-## September 2023

-This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. For more information about the rebranding, see the [New name for Azure Active Directory](/azure/active-directory/fundamentals/new-name) article.

-## June 2023

-### New articles

-### Updated articles

-> [!NOTE]

-> The ```2023-07-31``` (GA) version of the general document model adds support for **normalized keys**.

-* Key names are spans of text within the document that are associated with a value. With the ```2023-07-31```(GA) API version, key names are normalized where applicable.

- Azure AI Document Intelligence supports a wide variety of models that enable you to add intelligent document processing to your apps and flows. You can use a prebuilt document analysis or domain specific model or train a custom model tailored to your specific business needs and use cases. Document Intelligence can be used with the REST API or Python, C#, Java, and JavaScript SDKs.

-The following lists include the currently GA languages in the most recent v3.0 version for Read, Layout, and Custom template (form) models.

-# Summarization language support

-Use this article to learn which natural languages are supported by document and conversation summarization.

-# [Document summarization](#tab/document-summarization)

-## Languages supported by extractive and abstractive document summarization

-# [Conversation summarization](#tab/conversation-summarization)

-## Languages supported by conversation summarization

-## Languages supported by custom summarization

-### VersionUpgradeOption

-You can check what model upgrade options are set for previously deployed models in [Azure OpenAI Studio](https://oai.azure.com). Select **Deployments** > Under the deployment name column select one of the deployment names that are highlighted in blue > The **Properties** will contain a value for **Version update policy**.

-The corresponding property can also be accessed via [REST](../how-to/working-with-models.md#model-deployment-upgrade-configuration), [Azure PowerShell](/powershell/module/az.cognitiveservices/get-azcognitiveservicesaccountdeployment), and [Azure CLI](/cli/azure/cognitiveservices/account/deployment#az-cognitiveservices-account-deployment-show).

-|Option| Read | Update |

-||||

-| [REST](../how-to/working-with-models.md#model-deployment-upgrade-configuration) | Yes. If `versionUpgradeOption` is not returned it means it is `null` |Yes |

-| [Azure PowerShell](/powershell/module/az.cognitiveservices/get-azcognitiveservicesaccountdeployment) | Yes.`VersionUpgradeOption` can be checked for `$null`| Yes |

-| [Azure CLI](/cli/azure/cognitiveservices/account/deployment#az-cognitiveservices-account-deployment-show) | Yes. It shows `null` if `versionUpgradeOption` is not set.| *No.* It is currently not possible to update the version upgrade option.|

-> [!NOTE]

-> `null` is equivalent to `AutoUpgradeWhenExpired`.

-**Azure PowerShell**

-Review the Azure PowerShell [getting started guide](/powershell/azure/get-started-azureps) to install Azure PowerShell locally or you can use the [Azure Cloud Shell](/azure/cloud-shell/overview).

-The steps below demonstrate checking the `VersionUpgradeOption` option property as well as updating it:

-```powershell

-// Step 1: Get Deployment

-$deployment = Get-AzCognitiveServicesAccountDeployment -ResourceGroupName {ResourceGroupName} -AccountName {AccountName} -Name {DeploymentName}

-

-// Step 2: Show Deployment VersionUpgradeOption

-$deployment.Properties.VersionUpgradeOption

-

-// VersionUpgradeOption can be null - one way to check is

-$null -eq $deployment.Properties.VersionUpgradeOption

-

-// Step 3: Update Deployment VersionUpgradeOption

-$deployment.Properties.VersionUpgradeOption = "NoAutoUpgrade"

-New-AzCognitiveServicesAccountDeployment -ResourceGroupName {ResourceGroupName} -AccountName {AccountName} -Name {DeploymentName} -Properties $deployment.Properties -Sku $deployment.Sku

-

-// repeat step 1 and 2 to confirm the change.

-// If not sure about deployment name, use this command to show all deployments under an account

-Get-AzCognitiveServicesAccountDeployment -ResourceGroupName {ResourceGroupName} -AccountName {AccountName}

-```

-> Any region where GPT-4 is listed as available will always have access to both the 8K and 32K versions of the model

-| Available to all subscriptions with Azure OpenAI access | | Canada East <br> Sweden Central <br> Switzerland North |

-| Available to subscriptions with current access to the model version in the region | East US <br> France Central <br> South Central US <br> UK South | Australia East <br> East US <br> East US 2 <br> France Central <br> Japan East <br> UK South |

-There are three distinct model deployment upgrade options which are configurable via REST API:

-|`NoAutoUpgrade` | The model deployment will never automatically upgrade. Once the retirement date is reached the model deployment will stop working. You will need to update your code referencing that deployment to point to a non-expired model deployment. |

-To query the current model deployment settings including the deployment upgrade configuration for a given resource use [`Deployments List`](/rest/api/cognitiveservices/accountmanagement/deployments/list?tabs=HTTP#code-try-0)

- "id": "/subscriptions/{Subcription-GUID}/resourceGroups/{Resource-Group-Name}/providers/Microsoft.CognitiveServices/accounts/{Resource-Name}/deployments/text-davinci-003",

- "name": "text-davinci-003",

- "capacity": 60

- "name": "text-davinci-003",

- "version": "1"

- "search": "true"

- "count": 60

- "count": 60000

- }

-curl -X PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-temp/providers/Microsoft.CognitiveServices/accounts/docs-openai-test-001/deployments/text-embedding-ada-002-test-1?api-version=2023-05-01 \

- -d '{"sku":{"name":"Standard","capacity":1},"properties": {"model": {"format": "OpenAI","name": "text-embedding-ada-002","version": "2"},"versionUpgradeOption":"OnceCurrentVersionExpired"}}'

-{

- "id": "/subscriptions/{subscription-id}/resourceGroups/resource-group-temp/providers/Microsoft.CognitiveServices/accounts/docs-openai-test-001/deployments/text-embedding-ada-002-test-1",

- "name": "text-embedding-ada-002-test-1",

- "capacity": 1

- "name": "text-embedding-ada-002",

- "version": "2"

- "embeddings": "true",

- "embeddingsMaxInputs": "1"

- "ratelimits": [

- "count": 2

- "count": 1000

- "createdAt": "2023-06-13T00:12:38.885937Z",

- "lastModifiedAt": "2023-06-13T02:41:04.8410965Z"

- "etag": "\"{GUID}\""

-pip install openai num2words matplotlib plotly scipy scikit-learn pandas tiktoken

-pip install openai json requests os tiktoken time

-> Usage of pronunciation assessment costs the same as standard Speech to text, whether pay-as-you-go or commitment tier [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services). If you [purchase a commitment tier](../commitment-tier.md) for standard Speech to text, the spend for pronunciation assessment goes towards meeting the commitment.

-You must create a `PronunciationAssessmentConfig` object with the reference text, grading system, and granularity. Enabling miscue and other configuration settings are optional.

-var pronunciationAssessmentConfig = new PronunciationAssessmentConfig(

- referenceText: "good morning",

- gradingSystem: GradingSystem.HundredMark,

- granularity: Granularity.Phoneme,

- enableMiscue: true);

-auto pronunciationAssessmentConfig = PronunciationAssessmentConfig::CreateFromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"enableMiscue\":true}");

-PronunciationAssessmentConfig pronunciationAssessmentConfig = PronunciationAssessmentConfig.fromJson("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"enableMiscue\":true}");

-pronunciation_assessment_config = speechsdk.PronunciationAssessmentConfig(json_string="{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"EnableMiscue\":true}")

-var pronunciationAssessmentConfig = SpeechSDK.PronunciationAssessmentConfig.fromJSON("{\"referenceText\":\"good morning\",\"gradingSystem\":\"HundredMark\",\"granularity\":\"Phoneme\",\"EnableMiscue\":true}");

-SPXPronunciationAssessmentConfiguration *pronunciationAssessmentConfig =

-[[SPXPronunciationAssessmentConfiguration alloc] init:@"good morning"

- gradingSystem:SPXPronunciationAssessmentGradingSystem_HundredMark

- granularity:SPXPronunciationAssessmentGranularity_Phoneme

- enableMiscue:true];

-var pronunciationAssessmentConfig: SPXPronunciationAssessmentConfiguration?

-do {

- try pronunciationAssessmentConfig = SPXPronunciationAssessmentConfiguration.init(referenceText, gradingSystem: SPXPronunciationAssessmentGradingSystem.hundredMark, granularity: SPXPronunciationAssessmentGranularity.phoneme, enableMiscue: true)

-} catch {

- print("error \(error) happened")

- pronunciationAssessmentConfig = nil

- return

-}

-| `ReferenceText` | The text that the pronunciation is evaluated against. |

-| `EnableMiscue` | Enables miscue calculation when the pronounced words are compared to the reference text. If this value is `True`, the `ErrorType` result value can be set to `Omission` or `Insertion` based on the comparison. Accepted values are `False` and `True`. Default: `False`. To enable miscue calculation, set the `EnableMiscue` to `True`. You can refer to the code snippet below the table.|

-This table lists some of the key pronunciation assessment results.

