invoices in English. It extracts key text, tables, and information such as customer, vendor, invoice ID, invoice due date, total, amount due, tax amount, ship to, and bill to.

- > [Learn more about the prebuilt invoice model](./concept-invoice.md)

- :::image type="content" source="./media/invoice-example.jpg" alt-text="invoice example" lightbox="./media/invoice-example.jpg":::

-* **Enhanced table extraction** - Form Recognizer now provides enhanced table extraction, which combines our powerful Optical Character Recognition (OCR) capabilities with a deep learning table extraction model. Form Recognizer can extract data from tables, including complex tables with merged columns, rows, no borders and more.

- :::image type="content" source="./media/tables-example.jpg" alt-text="tables example" lightbox="./media/tables-example.jpg":::

- > [Learn more about Layout extraction](concept-layout.md)

-* **Client library update** - The latest versions of the [client libraries](/azure/applied-ai-services/form-recognizer/how-to-guides/v2-1-sdk-rest-api) for .NET, Python, Java, and JavaScript support the Form Recognizer 2.1 API.

-* **New language supported: Japanese** - The following new languages are now supported: for `AnalyzeLayout` and `AnalyzeCustomForm`: Japanese (`ja`). [Language support](language-support.md)

-* **Text line style indication (handwritten/other) (Latin languages only)** - Form Recognizer now outputs an `appearance` object classifying whether each text line is handwritten style or not, along with a confidence score. This feature is supported only for Latin languages.

-* **Quality improvements** - Extraction improvements including single digit extraction improvements.

-* **New try-it-out feature in the Form Recognizer Sample and Labeling Tool** - Ability to try out prebuilt Invoice, Receipt, and Business Card models and the Layout API using the Form Recognizer Sample Labeling tool. See how your data will be extracted without writing any code.

- [**Try the Form Recognizer Sample Labeling tool**](https://fott-2-1.azurewebsites.net)

- 

-* **Feedback Loop** - When Analyzing files via the Sample Labeling tool you can now also add it to the training set and adjust the labels if necessary and train to improve the model.

-* **Auto Label Documents** - Automatically labels added documents based on previous labeled documents in the project.

-### New features

-**Form Recognizer v2.1 public preview is now available.** V2.1-preview.1 has been released, including the following features:

-* **REST API reference is available** - View the [v2.1-preview.1 reference](https://westcentralus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1-preview-1/operations/AnalyzeBusinessCardAsync)

-* **New languages supported In addition to English**, the following [languages](language-support.md) are now supported: for `Layout` and `Train Custom Model`: English (`en`), Chinese (Simplified) (`zh-Hans`), Dutch (`nl`), French (`fr`), German (`de`), Italian (`it`), Portuguese (`pt`) and Spanish (`es`).

-* **Checkbox / Selection Mark detection** ΓÇô Form Recognizer supports detection and extraction of selection marks such as check boxes and radio buttons. Selection Marks are extracted in `Layout` and you can now also label and train in `Train Custom Model` - _Train with Labels_ to extract key-value pairs for selection marks.

-* **Model Compose** - allows multiple models to be composed and called with a single model ID. When you submit a document to be analyzed with a composed model ID, a classification step is first performed to route it to the correct custom model. Model Compose is available for `Train Custom Model` - _Train with labels_.

-* **Model name** - add a friendly name to your custom models for easier management and tracking.

-* **[New prebuilt model for Business Cards](./concept-business-card.md)** for extracting common fields in English, language business cards.

-* **[New locales for prebuilt Receipts](./concept-receipt.md)** in addition to EN-US, support is now available for EN-AU, EN-CA, EN-GB, EN-IN

-* **Quality improvements** for `Layout`, `Train Custom Model` - _Train without Labels_ and _Train with Labels_.

-**v2.0** includes the following update:

-* The [client libraries](/azure/applied-ai-services/form-recognizer/how-to-guides/v2-1-sdk-rest-api) for NET, Python, Java, and JavaScript have entered General Availability.

-**New samples** are available on GitHub.

-* The [Knowledge Extraction Recipes - Forms Playbook](https://github.com/microsoft/knowledge-extraction-recipes-forms) collects best practices from real Form Recognizer customer engagements and provides usable code samples, checklists, and sample pipelines used in developing these projects.

-* The [Sample Labeling tool](https://github.com/microsoft/OCR-Form-Tools) has been updated to support the new v2.1 functionality. See this [quickstart](label-tool.md) for getting started with the tool.

-* The [Intelligent Kiosk](https://github.com/microsoft/Cognitive-Samples-IntelligentKiosk/blob/master/Documentation/FormRecognizer.md) Form Recognizer sample shows how to integrate `Analyze Receipt` and `Train Custom Model` - _Train without Labels_.

-### New features

-* **v2.0 reference available** - View the [v2.0 API Reference](https://westus2.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2/operations/AnalyzeWithCustomForm) and the updated SDKs for [.NET](/dotnet/api/overview/azure/ai.formrecognizer-readme), [Python](/python/api/overview/azure/), [Java](/java/api/overview/azure/ai-formrecognizer-readme), and [JavaScript](/javascript/api/overview/azure/).

-* **Table enhancements and Extraction enhancements** - includes accuracy improvements and table extractions enhancements, specifically, the capability to learn tables headers and structures in _custom train without labels_.

-* **Currency support** - Detection and extraction of global currency symbols.

-* **Azure Gov** - Form Recognizer is now also available in Azure Gov.

-* **Enhanced security features**:

- * **Bring your own key** - Form Recognizer automatically encrypts your data when persisted to the cloud to protect it and to help you to meet your organizational security and compliance commitments. By default, your subscription uses Microsoft-managed encryption keys. You can now also manage your subscription with your own encryption keys. [Customer-managed keys, also known as bring your own key (BYOK)](./encrypt-data-at-rest.md), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.

- * **Private endpoints** ΓÇô Enables you on a virtual network to [securely access data over a Private Link.](../../private-link/private-link-overview.md)

-## June 2020

-### New features

-## April 2020

-### New features

- * [.NET SDK](/dotnet/api/overview/azure/ai.formrecognizer-readme)

- * [Java SDK](/java/api/overview/azure/ai-formrecognizer-readme)

- * [Python SDK](/python/api/overview/azure/ai-formrecognizer-readme)

- * [JavaScript SDK](/javascript/api/overview/azure/ai-form-recognizer-readme)

- The new SDK supports all the features of the v2.0 REST API for Form Recognizer. You can share your feedback on the SDKs through the [SDK Feedback form](https://aka.ms/FR_SDK_v1_feedback).

- * [Generate a copy authorization](https://westus2.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2/operations/CopyCustomFormModelAuthorization) REST API

- * [Copy a custom model](https://westus2.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2/operations/CopyCustomFormModel) REST API

-### Security improvements

-## March 2020

-### New features

- * `string`

- * default, `no-whitespaces`, `alphanumeric`

- * `number`

- * default, `currency`

- * `date`

- * default, `dmy`, `mdy`, `ymd`

- * `time`

- * `integer`

- See the [Sample Labeling tool](label-tool.md#specify-tag-value-types) guide to learn how to use this feature.

- The following image is an example of how tables are recognized and extracted:

- > [!div class="mx-imgBorder"]

- > 

- The extracted tables are available in the JSON output under `"pageResults"`.

- > Labeling tables isn't supported. If tables are not recognized and extrated automatically, you can only label them as key/value pairs. When labeling tables as key/value pairs, label each cell as a unique value.

-### Extraction enhancements

-This release includes extraction enhancements and accuracy improvements, specifically, the capability to label and extract multiple key/value pairs in the same line of text.

-### Sample Labeling tool is now open-source

-The Form Recognizer Sample Labeling tool is now available as an open-source project. You can integrate it within your solutions and make customer-specific changes to meet your needs.

-For more information about the Form Recognizer Sample Labeling tool, review the documentation available on [GitHub](https://github.com/microsoft/OCR-Form-Tools/blob/master/README.md).

-### TLS 1.2 enforcement

-TLS 1.2 is now enforced for all HTTP requests to this service. For more information, see [Azure Cognitive Services security](../../cognitive-services/security-features.md).

-### New features

-* **Custom model**

- * **Train with labels** You can now train a custom model with manually labeled data. This method results in better-performing models and can produce models that work with complex forms or forms containing values without keys.

- * **Asynchronous API** You can use async API calls to train with and analyze large data sets and files.

- * **TIFF file support** You can now train with and extract data from TIFF documents.

- * **Extraction accuracy improvements**

-* **Prebuilt receipt model**

- * **Tip amounts** You can now extract tip amounts and other handwritten values.

- * **Line item extraction** You can extract line item values from receipts.

- * **Confidence values** You can view the model's confidence for each extracted value.

- * **Extraction accuracy improvements**

-* **Layout extraction** You can now use the Layout API to extract text data and table data from your forms.

-### Custom model API changes

-All of the APIs for training and using custom models have been renamed, and some synchronous methods are now asynchronous. The following are major changes:

-* The process of training a model is now asynchronous. You initiate training through the **/custom/models** API call. This call returns an operation ID, which you can pass into **custom/models/{modelID}** to return the training results.

-* Key/value extraction is now initiated by the **/custom/models/{modelID}/analyze** API call. This call returns an operation ID, which you can pass into **custom/models/{modelID}/analyzeResults/{resultID}** to return the extraction results.

-* Operation IDs for the Train operation are now found in the **Location** header of HTTP responses, not the **Operation-Location** header.

-### Receipt API changes

-The APIs for reading sales receipts have been renamed.

-* Receipt data extraction is now initiated by the **/prebuilt/receipt/analyze** API call. This call returns an operation ID, which you can pass into **/prebuilt/receipt/analyzeResults/{resultID}** to return the extraction results.

-### Output format changes

-The JSON responses for all API calls have new formats. Some keys and values have been added, removed, or renamed. See the quickstarts for examples of the current JSON formats.

-Complete a [quickstart](/azure/applied-ai-services/form-recognizer/how-to-guides/v2-1-sdk-rest-api) to get started writing a forms processing app with Form Recognizer in the development language of your choice.

-## See also

-* [What is Form Recognizer?](./overview.md)

-1. If the following permissions are not assigned for Custom users, jobs might get suspended. Add these permission to the Hybrid Runbook Worker account on the runbook worker machine, instead of adding the account to **Administrators** group because the `Filtered Token` feature of UAC would grant standard user rights to this account when logging-in. For more details, refer to - [Information about UAC on Windows Server](/troubleshoot/windows-server/windows-security/disable-user-account-control#more-information).

-Use your discretion in assigning the elevated permissions corresponding to the following registry keys/folders:

-**Registry path**

-description: In this quickstart, create a Python app with the Azure App Configuration Python provider to centralize storage and management of application settings separate from your code.

-# Quickstart: Create a Python app with the Azure App Configuration Python provider

-description: In this quickstart, create a Python app with the Azure SDK for Python to centralize storage and management of application settings separate from your code.

-#Customer intent: As a Python developer, I want to manage all my app settings in one place.

-# Quickstart: Create a Python app with the Azure SDK for Python

-In this quickstart, you will use the Azure SDK for Python to centralize storage and management of application settings using the [Azure App Configuration client library for Python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration).

-To use Azure App Configuration with the Python provider instead of the SDK, go to [Python provider](./quickstart-python-provider.md). The Python provider enables loading configuration settings from an Azure App Configuration store in a managed way.

-## Create an App Configuration store

-9. Select **Configuration Explorer** > **Create** > **Key-value** to add the following key-value pairs:

-10. Select **Apply**.

-## Setting up the Python app

-1. In this tutorial, you'll create a new directory for the project named *app-configuration-quickstart*.

- mkdir app-configuration-quickstart

-1. Switch to the newly created *app-configuration-quickstart* directory.

- cd app-configuration-quickstart

-1. Create a new file called *app-configuration-quickstart.py* in the *app-configuration-quickstart* directory and add the following code:

- print("Azure App Configuration - Python Quickstart")

- # Quickstart code goes here

-> The code snippets in this quickstart will help you get started with the App Configuration client library for Python. For your application, you should also consider handling exceptions according to your needs. To learn more about exception handling, please refer to our [Python SDK documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration).

-The sample code snippets in this section show you how to perform common operations with the App Configuration client library for Python. Add these code snippets to the `try` block in *app-configuration-quickstart.py* file you created earlier.

-In this quickstart, you created a Python app that uses the Azure App Configuration client library to retrieve a configuration setting created through the Azure portal, add a new setting, retrieve a list of existing settings, lock and unlock a setting, update a setting, and finally delete a setting.

-At this point, your *app-configuration-quickstart.py* file should have the following code:

- print("Azure App Configuration - Python Quickstart")

- # Quickstart code goes here

-In your console window, navigate to the directory containing the *app-configuration-quickstart.py* file and execute the following Python command to run the app:

-python app-configuration-quickstart.py

-Azure App Configuration - Python Quickstart

-In this quickstart, you created a new App Configuration store and learned how to access key-values from a Python app.

-description: Learn how to use availability zone redundancy with Azure Functions for high-availability function applications on Elastic Premium plans.

-# Goal: Introduce availability zone redundancy in Azure Functions Elastic Premium plans to customers and a tutorial on how to get started with Portal and ARM templates

-# Azure Functions support for availability zone redundancy

-Azure function apps in the Premium plan can be deployed into availability zones to help you achieve resiliency and reliability for your business-critical workloads. This architecture is also known as zone redundancy.

-Availability zones support for Azure Functions is available on Premium (Elastic Premium) and Dedicated (App Service) plans. A zone-redundant function app plan automatically balances its instances between availability zones for higher availability. This article focuses on zone redundancy support for Premium plans. For zone redundancy on Dedicated plans, refer [here](../reliability/migrate-app-service.md).

-## Overview

-An [availability zone](../reliability//availability-zones-overview.md) is a high-availability offering that protects your applications and data from datacenter failures. Availability zones are unique physical locations within an Azure region. Each zone comprises one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions. You can build high-availability into your application architecture by co-locating your compute, storage, networking, and data resources within a zone and replicating into other zones.

-A zone redundant function app automatically distributes the instances your app runs on between the availability zones in the region. For apps running in a zone-redundant Premium plan, even as the app scales in and out, the instances the app is running on are still evenly distributed between availability zones.

-Function apps are zonal services, which means that function apps can be deployed using one of the following methods:

-## Availability zone considerations

-All of the available function app instances of function apps configured as zone redundant are enabled and processing events. When a zone goes down, Functions detect lost instances and automatically attempts to find new replacement instances, when needed. [Elastic scale behavior](functions-premium-plan.md#rapid-elastic-scale) still applies. However, in a zone-down scenario there's no guarantee that requests for additional instances can succeed, since back-filling lost instances occurs on a best-effort basis.

-Applications that are deployed in a Premium plan that has availability zones enabled continue to run even when other zones in the same region suffer an outage. However, it's possible that non-runtime behaviors could still be impacted from an outage in other availability zones. These impacted behaviors can include Premium plan scaling, application creation, application configuration, and application publishing. Zone redundancy for Premium plans only guarantees continued uptime for deployed applications.

-When Functions allocates instances to a zone redundant Premium plan, it uses [best effort zone balancing offered by the underlying Azure Virtual Machine Scale Sets](../virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones.md#zone-balancing). A Premium plan is considered _balanced_ when each zone has either the same number of VMs (┬▒ 1 VM) in all of the other zones used by the Premium plan.

-## Requirements

-Availability zone support is a property of the Premium plan. The following are the current requirements/limitations for enabling availability zones:

- - Availability zone support isn't currently available for function apps on [Consumption](consumption-plan.md) plans.

- - The platform will enforce this minimum count behind the scenes if you specify an instance count fewer than three.

-## Regional availability

-Zone-redundant Premium plans can currently be enabled in any of the following regions:

-| Americas | Europe | Middle East | Africa | Asia Pacific |

-||-||--|-|

-| Brazil South | France Central | Qatar Central | | Australia East |

-| Canada Central | Germany West Central | | | Central India |

-| Central US | North Europe | | | China North 3 |

-| East US | Sweden Central | | | East Asia |

-| East US 2 | UK South | | | Japan East |

-| South Central US | West Europe | | | Southeast Asia |

-| West US 2 | | | | |

-| West US 3 | | | | |

-## How to deploy a function app on a zone redundant Premium plan

-There are currently two ways to deploy a zone-redundant Premium plan and function app. You can use either the [Azure portal](https://portal.azure.com) or an ARM template.

-# [Azure portal](#tab/azure-portal)

-1. Open the Azure portal and navigate to the **Create Function App** page. Information on creating a function app in the portal can be found [here](functions-create-function-app-portal.md#create-a-function-app).

-1. In the **Basics** page, fill out the fields for your function app. Pay special attention to the fields in the table below (also highlighted in the screenshot below), which have specific requirements for zone redundancy.

- | Setting | Suggested value | Notes for Zone Redundancy |

- | | - | -- |

- | **Region** | Preferred region | The subscription under which this new function app is created. You must pick a region that is availability zone enabled from the [list above](#requirements). |

- 

-1. In the **Hosting** page, fill out the fields for your function app hosting plan. Pay special attention to the fields in the table below (also highlighted in the screenshot below), which have specific requirements for zone redundancy.

- | Setting | Suggested value | Notes for Zone Redundancy |

- | | - | -- |

- | **Storage Account** | A [zone-redundant storage account](storage-considerations.md#storage-account-requirements) | As mentioned above in the [requirements](#requirements) section, we strongly recommend using a zone-redundant storage account for your zone redundant function app. |

- | **Plan Type** | Functions Premium | This article details how to create a zone redundant app in a Premium plan. Zone redundancy isn't currently available in Consumption plans. Information on zone redundancy on app service plans can be found [in this article](../reliability/migrate-app-service.md). |

- | **Zone Redundancy** | Enabled | This field populates the flag that determines if your app is zone redundant or not. You won't be able to select `Enabled` unless you have chosen a region supporting zone redundancy, as mentioned in step 2. |

- 

-1. For the rest of the function app creation process, create your function app as normal. There are no fields in the rest of the creation process that affect zone redundancy.