-| Parameter | Description |

-|--|-|

-| `AccuracyScore` | Pronunciation accuracy of the speech. Accuracy indicates how closely the phonemes match a native speaker's pronunciation. Syllable, word, and full text accuracy scores are aggregated from phoneme-level accuracy score, and refined with assessment objectives.|

-| `FluencyScore` | Fluency of the given speech. Fluency indicates how closely the speech matches a native speaker's use of silent breaks between words. |

-| `CompletenessScore` | Completeness of the speech, calculated by the ratio of pronounced words to the input reference text. |

-| `PronScore` | Overall score indicating the pronunciation quality of the given speech. `PronScore` is aggregated from `AccuracyScore`, `FluencyScore`, and `CompletenessScore` with weight. |

-| `ErrorType` | This value indicates whether a word is omitted, inserted, or mispronounced, compared to the `ReferenceText`. Possible values are `None`, `Omission`, `Insertion`, and `Mispronunciation`. The error type can be `Mispronunciation` when the pronunciation `AccuracyScore` for a word is below 60.|

-Pronunciation assessment results for the spoken word "hello" are shown as a JSON string in the following example. Here's what you should know:

-Pronunciation assessment supports uninterrupted streaming mode. The recording time can be unlimited through the Speech SDK. As long as you don't stop recording, the evaluation process doesn't finish and you can pause and resume evaluation conveniently. In streaming mode, the `AccuracyScore`, `FluencyScore` , and `CompletenessScore` will vary over time throughout the recording and evaluation process.

-The Azure AI service for Speech platform is a comprehensive collection of technologies and services aimed at accelerating the incorporation of speech into applications. Azure AI services for Speech can be used to learn languages.

-The [Pronunciation Assessment](pronunciation-assessment-tool.md) feature is designed to provide instant feedback to users on the accuracy, fluency, and prosody of their speech when learning a new language, so that they can speak and present in a new language with confidence. For information about availability of pronunciation assessment, see [supported languages](language-support.md?tabs=pronunciation-assessment) and [available regions](regions.md#speech-service).

-Pronunciation assessment provides various assessment results in different granularities, from individual phonemes to the entire text input.

-This article describes how to use the pronunciation assessment tool through the [Speech Studio](https://speech.microsoft.com). You can get immediate feedback on the accuracy and fluency of your speech without writing any code. For information about how to integrate pronunciation assessment in your speech applications, see [How to use pronunciation assessment](how-to-pronunciation-assessment.md).

-> Usage of pronunciation assessment costs the same as standard Speech to text, whether pay-as-you-go or commitment tier [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services). If you [purchase a commitment tier](../commitment-tier.md) for standard Speech to text, the spend for pronunciation assessment goes towards meeting the commitment.

->

-> For information about availability of pronunciation assessment, see [supported languages](language-support.md?tabs=pronunciation-assessment) and [available regions](regions.md#speech-service).

-1. Choose a supported [language](language-support.md?tabs=pronunciation-assessment) that you want to evaluate the pronunciation.

- :::image type="content" source="media/pronunciation-assessment/pa-language.png" alt-text="Screenshot of choosing a supported language that you want to evaluate the pronunciation.":::

-1. Choose from the provisioned text samples, or under the **Enter your own script** label, enter your own reference text.

- :::image type="content" source="media/pronunciation-assessment/pa-record.png" alt-text="Screenshot of where to record audio with a microphone.":::

- :::image type="content" source="media/pronunciation-assessment/pa-upload.png" alt-text="Screenshot of uploading recorded audio to be assessed.":::

-Once you've recorded the reference text or uploaded the recorded audio, the **Assessment result** will be output. The result includes your spoken audio and the feedback on the accuracy and fluency of spoken audio, by comparing a machine generated transcript of the input audio with the reference text. You can listen to your spoken audio, and download it if necessary.

-The complete transcription is shown in the **Display** window. If a word is omitted, inserted, or mispronounced compared to the reference text, the word will be highlighted according to the error type. The error types in the pronunciation assessment are represented using different colors. Yellow indicates mispronunciations, gray indicates omissions, and red indicates insertions. This visual distinction makes it easier to identify and analyze specific errors. It provides a clear overview of the error types and frequencies in the spoken audio, helping you focus on areas that need improvement. While hovering over each word, you can see accuracy scores for the whole word or specific phonemes.

-The complete transcription is shown in the `text` attribute. You can see accuracy scores for the whole word, syllables, and specific phonemes. You can get the same results using the Speech SDK. For information, see [How to use Pronunciation Assessment](how-to-pronunciation-assessment.md).

-### Assessment scores in streaming mode

-Pronunciation Assessment evaluates three aspects of pronunciation: accuracy, fluency, and completeness. At the bottom of **Assessment result**, you can see **Pronunciation score** as aggregated overall score which includes 3 sub aspects: **Accuracy score**, **Fluency score**, and **Completeness score**. In streaming mode, since the **Accuracy score**, **Fluency score and Completeness score** will vary over time throughout the recording process, we demonstrate an approach on Speech Studio to display approximate overall score incrementally before the end of the evaluation, which weighted only with Accuracy score and Fluency score. The **Completeness score** is only calculated at the end of the evaluation after you press the stop button, so the final overall score is aggregated from **Accuracy score**, **Fluency score**, and **Completeness score** with weight.

-After you press the stop button, you can see **Pronunciation score**, **Accuracy score**, **Fluency score**, and **Completeness score** at the bottom.

-This process takes several minutes to complete. When finished, the following example JSON snippet shows updating the existing cluster to the Standard tier in the Base SKU.

- - remover: remove used images with vulnerabilities

-> After you update the SSH key, AKS doesn't automatically reimage your node pool. At anytime you can choose to perform a [reimage operation][node-image-upgrade]. Only after reimage is complete does the update SSH key operation take effect.

- If prompted, sign in to your Azure account.

-1. Provisioned and activated a WS2012 Arc ESU License intended to be linked to regular Azure Arc-enabled servers running in production environments (i.e., normally billed ESU scenarios)

-1. Link the tagged license to your tagged Azure Arc-enabled Windows Server 2012 and Windows Server 2012 R2 machines.

- This linking will not trigger a compliance violation or enforcement block, allowing you to extend the application of a license beyond its provisioned cores.

-To install and configure the Connected Machine agent on the target machine, a master runbook named **Add-AzureConnectedMachines** runs in the Azure sandbox. Based on the operating system detected on the machine, the master runbook calls a child runbook named **Add-AzureConnectedMachineWindows** or **Add-AzureConnectedMachineLinux** that runs under the system [Hybrid Runbook Worker](../../automation/automation-hybrid-runbook-worker.md) role directly on the machine. Runbook job output is written to the job history, and you can view their [status summary](../../automation/automation-runbook-execution.md#job-statuses) or drill into details of a specific runbook job in the [Azure portal](../../automation/manage-runbooks.md#view-statuses-in-the-azure-portal) or using [Azure PowerShell](../../automation/manage-runbooks.md#retrieve-job-statuses-using-powershell). Execution of runbooks in Azure Automation writes details in an activity log for the Automation account. For details of using the log, see [Retrieve details from Activity log](../../automation/manage-runbooks.md#retrieve-details-from-activity-log).

-The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers.

-Azure Arc-enabled SCVMM works with VMM 2016, 2019 and 2022 versions and supports SCVMM management servers with a maximum of 3500 VMs.

-[Create an Azure Arc VM](create-virtual-machine.md)

-| **SCVMM** | You need an SCVMM management server running version 2016 or later.<br/><br/> A private cloud with minimum free capacity of 16 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> For dynamic IP allocation to appliance VM, DHCP server is required. For static IP allocation, VMM static IP pool is required. |

-| **Workstation** | The workstation will be used to run the helper script.<br/><br/> A Windows/Linux machine that can access both your SCVMM management server and internet, directly or through proxy.<br/><br/> The helper script can be run directly from the VMM server machine as well.<br/><br/> To avoid network latency issues, we recommend executing the helper script directly in the VMM server machine.<br/><br/> Note that when you execute the script from a Linux machine, the deployment takes a bit longer and you may experience performance issues. |

-| **Control Pane IP** | Provide a reserved IP address (a reserved IP address in your DHCP range or a static IP outside of DHCP range but still available on the network). The key thing is this IP address shouldn't be assigned to any other machine on the network. |

-When you [enable guest management](enable-guest-management-at-scale.md) on VMware VMs, Azure Arc agent is installed on the VMs. The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers. This article provides an architectural overview of Azure connected machine agent.