-# [ARM template](#tab/arm-template)

-You can use an [ARM template](../azure-resource-manager/templates/quickstart-create-templates-use-visual-studio-code.md) to deploy to a zone-redundant Premium plan. A guide to hosting Functions on Premium plans can be found [here](functions-infrastructure-as-code.md#deploy-on-premium-plan).

-The only properties to be aware of while creating a zone-redundant hosting plan are the new `zoneRedundant` property and the plan's instance count (`capacity`) fields. The `zoneRedundant` property must be set to `true` and the `capacity` property should be set based on the workload requirement, but not less than `3`. Choosing the right capacity varies based on several factors and high availability/fault tolerance strategies. A good rule of thumb is to ensure sufficient instances for the application such that losing one zone of instances leaves sufficient capacity to handle expected load.

-> [!IMPORTANT]

-> Azure Functions apps hosted on an elastic premium, zone-redundant plan must have a minimum [always ready instance](functions-premium-plan.md#always-ready-instances) count of 3. This make sure that a zone-redundant function app always has enough instances to satisfy at least one worker per zone.

-Below is an ARM template snippet for a zone-redundant, Premium plan showing the `zoneRedundant` field and the `capacity` specification.

-```json

-"resources": [

- {

- "type": "Microsoft.Web/serverfarms",

- "apiVersion": "2021-01-15",

- "name": "<YOUR_PLAN_NAME>",

- "location": "<YOUR_REGION_NAME>",

- "sku": {

- "name": "EP1",

- "tier": "ElasticPremium",

- "size": "EP1",

- "family": "EP",

- "capacity": 3

- },

- "kind": "elastic",

- "properties": {

- "perSiteScaling": false,

- "elasticScaleEnabled": true,

- "maximumElasticWorkerCount": 20,

- "isSpot": false,

- "reserved": false,

- "isXenon": false,

- "hyperV": false,

- "targetWorkerCount": 0,

- "targetWorkerSizeId": 0,

- "zoneRedundant": true

- }

- }

-]

-```

-To learn more about these templates, see [Automate resource deployment in Azure Functions](functions-infrastructure-as-code.md).

-After the zone-redundant plan is created and deployed, any function app hosted on your new plan is considered zone-redundant.

-## Migrate your function app to a zone-redundant plan

-For information on how to migrate the public multi-tenant Premium plan from non-availability zone to availability zone support, see [Migrate App Service to availability zone support](../reliability/migrate-functions.md).

-## Pricing

-There's no additional cost associated with enabling availability zones. Pricing for a zone redundant Premium plan is the same as a single zone Premium plan. You'll be charged based on your Premium plan SKU, the capacity you specify, and any instances you scale to based on your autoscale criteria. If you enable availability zones but specify a capacity less than three, the platform will enforce a minimum instance count of three and charge you for those three instances.

-## Next steps

-The Functions runtime uses an Azure Storage account internally. For all trigger types other than HTTP and webhooks, set the `Values.AzureWebJobsStorage` key to a valid Azure Storage account connection string. Your function app can also use the [Azurite emulator](/storage/common/storage-use-azurite.md) for the `AzureWebJobsStorage` connection setting that's required by the project. To use the emulator, set the value of `AzureWebJobsStorage` to `UseDevelopmentStorage=true`. Change this setting to an actual storage account connection string before deployment. For more information, see [Local storage emulator](functions-develop-local.md#local-storage-emulator).

-Azure Functions run in a function app in a specific region. There's no built-in redundancy available. To avoid loss of execution during outages, you can redundantly deploy the same functions to function apps in multiple regions.

-|**Active/passive** | Functions run actively in region receiving events, while the same functions in a second region remains idle. When failover is required, the second region is activated and takes over processing. We recommend this pattern for your event-driven, non-HTTP triggered functions, such as Service Bus and Event Hub triggered functions.

-The active/active pattern is the best deployment model for HTTP trigger functions. In this case, you need to use [Azure Front Door](../frontdoor/front-door-overview.md) to coordinate requests between both regions. Azure Front Door can route and round-robin HTTP requests between functions running in multiple regions.It also periodically checks the health of each endpoint. When a function in one region stops responding to health checks, Azure Front Door takes it out of rotation and only forwards traffic to the remaining healthy functions.

-Redundancy for functions that consume events from other services requires a different pattern, which work with the failover pattern of the related services.

-Active/passive provides a way for only a single function to process each message, but provides a mechanism to fail over to a secondary region in case of a disaster. Function apps work with the failover behaviors of the partner services, such as [Azure Service Bus geo-recovery](../service-bus-messaging/service-bus-geo-dr.md) and [Azure Event Hubs geo-recovery](../event-hubs/event-hubs-geo-dr.md). The secondary function app is considered _passive_ because the failover service to which it's connected isn't currently active, so the function app is essentially _idle_.

-* Azure Event Hub deployed to both a primary and secondary region.

-* [Geo-disaster enabled](../service-bus-messaging/service-bus-geo-dr.md) to pair the primary and secondary Event Hub. This also creates an _alias_ you can use to connect to event hubs and switch from primary to secondary without changing the connection info.

-Before failover, publishers sending to the shared alias route to the primary event hub. The primary function app is listening exclusively to the primary event hub. The secondary function app is passive and idle. As soon as failover is initiated, publishers sending to the shared alias are routed to the secondary event hub. The secondary function app now become active and start triggering automatically. Effective failover to a secondary region can be driven entirely from the event hub, with the functions becoming active only when the respective event hub is active.

-You can still achieve active/active deployments for non-HTTP triggered functions. However, you need to consider how the two active regions interact or coordinate with one another. When you deploy the same function app to two regions with each triggering on the same Service Bus queue, they would act as competing consumers on de-queueing that queue. While this means each message is only being processed by either one of the instances, it also means there is still a single point of failure on the single Service Bus instance.

-You could instead deploy two Service Bus queues, with one in a primary region, one in a secondary region. In this case, you could have two function apps, with each pointed to the Service Bus queue active in their region. The challenge with this topology is how the queue messages are distributed between the two regions. Often, this means that each publisher attempts to publish a message to *both* regions, and each message is processed by both active function apps. While this creates the desired active/active pattern, it also creates other challenges around duplication of compute and when or how data is consolidated. Because of these challenges, we recommend use the active/passive pattern for non-HTTPS trigger functions.

- The `extensionBundle` element is required because after version 1.x, bindings are maintained as external packages. For more information, see [Extension bundles](/functions-bindings-register.md#extension-bundles).

- The `AzureWebJobsStorage` setting can be either the Azurite storage emulator or an actual Azure storage account. For more information, see [Local storage emulator](/functions-develop-local.md#local-storage-emulator).

-Starting with version 2.x, you must install the extensions for specific triggers and bindings used by the functions in your app. The only exception for this HTTP and timer triggers, which don't require an extension. For more information, see [Register and install binding extensions](./functions-bindings-register.md).

-> + We've added a plan (**AZ - Availability Zone**) to our Start/Stop VMs v2 solution to enable a high-availability offering. You can now choose between Consumption and Availability Zone plans before you start your deployment. In most cases, the monthly cost of the Availability Zone plan is higher when compared to the Consumption plan.

-[geolocation readme]: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/maps/Azure.Maps.geolocation/README.md

-[NuGet]: https://www.nuget.org/

-[C# geolocation readme]: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/maps/Azure.Maps.geolocation/README.md

-[py route readme]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/maps/azure-maps-routing/README.md

-[py route sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/maps/azure-maps-routing/samples

-1. In your workspace blade, under **General**, select **Quick Start**.

-1. In the **Direct Agent** blade, select **Download Log Analytics gateway**.

-1. In your workspace blade, under **Settings**, select **Advanced settings**.

- * No, you get a message about each issue only once. If the issue persists, it will be updated in the smart detection feed blade.

-Open the Browsers metric blade. The segmented display of browser page load time shows where the time is going.

-> 

-3. In the Add/Edit application setting blade, complete the form as follows and select **OK**.

- :::image type="content" source="media/tutorial-asp-net-core/add-edit-app-setting.png" alt-text="Screenshot of the Add/Edit application setting blade in the Azure portal with the preceding values populated in the Name and Value fields." lightbox="media/tutorial-asp-net-core/add-edit-app-setting.png":::

-Send feedback from the Change Analysis blade:

-The change details blade also shows important information, including who made the change.

- > This `id` can also be found in the *Overview* blade of the Log Analytics workspace through the Azure portal.

-### Onboarding from Azure Monitor blade

-1. In the Azure portal, navigate to the 'Monitor' blade, and select the 'Containers' option under the 'Insights' menu.

-If your cluster is disconnected from Azure for > 48 hours, then Azure Resource Graph won't have information about your cluster. As a result the Insights blade may display incorrect information about your cluster state.

-| Consumption | Viewable only from Log Analytics Workspace | Accessible from both Azure Monitor and AKS/Arc resource blade |

-2. You can use an existing storage account or deploy a new storage account. It's best if the storage account is in the same region as the classic cloud service that you created. In the Azure portal, go to the **Storage accounts** resource blade, and then select **Keys**. Take note of the storage account name and the storage account key. You'll need this information in later steps.

-3. On the **Monitor** blade, select the **Metrics Preview** tab.

-### Configure system identify

-

-2. On the **Health Check** page, review the summary information in one of the focus area blades and then click one to view recommendations for that focus area.

-2. On the **Azure Key Vault** dashboard, review the summary information in one of the blades, and then click one to view detailed information about it in the log search page.

-The following sections describe how you can use the blades shown in the Application Insights dashboard to view and interact with data from your apps.

-Click the **Application Insights** tile to open the **Application Insights** dashboard to see the following blades.

-

-

-The dashboard includes the blades shown in the table. Each blade lists up to 10 items matching that blade's criteria for the specified scope and time range. You can run a log search that returns all records when you click **See all** at the bottom of the blade or when you click the blade header.

-When you click anywhere in the Applications blade, you see the default **Applications** perspective.

-The **Availability** blade shows a different perspective view where you can see web test results and related failed requests.

-When you click anywhere in the **Server Requests** or **Failures** blades, the perspective components change to give you a visualization that related to requests.

-

-When you click anywhere in the **Exceptions** blade, you see a visualization that's tailored to exceptions.

-

-Application Insights Connector blades are designed to enable you to pivot to the selected Application Insights app *when you use the Azure portal*. You can use the solution as a high-level monitoring platform that helps you troubleshoot an app. When you see a potential problem in any of your connected applications, you can either drill into it in Log Analytics search or you can pivot directly to the Application Insights app.

-When deleting a cluster, you're losing access to all data in cluster, ingested from workspaces that are linked to it, or were linked previously. This operation isn't reversible. If you delete your cluster while workspaces are linked, the workspaces get automatically unlinked from the cluster before the delete, and new data to workspaces gets ingested to Log Analytics. If workspace data retention is longer than the period it was linked to the cluster, you can query workspace for the time range before the link to cluster and after the unlink, and the service performs cross-cluster queries seamlessly.

-> - There is a limit of seven clusters per subscription, five active plus two if were deleted in past 14 days.

-> - Cluster's name remain reserved for 14 days after deletion, and can't be used for creating a new cluster. Deleted cluster's name is released and can be reused after 14 days.

-> Queries sent through the Azure Resource Management (ARM) API can't use Azure Monitor Private Links. These queries can only go through if the target resource allows queries from public networks (set through the Network Isolation blade, or [using the CLI](./private-link-configure.md#set-resource-access-flags)).

-> * Log Analytics' Workspace Summary blade (showing the solutions dashboard)

-> * The Workspace Summary blade in the portal (showing the solutions dashboard)

-You can create a query pack using the REST API or from the **Log Analytics query packs** blade in the Azure portal. Currently the **Log Analytics query packs** blade shows up under **Other** category of **All services** page in the Azure portal.

- :::image type="content" source="./media/profiler-overview/profiler-button-inline.png" alt-text="Screenshot of the Profiler button from the Performance blade." lightbox="media/profiler-settings/profiler-button.png":::

-To open the Azure Application Insights Profiler settings pane, select **Performance** from the left menu within your Application Insights page.

- > Using the Security privilege users feature requires that you submit a waitlist request through the Azure NetApp Files SMB Continuous Availability Shares Public Preview waitlist submission page. Wait for an official confirmation email from the Azure NetApp Files team before using this feature.

-Snapshots consume storage capacity. As such, they are not typically kept indefinitely. For data protection, retention, and recoverability, a number of snapshots (created at various points in time) are usually kept online for a certain duration depending on RPO, RTO, and retention SLA requirements. However, older snapshots often do not have to be kept on the storage service and might need to be deleted to free up space. Any snapshot can be deleted (not necessarily in order of creation) by an administrator at any time.

- [Citrix App Layering](https://docs.citrix.com/en-us/citrix-app-layering/4.html) radically reduces the time it takes to manage Windows applications and images. App Layering separates the management of your OS and apps from your infrastructure. You can install each app and OS patch once, update the associated templates, and redeploy your images. You can publish layered images as open standard virtual disks, usable in any environment. App Layering can be used to provide dynamic access application layer virtual disks stored on SMB shared networked storage, including Azure NetApp Files. To enhance App Layering resiliency to events of storage service maintenance, Azure NetApp Files has extended support for [SMB Transparent Failover via SMB Continuous Availability (CA) shares on Azure NetApp Files](azure-netapp-files-create-volumes-smb.md#continuous-availability) for App Layering virtual disks. For more information, see [Azure NetApp Files Azure Virtual Desktop Infrastructure solutions | Citrix](azure-netapp-files-solution-architectures.md#citrix).

-Test-AzMarketplaceTemplate "Path to the unzipped package folder"

- > [!NOTE]

- > This step is required to gracefully terminate the edge module and get all log files in a usable format without dropping any events.

-

- On the IoT Edge device, use the following command after replacing `<avaedge>` with the name of your Video Analyzer edge module:

-

- ```cmd

- sudo iotedge restart <avaedge>

- ```

-As gRPC server implementation differ across languages, there is no standard way of adding logging inside in the server.

-Azure Video Indexer (AVI) [REST API](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video) supports both server-to-server and client-to-server communication. The API enables you to integrate video and audio insights into your application logic. To make the integration easier, we support [Logic Apps](https://azure.microsoft.com/services/logic-apps/) and [Power Automate](https://preview.flow.microsoft.com/connectors/shared_videoindexer-v2/video-indexer-v2/) connectors that are compatible with the Azure Video Indexer API.

-## Set up the first flow - file upload

- 1. Once the Logic App deployment is complete, in the Azure portal, go to the newly created Logic App.

- 1. Under **System assigned**, change the **Status** from **Off** to **On** (the step is important for later on in this tutorial).

- 1. Press **Save** (on the top of the page).

- 1. Select the **Logic app designer** tab, in the pane on the left.

- 1. Pick a **Blank Logic App** flow.

- 1. Search for "blob".

- 1. In the **All** tab, choose the **Azure Blob Storage** component.

- 1. Under **Triggers**, select the **When a blob is added or modified (properties only) (V2)** trigger.

-1. Generate an access token.

- |Key| Value|

- |-|-|

- |Method | **POST**|

- | URI| `https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.VideoIndexer/accounts/{accountName}/generateAccessToken?api-version={API-version}`. |

- | Body|`{ "permissionType": "Contributor", "scope": "Account" }` |

- | Add new parameter | **Authentication** |

- 

-## Create a new logic app of type consumption

- 1. **Generate an access token** we did for the first flow.

-Azure VMware Solution supports the use of custom roles with equal or lesser privileges than the CloudAdmin role. You'll use the CloudAdmin role to create, modify, or delete custom roles with privileges lesser than or equal to their current role.

- >[!NOTE]

-## NSX-T Manager access and identity

-When a private cloud is provisioned using Azure portal, software-defined data center (SDDC) management components like vCenter Server and NSX-T Manager are provisioned for customers.

-Microsoft is responsible for the lifecycle management of NSX-T appliances like NSX-T Managers and NSX-T Data Center Edges. They're responsible for bootstrapping network configuration, like creating the Tier-0 gateway.

-You're responsible for NSX-T Data Center software-defined networking (SDN) configuration, for example:

-You can access NSX-T Manager using the built-in local user "cloudadmin" assigned to a custom role that gives limited privileges to a user to manage NSX-T Data Center. While Microsoft manages the lifecycle of NSX-T Data Center, certain operations aren't allowed by a user. Operations not allowed include editing the configuration of host and edge transport nodes or starting an upgrade. For new users, Azure VMware Solution deploys them with a specific set of permissions needed by that user. The purpose is to provide a clear separation of control between the Azure VMware Solution control plane configuration and Azure VMware Solution private cloud user.

-For new private cloud deployments, NSX-T Data Center access will be provided with a built-in local user cloudadmin assigned to the **cloudadmin** role with a specific set of permissions to use NSX-T Data Center functionality for workloads.

-### NSX-T Data Center cloudadmin user permissions

-> **NSX-T Data Center cloudadmin user** on Azure VMware Solution is not the same as the **cloudadmin user** mentioned in the VMware product documentation.

-You can view the permissions granted to the Azure VMware Solution cloudadmin role on your Azure VMware Solution private cloud NSX-T Data Center.

-## NSX-T Data Center LDAP integration for role based access control (RBAC)

-In an Azure VMware Solution deployment, the NSX-T Data Center can be integrated with external LDAP directory service to add remote directory users or group, and assign them an NSX-T Data Center RBAC role, like on-premises deployment. For more information on how to enable NSX-T Data Center LDAP integration, see the [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html).

-Unlike on-premises deployment, not all pre-defined NSX-T Data Center RBAC roles are supported with Azure VMware solution to keep Azure VMware Solution IaaS control plane config management separate from tenant network and security configuration. Please see the next section, Supported NSX-T Data Center RBAC roles, for more details.

-> NSX-T LDAP Integration supported only with SDDCΓÇÖs with NSX-T Data Center ΓÇ£cloudadminΓÇ¥ user.