-Azure Arc-enabled VMware vSphere (preview) works with vCenter Server versions 6.7, 7 and 8.

-| [Zone redundancy](cache-how-to-zone-redundancy.md) |-|-|Γ£ö|Γ£ö|Γ£ö|

-The [ILogger&lt;T&gt;] in this example was also obtained through dependency injection. It is registered automatically. To learn more about configuration options for logging, see [Logging](#logging).

-This section outlines options you can enable to improve performance around [cold start](./event-driven-scaling.md#cold-start).

-This section shows how to work with the underlying HTTP request and response objects using types from ASP.NET Core including [HttpRequest], [HttpResponse], and [IActionResult]. Use of this feature for local testing requires [Core Tools version 4.0.5240 or later](./functions-run-local.md) and that you set `AzureWebJobsFeatureFlags` to "EnableHttpProxying" in `local.settings.json` if you are using Core Tools version 4.0.5274 and earlier. This model is not available to [apps targeting .NET Framework][supported-versions], which should instead leverage the [built-in model](#built-in-http-model).

-Use the methods of [ILogger&lt;T&gt;] and [`ILogger`][ILogger] to write various log levels, such as `LogWarning` or `LogError`. To learn more about log levels, see the [monitoring article](functions-monitoring.md#log-levels-and-categories). You can customize the log levels for components added to your code by registering filters as part of the `HostBuilder` configuration:

-| Windows | .NET 8 RC1 |

-The following example shows an HTTP trigger that returns a "hello world" response as an [HttpResponseData](/dotnet/api/microsoft.azure.functions.worker.http.httpresponsedata) object:

-| `route` | Route for the http endpoint, if None, it will be set to function name if present or user defined python function name. |

-| `trigger_arg_name` | Argument name for HttpRequest, defaults to 'req'. |

-| `binding_arg_name` | Argument name for HttpResponse, defaults to '$return'. |

-| [HttpRequestData] | A projection of the full request object. |

-When using `HttpRequestData` or `HttpRequest`, custom types can also be bound to additional parameters using `Microsoft.Azure.Functions.Worker.Http.FromBodyAttribute`. Use of this attribute requires [`Microsoft.Azure.Functions.Worker.Extensions.Http` version 3.1.0 or later](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Http). Note that this is a different type than the similar attribute in `Microsoft.AspNetCore.Mvc`, and when using ASP.NET Core integration, you will need a fully qualified reference or `using` statement. The following example shows how to use the attribute to get just the body contents while still having access to the full `HttpRequest`, using the ASP.NET Core integration:

-| **genericJson**| A general-purpose webhook endpoint without logic for a specific provider. This setting restricts requests to only those using HTTP POST and with the `application/json` content type.|

-| **[github](#github-webhooks)** | The function responds to [GitHub webhooks](https://developer.github.com/webhooks/). Don't use the `authLevel` property with GitHub webhooks. |

-| **[slack](#slack-webhooks)** | The function responds to [Slack webhooks](https://api.slack.com/outgoing-webhooks). Don't use the `authLevel` property with Slack webhooks. |

-Use the following PowerShell script to generate a list of function apps in your subscription that currently use the in-process model:

-```powershell

-$Subscription = '<YOUR SUBSCRIPTION ID>'

-

-Set-AzContext -Subscription $Subscription | Out-Null

-Before you upgrade an app to the isolated worker model, you should thoroughly review the contents of this guide and familiarize yourself with the features of the [isolated worker model][isolated-guide].

-The following example is a .csproj project file that uses .NET 6 on version 4.x:

-# [.NET Framework 4.8](#tab/v4)

-# [.NET 8 (Preview)](#tab/net8)

-### Package and namespace changes

- When migrating to the isolated worker model, you need to change the packages your application references. Then you need to update the namespace of using statements and some types you reference. You can see the effect of these namespace changes on `using` statements in the [HTTP trigger template examples](#http-trigger-template) section later in this article.

-When migrating to run in an isolated worker process, you must add the following program.cs file to your project:

-# [.NET 6](#tab/net6-isolated)

-# [.NET 7](#tab/net7)

-# [.NET 8 (Preview)](#tab/net8)

-### local.settings.json file

-The local.settings.json file is only used when running locally. For information, see [Local settings file](functions-develop-local.md#local-settings-file).

-When migrating from running in-process to running in an isolated worker process, you need to change the `FUNCTIONS_WORKER_RUNTIME` value to "dotnet-isolated". Make sure that your local.settings.json file has at least the following elements:

-### Class name changes

-Some key classes change between the in-process model and the isolated worker model. The following table indicates key .NET classes used by Functions that change when migrating:

-| In-process model | Isolated worker model|

-| | | |

-| `FunctionName` (attribute) | `Function` (attribute) |

-| `ILogger` | `ILogger`, `ILogger<T>` |

-| `HttpRequest` | `HttpRequestData`, `HttpRequest` (using [ASP.NET Core integration])|

-| `IActionResult` | `HttpResponseData`, `IActionResult` (using [ASP.NET Core integration])|

-| `FunctionsStartup` (attribute) | Uses [`Program.cs`](#programcs-file) instead |

-[ASP.NET Core integration]: ./dotnet-isolated-process-guide.md#aspnet-core-integration

-There might also be class name differences in bindings. For more information, see the reference articles for the specific bindings.

-### HTTP trigger template

-The differences between in-process and isolated worker process can be seen in HTTP triggered functions. The HTTP trigger template for the in-process model looks like the following example:

-The HTTP trigger template for the migrated version looks like the following example:

-# [.NET 6](#tab/net6-isolated)

-You can also leverage [ASP.NET Core integration] to instead have the function look more like the following example:

-```csharp

-[Function("HttpFunction")]

-public IActionResult Run(

- [HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequest req)

- return new OkObjectResult($"Welcome to Azure Functions, {req.Query["name"]}!");

-# [.NET 7](#tab/net7)

-You can also leverage [ASP.NET Core integration] to instead have the function look more like the following example:

-[Function("HttpFunction")]

-public IActionResult Run(

- [HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequest req)

- return new OkObjectResult($"Welcome to Azure Functions, {req.Query["name"]}!");

-# [.NET Framework 4.8](#tab/v4)

-# [.NET 8 (Preview)](#tab/net8)

-You can also leverage [ASP.NET Core integration] to instead have the function look more like the following example:

-[Function("HttpFunction")]

-public IActionResult Run(

- [HttpTrigger(AuthorizationLevel.Anonymous, "get")] HttpRequest req)

- return new OkObjectResult($"Welcome to Azure Functions, {req.Query["name"]}!");

-For apps that run on servers (such as web services and service/daemon apps), if you prefer to avoid the overhead and complexity of managing secrets, consider [Managed Identities]. Managed identities can provide an identity for your web service to use when connecting to Azure Maps using Microsoft Entra authentication. If so, your web service uses that identity to obtain the required Microsoft Entra tokens. You should use Azure RBAC to configure what access the web service is given, using the [Least privileged roles] possible.

-[Azure Active Directory (Azure AD) authentication]: ../active-directory/fundamentals/active-directory-whatis.md

-Azure Maps supports three ways to authenticate requests: Shared Key authentication, [Microsoft Entra ID] authentication, and Shared Access Signature (SAS) Token authentication. This article explains authentication methods to help guide your implementation of Azure Maps services. The article also describes other account controls such as disabling local authentication for Azure Policy and Cross-Origin Resource Sharing (CORS).

-[Azure Active Directory (Azure AD)]: ../active-directory/fundamentals/active-directory-whatis.md

-[Azure AD authentication]: #azure-ad-authentication

-[Azure AD authentication]: azure-maps-authentication.md#azure-ad-authentication

-[Azure Maps and Azure AD]: azure-maps-authentication.md

-This code snippet shows how to use the `MapsSearch` method from the Azure Maps Search client library to create a `client` object with your Azure credentials. You can use either your Azure Maps subscription key or the [Microsoft Entra credential](#using-an-azure-ad-credential) from the previous section. The `path` parameter specifies the API endpoint, which is "/search/fuzzy/{format}" in this case. The `get` method sends an HTTP GET request with the query parameters, such as `query`, `coordinates`, and `countryFilter`. The query searches for Starbucks locations near Seattle in the US. The SDK returns the results as a [FuzzySearchResult] object and writes them to the console. For more information, see the [FuzzySearchRequest] documentation.