- In an Azure VMware Solution deployment, the following NSX-T Data Center predefined RBAC roles are supported with LDAP integration:

- In an Azure VMware Solution deployment, the following NSX-T Data Center predefined RBAC roles are not supported with LDAP integration:

-> The NSX-T Data Center **System** > **Identity Firewall AD** configuration option isn't supported by the NSX custom role. The recommendation is to assign the **Security Operator** role to the user with the custom role to allow managing the Identity Firewall (IDFW) feature for that user.

-> The NSX-T Data Center Traceflow feature isn't supported by NSX-T Data Center custom role. The recommendation is to assign the **Auditor** role to the user along with above custom role to enable Traceflow feature for that user.

-> - This preview version will be retired on **31 March 2023**, and will be replaced by [Simplified node communication pool without public IP addresses](simplified-node-communication-pool-no-public-ip.md). For more details, please refer to [Retirement Migration Guide](batch-pools-without-public-ip-addresses-classic-retirement-migration-guide.md).

- - You must disable private link service and endpoint network policies. This can be done by using Azure CLI:

-1. Specify the remaining required settings, including the **Node size**, **Target dedicated nodes**, and **Target Spot/low-priority nodes**, as well as any desired optional settings.

-1. Optionally select a virtual network and subnet you wish to use. This virtual network must be in the same resource group as the pool you are creating.

-In a pool without public IP addresses, your virtual machines won't be able to access the public internet unless you configure your network setup appropriately, such as by using [virtual network NAT](../virtual-network/nat-gateway/nat-overview.md). Note that NAT only allows outbound access to the internet from the virtual machines in the virtual network. Batch-created compute nodes won't be publicly accessible, since they don't have public IP addresses associated.

-Another way to provide outbound connectivity is to use a user-defined route (UDR). This lets you route traffic to a proxy machine that has public internet access.

-1. Specify the remaining required settings, including the **Node size**, **Target dedicated nodes**, and **Target Spot/low-priority nodes**, and any desired optional settings.

-

-1. Grant the Azure Center for SAP solutions application *Azure SAP Workloads Management* **Storage Blob Data Reader** and **Reader and Data Access** role access to this storage account.

-* At present the VNet injection will only be possible in subscriptions/regions where Azure Container Instances and Azure Relay are available.

-|Go|[Authoring and prediction](https://godoc.org/github.com/Azure/azure-sdk-for-go/services/cognitiveservices/v2.0/luis)|[SDK](https://github.com/Azure/azure-sdk-for-go/tree/master/services/cognitiveservices/v2.0/luis)||

-There's no cost to use custom keyword to generate models, including both Basic and Advanced models. There's also no cost to run models on-device with the Speech SDK.

-**Make Call** - Make Call action can be used to place outbound calls to phone numbers and to other communication users. Use cases include your application placing outbound calls to proactively inform users about an outage or notify about an order update.

-This feature is currently in private preview. Please provide feedback on the API design, capabilities and pricing. Feedback is key for the team to move forward and push the feature into public preview and general availability.

-zone_pivot_groups: acs-csharp-java

-To add a Communication Services user, provide a CommunicationUserIdentifier instead of PhoneNumberIdentifier. Source caller ID isn't mandatory in this case.

-

-> This functionality is in public preview.

-This section shows how to create an alert when you receive an HTTP status code 429, which is received when the requests are rate limited. For examples, you may want to receive an alert when there are 100 or more rate limited requests. This article shows you how to configure an alert for such scenario by using the HTTP status code. You can use the similar steps to configure other types of alerts as well, you just need to choose a different condition based on your requirement.

-Let's look at the hierarchy of resources in the API for MongoDB and the object model that's used to create and access these resources. The API for MongoDB creates resources in the following order:

-> [Create a database in Azure Cosmos DB for MongoDB using Python](how-to-python-manage-databases.md)

-Let's look at the hierarchy of resources in the API for MongoDB and the object model that's used to create and access these resources. The API for MongoDB creates resources in the following order:

-Extract a matching substring for a given regex pattern. The last parameter identifies the match group and is defaulted to 1 if omitted. Use `<regex>`(back quote) to match a string without escaping.

-The current update is Update 2209. This update installs two updates, the device update followed by Kubernetes updates. The associated versions for this update are:

-**To apply 2209 update, your device must be running version 2207.**

- The update listing appears as **Azure Stack Edge Update 2209**.

-6. After the restart is complete, you are taken to the **Sign in** page. To verify that the device software has been updated, in the local web UI, go to **Maintenance** > **Software update**. For the current release, the displayed software version should be **Azure Stack Edge 2205**.

-az devcenter environment delete --dev-center <devcenter-name> --project-name <project-name> -n <name> --user-id "me"

-The vocabulary of an Azure Digital Twins solution is defined using [models](concepts-models.md), which describe the types of entities that exist in your environment. An *ontology* is a set of models for a given domain, like building structures, IoT systems, smart cities, energy grids, web content, and more.

- :::image type="content" source="media/how-to-create-app-registration/client-secret.png" alt-text="Screenshot of the Azure portal showing an Azure AD app registration and a highlight around 'New client secret'." lightbox="media/how-to-create-app-registration/client-secret.png":::

- :::image type="content" source="media/how-to-create-app-registration/add-client-secret.png" alt-text="Screenshot of the Azure portal while adding a client secret.":::

-To access Azure Digital Twins, your function app needs a system-managed identity with permissions to access your Azure Digital Twins instance. You'll set that up in this section, by assigning an access role for the function and configuring the application settings so that it can access your Azure Digital Twins instance.

-You can find these details in the [Azure portal](https://portal.azure.com) after setting up your instance. Log into the portal and search for the name of your instance in the portal search bar.

-Now the event grid, event hub, or Service Bus topic is available as an endpoint in Azure Digital Twins, under the name you chose for the endpoint. You'll typically use that name as the target of an event route, which you'll create [later in this article](#create-an-event-route).

-After successfully running these commands, the event grid, event hub, or Service Bus topic will be available as an endpoint in Azure Digital Twins, under the name you supplied with the `--endpoint-name` argument. You'll typically use that name as the target of an event route, which you'll create [later in this article](#create-an-event-route).

-The value for the parameter is the dead letter SAS URI made up of the storage account name, container name, and SAS token that you gathered in the [previous section](#set-up-storage-resources). This parameter creates the endpoint with key-based authentication. Here is what the parameter looks like:

-After enabling the minimal filter of `true`, endpoints will receive different kinds of events from Azure Digital Twins:

-1. Use the Azure CLI to [get a bearer token](#get-bearer-token) that you will use to make API requests in Postman.

- To get a token to use with the data plane APIs, use the following static value for the token context: `0b07f429-9f4b-4714-9392-cc5e8e80c8b0`. This is the resource ID for the Azure Digital Twins service endpoint.

-3. Copy the value of `accessToken` in the result, and save it to use in the next section. This is your **token value** that you will provide to Postman to authorize your requests.

-* [Azure Digital Twins data plane Swagger](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/digitaltwins/data-plane/Microsoft.DigitalTwins): This repo contains complete Swagger files for the Azure Digital Twins API set, which can be downloaded and imported to Postman as a collection. This will provide a comprehensive set of every API request, but with empty data bodies rather than sample data. Choose this collection if you want to have access to every API call and fill in all the data yourself. You should also use this collection if you need a specific version of the APIs (like one that supports a preview feature).

-The collection currently available for control plane is the [Azure Digital Twins control plane Swagger](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/digitaltwins/data-plane/Microsoft.DigitalTwins). This repo contains the complete Swagger file for the Azure Digital Twins API set, which can be downloaded and imported to Postman as a collection. This will provide a comprehensive set of every API request.

- :::image type="content" source="media/how-to-use-postman-with-digital-twins/swagger-raw.png" alt-text="Screenshot of the data plane digitaltwins.json file in GitHub. There is a highlight around the Raw button." lightbox="media/how-to-use-postman-with-digital-twins/swagger-raw.png":::

-Follow these steps to add a bearer token to the collection for authorization. This is where you'll use the token value you gathered in the [Get bearer token](#get-bearer-token) section in order to use it for all API requests in your collection.

-1. If your collection has additional variables, fill and save those values as well.

-1. To create a collection, select the **New** button in the main postman window.

-1. This will open a tab for filling the details of the new collection. Select the Edit icon next to the collection's default name (**New Collection**) to replace it with your own choice of name.

-Follow these steps to add a bearer token to the collection for authorization. This is where you'll use the token value you gathered in the [Get bearer token](#get-bearer-token) section in order to use it for all API requests in your collection.

-1. In Postman, set the type for the request and enter the request URL, filling in placeholders in the URL as required. This is where you will use your instance's host name from the [Prerequisites section](#prerequisites).

-1. Check that the body shown for the request in the **Body** tab matches the needs described in the reference documentation. For the Query API, a JSON body is required to provide the query text. Here is an example body for this request that queries for all the digital twins in the instance:

-1. Use the following command to create a system-managed identity for the function. The output will display details of the identity that's been created. Take note of the **principalId** field in the output to use in the next step.

-Azure Event Grid is an eventing service for the cloud. Azure Event Hubs is one of the supported event handlers. In this article, you use the Azure CLI to create a custom topic, subscribe to the custom topic, and trigger the event to view the result. You send the events to an event hub.

-Create a resource group with the [az group create](/cli/azure/group#az-group-create) command.

-The following example creates a resource group named *gridResourceGroup* in the *westus2* location.

-## Create a Custom Topic

-An event grid topic provides a user-defined endpoint that you post your events to. The following example creates the custom topic in your resource group. Replace `<your-topic-name>` with a unique name for your custom topic. The custom topic name must be unique because it's represented by a DNS entry.

-```azurecli-interactive

-topicname=<your-topic-name>

-```

-```azurecli-interactive

-az eventgrid topic create --name $topicname -l westus2 -g gridResourceGroup

-```

-## Create event hub

-```azurecli-interactive

-namespace=<unique-namespace-name>

-```

-```azurecli-interactive

-hubname=demohub

-az eventhubs namespace create --name $namespace --resource-group gridResourceGroup

-az eventhubs eventhub create --name $hubname --namespace-name $namespace --resource-group gridResourceGroup

-```

-You subscribe to an event grid topic to tell Event Grid which events you want to track. The following example subscribes to the custom topic you created, and passes the resource ID of the event hub for the endpoint. The endpoint is in the format:

-`/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.EventHub/namespaces/<namespace-name>/eventhubs/<hub-name>`

-The following script gets the resource ID for the event hub, and subscribes to an event grid topic. It sets the endpoint type to `eventhub` and uses the event hub ID for the endpoint.

-To simplify this article, you use sample event data to send to the custom topic. Typically, an application or Azure service would send the event data. CURL is a utility that sends HTTP requests. In this article, use CURL to send the event to the custom topic. The following example sends three events to the event grid topic:

-Navigate to the event hub in the portal, and notice that Event Grid sent those three events to the event hub.

-# Quickstart: Route custom events to Azure Queue storage with Azure CLI and Event Grid

-Azure Event Grid is an eventing service for the cloud. Azure Queue storage is one of the supported event handlers. In this article, you use the Azure CLI to create a custom topic, subscribe to the custom topic, and trigger the event to view the result. You send the events to the Queue storage.

-This article gives you commands for using Azure CLI.

-Create a resource group with the [az group create](/cli/azure/group#az-group-create) command.

-The following example creates a resource group named *gridResourceGroup* in the *westus2* location.

-An event grid topic provides a user-defined endpoint that you post your events to. The following example creates the custom topic in your resource group. Replace `<topic_name>` with a unique name for your custom topic. The event grid topic name must be unique because it's represented by a DNS entry.

-```azurecli-interactive

-az eventgrid topic create --name <topic_name> -l westus2 -g gridResourceGroup

-```

-```azurecli-interactive

-storagename="<unique-storage-name>"

-queuename="eventqueue"

-az storage account create -n $storagename -g gridResourceGroup -l westus2 --sku Standard_LRS

-az storage queue create --name $queuename --account-name $storagename

-```

-You subscribe to a custom topic to tell Event Grid which events you want to track. The following example subscribes to the custom topic you created, and passes the resource ID of the Queue storage for the endpoint. With Azure CLI, you pass the Queue storage ID as the endpoint. The endpoint is in the format:

-`/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.Storage/storageAccounts/<storage-name>/queueservices/default/queues/<queue-name>`

-The following script gets the resource ID of the storage account for the queue. It constructs the ID for the queue storage, and subscribes to an event grid topic. It sets the endpoint type to `storagequeue` and uses the queue ID for the endpoint.

-topicid=$(az eventgrid topic show --name <topic_name> -g gridResourceGroup --query id --output tsv)

- --name <event_subscription_name> \

-Let's trigger an event to see how Event Grid distributes the message to your endpoint. First, let's get the URL and key for the custom topic. Again, use your custom topic name for `<topic_name>`.

-endpoint=$(az eventgrid topic show --name <topic_name> -g gridResourceGroup --query "endpoint" --output tsv)

-key=$(az eventgrid topic key list --name <topic_name> -g gridResourceGroup --query "key1" --output tsv)

-To simplify this article, you use sample event data to send to the custom topic. Typically, an application or Azure service would send the event data. CURL is a utility that sends HTTP requests. In this article, use CURL to send the event to the custom topic. The following example sends three events to the event grid topic:

-

-|Apache Kafka | 2.4.1 | 2.1.1|

-> * If you are creating an Interactive Query Cluster, you will see from the dropdown list an other version as Interactive Query 3.1 (HDI 5.0).

-* Apache Storm

-

- You can seamlessly add or remove data nodes to your Storm cluster while it is running. But after a successful completion of the scaling operation, you will need to rebalance the topology.

-

- Rebalancing can be accomplished in two ways:

-

- * Storm web UI

- * Command-line interface (CLI) tool

-

- Please refer to the [Apache Storm documentation](https://storm.apache.org/documentation/Understanding-the-parallelism-of-a-Storm-topology.html) for more details.

-

- The Storm web UI is available on the HDInsight cluster:

-

- :::image type="content" source="./media/hdinsight-administer-use-powershell/hdinsight-portal-scale-cluster-storm-rebalance.png" alt-text="HDInsight Storm scale rebalance":::

-

- Here is an example how to use the CLI command to rebalance the Storm topology:

-

- ```console

- ## Reconfigure the topology "mytopology" to use 5 worker processes,

- ## the spout "blue-spout" to use 3 executors, and

- ## the bolt "yellow-bolt" to use 10 executors

- $ storm rebalance mytopology -n 5 -e blue-spout=3 -e yellow-bolt=10

- ```

-The following code snippet shows how to resize a cluster synchronously or asynchronously:

-```csharp

-_hdiManagementClient.Clusters.Resize("<Resource Group Name>", "<Cluster Name>", <New Size>);

-_hdiManagementClient.Clusters.ResizeAsync("<Resource Group Name>", "<Cluster Name>", <New Size>);

-```

-## Grant/revoke access

-HDInsight clusters have the following HTTP web services (all of these services have RESTful endpoints):

-* ODBC

-* JDBC

-* Apache Ambari

-* Apache Oozie

-* Apache Templeton

-By default, these services are granted for access. You can revoke/grant the access. To revoke:

-```csharp

-var httpParams = new HttpSettingsParameters

-{

- HttpUserEnabled = false,

- HttpUsername = "admin",

- HttpPassword = "*******",

-};

-_hdiManagementClient.Clusters.ConfigureHttpSettings("<Resource Group Name>, <Cluster Name>, httpParams);

-```

-To grant:

-```csharp

-var httpParams = new HttpSettingsParameters

-{

- HttpUserEnabled = enable,

- HttpUsername = "admin",

- HttpPassword = "*******",

-};

-_hdiManagementClient.Clusters.ConfigureHttpSettings("<Resource Group Name>, <Cluster Name>, httpParams);

-```

-> [!NOTE]

-> By granting/revoking the access, you will reset the cluster user name and password.

-This can also be done via the Portal. See [Manage Apache Hadoop clusters in HDInsight by using the Azure portal](hdinsight-administer-use-portal-linux.md).

-|TYPE|Hadoop, HBase, Storm, Spark.|

-> Deleting a Kafka on HDInsight cluster deletes any data stored in Kafka.

-## Next steps

-In this tutorial, you learned how to use Apache Spark Structured Streaming. To write and read data from Apache Kafka on HDInsight. Use the following link to learn how to use Apache Storm with Kafka.

-> [!div class="nextstepaction"]

-> [Use Apache Storm with Apache Kafka](hdinsight-apache-storm-with-kafka.md)

-* [Use Apache Storm with Apache Kafka on HDInsight](hdinsight-apache-storm-with-kafka.md)

-description: Learn how to create a streaming pipeline using Apache Storm and Apache Kafka on HDInsight. In this tutorial, you use the KafkaBolt and KafkaSpout components to stream data from Kafka.

-#Customer intent: As a developer, I want to learn how to build a streaming pipeline that uses Storm and Kafka to process streaming data.

-# Tutorial: Use Apache Storm with Apache Kafka on HDInsight

-This tutorial demonstrates how to use an [Apache Storm](https://storm.apache.org/) topology to read and write data with [Apache Kafka](https://kafka.apache.org/) on HDInsight. This tutorial also demonstrates how to persist data to the [Apache Hadoop HDFS](https://hadoop.apache.org/docs/r1.2.1/hdfs_design.html) compatible storage on the Storm cluster.

-In this tutorial, you learn how to:

-> [!div class="checklist"]

-> * Storm and Kafka

-> * Understanding the code

-> * Create Kafka and Storm clusters

-> * Build the topology

-> * Configure the topology

-> * Create the Kafka topic

-> * Start the topologies

-> * Stop the topologies

-> * Clean up resources

-## Prerequisites

-* Familiarity with creating Kafka topics. For more information, see the [Kafka on HDInsight quickstart](./kafk) document.

-* [Java JDK 1.8](https://www.oracle.com/technetwork/pt/java/javase/downloads/jdk8-downloads-2133151.html) or higher. HDInsight 3.5 or higher require Java 8.

-* [Maven 3.x](https://maven.apache.org/download.cgi)

-* An SSH client (you need the `ssh` and `scp` commands) - For information, see [Use SSH with HDInsight](hdinsight-hadoop-linux-use-ssh-unix.md).

-The following environment variables may be set when you install Java and the JDK on your development workstation. However, you should check that they exist and that they contain the correct values for your system.