-

-| Scenario | Authentication | Authorization | Development effort | Operational effort |

-| --| -- | - | | |

-| [Trusted daemon app or non-interactive client app] | Shared Key | N/A | Medium | High |

-| [Trusted daemon or non-interactive client app] | Microsoft Entra ID | High | Low | Medium |

-| [Web single page app with interactive single-sign-on]| Microsoft Entra ID | High | Medium | Medium |

-| [Web single page app with non-interactive sign-on] | Microsoft Entra ID | High | Medium | Medium |

-| [Web app, daemon app, or non-interactive sign-on app]| SAS Token | High | Medium | Low |

-| [Web application with interactive single-sign-on] | Microsoft Entra ID | High | High | Medium |

-| [IoT device or an input constrained application] | Microsoft Entra ID | High | Medium | Medium |

-| Azure environment | Microsoft Entra token endpoint | Azure resource ID |

-[Azure AD authentication samples]: https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples

-[Authentication scenarios for Azure AD]: ../active-directory/develop/authentication-vs-authorization.md

-[Azure Active Directory (Azure AD)]: ../active-directory/fundamentals/active-directory-whatis.md

-[Azure AD authentication]: azure-maps-authentication.md#azure-ad-authentication

- ```javascript

-[Azure Active Directory credential]: ./how-to-dev-guide-js-sdk.md#using-an-azure-ad-credential

-Azure Monitor Agent doesn't rely on Syslog events being logged to `/var/log/`. Instead, it configures the rsyslog service to forward events over a socket directly to the `azuremonitoragent` service process (mdsd).

-If you're sending a high log volume through rsyslog and your system is set up to log events for these facilities, consider modifying the default rsyslog config to avoid logging and storing them under `/var/log/`. The events for this facility would still be forwarded to Azure Monitor Agent because rsyslog uses a different configuration for forwarding placed in `/etc/rsyslog.d/10-azuremonitoragent.conf`.

-On many Linux distributions, the rsyslogd daemon is responsible for consuming, storing, and routing log messages sent by using the Linux Syslog API. Azure Monitor Agent uses the UNIX domain socket output module (`omuxsock`) in rsyslog to forward log messages to Azure Monitor Agent.

-The built-in `omuxsock` module can't be loaded more than once. For this reason, the configurations for loading of the module and forwarding of the events with corresponding forwarding format template are split in two different files. Its default contents are shown in the following example. This example collects Syslog messages sent from the local agent for all facilities with all log levels.

-$ cat /etc/rsyslog.d/10-azuremonitoragent.conf

-$OMUxSockSocket /run/azuremonitoragent/default_syslog.socket

-template(name="AMA_RSYSLOG_TraditionalForwardFormat" type="string" string="<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%")

-$OMUxSockDefaultTemplate AMA_RSYSLOG_TraditionalForwardFormat

-# Forwarding all events through Unix Domain Socket

-*.* :omuxsock:

-```

-$ cat /etc/rsyslog.d/05-azuremonitoragent-loadomuxsock.conf

-# Azure Monitor Agent configuration: load rsyslog forwarding module.

-$ModLoad omuxsock

-```

-The configuration file for syslog-ng is installed at `/etc/opt/microsoft/azuremonitoragent/syslog/syslog-ngconf/azuremonitoragent.conf`. When Syslog collection is added to a DCR, this configuration file is placed under the `/etc/syslog-ng/conf.d/azuremonitoragent.conf` system directory and syslog-ng is automatically restarted for the changes to take effect.

-$ cat /etc/syslog-ng/conf.d/azuremonitoragent.conf

-# Azure MDSD configuration: syslog forwarding config for mdsd agent options {};

-# during install time, we detect if s_src exist, if it does then we

-# replace it by appropriate source name like in redhat 's_sys'

-# Forwrding using unix domain socket

-destination d_azure_mdsd {

-unix-dgram("/run/azuremonitoragent/default_syslog.socket"

-flags(no_multi_line)

-);

-};

-log { source(s_src); # will be automatically parsed from /etc/syslog-ng/syslog-ng.conf

-destination(d_azure_mdsd); };

-

-

-

- [](media/itsm-connector-secure-webhook-connections-azure-configuration/azure-ad-expand.png#lightbox)

- 

- 

- 

-

-

-

-

-

- 

- 

-

-

- * Ensure that the web app is successfully deployed and that the hybrid connection is created. To verify that the connection is successfully established with the on-premises Service Manager computer, go to the web app URL as described in the [documentation for making a hybrid connection](./itsmc-connections-scsm.md#configure-the-hybrid-connection).

-**Cause**: There can be several reasons for this:

-**Cause**: There can be several reasons for this:

-* Values aren't shown in the dropdowns of the default fields as a part of the action definition and an error message is shown: "No values found for the following fields: \<field names\>."

-**Cause**: There can be several reasons for this:

-* The search results do not include the **Computer** or **Resource** column.

-* The values in the configuration item field do not match an entry in the CMDB.

-* If the search results do not have a Computer or Resource column, add them to the query. When you are defining a query in Log Search alerts you need to have in the query result the Configuration items names with one of the label names "Computer", "Resource", "_ResourceId" or "ResourceIdΓÇ¥. This mapping will enable to map the configuration items to the ITSM payload

-* Check that the values in the Computer and Resource columns are identical to the values in the CMDB. If they are not, add a new entry to the CMDB with the matching values.

-

- 

- 

-

-

- 

-

-

-| `[agent_settings.proxy_config] ignore_proxy_settings =` | Boolean | True or false | Set this value to true to ignore proxy settings. On both AKS & Arc K8s environments, if your cluster is configured with forward proxy, then proxy settings are automatically applied and used for the agent. For certain configurations, such as, with AMPLS + Proxy, you may with for the proxy config to be ignored. . By default, this setting is set to `false`. |

-You may have enabled Prometheus alert rules without disabling Container insights recommended alerts. See [Migrate from Container insights recommended alerts to Prometheus recommended alert rules (preview)](container-insights-metric-alerts.md#migrate-from-metric-rules-to-prometheus-rules-preview).

-This options enables Prometheus, Grafana, and Container insights on a cluster.

-While a single Azure Monitor workspace may be sufficient for many use cases using Azure Monitor, many organizations create multiple workspaces to better meet their needs. This article presents a set of criteria for deciding whether to use a single Azure Monitor workspace, multiple Azure Monitor workspaces, and the configuration and placement of those workspaces.

-|Azure regions |Each Azure Monitor workspace resides in a particular Azure region. Regulatory or compliance requirements may dictate the storage of data in particular locations. |

-* Compliance or regulatory requirements that mandate storage of data in specific regions: Create an Azure Monitor workspace per region as per requirements. There may be a need to manage the scale of metrics for large services or financial institutions with regional accounts.

-## Workspace move considerations

-> - It could take Azure Resource Manager a few hours to complete. Solutions might be unresponsive during the operation.

->

-> **Re-create alerts:** All alerts must be re-created because the permissions are based on the workspace resource ID, which changes during a workspace move or resource name change. Alerts in workspaces created after June 1, 2019, or in workspaces that were [upgraded from the legacy Log Analytics Alert API to the scheduledQueryRules API](../alerts/alerts-log-api-switch.md) can be exported in templates and deployed after the move. You can [check if the scheduledQueryRules API is used for alerts in your workspace](../alerts/alerts-log-api-switch.md#check-switching-status-of-workspace). Alternatively, you can configure alerts manually in the target workspace.

->

-> **Update resource paths:** After a workspace move, any Azure or external resources that point to the workspace must be reviewed and updated to point to the new resource target path.

->

-> Examples:

-> - [Azure Monitor alert rules](../alerts/alerts-resource-move.md)

-> - Third-party applications

-> - Custom scripting

->

-<a name='verify-the-azure-active-directory-tenant'></a>

-The workspace source and destination subscriptions must exist within the same Microsoft Entra tenant. Use Azure PowerShell to verify that both subscriptions have the same tenant ID.

-Billing calculation for a Standard capacity pool is at the hot-tier rate for the data that isn't tiered to the cool tier. When you enable tiering for volumes, the capacity in the cool tier will be at the rate of the cool tier, and the remaining capacity will be at the rate of the hot tier. The rate of the cool tier is lower than the hot tier's rate.

- * 4-TiB capacity at the hot tier rate

-| **First month total** || **`$471.41`** |

-| Storage cost for 30 days | 1 TiB of active data (hot tier) <br><br> 3 TiB of inactive data (cool tier) | `1 TiB x 1024 x 30 days x 730/30 hrs. x $0.000202/GiB/hr. = $151.00` <br><br> `3 TiB x 1024 x 30 days x 730/30 hrs. x $0.000082/GiB/hr. = $183.89` |

-| **Second and subsequent monthly total** || **`$347.18`** |

-* Cost without cool access: `4 TiB x 1024 x $0.000202/GiB/hr. x 730 hrs. x 6 months = $3,623.98`

- `First month + Second month + … + Sixth month = $471.41 + (5x $347.18) = $2,207.29`

-* Savings using cool access: **`39.09%`**

-* Cost without cool access: `4 TiB x 1024 x $0.000202/GiB/hr. x 730 hrs. x 11 months = $7,247.95`

-* Cost with cool access: `First month + Second month + … + twelfth month = $471.41 + (11 x $347.18)= $4,290.36`