-* `JAVA_HOME` - should point to the directory where the JDK is installed.

-* `PATH` - should contain the following paths:

-

- * `JAVA_HOME` (or the equivalent path).

- * `JAVA_HOME\bin` (or the equivalent path).

- * The directory where Maven is installed.

-> [!IMPORTANT]

-> The steps in this document require an Azure resource group that contains both a Storm on HDInsight and a Kafka on HDInsight cluster. These clusters are both located within an Azure Virtual Network, which allows the Storm cluster to directly communicate with the Kafka cluster.

->

-> For your convenience, this document links to a template that can create all the required Azure resources.

->

-> For more information on using HDInsight in a virtual network, see the [Plan a virtual network for HDInsight](hdinsight-plan-virtual-network-deployment.md) document.

-## Storm and Kafka

-Apache Storm provides the several components for working with Apache Kafka. The following components are used in this tutorial:

-* `org.apache.storm.kafka.KafkaSpout`: This component reads data from Kafka. This component relies on the following components:

- * `org.apache.storm.kafka.SpoutConfig`: Provides configuration for the spout component.

- * `org.apache.storm.spout.SchemeAsMultiScheme` and `org.apache.storm.kafka.StringScheme`: How the data from Kafka is transformed into a Storm tuple.

-* `org.apache.storm.kafka.bolt.KafkaBolt`: This component writes data to Kafka. This component relies on the following components:

- * `org.apache.storm.kafka.bolt.selector.DefaultTopicSelector`: Describes the topic that is written to.

- * `org.apache.kafka.common.serialization.StringSerializer`: Configures the bolt to serialize data as a string value.

- * `org.apache.storm.kafka.bolt.mapper.FieldNameBasedTupleToKafkaMapper`: Maps from the tuple data structure used inside the Storm topology to fields stored in Kafka.

-These components are available in the `org.apache.storm : storm-kafka` package. Use the package version that matches the Storm version. For HDInsight 3.6, the Storm version is 1.1.0.

-You also need the `org.apache.kafka : kafka_2.10` package, which contains additional Kafka components. Use the package version that matches the Kafka version. For HDInsight 3.6, the Kafka version is 1.1.1.

-The following XML is the dependency declaration in the `pom.xml` for an [Apache Maven](https://maven.apache.org/) project:

-```xml

-<!-- Storm components for talking to Kafka -->

-<dependency>

- <groupId>org.apache.storm</groupId>

- <artifactId>storm-kafka</artifactId>

- <version>1.1.0</version>

-</dependency>

-<!-- needs to be the same Kafka version as used on your cluster -->

-<dependency>

- <groupId>org.apache.kafka</groupId>

- <artifactId>kafka_2.10</artifactId>

- <version>1.1.1</version>

- <!-- Exclude components that are loaded from the Storm cluster at runtime -->

- <exclusions>

- <exclusion>

- <groupId>org.apache.zookeeper</groupId>

- <artifactId>zookeeper</artifactId>

- </exclusion>

- <exclusion>

- <groupId>log4j</groupId>

- <artifactId>log4j</artifactId>

- </exclusion>

- <exclusion>

- <groupId>org.slf4j</groupId>

- <artifactId>slf4j-log4j12</artifactId>

- </exclusion>

- </exclusions>

-</dependency>

-```

-## Understanding the code

-The code used in this document is available at [https://github.com/Azure-Samples/hdinsight-storm-java-kafka](https://github.com/Azure-Samples/hdinsight-storm-java-kafka).

-There are two topologies provided with this tutorial:

-* Kafka-writer: Generates random sentences and stores them to Kafka.

-* Kafka-reader: Reads data from Kafka and then stores it to the HDFS compatible file store for the Storm cluster.

- > [!WARNING]

- > To enable the Storm to work with the HDFS compatible storage used by HDInsight, a script action is required. The script installs several jar files to the `extlib` path for Storm. The template in this tutorial automatically uses the script during cluster creation.

- >

- > If you do not use the template in this document to create the Storm cluster, then you must manually apply the script action to your cluster.

- >

- > The script action is located at [https://hdiconfigactions.blob.core.windows.net/linuxstormextlibv01/stormextlib.sh](https://hdiconfigactions.blob.core.windows.net/linuxstormextlibv01/stormextlib.sh) and is applied to the supervisor and nimbus nodes of the Storm cluster. For more information on using script actions, see the [Customize HDInsight using script actions](hdinsight-hadoop-customize-cluster-linux.md) document.

-The topologies are defined using [Flux](https://storm.apache.org/releases/current/flux.html). Flux was introduced in Storm 0.10.x and allows you to separate the topology configuration from the code. For Topologies that use the Flux framework, the topology is defined in a YAML file. The YAML file can be included as part of the topology. It can also be a standalone file used when you submit the topology. Flux also supports variable substitution at run-time, which is used in this example.

-The following parameters are set at run time for these topologies:

-* `${kafka.topic}`: The name of the Kafka topic that the topologies read/write to.

-* `${kafka.broker.hosts}`: The hosts that the Kafka brokers run on. The broker information is used by the KafkaBolt when writing to Kafka.

-* `${kafka.zookeeper.hosts}`: The hosts that Zookeeper runs on in the Kafka cluster.

-* `${hdfs.url}`: The file system URL for the HDFSBolt component. Indicates whether the data is written to an Azure Storage account or Azure Data Lake Storage.

-* `${hdfs.write.dir}`: The directory that data is written to.

-For more information on Flux topologies, see [https://storm.apache.org/releases/current/flux.html](https://storm.apache.org/releases/current/flux.html).

-### Kafka-writer

-In the Kafka-writer topology, the Kafka bolt component takes two string values as parameters. These parameters indicate which tuple fields the bolt sends to Kafka as __key__ and __message__ values. The key is used to partition data in Kafka. The message is the data being stored.

-In this example, the `com.microsoft.example.SentenceSpout` component emits a tuple that contains two fields, `key` and `message`. The Kafka bolt extracts these fields and sends the data in them to Kafka.

-The fields don't have to use the names `key` and `message`. These names are used in this project to make the mapping easier to understand.

-The following YAML is the definition for the Kafka-writer component:

-```yaml

-# kafka-writer

-# topology definition

-# name to be used when submitting

-name: "kafka-writer"

-# Components - constructors, property setters, and builder arguments.

-# Currently, components must be declared in the order they are referenced

-components:

- # Topic selector for KafkaBolt

- - id: "topicSelector"

- className: "org.apache.storm.kafka.bolt.selector.DefaultTopicSelector"

- constructorArgs:

- - "${kafka.topic}"

- # Mapper for KafkaBolt

- - id: "kafkaMapper"

- className: "org.apache.storm.kafka.bolt.mapper.FieldNameBasedTupleToKafkaMapper"

- constructorArgs:

- - "key"

- - "message"

- # Producer properties for KafkaBolt

- - id: "producerProperties"

- className: "java.util.Properties"

- configMethods:

- - name: "put"

- args:

- - "bootstrap.servers"

- - "${kafka.broker.hosts}"

- - name: "put"

- args:

- - "acks"

- - "1"

- - name: "put"

- args:

- - "key.serializer"

- - "org.apache.kafka.common.serialization.StringSerializer"

- - name: "put"

- args:

- - "value.serializer"

- - "org.apache.kafka.common.serialization.StringSerializer"

-

-# Topology configuration

-config:

- topology.workers: 2

-# Spout definitions

-spouts:

- - id: "sentence-spout"

- className: "com.microsoft.example.SentenceSpout"

- parallelism: 8

-# Bolt definitions

-bolts:

- - id: "kafka-bolt"

- className: "org.apache.storm.kafka.bolt.KafkaBolt"

- parallelism: 8

- configMethods:

- - name: "withProducerProperties"

- args: [ref: "producerProperties"]

- - name: "withTopicSelector"

- args: [ref: "topicSelector"]

- - name: "withTupleToKafkaMapper"

- args: [ref: "kafkaMapper"]

-# Stream definitions

-streams:

- - name: "spout --> kafka" # Streams data from the sentence spout to the Kafka bolt

- from: "sentence-spout"

- to: "kafka-bolt"

- grouping:

- type: SHUFFLE

-```

-### Kafka-reader

-In the Kafka-reader topology, the spout component reads data from Kafka as string values. The data is then written the Storm log by the logging component and to the HDFS compatible file system for the Storm cluster by the HDFS bolt component.

-```yaml

-# kafka-reader

-# topology definition

-# name to be used when submitting

-name: "kafka-reader"

-# Components - constructors, property setters, and builder arguments.

-# Currently, components must be declared in the order they are referenced

-components:

- # Convert data from Kafka into string tuples in storm

- - id: "stringScheme"

- className: "org.apache.storm.kafka.StringScheme"

- - id: "stringMultiScheme"

- className: "org.apache.storm.spout.SchemeAsMultiScheme"

- constructorArgs:

- - ref: "stringScheme"

- - id: "zkHosts"

- className: "org.apache.storm.kafka.ZkHosts"

- constructorArgs:

- - "${kafka.zookeeper.hosts}"

- # Spout configuration

- - id: "spoutConfig"

- className: "org.apache.storm.kafka.SpoutConfig"

- constructorArgs:

- # brokerHosts

- - ref: "zkHosts"

- # topic

- - "${kafka.topic}"

- # zkRoot

- - ""

- # id

- - "readerid"

- properties:

- - name: "scheme"

- ref: "stringMultiScheme"

- # How often to sync files to HDFS; every 1000 tuples.

- - id: "syncPolicy"

- className: "org.apache.storm.hdfs.bolt.sync.CountSyncPolicy"

- constructorArgs:

- - 1

- # Rotate files when they hit 5 MB

- - id: "rotationPolicy"

- className: "org.apache.storm.hdfs.bolt.rotation.FileSizeRotationPolicy"

- constructorArgs:

- - 5

- - "KB"

- # File format; read the directory from filters at run time, and use a .txt extension when writing.

- - id: "fileNameFormat"

- className: "org.apache.storm.hdfs.bolt.format.DefaultFileNameFormat"

- configMethods:

- - name: "withPath"

- args: ["${hdfs.write.dir}"]

- - name: "withExtension"

- args: [".txt"]

- # Internal file format; fields delimited by `|`.

- - id: "recordFormat"

- className: "org.apache.storm.hdfs.bolt.format.DelimitedRecordFormat"

- configMethods:

- - name: "withFieldDelimiter"

- args: ["|"]

-# Topology configuration

-config:

- topology.workers: 2

-# Spout definitions

-spouts:

- - id: "kafka-spout"

- className: "org.apache.storm.kafka.KafkaSpout"

- constructorArgs:

- - ref: "spoutConfig"

- # Set to the number of partitions for the topic

- parallelism: 8

-# Bolt definitions

-bolts:

- - id: "logger-bolt"

- className: "com.microsoft.example.LoggerBolt"

- parallelism: 1

-

- - id: "hdfs-bolt"

- className: "org.apache.storm.hdfs.bolt.HdfsBolt"

- configMethods:

- - name: "withConfigKey"

- args: ["hdfs.config"]

- - name: "withFsUrl"

- args: ["${hdfs.url}"]

- - name: "withFileNameFormat"

- args: [ref: "fileNameFormat"]

- - name: "withRecordFormat"

- args: [ref: "recordFormat"]

- - name: "withRotationPolicy"

- args: [ref: "rotationPolicy"]

- - name: "withSyncPolicy"

- args: [ref: "syncPolicy"]

- parallelism: 1

-# Stream definitions

-streams:

- # Stream data to log

- - name: "kafka --> log" # name isn't used (placeholder for logging, UI, etc.)

- from: "kafka-spout"

- to: "logger-bolt"

- grouping:

- type: SHUFFLE

-

- # stream data to file

- - name: "kafka --> hdfs"

- from: "kafka-spout"

- to: "hdfs-bolt"

- grouping:

- type: SHUFFLE

-```

-### Property substitutions

-The project contains a file named `dev.properties` that is used to pass parameters used by the topologies. It defines the following properties:

-| dev.properties file | Description |

-| | |

-| `kafka.zookeeper.hosts` | The [Apache ZooKeeper](https://zookeeper.apache.org/) hosts for the Kafka cluster. |

-| `kafka.broker.hosts` | The Kafka broker hosts (worker nodes). |

-| `kafka.topic` | The Kafka topic that the topologies use. |

-| `hdfs.write.dir` | The directory that the Kafka-reader topology writes to. |

-| `hdfs.url` | The file system used by the Storm cluster. For Azure Storage accounts, use a value of `wasb://`. For Azure Data Lake Storage Gen2, use a value of `abfs://`. For Azure Data Lake Storage Gen1, use a value of `adl://`. |

-## Create the clusters

-Apache Kafka on HDInsight does not provide access to the Kafka brokers over the public internet. Anything that uses Kafka must be in the same Azure virtual network. In this tutorial, both the Kafka and Storm clusters are located in the same Azure virtual network.

-The following diagram shows how communication flows between Storm and Kafka:

-> [!NOTE]

-> Other services on the cluster such as SSH and [Apache Ambari](https://ambari.apache.org/) can be accessed over the internet. For more information on the public ports available with HDInsight, see [Ports and URIs used by HDInsight](hdinsight-hadoop-port-settings-for-services.md).

-To create an Azure Virtual Network, and then create the Kafka and Storm clusters within it, use the following steps:

-1. Use the following button to sign in to Azure and open the template in the Azure portal.

- <a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fhdinsight-storm-java-kafka%2Fmaster%2Fcreate-kafka-storm-clusters-in-vnet.json" target="_blank"><img src="./media/hdinsight-apache-storm-with-kafka/hdi-deploy-to-azure1.png" alt="Deploy to Azure button for new cluster"></a>

- The Azure Resource Manager template is located at **https://github.com/Azure-Samples/hdinsight-storm-java-kafka/blob/master/create-kafka-storm-clusters-in-vnet.json**. It creates the following resources:

- * Azure resource group

- * Azure Virtual Network

- * Azure Storage account

- * Kafka on HDInsight version 3.6 (three worker nodes)

- * Storm on HDInsight version 3.6 (three worker nodes)

- > [!WARNING]

- > To guarantee availability of Kafka on HDInsight, your cluster must contain at least three worker nodes. This template creates a Kafka cluster that contains three worker nodes.

-2. Use the following guidance to populate the entries on the **Custom deployment** section:

- 1. Use the following information to populate the entries on the **Customized template** section:

- | Setting | Value |

- | | |

- | Subscription | Your Azure subscription |

- | Resource group | The resource group that contains the resources. |

- | Location | The Azure region that the resources are created in. |

- | Kafka Cluster Name | The name of the Kafka cluster. |

- | Storm Cluster Name | The name of the Storm cluster. |

- | Cluster Login User Name | The admin user name for the clusters. |

- | Cluster Login Password | The admin user password for the clusters. |

- | SSH User Name | The SSH user to create for the clusters. |

- | SSH Password | The password for the SSH user. |

-

- :::image type="content" source="./media/hdinsight-apache-storm-with-kafka/storm-kafka-template.png" alt-text="Picture of the template parameters":::

-3. Read the **Terms and Conditions**, and then select **I agree to the terms and conditions stated above**.

-4. Finally, check **Pin to dashboard** and then select **Purchase**.

-> [!NOTE]

-> It can take up to 20 minutes to create the clusters.

-## Build the topology

-1. On your development environment, download the project from [https://github.com/Azure-Samples/hdinsight-storm-java-kafka](https://github.com/Azure-Samples/hdinsight-storm-java-kafka), open a command-line, and change directories to the location that you downloaded the project.

-2. From the **hdinsight-storm-java-kafka** directory, use the following command to compile the project and create a package for deployment:

- ```bash

- mvn clean package

- ```

- The package process creates a file named `KafkaTopology-1.0-SNAPSHOT.jar` in the `target` directory.

-3. Use the following commands to copy the package to your Storm on HDInsight cluster. Replace `sshuser` with the SSH user name for the cluster. Replace `stormclustername` with the name of the __Storm__ cluster.

- ```bash

- scp ./target/KafkaTopology-1.0-SNAPSHOT.jar sshuser@stormclustername-ssh.azurehdinsight.net:KafkaTopology-1.0-SNAPSHOT.jar

- ```

- When prompted, enter the password you used when creating the clusters.

-## Configure the topology

-1. Use one of the following methods to discover the Kafka broker hosts for the **Kafka** on HDInsight cluster:

- ```powershell

- $creds = Get-Credential -UserName "admin" -Message "Enter the HDInsight login"

- $clusterName = Read-Host -Prompt "Enter the Kafka cluster name"

- $resp = Invoke-WebRequest -Uri "https://$clusterName.azurehdinsight.net/api/v1/clusters/$clusterName/services/KAFKA/components/KAFKA_BROKER" `

- -Credential $creds `

- -UseBasicParsing

- $respObj = ConvertFrom-Json $resp.Content

- $brokerHosts = $respObj.host_components.HostRoles.host_name[0..1]

- ($brokerHosts -join ":9092,") + ":9092"

- ```

- > [!IMPORTANT]

- > The following Bash example assumes that `$CLUSTERNAME` contains the name of the __Kafka__ cluster name. It also assumes that [jq](https://stedolan.github.io/jq/) version 1.5 or greater is installed. When prompted, enter the password for the cluster login account.

- ```bash

- curl -su admin -G "https://$CLUSTERNAME.azurehdinsight.net/api/v1/clusters/$CLUSTERNAME/services/KAFKA/components/KAFKA_BROKER" | jq -r '["\(.host_components[].HostRoles.host_name):9092"] | join(",")' | cut -d',' -f1,2

- ```

- The value returned is similar to the following text:

- ```output

- <brokername1>.53qqkiavjsoeloiq3y1naf4hzc.ex.internal.cloudapp.net:9092,<brokername2>.53qqkiavjsoeloiq3y1naf4hzc.ex.internal.cloudapp.net:9092

- ```

- > [!IMPORTANT]

- > While there may be more than two broker hosts for your cluster, you do not need to provide a full list of all hosts to clients. One or two is enough.

-2. Use one of the following methods to discover the Zookeeper hosts for the __Kafka__ on HDInsight cluster:

- ```powershell

- $creds = Get-Credential -UserName "admin" -Message "Enter the HDInsight login"

- $clusterName = Read-Host -Prompt "Enter the Kafka cluster name"

- $resp = Invoke-WebRequest -Uri "https://$clusterName.azurehdinsight.net/api/v1/clusters/$clusterName/services/ZOOKEEPER/components/ZOOKEEPER_SERVER" `

- -Credential $creds `

- -UseBasicParsing

- $respObj = ConvertFrom-Json $resp.Content

- $zookeeperHosts = $respObj.host_components.HostRoles.host_name[0..1]

- ($zookeeperHosts -join ":2181,") + ":2181"

- ```

- > [!IMPORTANT]

- > The following Bash example assumes that `$CLUSTERNAME` contains the name of the __Kafka__ cluster. It also assumes that [jq](https://stedolan.github.io/jq/) is installed. When prompted, enter the password for the cluster login account.

- ```bash

- curl -su admin -G "https://$CLUSTERNAME.azurehdinsight.net/api/v1/clusters/$CLUSTERNAME/services/ZOOKEEPER/components/ZOOKEEPER_SERVER" | jq -r '["\(.host_components[].HostRoles.host_name):2181"] | join(",")' | cut -d',' -f1,2

- ```

- The value returned is similar to the following text:

- ```output

- <zookeepername1>.53qqkiavjsoeloiq3y1naf4hzc.ex.internal.cloudapp.net:2181,<zookeepername2>.53qqkiavjsoeloiq3y1naf4hzc.ex.internal.cloudapp.net:2181

- ```

- > [!IMPORTANT]

- > While there are more than two Zookeeper nodes, you do not need to provide a full list of all hosts to clients. One or two is enough.

- Save this value, as it is used later.

-3. Edit the `dev.properties` file in the root of the project. Add the Broker and Zookeeper hosts information for the __Kafka__ cluster to the matching lines in this file. The following example is configured using the sample values from the previous steps:

- ```bash

- kafka.zookeeper.hosts: <zookeepername1>.53qqkiavjsoeloiq3y1naf4hzc.ex.internal.cloudapp.net:2181,<zookeepername2>.53qqkiavjsoeloiq3y1naf4hzc.ex.internal.cloudapp.net:2181

- kafka.broker.hosts: <brokername1>.53qqkiavjsoeloiq3y1naf4hzc.ex.internal.cloudapp.net:9092,<brokername2>.53qqkiavjsoeloiq3y1naf4hzc.ex.internal.cloudapp.net:9092

- kafka.topic: stormtopic

- ```

- > [!IMPORTANT]

- > The `hdfs.url` entry is configured for a cluster that uses an Azure Storage account. To use this topology with a Storm cluster that uses Data Lake Storage, change this value from `wasb` to `adl`.

-4. Save the `dev.properties` file and then use the following command to upload it to the **Storm** cluster:

- ```bash

- scp dev.properties USERNAME@BASENAME-ssh.azurehdinsight.net:dev.properties

- ```

- Replace **USERNAME** with the SSH user name for the cluster. Replace **BASENAME** with the base name you used when creating the cluster.

-## Create the Kafka topic

-Kafka stores data into a _topic_. You must create the topic before starting the Storm topologies. To create the topology, use the following steps:

-1. Connect to the __Kafka__ cluster through SSH by using the following command. Replace `sshuser` with the SSH user name used when creating the cluster. Replace `kafkaclustername` with the name of the Kafka cluster:

- ```bash

- ssh sshuser@kafkaclustername-ssh.azurehdinsight.net

- ```

- When prompted, enter the password you used when creating the clusters.

-

- For information, see [Use SSH with HDInsight](hdinsight-hadoop-linux-use-ssh-unix.md).

-2. To create the Kafka topic, use the following command. Replace `$KAFKAZKHOSTS` with the Zookeeper host information you used when configuring the topology:

- ```bash

- /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --create --replication-factor 3 --partitions 8 --topic stormtopic --zookeeper $KAFKAZKHOSTS

- ```

- This command connects to Zookeeper for the Kafka cluster and creates a new topic named `stormtopic`. This topic is used by the Storm topologies.

-## Start the writer

-1. Use the following to connect to the **Storm** cluster using SSH. Replace `sshuser` with the SSH user name used when creating the cluster. Replace `stormclustername` with the name the Storm cluster:

- ```bash

- ssh sshuser@stormclustername-ssh.azurehdinsight.net

- ```

- When prompted, enter the password you used when creating the clusters.

-

- For information, see [Use SSH with HDInsight](hdinsight-hadoop-linux-use-ssh-unix.md).

-2. From the SSH connection to the Storm cluster, use the following command to start the writer topology:

- ```bash

- storm jar KafkaTopology-1.0-SNAPSHOT.jar org.apache.storm.flux.Flux --remote -R /writer.yaml --filter dev.properties

- ```

- The parameters used with this command are:

- * `org.apache.storm.flux.Flux`: Use Flux to configure and run this topology.

- * `--remote`: Submit the topology to Nimbus. The topology is distributed across the worker nodes in the cluster.

- * `-R /writer.yaml`: Use the `writer.yaml` file to configure the topology. `-R` indicates that this resource is included in the jar file. It's in the root of the jar, so `/writer.yaml` is the path to it.

- * `--filter`: Populate entries in the `writer.yaml` topology using values in the `dev.properties` file. For example, the value of the `kafka.topic` entry in the file is used to replace the `${kafka.topic}` entry in the topology definition.

-## Start the reader

-1. From the SSH session to the Storm cluster, use the following command to start the reader topology:

- ```bash

- storm jar KafkaTopology-1.0-SNAPSHOT.jar org.apache.storm.flux.Flux --remote -R /reader.yaml --filter dev.properties

- ```

-2. Wait a minute and then use the following command to view the files created by the reader topology:

- ```bash

- hdfs dfs -ls /stormdata

- ```

- The output is similar to the following text:

- ```output

- Found 173 items

- -rw-r--r-- 1 storm supergroup 5137 2018-04-09 19:00 /stormdata/hdfs-bolt-4-0-1523300453088.txt

- -rw-r--r-- 1 storm supergroup 5128 2018-04-09 19:00 /stormdata/hdfs-bolt-4-1-1523300453624.txt

- -rw-r--r-- 1 storm supergroup 5131 2018-04-09 19:00 /stormdata/hdfs-bolt-4-10-1523300455170.txt

- ...

- ```

-3. To view the contents of the file, use the following command. Replace `filename.txt` with the name of a file:

- ```bash

- hdfs dfs -cat /stormdata/filename.txt

- ```

- The following text is an example of the file contents:

- > four score and seven years ago

- >

- > snow white and the seven dwarfs

- >

- > i am at two with nature

- >

- > snow white and the seven dwarfs

- >

- > i am at two with nature

- >

- > four score and seven years ago

- >

- > an apple a day keeps the doctor away

-## Stop the topologies

-From an SSH session to the Storm cluster, use the following commands to stop the Storm topologies:

- ```bash

- storm kill kafka-writer

- storm kill kafka-reader

- ```

-## Clean up resources

-To clean up the resources created by this tutorial, you can delete the resource group. Deleting the resource group also deletes the associated HDInsight cluster, and any other resources associated with the resource group.

-To remove the resource group using the Azure portal:

-1. In the Azure portal, expand the menu on the left side to open the menu of services, and then choose __Resource Groups__ to display the list of your resource groups.

-2. Locate the resource group to delete, and then right-click the __More__ button (...) on the right side of the listing.

-3. Select __Delete resource group__, and then confirm.

-## Next steps

-In this tutorial, you learned how to use an [Apache Storm](https://storm.apache.org/) topology to write to and read from [Apache Kafka](https://kafka.apache.org/) on HDInsight. You also learned how to store data to the [Apache Hadoop HDFS](https://hadoop.apache.org/docs/r1.2.1/hdfs_design.html) compatible storage used by HDInsight.

-> [!div class="nextstepaction"]

-> [Use Apache Kafka Producer and Consumer API](kafk)

-|[WANdisco Fusion HDI App](https://community.wandisco.com/s/article/Use-WANdisco-Fusion-for-parallel-operation-of-ADLS-Gen1-and-Gen2) |Hadoop, Spark,HBase,Storm,Kafka |Keeping data consistent in a distributed environment is a massive data operations challenge. WANdisco Fusion, an enterprise-class software platform, solves this problem by enabling unstructured data consistency across any environment. |

-|[Striim for Real-Time Data Integration to HDInsight](https://azuremarketplace.microsoft.com/marketplace/apps/striim.striimbyol) |Hadoop,HBase,Storm,Spark,Kafka |Striim (pronounced "stream") is an end-to-end streaming data integration + intelligence platform, enabling continuous ingestion, processing, and analytics of disparate data streams. |

-|[Unifi Data Platform](https://www.crunchbase.com/organization/unifi-software) |Hadoop,HBase,Storm,Spark |The Unifi Data Platform is a seamlessly integrated suite of self-service data tools designed to empower the business user to tackle data challenges that drive incremental revenue, reduce costs or operational complexity. |

- "types": ["Hadoop", "HBase", "Storm", "Spark"],

-| types |The cluster types that the application is compatible with. |Hadoop, HBase, Storm, Spark (or any combination of these) |

-| Version | Spark | Hive | Interactive Query | HBase | Kafka | Storm | ML |

-| HDInsight 3.6 without ESP | Yes | Yes | Yes* | No | No | No | No |

-| HDInsight 4.0 without ESP | Yes | Yes | Yes* | No | No | No | No |

-| HDInsight 3.6 with ESP | Yes | Yes | Yes* | No | No | No | No |

-| HDInsight 4.0 with ESP | Yes | Yes | Yes* | No | No | No | No |

-Note here that Jupyter Extension version (ms-jupyter): v2022.1.1001614873 and Python Extension version (ms-python): v2021.12.1559732655, python 3.6.x and 3.7.x are required for HDInsight interactive PySpark queries.

-| Grant/revoke access to HDInsight clusters using .NET SDK |See [Grant/revoke access to HDInsight clusters](hdinsight-administer-use-dotnet-sdk.md#grantrevoke-access) |

-When running OPC Publisher in production setups, network performance requirements (throughput and latency) and memory resources must be considered. OPC Publisher exposes the following command-line parameters to help meet these requirements:

-* Message queue capacity (`mq` for version 2.5 and below, not available in version 2.6, `om` for version 2.7)

-* IoT Hub send interval (`si`)

-* IoT Hub message size (`ms`)

-## Adjusting IoT Hub send interval and IoT Hub message size

-The `mq/om` parameter controls the upper limit of the capacity of the internal message queue. This queue buffers all messages before they are sent to IoT Hub. The default size of the queue is up to 2 MB for OPC Publisher version 2.5 and below and 4000 IoT Hub messages for version 2.7 (that is, if the setting for the IoT Hub message size is 256 KB, the size of the queue will be up to 1 GB). If OPC Publisher is not able to send messages to IoT Hub fast enough, the number of items in this queue increases. If this happens during test runs, one or both of the following can be done to mitigate:

-* decrease the IoT Hub send interval (`si`)

-* increase the IoT Hub message size (`ms`, the maximum this can be set to is 256 KB). In version 2.7 or later the default value is already set to 256 KB.

-If the queue keeps growing even though the `si` and `ms` parameters have been adjusted, eventually the maximum queue capacity will be reached and messages will be lost. This is due to the fact that both the `si` and `ms` parameter have physical limits and the Internet connection between OPC Publisher and IoT Hub is not fast enough for the number of messages that must be sent in a given scenario. In that case, only setting up several, parallel OPC Publishers will help. The `mq/om` parameter also has the biggest impact on the memory consumption by OPC Publisher.

-The `si` parameter forces OPC Publisher to send messages to IoT Hub at the specified interval. A message is sent either when the maximum IoT Hub message size of 256 KB of data is available (triggering the send interval to reset) or when the specified interval time has passed.

-The `ms` parameter enables batching of messages sent to IoT Hub. In most network setups, the latency of sending a single message to IoT Hub is high, compared to the time it takes to transmit the payload. This is mainly due to Quality of Service (QoS) requirements, since messages are acknowledged only once they have been processed by IoT Hub). Therefore, if a delay for the data to arrive at IoT Hub is acceptable, OPC Publisher should be configured to use the maximal message size of 256 KB by setting the `ms` parameter to 0. It is also the most cost-effective way to use OPC Publisher.

-In version 2.5 the default configuration sends data to IoT Hub every 10 seconds (`si=10`) or when 256 KB of IoT Hub message data is available (`ms=0`). This adds a maximum delay of 10 seconds, but has low probability of losing data because of the large message size. In version 2.7 or later the default configuration is 500 ms for orchestrated mode and 0 for standalone mode (no send interval). The metric `monitored item notifications enqueue failure` in OPC Publisher version 2.5 and below and `messages lost` in OPC Publisher version 2.7 shows how many messages were lost.

-When both `si` and `ms` parameters are set to 0, OPC Publisher sends a message to IoT Hub as soon as data is available. This results in an average IoT Hub message size of just over 200 bytes. However, the advantage of this configuration is that OPC Publisher sends the data from the connected asset without delay. The number of lost messages will be high for use cases where a large amount of data must be published and hence this is not recommended for these scenarios.

-To measure the performance of OPC Publisher, the `di` parameter can be used to print performance metrics to the trace log in the interval specified (in seconds).

-Now that you have learned how to tune the performance and memory of the OPC Publisher, you can check out the OPC Publisher GitHub repository for further resources:

-<!-- end 1.1 -->

-To improve robustness, it is highly recommended you specify the DNS server addresses used in your environment. To set your DNS server for IoT Edge, see the resolution for [Edge Agent module continually reports 'empty config file' and no modules start on device](troubleshoot-common-errors.md#edge-agent-module-reports-empty-config-file-and-no-modules-start-on-the-device) in the troubleshooting article.

-description: Use this article to resolve common issues encountered when deploying an IoT Edge solution

-# Common issues and resolutions for Azure IoT Edge

-Use this article to find steps to resolve common issues that you may experience when deploying IoT Edge solutions. If you need to learn how to find logs and errors from your IoT Edge device, see [Troubleshoot your IoT Edge device](troubleshoot.md).

-## IoT Edge agent stops after about a minute

-**Observed behavior:**

-The edgeAgent module starts and runs successfully for about a minute, then stops. The logs indicate that the IoT Edge agent attempts to connect to IoT Hub over AMQP, and then attempts to connect using AMQP over WebSocket. When that fails, the IoT Edge agent exits.

-**Root cause:**

-**Resolution:**

-Ensure that there is a route to the internet for the IP addresses assigned to this bridge/NAT network. Sometimes a VPN configuration on the host overrides the IoT Edge network.

-## IoT Edge agent can't access a module's image (403)

-**Observed behavior:**

-A container fails to run, and the edgeAgent logs show a 403 error.

-**Root cause:**

-The IoT Edge agent doesn't have permissions to access a module's image.

-**Resolution:**

-Make sure that your registry credentials are correctly specified in your deployment manifest.

-## Edge Agent module reports 'empty config file' and no modules start on the device

-**Observed behavior:**

-The device has trouble starting modules defined in the deployment. Only the edgeAgent is running but continually reporting 'empty config file...'.

-**Root cause:**

-**Resolution:**

-<!-- 1.1 -->

-## Could not start module due to OS mismatch

- **Observed behavior:**

-The edgeHub module fails to start in IoT Edge version 1.1.

-**Root cause:**

-Windows module uses a version of Windows that is incompatible with the version of Windows on the host. IoT Edge Windows version 1809 build 17763 is needed as the base layer for the module image, but a different version is in use.

-**Resolution:**

-Check the version of your various Windows operating systems in [Troubleshoot host and container image mismatches](/virtualization/windowscontainers/deploy-containers/update-containers#troubleshoot-host-and-container-image-mismatches). If the operating systems are different, update them to IoT Edge Windows version 1809 build 17763 and rebuild the Docker image used for that module.

-<!-- end 1.1 -->

-## IoT Edge hub fails to start

-**Observed behavior:**

-**Root cause:**

-**Resolution:**

-## IoT Edge security daemon fails with an invalid hostname

-**Observed behavior:**

-Attempting to [check the IoT Edge security manager logs](troubleshoot.md#check-the-status-of-the-iot-edge-security-manager-and-its-logs) fails and prints the following message:

-Error parsing user input data: invalid hostname. Hostname cannot be empty or greater than 64 characters

-**Root cause:**

-The IoT Edge runtime can only support hostnames that are shorter than 64 characters. Physical machines usually don't have long hostnames, but the issue is more common on a virtual machine. The automatically generated hostnames for Windows virtual machines hosted in Azure, in particular, tend to be long.

-**Resolution:**

-When you see this error, you can resolve it by configuring the DNS name of your virtual machine, and then setting the DNS name as the hostname in the setup command.

-<!-- 1.1 -->

-1. In the Azure portal, navigate to the overview page of your virtual machine.

-2. Select **configure** under DNS name. If your virtual machine already has a DNS name configured, you don't need to configure a new one.

- 

-3. Provide a value for **DNS name label** and select **Save**.

-4. Copy the new DNS name, which should be in the format **\<DNSnamelabel\>.\<vmlocation\>.cloudapp.azure.com**.

-5. Inside the virtual machine, use the following command to set up the IoT Edge runtime with your DNS name:

- * On Linux:

- ```bash

- sudo nano /etc/iotedge/config.yaml

- ```

- * On Windows:

- ```cmd

- notepad C:\ProgramData\iotedge\config.yaml

- ```

-<!-- end 1.1 -->

-<!-- iotedge-2020-11 -->

-1. In the Azure portal, navigate to the overview page of your virtual machine.

-2. Select **configure** under DNS name. If your virtual machine already has a DNS name configured, you don't need to configure a new one.

- 

-3. Provide a value for **DNS name label** and select **Save**.

-4. Copy the new DNS name, which should be in the format **\<DNSnamelabel\>.\<vmlocation\>.cloudapp.azure.com**.