-* Savings using cool access: **`40.81%`**

-All 4 TiB is active data (in hot tier) for the first month. Your storage cost for the *first month* would be:

-`4 TiB x 1024 x 730hr. x $0.000202/GiB/hr. = $604.00`

-| **Second month total** || **`$453.47`** |

-| Storage cost for 30 days | 1 TiB of active data (hot tier) <br><br> 3 TiB of inactive data (cool tier) | `1 TiB x 1024 x 30 days x 730/30 hrs. x $0.000202/GiB/hr. = $151.00` <br><br> `3 TiB x 1024 x 30 days x 730/30 hrs. x $0.000082/GiB/hr. = $183.89` |

-| **Third and subsequent monthly total** || **`$347.18`** |

-* Cost without cool access: `4 TiB x 1024 x $0.000202/GiB/hr. x 730 hrs. x 6 months = $3,623.98`

- `First month + Second month + … + Sixth month = $604.00 + $453.47 + (4 x $347.18) = $2,446.17`

-* Savings using cool access: **`32.50%`**

-* Cost without cool access: `4 TiB x 1024 x $0.000202/GiB/hr. x 730 hrs. x 11 months = $7,247.95`

-* Cost with cool access: `First month + Second month + … + twelfth month = $604.00 + $453.47 + (10 x $347.18) = $4,529.23`

-* Savings using cool access: **`37.51%`**

-All 4 TiB is active data (in hot tier) for the first two months. Your monthly storage cost for the *first and second months* would be: `4 TiB x 1024 x 730hr. x $0.000202/GiB/hr. = $604.00`

-| **Third month total** || **`$435.53`** |

-| Storage cost for 30 days | 1 TiB of active data (hot tier) <br><br> 3 TiB of inactive data (cool tier) | `1 TiB x 1024 x 30 days x 730/30 hrs. x $0.000202/GiB/hr. = $151.00` <br><br> `3 TiB x 1024 x 30 days x 730/30 hrs. x $0.000082/GiB/hr. = $183.89` |

-| **Fourth and subsequent monthly total** || **`$347.18`** |

-* Cost without cool access: `4 TiB x 1024 x $0.000202/GiB/hr. x 730 hrs. x 6 months = $3,623.98`

- `First month + Second month + … + Sixth month = (2 x $604.00) + $435.53 + (3 x $347.18) = $2,685.05`

-* Savings using cool access: **`25.91%`**

-* Cost without cool access: `4 TiB x 1024 x $0.000202/GiB/hr. x 730 hrs. x 11 months = $7,247.95`

-* Cost with cool access: `First month + Second month + … + twelfth month = (2 x $604.00) + $435.53 + (9 x $347.18) = $4,768.11`

-* Savings using cool access: **`34.21%`**

-By default, modern Linux kernels define the per-connection `sunrpc` slot table entry size `sunrpc.max_tcp_slot_table_entries` as supporting 65,536 outstanding operations, as shown in the following table.

-The `sunrpc.max_tcp_slot_table_entries` tunable is a connection-level tuning parameter. *As a best practice, set this value to 128 or less per connection, not surpassing 10,000 slots environment wide.*

-#### Example 1 ΓÇô One NFS client, 65,536 `sunrpc.max_tcp_slot_table_entries`, and no `nconnect` for a maximum concurrency of 128 based on the server-side limit of 128

-Example 1 is based on a single client workload with the default `sunrpc.max_tcp_slot_table_entry` value of 65,536 and a single network connection, that is, no `nconnect`. In this case, a concurrency of 128 is achievable.

-#### Example 2 ΓÇô One NFS client, 128 `sunrpc.max_tcp_slot_table_entries`, and no `nconnect` for a maximum concurrency of 128

-Example 2 is based on a single client workload with a `sunrpc.max_tcp_slot_table_entry` value of 128, but without the `nconnect` mount option. With this setting, a concurrency of 128 is achievable from a single network connection.

-#### Example 3 ΓÇô One NFS client, 100 `sunrpc.max_tcp_slot_table_entries`, and `nconnect=8` for a maximum concurrency of 800

-Example 3 is based on a single client workload, but with a lower `sunrpc.max_tcp_slot_table_entry` value of 100. This time, the `nconnect=8` mount option used spreading the workload across 8 connection. With this setting, a concurrency of 800 is achievable spread across the 8 connections. This amount is the concurrency needed to achieve 400,000 IOPS.

-#### Example 4 ΓÇô 250 NFS clients, 8 `sunrpc.max_tcp_slot_table_entries`, and no `nconnect` for a maximum concurrency of 2000

-Example 4 uses the reduced per-client `sunrpc.max_tcp_slot_table_entry` value of 8 for a 250 machine-count EDA environment. In this scenario, a concurrency of 2000 is reached environment wide, a value more than sufficient to drive 4,000 MiB/s of a backend EDA workload.

-When using NFSv3, *you should collectively keep the storage endpoint slot count to 10,000 or less*. It is best to set the per-connection value for `sunrpc.max_tcp_slot_table_entries` to less than 128 when an application scales out across many network connections (`nconnect` and HPC in general, and EDA in particular).

-### How to calculate the best `sunrpc.max_tcp_slot_table_entries`

-Given the need for 1,250 clients, you could safely set `sunrpc.max_tcp_slot_table_entries` to 2 per client to reach the 4,000 MiB/s. However, you might decide to build in extra headroom by setting the number per client to 4 or even 8, keeping well under the 10,000 recommended slot ceiling.

-### How to set `sunrpc.max_tcp_slot_table_entries` on the client

-1. Add `sunrpc.max_tcp_slot_table_entries=<n>` to the `/etc/sysctl.conf` configuration file.

- Yes, you can connect an Azure NetApp Files volume as a datastore to multiple clusters in different SDDCs. Each SDDC will need connectivity via the ExpressRoute gateway in the Azure NetApp Files virtual network.

-LRS, GRS, and RA-GRS redundancies are supported for reservations. For more information about redundancy options, see [Azure Storage redundancy](../storage/common/storage-redundancy.md).

- | Redundancy | The redundancy option for the reservation. Options include LRS, GRS, and RA-GRS. For more information about redundancy options, see [Azure Storage redundancy](../storage/common/storage-redundancy.md). |

-For all operations, an SAP HANA database running on an Azure VM requires connectivity to the Azure Backup service, Azure Storage, and Microsoft Entra ID. This can be achieved by using private endpoints or by allowing access to the required public IP addresses or FQDNs. Not allowing proper connectivity to the required Azure services may lead to failure in operations like database discovery, configuring backup, performing backups, and restoring data.

-| Allow access to service FQDNs/IPs | No additional costs. <br><br> Works with all network security appliances and firewalls. <br><br> You can also use service endpoints for *Storage*. However, for *Azure Backup* and *Microsoft Entra ID*, you need to assign the access to the corresponding IPs/FQDNs. | A broad set of IPs or FQDNs may be required to be accessed. |

-## Back up database instance snapshots (preview)

-Learn about [Azure Backup service to back up database instances (preview)](sap-hana-db-about.md#using-the-azure-backup-service-to-back-up-database-instances-preview).

-# Back up SAP HANA database instance snapshots on Azure VMs (preview)

-Azure Backup now performs an SAP HANA storage snapshot-based backup of an entire database instance. Backup combines an Azure managed disk full or incremental snapshot with HANA snapshot commands to provide instant HANA backup and restore.

-In this article, you'll learn how to:

->[!div class="checklist"]

->- Create and configure a Recovery Services vault.

->- Create a policy.

->- Discover database instances.

->- Configure backups.

->- Track a backup job.

->Because the policy doesnΓÇÖt call for differential or incremental backups, we do *not* recommend that you trigger on-demand differential backups from any client.

-Learn about the [permissions required for snapshot restore](sap-hana-database-instances-restore.md#permissions-required-for-the-snapshot-restore).

-1. On the **Select policy type** pane, select **SAP HANA in Azure VM (DB Instance via snapshot) [Preview]**.

- :::image type="content" source="./media/sap-hana-database-instances-backup/select-sap-hana-instance-policy-type.png" alt-text="Screenshot that shows a list of policy types.":::

- :::image type="content" source="./media/sap-hana-database-instances-backup/create-policy.png" alt-text="Screenshot that shows the 'Create policy' pane for configuring backup and restore.":::

- a. **Policy name**: Enter a unique policy name.

- b. **Snapshot Backup**: Set the **Time** and **Timezone** for backup in the dropdown lists. The default settings are *10:30 PM* and *(UTC) Coordinated Universal Time*.

- >[!Note]

- >Azure Backup currently supports **Daily** backup only.

- c. **Instant Restore**: Set the retention of recovery snapshots from *1* to *35* days. The default value is *2*.

- d. **Resource group**: Select the appropriate resource group in the drop-down list.

- e. **Managed Identity**: Select a managed identity in the dropdown list to assign permissions for taking snapshots of the managed disks and place them in the resource group that you've selected in the policy.

-## Configure snapshot backup

-Before you configure a snapshot backup in this section, [configure the backup for the database](backup-azure-sap-hana-database.md#configure-backup).

-Then, to configure a snapshot backup, do the following:

-1. In the Recovery Services vault, select **Backup**.

-1. Select **SAP HANA in Azure VM** as the data source type, select a Recovery Services vault to use for backup, and then select **Continue**.

-1. On the **Backup Goal** pane, under **Step 2: Configure Backup**, select **DB Instance via snapshot (Preview)**, and then select **Configure Backup**.

- :::image type="content" source="./media/sap-hana-database-instances-backup/select-db-instance-via-snapshot.png" alt-text="Screenshot that shows the 'DB Instance via snapshot' option.":::

-1. On the **Configure Backup** pane, in the **Backup policy** dropdown list, select the database instance policy, and then select **Add/Edit** to check the available database instances.

- :::image type="content" source="./media/sap-hana-database-instances-backup/add-database-instance-backup-policy.png" alt-text="Screenshot that shows where to select and add a database instance policy.":::

- To edit a DB instance selection, select the checkbox that corresponds to the instance name, and then select **Add/Edit**.