-5. On the IoT Edge device, open the config file.

- ```bash

- sudo nano /etc/aziot/config.toml

- ```

-6. Replace the value of `hostname` with your DNS name.

-7. Save and close the file, then apply the changes to IoT Edge.

- ```bash

- sudo iotedge config apply

- ```

-<!-- end iotedge-2020-11 -->

-<!-- 1.1 -->

-## Can't get the IoT Edge daemon logs on Windows

-**Observed behavior:**

-You get an EventLogException when using `Get-WinEvent` on Windows.

-**Root cause:**

-The `Get-WinEvent` PowerShell command relies on a registry entry to be present to find logs by a specific `ProviderName`.

-**Resolution:**

-Set a registry entry for the IoT Edge daemon. Create a **iotedge.reg** file with the following content, and import in to the Windows Registry by double-clicking it or using the `reg import iotedge.reg` command:

-```reg

-Windows Registry Editor Version 5.00

-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\iotedged]

-"CustomSource"=dword:00000001

-"EventMessageFile"="C:\\ProgramData\\iotedge\\iotedged.exe"

-"TypesSupported"=dword:00000007

-```

-## DPS client error

-**Observed behavior:**

-IoT Edge fails to start with error message `failed to provision with IoT Hub, and no valid device backup was found dps client error.`

-**Root cause:**

-A group enrollment is used to provision an IoT Edge device to an IoT Hub. The IoT Edge device is moved to a different hub. The registration is deleted in DPS. A new registration is created in DPS for the new hub. The device is not reprovisioned.

-**Resolution:**

-1. Verify your DPS credentials are correct.

-1. Apply your configuration using `sudo iotedge apply config`.

-1. If the device isn't reprovisioned, restart the device using `sudo iotedge system restart`.

-1. If the device isn't reprovisioned, force reprovisioning using `sudo iotedge system reprovision`.

-To automatically reprovision, set `dynamic_reprovisioning: true` in the device configuration file. Setting this flag to true opts in to the dynamic re-provisioning feature. IoT Edge detects situations where the device appears to have been reprovisioned in the cloud by monitoring its own IoT Hub connection for certain errors. IoT Edge responds by shutting itself and all Edge modules down. The next time the daemon starts up, it will attempt to reprovision this device with Azure to receive the new IoT Hub provisioning information.

-When using external provisioning, the daemon will also notify the external provisioning endpoint about the re-provisioning event before shutting down. For more information, see [IoT Hub device reprovisioning concepts](../iot-dps/concepts-device-reprovision.md).

-## Stability issues on smaller devices

-**Observed behavior:**

-You may experience stability problems on resource constrained devices like the Raspberry Pi, especially when used as a gateway. Symptoms include out of memory exceptions in the IoT Edge hub module, downstream devices failing to connect, or the device failing to send telemetry messages after a few hours.

-**Root cause:**

-The IoT Edge hub, which is part of the IoT Edge runtime, is optimized for performance by default and attempts to allocate large chunks of memory. This optimization is not ideal for constrained edge devices and can cause stability problems.

-**Resolution:**

-For the IoT Edge hub, set an environment variable **OptimizeForPerformance** to **false**. There are two ways to set environment variables:

-In the Azure portal:

-In your IoT Hub, select your IoT Edge device and from the device details page and select **Set Modules** > **Runtime Settings**. Create an environment variable for the IoT Edge hub module called *OptimizeForPerformance* that is set to *false*.

-

-In the deployment manifest:

-```json

-"edgeHub": {

- "type": "docker",

- "settings": {

- "image": "mcr.microsoft.com/azureiotedge-hub:1.1",

- "createOptions": <snipped>

- },

- "env": {

- "OptimizeForPerformance": {

- "value": "false"

- }

- },

-```

-## IoT Edge module fails to send a message to edgeHub with 404 error

-**Observed behavior:**

-A custom IoT Edge module fails to send a message to the IoT Edge hub with a 404 `Module not found` error. The IoT Edge daemon prints the following message to the logs:

-```output

-Error: Time:Thu Jun 4 19:44:58 2018 File:/usr/sdk/src/c/provisioning_client/adapters/hsm_client_http_edge.c Func:on_edge_hsm_http_recv Line:364 executing HTTP request fails, status=404, response_buffer={"message":"Module not found"}u, 04 )

-```

-**Root cause:**

-The IoT Edge daemon enforces process identification for all modules connecting to the edgeHub for security reasons. It verifies that all messages being sent by a module come from the main process ID of the module. If a message is being sent by a module from a different process ID than initially established, it will reject the message with a 404 error message.

-**Resolution:**

-As of version 1.0.7, all module processes are authorized to connect. For more information, see the [1.0.7 release changelog](https://github.com/Azure/iotedge/blob/master/CHANGELOG.md#iotedged-1).

-If upgrading to 1.0.7 isn't possible, complete the following steps. Make sure that the same process ID is always used by the custom IoT Edge module to send messages to the edgeHub. For instance, make sure to `ENTRYPOINT` instead of `CMD` command in your Docker file. The `CMD` command leads to one process ID for the module and another process ID for the bash command running the main program, but `ENTRYPOINT` leads to a single process ID.

-## IoT Edge module deploys successfully then disappears from device

-**Observed behavior:**

-After setting modules for an IoT Edge device, the modules are deployed successfully but after a few minutes they disappear from the device and from the device details in the Azure portal. Other modules than the ones defined might also appear on the device.

-**Root cause:**

-If an automatic deployment targets a device, it takes priority over manually setting the modules for a single device. The **Set modules** functionality in Azure portal or **Create deployment for single device** functionality in Visual Studio Code will take effect for a moment. You see the modules that you defined start on the device. Then the automatic deployment's priority kicks in and overwrites the device's desired properties.

-**Resolution:**

-Only use one type of deployment mechanism per device, either an automatic deployment or individual device deployments. If you have multiple automatic deployments targeting a device, you can change priority or target descriptions to make sure the correct one applies to a given device. You can also update the device twin to no longer match the target description of the automatic deployment.

-For more information, see [Understand IoT Edge automatic deployments for single devices or at scale](module-deployment-monitoring.md).

-## IoT Edge module reports connectivity errors

-**Observed behavior:**

-**Root cause:**

-Containers rely on IP packet forwarding in order to connect to the internet so that they can communicate with cloud services. IP packet forwarding is enabled by default in Docker, but if it gets disabled then any modules that connect to cloud services will not work as expected. For more information, see [Understand container communication](https://docs.docker.com/config/containers/container-networking/) in the Docker documentation.

-**Resolution:**

-## IoT Edge behind a gateway cannot perform HTTP requests and start edgeAgent module

-**Observed behavior:**

-The IoT Edge daemon is active with a valid configuration file, but it cannot start the edgeAgent module. The command `iotedge list` returns an empty list. The IoT Edge daemon logs report `Could not perform HTTP request`.

-**Root cause:**

-**Resolution:**

-## IoT Edge behind a gateway cannot connect when migrating from one IoT hub to another

-**Observed behavior:**

-When attempting to migrate a hierarchy of IoT Edge devices from one IoT hub to another, the top level parent IoT Edge device can connect to IoT Hub, but downstream IoT Edge devices cannot. The logs report `Unable to authenticate client downstream-device/$edgeAgent with module credentials`.

-**Root cause:**

-The credentials for the downstream devices were not updated properly when the migration to the new IoT hub happened. Because of this, `edgeAgent` and `edgeHub` modules were set to have authentication type of `none` (default if not set explicitly). During connection, the modules on the downstream devices use old credentials, causing the authentication to fail.

-**Resolution:**

-When migrating to the new IoT hub (assuming not using DPS), follow these steps in order:

-1. Follow [this guide to export and then import device identities](../iot-hub/iot-hub-bulk-identity-mgmt.md) from the old IoT hub to the new one

-1. Reconfigure all IoT Edge deployments and configurations in the new IoT hub

-1. Reconfigure all parent-child device relationships in the new IoT hub

-1. Update each device to point to the new IoT hub hostname (`iothub_hostname` under `[provisioning]` in `config.toml`)

-1. If you chose to exclude authentication keys during the device export, reconfigure each device with the new keys given by the new IoT hub (`device_id_pk` under `[provisioning.authentication]` in `config.toml`)

-1. Restart the top-level parent Edge device first, make sure it's up and running

-1. Restart each device in hierarchy level by level from top to the bottom

-## Security daemon couldn't start successfully

-**Observed behavior:**

-The security daemon fails to start and module containers aren't created. The `edgeAgent`, `edgeHub` and other custom modules aren't started by IoT Edge service. In `aziot-edged` logs, you see this error:

-> - The daemon could not start up successfully: Could not start management service

-> - caused by: An error occurred for path /var/run/iotedge/mgmt.sock

-> - caused by: Permission denied (os error 13)

-**Root cause:**

-For all Linux distros except CentOS 7, IoT Edge's default configuration is to use `systemd` socket activation. A permission error happens if you change the configuration file to not use socket activation but leave the URLs as `/var/run/iotedge/*.sock`, since the `iotedge` user can't write to `/var/run/iotedge` meaning it can't unlock and mount the sockets itself.

-**Resolution:**

-You do not need to disable socket activation on a distro where socket activation is supported. However, if you prefer to not use socket activation at all, put the sockets in `/var/lib/iotedge/`. To do this

-1. Run `systemctl disable iotedge.socket iotedge.mgmt.socket` to disable the socket units so that systemd doesn't start them unnecessarily

-1. Change the iotedge config to use `/var/lib/iotedge/*.sock` in both `connect` and `listen` sections

-1. If you already have modules, they have the old `/var/run/iotedge/*.sock` mounts, so `docker rm -f` them.

-1. Select **Update** or **Cancel**.

-1. Make a note of the name of your Stream Analytics module because you'll need it in the next step. Then, select **Next: Routes** to continue.

-1. On the **Routes** tab, you define how messages are passed between modules and the IoT Hub. Messages are constructed using name/value pairs. Replace the default `route` and `upstream` name and values with the pairs shown in following table, the following name/value pairs, replacing instances of _{moduleName}_ with the name of your Azure Stream Analytics module.

-1. You're returned to the device details page. Select **Refresh**.

-1. View all system logs and metrics data. Use the Stream Analytics module name:

-1. View the reset command affect the SimulatedTemperatureSensor by viewing the sensor logs:

-description: Use ML Studio (classic) to predict the chance of rain based on the temperature and humidity data your IoT hub collects from a sensor.

-keywords: weather forecast machine learning

-# Weather forecast using the sensor data from your IoT hub in Machine Learning Studio (classic)

-

-Machine learning is a technique of data science that helps computers learn from existing data to forecast future behaviors, outcomes, and trends. ML Studio (classic) is a cloud predictive analytics service that makes it possible to quickly create and deploy predictive models as analytics solutions. In this article, you learn how to use ML Studio (classic) to do weather forecasting (chance of rain) using the temperature and humidity data from your Azure IoT hub. The chance of rain is the output of a prepared weather prediction model. The model is built upon historic data to forecast chance of rain based on temperature and humidity.

-## Prerequisites

- - An active Azure subscription.

- - An Azure IoT hub under your subscription.

- - A client application that sends messages to your Azure IoT hub.

-> [!Note]

-> This article uses Azure Stream Analytics and several other paid services. Extra charges are incurred in Azure Stream Analytics when data must be transferred across Azure regions. For this reason, it would be good to ensure that your Resource Group, IoT Hub, and Azure Storage account -- as well as the Machine Learning Studio (classic) workspace and Azure Stream Analytics Job added later in this tutorial -- are all located in the same Azure region. You can check regional support for ML Studio (classic) and other Azure services on the [Azure product availability by region page](https://azure.microsoft.com/global-infrastructure/services/?products=machine-learning-studio&regions=all).

-## Deploy the weather prediction model as a web service

-In this section you get the weather prediction model from the Azure AI Library. Then you add an R-script module to the model to clean the temperature and humidity data. Lastly, you deploy the model as a predictive web service.

-### Get the weather prediction model

-In this section you get the weather prediction model from the Azure AI Gallery and open it in ML Studio (classic).

-1. Go to the [weather prediction model page](https://gallery.cortanaintelligence.com/Experiment/Weather-prediction-model-1).

- 

-1. Select **Open in Studio (classic)** to open the model in Microsoft ML Studio (classic). Select a region near your IoT hub and the correct workspace in the **Copy experiment from Gallery** pop-up.

- 

-### Add an R-script module to clean temperature and humidity data

-For the model to behave correctly, the temperature and humidity data must be convertible to numeric data. In this section, you add an R-script module to the weather prediction model that removes any rows that have data values for temperature or humidity that cannot be converted to numeric values.

-1. On the left-side of the ML Studio (classic) window, select the arrow to expand the tools panel. Enter "Execute" into the search box. Select the **Execute R Script** module.

- 

-1. Drag the **Execute R Script** module near the **Clean Missing Data** module and the existing **Execute R Script** module on the diagram. Delete the connection between the **Clean Missing Data** and the **Execute R Script** modules and then connect the inputs and outputs of the new module as shown.

- 

-1. Select the new **Execute R Script** module to open its properties window. Copy and paste the following code into the **R Script** box.

- ```r

- # Map 1-based optional input ports to variables

- data <- maml.mapInputPort(1) # class: data.frame

- data$temperature <- as.numeric(as.character(data$temperature))

- data$humidity <- as.numeric(as.character(data$humidity))

- completedata <- data[complete.cases(data), ]

- maml.mapOutputPort('completedata')

- ```

- When you're finished, the properties window should look similar to the following:

- 

-### Deploy predictive web service

-In this section, you validate the model, set up a predictive web service based on the model, and then deploy the web service.

-1. Select **Run** to validate the steps in the model. This step might take a few minutes to complete.

- 

-1. Select **SET UP WEB SERVICE** > **Predictive Web Service**. The predictive experiment diagram opens.

- 

-1. In the predictive experiment diagram, delete the connection between the **Web service input** module and the **Select Columns in Dataset** at the top. Then drag the **Web service input** module somewhere near the **Score Model** module and connect it as shown:

- 

-1. Select **RUN** to validate the steps in the model.

-1. Select **DEPLOY WEB SERVICE** to deploy the model as a web service.

-1. On the dashboard of the model, download the **Excel 2010 or earlier workbook** for **REQUEST/RESPONSE**.

- > [!Note]

- > Make sure that you download the **Excel 2010 or earlier workbook** even if you are running a later version of Excel on your computer.

- 

-1. Open the Excel workbook, make a note of the **WEB SERVICE URL** and **ACCESS KEY**.

-## Create, configure, and run a Stream Analytics job

-### Create a Stream Analytics job

-1. In the [Azure portal](https://portal.azure.com/), select **Create a resource**. Type "stream analytics job" in the Search box, and select **Stream Analytics job** from the results dropdown. When the **Stream Analytics job** pane opens, select **Create**.

-1. Enter the following information for the job.

- **Job name**: The name of the job. The name must be globally unique.

- **Subscription**: Select your subscription if it is different than the default.

- **Resource group**: Use the same resource group that your IoT hub uses.

- **Location**: Use the same location as your resource group.

- Leave all other fields at their default.

- 

-1. Select **Create**.

-### Add an input to the Stream Analytics job

-1. Open the Stream Analytics job.

-1. Under **Job topology**, select **Inputs**.

-1. In the **Inputs** pane, select **Add stream input**, and then select **IoT Hub** from the dropdown. On the **New input** pane, choose the **Select IoT Hub from your subscriptions** and enter the following information:

- **Input alias**: The unique alias for the input.

- **Subscription**: Select your subscription if it is different than the default.

- **IoT Hub**: Select the IoT hub from your subscription.

- **Shared access policy name**: Select **service**. (You can also use **iothubowner**.)

- **Consumer group**: Select the consumer group you created.

- Leave all other fields at their default.

- 

-1. Select **Save**.

-### Add an output to the Stream Analytics job

-1. Under **Job topology**, select **Outputs**.

-1. In the **Outputs** pane, select **Add**, and then select **Blob storage/Data Lake Storage** from the dropdown. On the **New output** pane, choose the **Select storage from your subscriptions** and enter the following information:

- **Output alias**: The unique alias for the output.

- **Subscription**: Select your subscription if it is different than the default.

- **Storage account**: The storage account for your blob storage. You can create a storage account or use an existing one.

- **Container**: The container where the blob is saved. You can create a container or use an existing one.

- **Event serialization format**: Select **CSV**.

- 

-1. Select **Save**.

-### Add a function to the Stream Analytics job to call the web service you deployed

-1. Under **Job Topology**, select **Functions**.

-1. In the **Functions** pane, select **Add**, and then select **Azure ML Studio** from the dropdown. (Make sure you select **Azure ML Studio**, not **Azure ML Service**.) On the **New function** pane, choose the **Provide Azure Machine Learning function settings manually** and enter the following information:

- **Function Alias**: Enter `machinelearning`.

- **URL**: Enter the WEB SERVICE URL that you noted down from the Excel workbook.

- **Key**: Enter the ACCESS KEY that you noted down from the Excel workbook.

- 

-1. Select **Save**.

-### Configure the query of the Stream Analytics job

-1. Under **Job topology**, select **Query**.

-1. Replace the existing code with the following code:

- ```sql

- WITH machinelearning AS (

- SELECT EventEnqueuedUtcTime, temperature, humidity, machinelearning(temperature, humidity) as result from [YourInputAlias]

- )

- Select System.Timestamp time, CAST (result.[temperature] AS FLOAT) AS temperature, CAST (result.[humidity] AS FLOAT) AS humidity, CAST (result.[scored probabilities] AS FLOAT ) AS 'probabalities of rain'

- Into [YourOutputAlias]

- From machinelearning

- ```

- Replace `[YourInputAlias]` with the input alias of the job.

- Replace `[YourOutputAlias]` with the output alias of the job.

-1. Select **Save query**.

-> [!Note]

-> If you select **Test query**, you'll be presented with the following message: Query testing with Machine Learning functions is not supported. Please modify the query and try again. You can safely ignore this message and select **OK** to close the message box. Make sure you save the query before proceeding to the next section.

-### Run the Stream Analytics job

-In the Stream Analytics job, select **Overview** on the left pane. Then select **Start** > **Now** > **Start**. Once the job successfully starts, the job status changes from **Stopped** to **Running**.

-

-## Use Microsoft Azure Storage Explorer to view the weather forecast

-Run the client application to start collecting and sending temperature and humidity data to your IoT hub. For each message that your IoT hub receives, the Stream Analytics job calls the weather forecast web service to produce the chance of rain. The result is then saved to your Azure blob storage. Azure Storage Explorer is a tool that you can use to view the result.

-1. [Download and install Microsoft Azure Storage Explorer](https://storageexplorer.com/).

-1. Open Azure Storage Explorer.

-1. Sign in to your Azure account.

-1. Select your subscription.

-1. Select your subscription > **Storage Accounts** > your storage account > **Blob Containers** > your container.

-1. Download a .csv file to see the result. The last column records the chance of rain.

- 

-## Summary

-YouΓÇÖve successfully used ML Studio (classic) to produce the chance of rain based on the temperature and humidity data that your IoT hub receives.

-description: Tutorial - Learn how to perform a manual failover of your IoT hub to a different region and confirm it's working, and then return it to the original region and check it again.

-Manual failover is a feature of the IoT Hub service that allows customers to [failover](https://en.wikipedia.org/wiki/Failover) their hub's operations from a primary region to the corresponding Azure geo-paired region. Manual failover can be done in the event of a regional disaster or an extended service outage. You can also perform a planned failover to test your disaster recovery capabilities, although we recommend using a test IoT hub rather than one running in production. The manual failover feature is offered to customers at no additional cost for IoT hubs created after May 18, 2017.

-> * Using the Azure portal, create an IoT hub.

-> * Perform a failover.

-* Make sure that port 8883 is open in your firewall. The device sample in this tutorial uses MQTT protocol, which communicates over port 8883. This port may be blocked in some corporate and educational network environments. For more information and ways to work around this issue, see [Connecting to IoT Hub (MQTT)](iot-hub-mqtt-support.md#connecting-to-iot-hub).

-1. Click **Resource groups** and then select your resource group. Click on your hub in the list of resources.

-1. Under **Hub settings** on the IoT Hub pane, click **Failover**.

-1. On the Manual failover pane, you see the **Current location** and the **Failover location**. The current location always indicates the location in which the hub is currently active. The failover location is the standard [Azure geo-paired region](../availability-zones/cross-region-replication-azure.md) that is paired to the current location. You cannot change the location values. For this tutorial, the current location is `West US 2` and the failover location is `West Central US`.

- 

-1. At the top of the Manual failover pane, click **Start failover**.

-1. In the confirmation pane, fill in the name of your IoT hub to confirm it's the one you want to failover. Then, to initiate the failover, click **Failover**.

- The amount of time it takes to perform the manual failover is proportional to the number of devices that are registered for your hub. For example, if you have 100,000 devices, it might take 15 minutes, but if you have five million devices, it might take an hour or longer.

- 

- While the manual failover process is running, a banner appears to tell you a manual failover is in progress.

- 

- If you close the IoT Hub pane and open it again by clicking it on the Resource Group pane, you see a banner that tells you the hub is in the middle of a manual failover.

- 

- After it's finished, the current and failover regions on the Manual Failover page are flipped and the hub is active again. In this example, the current location is now `WestCentralUS` and the failover location is now `West US 2`.

- 

- The overview page also shows a banner indicating that the failover is complete and the IoT Hub is running in `West Central US`.

- 

-## Perform a failback

-After you have performed a manual failover, you can switch the hub's operations back to the original primary region -- this is called a failback. If you have just performed a failover, you have to wait about an hour before you can request a failback. If you try to perform the failback in a shorter amount of time, an error message is displayed.

-A failback is performed just like a manual failover. These are the steps:

-1. To perform a failback, return to the Iot Hub pane for your Iot hub.

-2. Under **Settings** on the IoT Hub pane, click **Failover**.

-3. At the top of the Manual failover pane, click **Start failover**.

-4. In the confirmation pane, fill in the name of your IoT hub to confirm it's the one you want to failback. To then initiate the failback, click **OK**.

- 

- The banners are displayed as explained in the perform a failover section. After the failback is complete, it again shows `West US 2` as the current location and `West Central US` as the failover location, as set originally.

-## Clean up resources

-To remove the resources you've created for this tutorial, delete the resource group. This action deletes all resources contained within the group. In this case, it removes the IoT hub and the resource group itself.

-1. Click **Resource Groups**.

-2. Locate and select the resource group **ManlFailRG**. Click on it to open it.

-3. Click **Delete resource group**. When prompted, enter the name of the resource group and click **Delete** to confirm.

-In this tutorial, you learned how to configure and perform a manual failover, and how to request a failback by performing the following tasks:

-> [!div class="checklist"]

-> * Using the Azure portal, create an IoT hub.

-> * Perform a failover.

-> * See the hub running in the secondary location.

-> * Perform a failback to return the IoT hub's operations to the primary location.

-> * Confirm the hub is running correctly in the right location.

-Advance to the next tutorial to learn how to configure your device from a back-end service.

-> [Resouce Provider modes](../../governance/policy/concepts/definition-structure.md#resource-provider-modes),

-[App Service diagnostics](/azure/app-service/overview-diagnostics.md) is an intelligent and interactive way to help troubleshoot your app, with no configuration required. When you run into issues with your app, App Service diagnostics can help you resolve the issue easily and quickly.

-Availability zone redundancy is available for Standard logic apps, which are powered by Azure Functions extensibility. For more information, review [Azure Functions support for availability zone redundancy](../azure-functions/azure-functions-az-redundancy.md#overview).

-We recommend that you clone the repository into your users directory so that others will not make collisions directly on your working branch.

-After submitting a training run, a [Run](/python/api/azureml-core/azureml.core.run%28class%29) object is returned. The `properties` attribute of this object contains the logged git information. For example, the following code retrieves the commit hash:

-run.properties['azureml.git.commit']

-* [Use compute targets for model training](v1/how-to-set-up-training-targets.md)

-* [**Ubuntu Data Science Virtual Machine**](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804). For information about provisioning the virtual machine, see [Provision the Ubuntu Data Science Virtual Machine](./release-notes.md).

-[Data Science VM ΓÇô Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=overview) and [Data Science VM ΓÇô Ubuntu 20.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-2004?tab=Overview)

-[Data Science VM ΓÇô Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=overview)

-[Data Science VM ΓÇô Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=overview) and [Data Science VM ΓÇô Ubuntu 20.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-2004?tab=Overview)

-New Image for [Data Science VM ΓÇô Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=overview)

-New image for [Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=Overview).

-New image for [Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=Overview).

-New image for [Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=Overview).

-New image for [Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=Overview).

-New image for [Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=Overview).

-Data Science Virtual Machine images for [Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804?tab=Overview) and [Windows 2019](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.dsvm-win-2019?tab=Overview) images are now available.

-To keep track of whether a compute instance's operating system version is current, you could query an instance's version using the Studio UI, CLI and SDK.

-# [Python SDK](#tab/python)

-```python

-from azure.ai.ml.entities import ComputeInstance, AmlCompute

-# Display operating system version

-instance = ml_client.compute.get("myci")

-print instance.os_image_metadata

-```

-For more information on the classes, methods, and parameters used in this example, see the following reference documents:

-* [`AmlCompute` class](/python/api/azure-ai-ml/azure.ai.ml.entities.amlcompute)

-* [`ComputeInstance` class](/python/api/azure-ai-ml/azure.ai.ml.entities.computeinstance)

-# [Azure CLI](#tab/azure-cli)

-```azurecli

-az ml compute show --name "myci"

-```

-# [Studio](#tab/azure-studio)

-In your workspace in Azure Machine Learning studio, select Compute, then select compute instance on the top. Select a compute instance's compute name to see its properties including the current operating system. When a more recent instance OS version is, use the creation wizard to create a new instance. Enable 'audit and observe compute instance os version' under the previews management panel to see these preview properties.

-> * Python 3.6+.

- > Only Python 3.6 and 3.7 are compatible with automated ML support for computer vision tasks.

-* [Train TensorFlow DNN Models](../how-to-train-tensorflow.md)

- - python=3.6.2

-The exported dataset is a [TabularDataset](/python/api/azureml-core/azureml.data.tabular_dataset.tabulardataset). If you plan to use [download()](/python/api/azureml-core/azureml.data.tabulardataset#azureml-data-tabulardataset-download) or [mount()](/python/api/azureml-core/azureml.data.tabulardataset#azureml-data-tabulardataset-mount) methods, be sure to set the parameter `stream column ='image_url'`.

-> [!NOTE]

-> The public preview methods download() and mount() are [experimental](/python/api/overview/azure/ml/#stable-vs-experimental) preview features, and may change at any time.

-# download the images to local

-download_path = animal_labels.download(stream_column='image_url')

-#read images from downloaded path

-img = mpimg.imread(download_path[0])

- - python=3.6.2

- - python=3.6.2

-* Python 3.6 or 3.7 are supported for this feature

-|MySQL Version 5.7 | [5.7.29](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-29.html) | [5.7.37](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-37.html)|

-1. Select the **AllowInternetOutBound** rule, and then scroll down to **Destination**, as shown in the following picture:

-

- :::image type="content" source="./media/diagnose-vm-network-traffic-filtering-problem/security-rule-prefixes.png" alt-text="Screenshot of Security rule prefixes.":::

- One of the prefixes in the list is **12.0.0.0/8**, which encompasses the 12.0.0.1-15.255.255.254 range of IP addresses. Since 13.107.21.200 is within that address range, the **AllowInternetOutBound** rule allows the outbound traffic. Additionally, there are no higher priority (lower number) rules shown in the picture in step 2 that override this rule. Close the **Address prefixes** box. To deny outbound communication to 13.107.21.200, you could add a security rule with a higher priority, that denies port 80 outbound to the IP address.

-The connection troubleshoot feature of Network Watcher provides the capability to check a direct TCP connection from a virtual machine to a virtual machine (VM), fully qualified domain name (FQDN), URI, or IPv4 address. Network scenarios are complex, they are implemented using network security groups, firewalls, user-defined routes, and resources provided by Azure. Complex configurations make troubleshooting connectivity issues challenging. Network Watcher helps reduce the amount of time to find and detect connectivity issues. The results returned can provide insights into whether a connectivity issue is due to a platform or a user configuration issue. Connectivity can be checked with [PowerShell](network-watcher-connectivity-powershell.md), [Azure CLI](network-watcher-connectivity-cli.md), and [REST API](network-watcher-connectivity-rest.md).

-|Property |Description |

-|AvgLatencyInMs | Average latency during the connectivity check in milliseconds. (Only shown if check status is reachable) |

-|MinLatencyInMs | Minimum latency during the connectivity check in milliseconds. (Only shown if check status is reachable) |

-|MaxLatencyInMs | Maximum latency during the connectivity check in milliseconds. (Only shown if check status is reachable) |

-|Hops[].ResourceId | ResourceID of the hop if the hop is an Azure resource. If it is an internet resource, ResourceID is **Internet**. |

-|Type |Description |

-|GuestFirewall | Traffic is blocked due to a virtual machine firewall configuration. |

-### 13. What if you are using docker image of PgBouncer sidecar provided by Microsoft?

-A new docker image which supports both [**Baltimore**](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) and [**DigiCert**](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) is published to below [here](https://hub.docker.com/_/microsoft-azure-oss-db-tools-pgbouncer-sidecar) (Latest tag). You can pull this new image to avoid any interruption in connectivity starting December, 2022.

-### 14. What if I have further questions?

-|Metric|Metric Display Name|Unit|Description|

-|||||

-|cpu_percent|CPU percent|Percent|The percentage of CPU in use.|

-|memory_percent|Memory percent|Percent|The percentage of memory in use.|

-|io_consumption_percent|IO percent|Percent|The percentage of IO in use. (Not applicable for Basic tier servers.)|

-|storage_percent|Storage percentage|Percent|The percentage of storage used out of the server's maximum.|

-|storage_used|Storage used|Bytes|The amount of storage in use. The storage used by the service may include the database files, transaction logs, and the server logs.|

-|storage_limit|Storage limit|Bytes|The maximum storage for this server.|

-|serverlog_storage_percent|Server Log storage percent|Percent|The percentage of server log storage used out of the server's maximum server log storage.|

-|serverlog_storage_usage|Server Log storage used|Bytes|The amount of server log storage in use.|

-|serverlog_storage_limit|Server Log storage limit|Bytes|The maximum server log storage for this server.|

-|active_connections|Active Connections|Count|The number of active connections to the server.|

-|connections_failed|Failed Connections|Count|The number of established connections that failed.|

-|network_bytes_egress|Network Out|Bytes|Network Out across active connections.|

-|network_bytes_ingress|Network In|Bytes|Network In across active connections.|

-|backup_storage_used|Backup Storage Used|Bytes|The amount of backup storage used. This metric represents the sum of storage consumed by all the full database backups, differential backups, and log backups retained based on the backup retention period set for the server. The frequency of the backups is service managed and explained in the [concepts article](concepts-backup.md). For geo-redundant storage, backup storage usage is twice that of the locally redundant storage.|

-|pg_replica_log_delay_in_bytes|Max Lag Across Replicas|Bytes|The lag in bytes between the primary and the most-lagging replica. This metric is available on the primary server only.|

-|pg_replica_log_delay_in_seconds|Replica Lag|Seconds|The time since the last replayed transaction. This metric is available for replica servers only.|

-Get started creating a Private Link service that refers to your service. Give Private Link access to your service or resource deployed behind an Azure Standard Load Balancer. Users of your service have private access from their virtual network.

-## Sign in to the Azure portal

-Sign in to the Azure portal at https://portal.azure.com.

-### Virtual network

-In this section, you create a virtual network and subnet to host the load balancer that accesses your Private Link service.

-2. On the upper-left side of the screen, select **Create a resource > Networking > Virtual network** or search for **Virtual network** in the search box.

-3. Select **Create**.

- | Region | Select **(US) East US 2** |

-In this section, you create a load balancer that load balances virtual machines.

-1. In the **Load balancer** page, select **Create**.

-1. In the **Basics** tab of the **Create load balancer** page, enter, or select the following information:

- | Region | Select **(US) East US 2**. |

-1. Select **Next: Frontend IP configuration** at the bottom of the page.

-1. In **Frontend IP configuration**, select **+ Add a frontend IP**.

-1. Enter **LoadBalancerFrontend** in **Name**.

-1. Select **myBackendSubnet** in **Subnet**.

-1. Select **Dynamic** for **Assignment**.

-1. Select **Zone-redundant** in **Availability zone**.

-1. Select **Add**.

-1. Select **Next: Backend pools** at the bottom of the page.

-1. In the **Backend pools** tab, select **+ Add a backend pool**.

-1. Enter **myBackendPool** for **Name** in **Add backend pool**.

-1. Select **NIC** or **IP Address** for **Backend Pool Configuration**.

-1. Select **Save**.

-1. Select the **Next: Inbound rules** button at the bottom of the page.

-1. In **Load balancing rule** in the **Inbound rules** tab, select **+ Add a load balancing rule**.

-1. In **Add load balancing rule**, enter or select the following information:

- | Backend pool | Select **myBackendPool**. |

- | HA Ports | Check box. |

-1. Select **Add**.

-1. Select the blue **Review + create** button at the bottom of the page.

-1. Select **Create**.

-In this section, you'll create a Private Link service behind a standard load balancer.

-1. On the upper-left part of the page in the Azure portal, select **Create a resource**.

-1. Search for **Private Link** in the **Search the Marketplace** box.

-1. Select **Create**.

-1. In **Overview** under **Private Link Center**, select the blue **Create private link service** button.

-1. In the **Basics** tab under **Create private link service**, enter, or select the following information:

- | Region | Select **(US) East US 2**. |

-1. Select the **Outbound settings** tab or select **Next: Outbound settings** at the bottom of the page.

-1. In the **Outbound settings** tab, enter or select the following information:

- | Source NAT subnet | Select **mySubnet (10.1.0.0/24)**. |

-1. Select the **Access security** tab or select **Next: Access security** at the bottom of the page.

-1. Leave the default of **Role-based access control only** in the **Access security** tab.

-1. Select the **Tags** tab or select **Next: Tags** at the bottom of the page.

-1. Select the **Review + create** tab or select **Next: Review + create** at the bottom of the page.

-1. Select **Create** in the **Review + create** tab.

-1. On the upper-left side of the screen, select **Create a resource > Networking > Virtual network** or search for **Virtual network** in the search box.

-1. In **Create virtual network**, enter or select this information in the **Basics** tab:

- | Region | Select **(US) East US 2** |

-1. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

-1. In the **IP Addresses** tab, enter this information:

- | IPv4 address space | Enter **11.1.0.0/16** |

-1. Under **Subnet name**, select the word **default**.

-1. In **Edit subnet**, enter this information:

- | Subnet address range | Enter **11.1.0.0/24** |

-1. Select **Save**.

-1. Select the **Review + create** tab or select the **Review + create** button.

-1. Select **Create**.

-1. On the upper-left side of the screen in the portal, select **Create a resource** > **Networking** > **Private Link**, or in the search box enter **Private Link**.

-1. Select **Create**.

-1. In **Private Link Center**, select **Private endpoints** in the left-hand menu.

-1. In **Private endpoints**, select **+ Add**.

-1. In the **Basics** tab of **Create a private endpoint**, enter, or select this information:

- | Region | Select **(US) East US 2**. |

-1. Select the **Next: Resource** button at the bottom of the page.

-1. In **Resource**, enter or select this information:

-1. Select the **Next: Virtual Network** button at the bottom of the screen.

-1. In **Configuration**, enter or select this information:

- | Virtual Network | Select **myVNetPE**. |

- | Subnet | Select **mySubnetPE**. |

-1. Select **Next** until the **Review + create** tab then select **Create**.

-1. In the left-hand column of the Azure portal, select **Resource groups**.

-2. Select the **CreatePrivLinkService-rg** resource group.

-3. In the **CreatePrivLinkService-rg** resource group, select **myPrivateEndpoint**.

-4. In the **Overview** page of **myPrivateEndpoint**, select the name of the network interface associated with the private endpoint. The network interface name begins with **myPrivateEndpoint.nic**.