-1. On the **Select items to backup** pane, select the checkboxes next to the database instances that you want to back up, and then select **OK**.

- :::image type="content" source="./media/sap-hana-database-instances-backup/select-database-instance-for-backup.png" alt-text="Screenshot that shows the 'Select items to backup' pane and a list of database instances.":::

- When you select HANA instances for backup, the Azure portal validates for missing permissions in the system-assigned managed identity that's assigned to the policy.

- If the permissions aren't present, you need to select **Assign missing roles/identity** to assign all permissions.

- The Azure portal then automatically re-validates the permissions, and the **Backup readiness** column displays the status as *Success*.

-1. When the backup readiness check is successful, select **Enable backup**.

- :::image type="content" source="./media/sap-hana-database-instances-backup/enable-hana-database-instance-backup.png" alt-text="Screenshot that shows that the HANA database instance backup is ready to be enabled.":::

-

-## Run an on-demand backup

-To run an on-demand backup, do the following:

-1. In the Azure portal, select a Recovery Services vault.

-1. In the Recovery Services vault, on the left pane, select **Backup items**.

-1. By default, **Primary Region** is selected. Select **SAP HANA in Azure VM**.

-1. On the **Backup Items** pane, select the **View details** link next to the SAP HANA snapshot instance.

- :::image type="content" source="./media/sap-hana-database-instances-backup/hana-snapshot-view-details.png" alt-text="Screenshot that shows the 'View details' links next to the HANA database snapshot instances.":::

-1. Select **Backup now**.

- :::image type="content" source="./media/sap-hana-database-instances-backup/start-backup-hana-snapshot.png" alt-text="Screenshot that shows the 'Backup now' button for starting a backup of a HANA database snapshot instance.":::

-1. On the **Backup now** pane, select **OK**.

- :::image type="content" source="./media/sap-hana-database-instances-backup/trigger-backup-hana-snapshot.png" alt-text="Screenshot showing to trigger HANA database snapshot instance backup.":::

-## Track a backup job

-The Azure Backup service creates a job if you schedule backups or if you trigger an on-demand backup operation for tracking. To view the backup job status, do the following:

-1. In the Recovery Services vault, on the left pane, select **Backup Jobs**.

- The jobs dashboard displays the status of the jobs that were triggered in the past 24 hours. To modify the time range, select **Filter**, and then make the required changes.

-1. To review the details of a job, select the **View details** link next to the job name.

-# Restore SAP HANA database instance snapshots on Azure VMs (preview)

-## Restore the entire system to a snapshot restore point

-In the following sections, you'll learn how to restore the system to the snapshot restore point.

-### Select and mount the snapshot

-To select and mount the snapshot, do the following:

-1. In the Azure portal, go to the Recovery Services vault.

-1. On the left pane, select **Backup items**.

-1. Select **Primary Region**, and then select **SAP HANA in Azure VM**.

- :::image type="content" source="./media/sap-hana-database-instances-restore/select-vm-in-primary-region.png" alt-text="Screenshot that shows where to select the primary region option for VM selection.":::

-1. On the **Backup Items** page, select **View details** corresponding to the SAP HANA snapshot instance.

- :::image type="content" source="./media/sap-hana-database-instances-restore/select-view-details.png" alt-text="Screenshot that shows where to view the details of the HANA database snapshot.":::

-

-1. Select **Restore**.

- :::image type="content" source="./media/sap-hana-database-instances-restore/restore-hana-snapshot.png" alt-text="Screenshot that shows the 'Restore' option for the HANA database snapshot.":::

-1. On the **Restore** pane, select the target VM to which the disks should be attached, the required HANA instance, and the resource group.

-1. On the **Restore Point** pane, choose **Select**.

- :::image type="content" source="./media/sap-hana-database-instances-restore/restore-system-database-restore-point.png" alt-text="Screenshot showing to select HANA snapshot recovery point.":::

-1. On the **Select restore point** pane, select a recovery point, and then select **OK**.

-1. Select the corresponding resource group and the *managed identity* to which all permissions are assigned for restore.

-1. Select **Validate** to check to ensure that all the permissions are assigned to the managed identity for the relevant scopes.

-1. If the permissions aren't assigned, select **Assign missing roles/identity**.

- After the roles are assigned, the Azure portal automatically re-validates the permission updates.

-1. Select **Attach and mount snapshot** to attach the disks to the VM.

-1. Select **OK** to create disks from snapshots, attach them to the target VM, and mount them.

-### Restore the system database

-Recover the system database from the data snapshot by using HANA Studio. For more information, see the [SAP documentation](https://help.sap.com/docs/SAP_HANA_COCKPIT/afa922439b204e9caf22c78b6b69e4f2/9fd053d58cb94ac69655b4ebc41d7b05.html).

->[!Note]

->After you've restored the system database, you need to run the preregistration script on the target VM to update the user credentials.

-### Restore tenant databases

-When the system database is restored, recover all tenant databases from a data snapshot by using HANA Studio. For more information, see the [HANA documentation](https://help.sap.com/docs/SAP_HANA_COCKPIT/afa922439b204e9caf22c78b6b69e4f2/b2c283094b9041e7bdc0830c06b77bf8.html).

-## Restore the database to a different log point in time over a snapshot

-To restore the database to a different log point in time, do the following.

-First, identify the snapshot that's nearest to the required log point in time. Then [attach and mount that snapshot](#select-and-mount-the-snapshot) to the target VM.

- :::image type="content" source="./media/sap-hana-database-instances-restore/restore-logs-over-snapshot-restore-point.png" alt-text="Screenshot that shows how to select the log restore points of the system database instance for restore.":::

- :::image type="content" source="./media/sap-hana-database-instances-restore/log-over-snapshots-for-tenant-database-restore-point.png" alt-text="Screenshot that shows where to select the restore point of the log over snapshots for the tenant database.":::

->Support for HANA instance snapshots is in preview.

-description: Learn about the new features in Azure Backup.

-For more information, see [Back up databases' instance snapshots (preview)](sap-hana-database-about.md#back-up-database-instance-snapshots-preview).

-description: Sample Bicep templates to create Azure Chaos Studio Preview experiments.

-# Use Bicep to create an experiment in Azure Chaos Studio Preview

-This article includes a sample Bicep file to get started in Azure Chaos Studio Preview, including:

-resource chaosTarget 'Microsoft.Chaos/targets@2022-10-01-preview' = {

-resource chaosExperiment 'Microsoft.Chaos/experiments@2022-10-01-preview' = {

-description: Understand the available actions you can use with Azure Chaos Studio Preview, including any prerequisites and parameters.

-# Azure Chaos Studio Preview fault and action library

-The faults listed in this article are currently available for use. To understand which resource types are supported, see [Supported resource types and role assignments for Azure Chaos Studio Preview](./chaos-studio-fault-providers.md).

-# Azure Chaos Studio Preview limitations and known issues

-During the public preview of Azure Chaos Studio, there are a few limitations and known issues that the team is aware of and working to resolve.

-# What is Azure Chaos Studio Preview?

-[Azure Chaos Studio Preview](https://azure.microsoft.com/services/chaos-studio) is a managed service that uses chaos engineering to help you measure, understand, and improve your cloud application and service resilience. Chaos engineering is a methodology by which you inject real-world faults into your application to run controlled fault injection experiments.

-description: Understand how permissions work in Azure Chaos Studio Preview and how you can secure resources from accidental fault injection.

-# Permissions and security in Azure Chaos Studio Preview

-Azure Chaos Studio Preview enables you to improve service resilience by systematically injecting faults into your Azure resources. Fault injection is a powerful way to improve service resilience, but it can also be dangerous. Causing failures in your application can have more impact than originally intended and open opportunities for malicious actors to infiltrate your applications.

-description: Learn how to use virtual network injection with Azure Chaos Studio Preview.

-# Virtual network injection in Azure Chaos Studio Preview

-Virtual network injection allows an Azure Chaos Studio Preview resource provider to inject containerized workloads into your virtual network so that resources without public endpoints can be accessed via a private IP address on the virtual network. After you've configured virtual network injection for a resource in a virtual network and enabled the resource as a target, you can use it in multiple experiments. An experiment can target a mix of private and nonprivate resources if the private resources are configured according to the instructions in this article.

-description: Understand the steps to create and run an Azure Chaos Studio Preview experiment in 10 minutes.

-# Quickstart: Create and run a chaos experiment by using Azure Chaos Studio Preview

-Get started with Azure Chaos Studio Preview by using a virtual machine (VM) shutdown service-direct experiment to make your service more resilient to that failure in real-world scenarios.

-1. Search for **Chaos Studio (preview)** in the search bar.

-description: Get started with Azure Chaos Studio Preview by creating a DNS outage by using the network security group fault.

-The network security group (NSG) fault enables you to modify your existing NSG rules as part of a chaos experiment in Azure Chaos Studio Preview. By using this fault, you can block network traffic to your Azure resources and simulate a loss of connectivity or outages of dependent resources.

- az rest --method put --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/providers/microsoft.chaos/chaosProviderConfigurations/AzureNetworkSecurityGroupChaos?api-version=2021-06-21-preview" --body @AzureNetworkSecurityGroupChaos.json --resource "https://management.azure.com"

- az rest --method delete --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/providers/microsoft.chaos/chaosProviderConfigurations/AzureNetworkSecurityGroupChaos?api-version=2021-06-21-preview" --resource "https://management.azure.com"

-description: Understand how Azure Chaos Studio Preview makes chaos experiments and chaos targets available in Azure regions.

-# Regional availability of Azure Chaos Studio Preview

-This article describes the regional availability model for Azure Chaos Studio Preview. It explains the difference between a region where experiments can be deployed and one where resources can be targeted. It also provides an overview of the Chaos Studio high-availability model.

-description: Learn how to start, stop, view details, and view history for a chaos experiment in Azure Chaos Studio Preview.

-# Run and manage an experiment in Azure Chaos Studio Preview

-You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. This article provides an overview of how to use Azure Chaos Studio Preview with a chaos experiment that you've previously created.

-1. Search for **Chaos Studio (preview)** in the search bar.

-description: Run and manage a chaos experiment with Azure Chaos Studio Preview by using REST APIs.

-The Azure Chaos Studio Preview API provides support for starting experiments programmatically. You can also use the Azure Resource Manager client and the Azure CLI to execute these commands from the console. The examples in this article are for the Azure CLI.

-# Azure Chaos Studio Preview service limits

-This article provides service limits for Azure Chaos Studio Preview. For more information about Azure-wide service limits and quotas, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md).

-description: Understand two different ways to select experiment targets in Azure Chaos Studio Preview.

-# Target selection in Azure Chaos Studio Preview

-The inputted query will run and add onboarded targets that match its result set upon experiment execution time. Thus, any resources onboarded to Chaos Studio after experiment creation time that match the query result set upon experiment execution time will be targeted by your experiment. You may preview your query's result set when adding it to your experiment, but be aware that it may not match the result set at experiment execution time. An example of a possible dynamic target query is shown below.

-description: Understand how to control resource onboarding in Azure Chaos Studio Preview by using targets and capabilities.

-# Targets and capabilities in Azure Chaos Studio Preview

-By using targets and capabilities [along with other security measures](chaos-studio-permissions-security.md), you can avoid accidental or malicious fault injection with Azure Chaos Studio Preview. For example, with targets and capabilities, you can allow the CPU pressure fault to run against your production virtual machines while preventing the kill process fault from running against them.

-az rest --method get --url "https://management.azure.com/subscriptions/fd9ccc83-faf6-4121-9aff-2a2d685ca2a2/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM/providers/Microsoft.Chaos/targets/Microsoft-VirtualMachine/capabilities/shutdown-1.0?api-version=2021-08-11-preview"

-You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. In this article, you induce an outage on an Azure Active Directory resource using a pre-populated experiment template and Azure Chaos Studio Preview.

-Azure Chaos Studio Preview can't inject faults against a resource until that resource is added to Chaos Studio. To add a resource to Chaos Studio, create a [target and capabilities](chaos-studio-targets-capabilities.md) on the resource. Network security groups have only one target type (service-direct) and one capability (set rules). Other resources might have up to two target types. One target type is for service-direct faults. Another target type is for agent-based faults. Other resources might have many other capabilities.

-You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. In this article, you cause a high CPU event on a Linux virtual machine (VM) by using a chaos experiment and Azure Chaos Studio Preview. Run this experiment to help you defend against an application from becoming resource starved.

- az rest --method put --uri https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/Microsoft-Agent?api-version=2021-09-15-preview --body @target.json --query properties.agentProfileId -o tsv

- az rest --method put --url "https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/Microsoft-Agent/capabilities/$CAPABILITY?api-version=2021-09-15-preview" --body "{\"properties\":{}}"

- az rest --method put --url "https://management.azure.com/subscriptions/b65f2fec-d6b2-4edd-817e-9339d8c01dc4/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM/providers/Microsoft.Chaos/targets/Microsoft-Agent/capabilities/CPUPressure-1.0?api-version=2021-09-15-preview" --body "{\"properties\":{}}"

- * **agentProfileId**: The property returned when you create the target. If you don't have this property, you can run `az rest --method get --uri https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/Microsoft-Agent?api-version=2021-09-15-preview` and copy the `agentProfileId` property.

- * **ClientId**: The client ID of the user-assigned managed identity used in the target. If you don't have this property, you can run `az rest --method get --uri https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/Microsoft-Agent?api-version=2021-09-15-preview` and copy the `clientId` property.

- az rest --method put --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Chaos/experiments/$EXPERIMENT_NAME?api-version=2021-09-15-preview --body @experiment.json

- az rest --method post --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Chaos/experiments/$EXPERIMENT_NAME/start?api-version=2021-09-15-preview

-You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. In this article, you cause a high CPU event on a Linux virtual machine (VM) by using a chaos experiment and Azure Chaos Studio Preview. Running this experiment can help you defend against an application from becoming resource starved.

-1. Search for **Chaos Studio (preview)** in the search bar.

-description: Create an experiment that uses an AKS Chaos Mesh fault by using Azure Chaos Studio Preview with the Azure CLI.

-You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. In this article, you cause periodic Azure Kubernetes Service (AKS) pod failures on a namespace by using a chaos experiment and Azure Chaos Studio Preview. Running this experiment can help you defend against service unavailability when there are sporadic failures.

- az rest --method put --url "https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh?api-version=2021-09-15-preview" --body "{\"properties\":{}}"

- az rest --method put --url "https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh/capabilities/$CAPABILITY?api-version=2021-09-15-preview" --body "{\"properties\":{}}"

- az rest --method put --url "https://management.azure.com/subscriptions/b65f2fec-d6b2-4edd-817e-9339d8c01dc4/resourceGroups/myRG/providers/Microsoft.ContainerService/managedClusters/myCluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh/capabilities/PodChaos-2.1?api-version=2021-09-15-preview" --body "{\"properties\":{}}"

- az rest --method put --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Chaos/experiments/$EXPERIMENT_NAME?api-version=2021-09-15-preview --body @experiment.json

- az rest --method post --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Chaos/experiments/$EXPERIMENT_NAME/start?api-version=2021-09-15-preview

-description: Create an experiment that uses an AKS Chaos Mesh fault by using Azure Chaos Studio Preview with the Azure portal.

-You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. In this article, you cause periodic Azure Kubernetes Service (AKS) pod failures on a namespace by using a chaos experiment and Azure Chaos Studio Preview. Running this experiment can help you defend against service unavailability when there are sporadic failures.

-1. Search for **Chaos Studio (preview)** in the search bar.

-Azure Chaos Studio Preview can't inject faults against a resource unless that resource was added to Chaos Studio first. To add a resource to Chaos Studio, create a [target and capabilities](chaos-studio-targets-capabilities.md) on the resource.

- az rest --method put --url "https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/Microsoft-VirtualMachineScaleSet?api-version=2022-10-01-preview" --body "{\"properties\":{}}"

- az rest --method put --url "https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/Microsoft-VirtualMachineScaleSet/capabilities/Shutdown-2.0?api-version=2022-10-01-preview" --body "{\"properties\":{}}"

- az rest --method put --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Chaos/experiments/$EXPERIMENT_NAME?api-version=2022-10-01-preview --body @experiment.json