-1. Enter **CreatePrivLinkService-rg** in the search box at the top of the portal, and select **CreatePrivLinkService-rg** from the search results.

-|Create task and wait for task completion |Creates, assigns, and tracks a task to a user or Azure Active Directory group as part of a workflow | <br> - Assigned to <br> - Task title <br> - Task body | <br> - Renamable: Yes <br> - Deletable: Yes <br> - Multiple per workflow |All workflows templates |

-|Start and wait for an approval |Generates approval requests and assign the requests to individual users or Microsoft Azure Active Directory groups. Microsoft Purview workflow approval connector currently supports two types of approval types: <br> - First to Respond ΓÇô This implies that the first approver's outcome (Approve/Reject) is considered final. <br> - Everyone must approve ΓÇô This implies everyone identified as an approver must approve the request for the request to be considered approved. If one approver rejects the request, regardless of other approvers, the request is rejected. | <br> - Approval Type <br> - Title <br> - Assigned To | <br> - Renamable: Yes <br> - Deletable: Yes <br> - Multiple per workflow |All workflows templates |

-The [Data Map](#data-map): Microsoft Purview automates data discovery by providing data scanning and classification as a service for assets across your data estate. Metadata and descriptions of discovered data assets are integrated into a holistic map of your data estate. Atop this map, there are purpose-built apps that create environments for data discovery, access management, and insights about your data landscape.

-## Data Map

-Microsoft Purview Data Map provides the foundation for data discovery and effective data governance. Microsoft Purview Data Map is a cloud native PaaS service that captures metadata about enterprise data present in analytics and operation systems on-premises and cloud. Microsoft Purview Data Map is automatically kept up to date with built-in automated scanning and classification system. Business users can configure and use the Microsoft Purview Data Map through an intuitive UI and developers can programmatically interact with the Data Map using open-source Apache Atlas 2.2 APIs.

-| [Azure Functions](../azure-functions/azure-functions-az-redundancy.md) |  |

-1. Create a Premium plan in one of the supported regions and the resource group. Ensure the [new Premium plan has zone redundancy enabled](../azure-functions/azure-functions-az-redundancy.md#how-to-deploy-a-function-app-on-a-zone-redundant-premium-plan).

-> [Learn about Azure Functions support for availability zone redundancy](../azure-functions/azure-functions-az-redundancy.md)

-**Component** | **Details**

- |

-**Resource Mover** | Resource Mover coordinates with [Azure resource providers](../azure-resource-manager/management/resource-providers-and-types.md) to orchestrate the move of resources between regions. Resource Mover analyzes resource dependencies, and maintains and manages the state of resources during the move process.

-**Move collection** | A move collection is an [Azure Resource Manager](../azure-resource-manager/management/overview.md) object.<br/><br/> The move collection is created during the region move process, for each paired combination of source and target regions in a subscription. The collection contains metadata and configuration information about the resources you want to move.<br/><br/>Resources added to a move collection must be in the same subscription, but can be in different resource groups.

-**Move resource** | When you add a resource to a move collection, it's tracked by Resource Mover as a move resource.<br/><br/> Resource Mover maintains information for all of the move resources in the move collection, and maintains a one-to-one relationship between the source and target resource.

-**Dependencies** | Resource Mover validates resources that you add to a collection, and checks whether resources have any dependencies that aren't in the move collection.<br/><br/> After identifying dependencies for a resource, you can either add them dependencies to the move collection and move them too, or you can select alternate existing resources in the target region. All dependencies must be resolved before you start the move.

-**Behavior** | **Across regions**

- | |

-**Data** | Resource data and metadata are moved.<br/><br/> Metadata is stored temporarily to track status of resource dependencies and operations.

-**Resource** | The source resource stays intact to ensure that apps continue to work, and can optionally be removed after the move.<br/><br/> A resource is created in the target region.

-**Move process** | Multi-step process requiring manual intervention and monitoring.

-**Testing** | Testing the move is important, since the apps should continue to work as expected in the target region, after the move.

-**Downtime** | No data loss expected, but some downtime to move resources.

-VNET Peering | Not Retained | The VNET which is moved to the target region will not retain itΓÇÖs VNET peering configuration present in the source region. To retain the peering, it needs to do be done again manually in the target region.

-**Feature** | **Supported/Not supported** | **Details**

- | |

-**Azure SQL Database Hyperscale** | Not supported | Can't move databases in the Azure SQL Hyperscale service tier with Resource Mover.

-**Zone redundancy** | Supported | Supported move options:<br/><br/> - Between regions that support zone redundancy.<br/><br/> - Between regions that don't support zone redundancy.<br/><br/> - Between a region that supports zone redundancy to a region that doesn't support zone redundancy.<br/><br/> - Between a region that doesn't support zone redundancy to a region that does support zone redundancy.

-**Data sync** | Hub/sync database: Not supported<br/><br/> Sync member: Supported. | If a sync member is moved, you need to set up data sync to the new target database.

-**Existing geo-replication** | Supported | Existing geo replicas are remapped to the new primary in the target region.<br/><br/> Seeding must be initialized after the move. [Learn more](/azure/azure-sql/database/active-geo-replication-configure-portal)

-**Transparent Data Encryption (TDE) with Bring Your Own Key (BYOK)** | Supported | [Learn more](../key-vault/general/move-region.md) about moving key vaults across regions.

-**TDE with service-managed key** | Supported. | [Learn more](../key-vault/general/move-region.md) about moving key vaults across regions.

-**Dynamic data masking rules** | Supported. | Rules are automatically copied over to the target region as part of the move. [Learn more](/azure/azure-sql/database/dynamic-data-masking-configure-portal).

-**Advanced data security** | Not supported. | Workaround: Set up at the SQL Server level in the target region. [Learn more](/azure/azure-sql/database/azure-defender-for-sql).

-**Firewall rules** | Not supported. | Workaround: Set up firewall rules for SQL Server in the target region. Database-level firewall rules are copied from the source server to the target server. [Learn more](/azure/azure-sql/database/firewall-create-server-level-portal-quickstart).

-**Auditing policies** | Not supported. | Policies will reset to default after the move. [Learn](/azure/azure-sql/database/auditing-overview) how to reset.

-**Backup retention** | Supported. | Backup retention policies for the source database are carried over to the target database. [Learn](/azure/azure-sql/database/long-term-backup-retention-configure) how to modify settings after the move.

-**Auto tuning** | Not supported. | Workaround: Set auto tuning settings after the move. [Learn more](/azure/azure-sql/database/automatic-tuning-enable).

-**Database alerts** | Not supported. | Workaround: Set alerts after the move. [Learn more](/azure/azure-sql/database/alerts-insights-configure-portal).

-**Azure SQL Server stretch database** | Not Supported | Can't move SQL server stretch databases with Resource Mover.

-| [search-website](https://github.com/azure-samples/azure-search-dotnet-samples/tree/master/search-website) | Source code for [Tutorial: Add search to web apps](tutorial-csharp-overview.md). Demonstrates an end-to-end search app that includes a rich client plus components for hosting the app and handling search requests.|

-| [search-website](https://github.com/azure-samples/azure-search-javascript-samples/tree/master/search-website) | Source code for [Tutorial: Add search to web apps](tutorial-javascript-overview.md). Demonstrates an end-to-end search app that includes a rich client plus components for hosting the app and handling search requests.|

-| [search-website](https://github.com/azure-samples/azure-search-python-samples/tree/master/search-website) | Source code for [Tutorial: Add search to web apps](tutorial-python-overview.md). Demonstrates an end-to-end search app that includes a rich client plus components for hosting the app and handling search requests.|

-+ [Postman Desktop App](https://www.postman.com/downloads/) using the [2021-04-30-Preview REST APIs](/rest/api/searchservice/preview-api/). See this [Quickstart](search-get-started-rest.md) for help with setting up your requests.

-In [fuzz testing](https://cloudblogs.microsoft.com/microsoftsecure/2007/09/20/fuzz-testing-at-microsoft-and-the-triage-process/), you induce program failure by deliberately introducing malformed or random data to an application. Inducing program failure helps reveal potential security issues before the application is released.

-| **Azure AD** | <ul><li>[Use standard authentication scenarios supported by Azure Active Directory](#authn-aad)</li><li>[Override the default ADAL token cache with a scalable alternative](#adal-scalable)</li><li>[Ensure that TokenReplayCache is used to prevent the replay of ADAL authentication tokens](#tokenreplaycache-adal)</li><li>[Use ADAL libraries to manage token requests from OAuth2 clients to AAD (or on-premises AD)](#adal-oauth2)</li></ul> |

-## <a id="adal-scalable"></a>Override the default ADAL token cache with a scalable alternative

-| **References** | [Modern Authentication with Azure Active Directory for Web Applications](/archive/blogs/microsoft_press/new-book-modern-authentication-with-azure-active-directory-for-web-applications), [Using Redis as ADAL token cache](https://blogs.msdn.microsoft.com/mrochon/2016/09/19/using-redis-as-adal-token-cache/) |

-| **Steps** | <p>The default cache that ADAL (Active Directory Authentication Library) uses is an in-memory cache that relies on a static store, available process-wide. While this works for native applications, it does not scale for mid tier and backend applications for the following reasons:</p><ul><li>These applications are accessed by many users at once. Saving all access tokens in the same store creates isolation issues and presents challenges when operating at scale: many users, each with as many tokens as the resources the app accesses on their behalf, can mean huge numbers and very expensive lookup operations</li><li>These applications are typically deployed on distributed topologies, where multiple nodes must have access to the same cache</li><li>Cached tokens must survive process recycles and deactivations</li></ul><p>For all the above reasons, while implementing web apps, it is recommended to override the default ADAL token cache with a scalable alternative such as Azure Cache for Redis.</p>|

-## <a id="tokenreplaycache-adal"></a>Ensure that TokenReplayCache is used to prevent the replay of ADAL authentication tokens

-// ITokenReplayCache defined in ADAL

-## <a id="adal-oauth2"></a>Use ADAL libraries to manage token requests from OAuth2 clients to AAD (or on-premises AD)

-| **References** | [ADAL](../../active-directory/azuread-dev/active-directory-authentication-libraries.md) |

-| **Steps** | <p>The Azure AD authentication Library (ADAL) enables client application developers to easily authenticate users to cloud or on-premises Active Directory (AD), and then obtain access tokens for securing API calls.</p><p>ADAL has many features that make authentication easier for developers, such as asynchronous support, a configurable token cache that stores access tokens and refresh tokens, automatic token refresh when an access token expires and a refresh token is available, and more.</p><p>By handling most of the complexity, ADAL can help a developer focus on business logic in their application and easily secure resources without being an expert on security. Separate libraries are available for .NET, JavaScript (client and Node.js), Python, iOS, Android and Java.</p>|

-| **Steps** | <p>Using a shared access signature (SAS) is a powerful way to grant limited access to objects in a storage account to other clients, without having to expose account access key. The SAS is a URI that encompasses in its query parameters all of the information necessary for authenticated access to a storage resource. To access storage resources with the SAS, the client only needs to pass in the SAS to the appropriate constructor or method.</p><p>You can use a SAS when you want to provide access to resources in your storage account to a client that can't be trusted with the account key. Your storage account keys include both a primary and secondary key, both of which grant administrative access to your account and all of the resources in it. Exposing either of your account keys opens your account to the possibility of malicious or negligent use. Shared access signatures provide a safe alternative that allows other clients to read, write, and delete data in your storage account according to the permissions you've granted, and without need for the account key.</p><p>If you have a logical set of parameters that are similar each time, using a Stored Access Policy (SAP) is a better idea. Because using a SAS derived from a Stored Access Policy gives you the ability to revoke that SAS immediately, it is the recommended best practice to always use Stored Access Policies when possible.</p>|

-| **Azure AD** | <ul><li>[Implement proper logout using ADAL methods when using Azure AD](#logout-adal)</li></ul> |

-## <a id="logout-adal"></a>Implement proper logout using ADAL methods when using Azure AD

-| **References** | N/A |

-| **Steps** | If the application relies on access token issued by Azure AD, the logout event handler should call |

-### Example

-```csharp

-HttpContext.GetOwinContext().Authentication.SignOut(OpenIdConnectAuthenticationDefaults.AuthenticationType, CookieAuthenticationDefaults.AuthenticationType)

-```

-It should also destroy user's session by calling Session.Abandon() method. Following method shows secure implementation of user logout:

- [HttpPost]

- [ValidateAntiForgeryToken]

- public void LogOff()

- {

- string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

- AuthenticationContext authContext = new AuthenticationContext(Authority + TenantId, new NaiveSessionCache(userObjectID));

- authContext.TokenCache.Clear();

- Session.Clear();

- Session.Abandon();

- Response.SetCookie(new HttpCookie("ASP.NET_SessionId", string.Empty));

- HttpContext.GetOwinContext().Authentication.SignOut(

- OpenIdConnectAuthenticationDefaults.AuthenticationType,

- CookieAuthenticationDefaults.AuthenticationType);

- }

-[Data encryption at rest](https://cloudblogs.microsoft.com/microsoftsecure/2015/09/10/cloud-security-controls-series-encrypting-data-at-rest/) is a mandatory step toward data privacy, compliance, and data sovereignty.

-* [Microsoft Security Response Center](https://technet.microsoft.com/library/dn440717.aspx) - where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to secure@microsoft.com

-* [Fuzz testing](https://cloudblogs.microsoft.com/microsoftsecure/2007/09/20/fuzz-testing-at-microsoft-and-the-triage-process/) of your endpoints

-In this tutorial, you learn how to use the [@azure/service-bus](https://www.npmjs.com/package/@azure/service-bus) package in a JavaScript program to send messages to and receive messages from a Service Bus queue.

-### Use Node Package Manager (NPM) to install the package

-To install the npm package for Service Bus, open a command prompt that has `npm` in its path, change the directory to the folder where you want to have your samples and then run this command.

-```bash

-npm install @azure/service-bus

-```

-The following sample code shows you how to send a message to a queue.

-2. Create a file called `send.js` and paste the below code into it. This code sends the names of scientists as messages to your queue.

-1. Replace `<QUEUE NAME>` with the name of the queue.

-1. Then run the command in a command prompt to execute this file.

-1. You should see the following output.

-1. Replace `<QUEUE NAME>` with the name of the queue.

-1. Then, run the command in a command prompt to execute this file.

- ```console

- node receive.js

- ```

-1. You should see the following output.

- Received message: Albert Einstein

- Received message: Werner Heisenberg

- Received message: Marie Curie

- Received message: Steven Hawking

- Received message: Isaac Newton

- Received message: Niels Bohr

- Received message: Michael Faraday

- Received message: Galileo Galilei

- Received message: Johannes Kepler

- Received message: Nikolaus Kopernikus

-In this tutorial, you learn how to use the [@azure/service-bus](https://www.npmjs.com/package/@azure/service-bus) package in a JavaScript program to send messages to a Service Bus topic and receive messages from a Service Bus subscription to that topic.

-### Use Node Package Manager (NPM) to install the package

-To install the npm package for Service Bus, open a command prompt that has `npm` in its path, change the directory to the folder where you want to have your samples and then run this command.

-```bash

-npm install @azure/service-bus

-```

-1. Replace `<TOPIC NAME>` with the name of the topic.

-1. Replace `<SUBSCRIPTION NAME>` with the name of the subscription to the topic.

-1. Then run the command in a command prompt to execute this file.

-1. You should see the following output.

- ```console

- Received message: Albert Einstein

- Received message: Werner Heisenberg

- Received message: Marie Curie

- Received message: Steven Hawking

- Received message: Isaac Newton

- Received message: Niels Bohr

- Received message: Michael Faraday

- Received message: Galileo Galilei

- Received message: Johannes Kepler

- Received message: Nikolaus Kopernikus

- ```

-Number of disks | 3, including the OS disk - 80 GB, data disk 1 - 620 GB, data disk 2 - 620 GB

- |`*.vault.azure.net `|Manage secrets in the Azure Key Vault. Note: Ensure machines to replicate have access to this. |

-#### If Antivirus software is active on Source machine

-

-To do this, go to the machine > **Re-protect**, select the appliance of your choice, select the replication policy and proceed.

-> [Reprotect Azure VMs](vmware-azure-reprotect.md)

-> [Fail back from Azure](vmware-azure-failback.md)

-We recommend that the domain name, as seen by the browser, is the same as the host name which Application Gateway uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using Application Gateway to expose applications hosted in Azure Spring Apps and residing in a virtual network. If the domain exposed by Application Gateway is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken. For more information, see [Host name preservation](/azure/architecture/best-practices/host-name-preservation.md).

-We recommend that the domain name, as seen by the browser, is the same as the host name which Application Gateway uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using Application Gateway to expose applications hosted in Azure Spring Apps and residing in a virtual network. If the domain exposed by Application Gateway is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken. For more information, see [Host name preservation](/azure/architecture/best-practices/host-name-preservation.md).

-We recommend that the domain name, as seen by the browser, is the same as the host name which the load balancer uses to direct traffic to the Azure Spring Apps back end. This recommendation provides the best experience when using a load balancer to expose applications hosted in Azure Spring Apps. If the domain exposed by the load balancer is different from the domain accepted by Azure Spring Apps, cookies and generated redirect URLs (for example) can be broken. For more information, see [Host name preservation](/azure/architecture/best-practices/host-name-preservation.md).

-1. The key point is to select *No* for **Pick host name from backend HTTP settings** option and explicitly specify the host name. For more information, see [Application Gateway configuration for host name preservation](/azure/architecture/best-practices/host-name-preservation.md#application-gateway).

-1. Keep the **origin host header** empty, so that the incoming host header will be used towards the backend. For more information, see [Azure Front Door configuration for host name preservation](/azure/architecture/best-practices/host-name-preservation.md#azure-front-door).

-(1) [Configuration file](#configuration-file)

-(2) [Environment variables](#environment-variables)

-(3) [CLI parameters](#cli-parameters)

-The BlobFuse2 project is [licensed under MIT](https://github.com/Azure/azure-storage-fuse/blob/main/LICENSE).