- az rest --method post --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Chaos/experiments/$EXPERIMENT_NAME/start?api-version=2022-10-01-preview

-Azure Chaos Studio Preview can't inject faults against a resource until that resource is added to Chaos Studio. To add a resource to Chaos Studio, create a [target and capabilities](chaos-studio-targets-capabilities.md) on the resource.

-You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. In this article, you cause a multi-read, single-write Azure Cosmos DB failover by using a chaos experiment and Azure Chaos Studio Preview. Running this experiment can help you defend against data loss when a failover event occurs.

- az rest --method put --url "https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/$TARGET_TYPE?api-version=2021-09-15-preview" --body "{\"properties\":{}}"

- az rest --method put --url "https://management.azure.com/subscriptions/b65f2fec-d6b2-4edd-817e-9339d8c01dc4/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM/providers/Microsoft.Chaos/targets/Microsoft-VirtualMachine?api-version=2021-09-15-preview" --body "{\"properties\":{}}"

- az rest --method put --url "https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/$TARGET_TYPE/capabilities/$CAPABILITY?api-version=2021-09-15-preview" --body "{\"properties\":{}}"

- az rest --method put --url "https://management.azure.com/subscriptions/b65f2fec-d6b2-4edd-817e-9339d8c01dc4/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM/providers/Microsoft.Chaos/targets/Microsoft-VirtualMachine/capabilities/shutdown-1.0?api-version=2021-09-15-preview" --body "{\"properties\":{}}"

- az rest --method put --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Chaos/experiments/$EXPERIMENT_NAME?api-version=2021-09-15-preview --body @experiment.json

- az rest --method post --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Chaos/experiments/$EXPERIMENT_NAME/start?api-version=2021-09-15-preview

-description: Create an experiment that uses a service-direct fault with Azure Chaos Studio Preview to fail over an Azure Cosmos DB instance.

-You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. In this article, you cause a multi-read, single-write Azure Cosmos DB failover by using a chaos experiment and Azure Chaos Studio Preview. Running this experiment can help you defend against data loss when a failover event occurs.

-1. Search for **Chaos Studio (preview)** in the search bar.

-description: Sample Azure policies to add resources to Azure Chaos Studio Preview by using targets and capabilities.

-# Azure Policy samples for adding resources to Azure Chaos Studio Preview

-This article includes sample [Azure Policy](../governance/policy/overview.md) definitions that create [targets and capabilities](chaos-studio-targets-capabilities.md) for a specific resource type. You can automatically add resources to Azure Chaos Studio Preview. First, you [deploy these samples as custom policy definitions](../governance/policy/tutorials/create-custom-policy-definition.md). Then you [assign the policy](../governance/policy/assign-policy-portal.md) to a scope.

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

-description: Sample Azure Resource Manager templates to create Azure Chaos Studio Preview experiments.

-# ARM template samples for experiments in Azure Chaos Studio Preview

-This article includes sample [Azure Resource Manager templates (ARM templates)](../azure-resource-manager/templates/syntax.md) to create a [chaos experiment](chaos-studio-chaos-experiments.md) in Azure Chaos Studio Preview. Each sample includes a template file and a parameters file with sample values to provide to the template.

- "apiVersion": "2021-09-15-preview",

-description: Sample ARM templates to add resources to Azure Chaos Studio Preview by using targets and capabilities.

-# ARM template samples for targets and capabilities in Azure Chaos Studio Preview

-This article includes sample [Azure Resource Manager templates (ARM templates)](../azure-resource-manager/templates/syntax.md) to create [targets and capabilities](chaos-studio-targets-capabilities.md) to add a resource to Azure Chaos Studio Preview. Each sample includes a template file and a parameters file with sample values to provide to the template.

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

- "apiVersion": "2021-09-15-preview",

-description: Learn to troubleshoot common problems when you use Azure Chaos Studio Preview.

-# Troubleshoot issues with Azure Chaos Studio Preview

-As you use Azure Chaos Studio Preview, you might occasionally encounter some problems. This article explains common problems and troubleshooting steps.

-description: Set up a logic app that schedules a chaos experiment in Azure Chaos Studio Preview to run periodically.

-# Tutorial: Schedule a recurring experiment with Azure Chaos Studio Preview

-Azure Chaos Studio Preview lets you run chaos experiments that intentionally fail part of your application or service to verify that it's resilient against those failures. It can be useful to run these chaos experiments periodically to ensure that your application's resilience hasn't regressed or to meet compliance requirements. In this tutorial, you use a [logic app](../logic-apps/logic-apps-overview.md) to trigger an experiment to run once a day.

- | **Client Api Version** | `2021-09-15-preview` | The Chaos Studio REST API version. |

-## 3. Create the virtual network by using the ARM template

-| **PSTN calls** | | |

- |The voice codecs to use between Azure Communications Gateway and your network. |**Call Handling: Supported codecs**|

- |A list of dial strings used for emergency calling.|**Call Handling: Emergency dial strings**|

-| IP addresses or address ranges (in CIDR format) in your network that should be allowed to connect to the Provisioning API, in a comma-separated list. Use of the Provisioning API is required to provision Azure Communications Gateway with numbers for Direct Routing. | **Options common to multiple communications

-## Collect test line and number configuration values

-Collect all of the values in the following table for all the test lines that you want to configure for Azure Communications Gateway.

- |**Value**|**Field name(s) in Azure portal**|

- |||

- |A name for the test line. |**Name**|

- |The phone number for the test line, in E.164 format and including the country code. |**Phone Number**|

- |The purpose of the test line: **Manual** (for manual test calls by you and/or Microsoft staff during integration testing) or **Automated** (for automated validation with Microsoft Teams test suites - Operator Connect and Teams Phone Mobile only).|**Testing purpose**|

-> [!IMPORTANT]

-> For Operator Connect and Teams Phone Mobile, you must configure at least six automated test lines. We recommend nine automated test lines (to allow simultaneous tests).

-1. Use the information that you collected in [Collect test line and number configuration values](#collect-test-line-and-number-configuration-values) to fill out the fields in the **Test Lines** configuration tab and then select **Next: Tags**.

-1. Meet any other requirements for your communications platform (for example, the *Network Connectivity Specification* for Operator Connect or Teams Phone Mobile). If you don't have access to Operator Connect or Teams Phone Mobile specifications, contact your onboarding team.

- - Required for Microsoft Teams Direct Routing.

-1. [Configure test numbers for Microsoft Teams Direct Routing](configure-test-numbers-teams-direct-routing.md) describes how to configure Azure Communications Gateway and Microsoft 365 with a test numbers.

-|Microsoft Teams Direct Routing |Required |- Configure the subdomain associated with each Direct Routing customer<br>- Generate DNS records specific to each customer (as required by the Microsoft 365 environment).<br>- Indicate that numbers are enabled for Direct Routing.<br>- (Optional) Configure a custom header for messages to your network|

- Architecture diagram showing Azure Communications Gateway connecting to the Microsoft Phone System, a softswitch in a fixed line deployment and a mobile IMS core. Azure Communications Gateway contains certified SBC function and the MCP application server for anchoring mobile calls.

-Calls flow from endpoints in your networks through Azure Communications Gateway and the Microsoft Phone System into Microsoft Teams clients.

-You must select the codecs that you want to support when you deploy Azure Communications Gateway. If the Microsoft Phone System doesn't support these codecs, Azure Communications Gateway can perform transcoding (converting between codecs) on your behalf.

-Calls flow from endpoints in your networks through Azure Communications Gateway and the Microsoft Phone System into Microsoft Teams clients.

-You must select the codecs that you want to support when you deploy Azure Communications Gateway. If the Microsoft Phone System doesn't support these codecs, Azure Communications Gateway can perform transcoding (converting between codecs) on your behalf.

-description: Understand the Included Benefits and your other options for onboarding

-To launch Operator Connect and/or Teams Phone Mobile, you need an onboarding partner. Launching requires changes to the Operator Connect or Teams Phone Mobile environments and your onboarding partner manages the integration process and coordinates with Microsoft Teams on your behalf. They can also help you design and set up your network for success.

-We provide a customer success program and onboarding service called _Included Benefits_ for operators deploying Azure Communications Gateway. We work with your team to enable rapid and effective solution design and deployment. The program includes tailored guidance from Azure for Operators engineers, using proven practices and architectural guides.

-description: Azure Communications Gateway provides telecoms operators with the capabilities and network functions required to connect their network to Microsoft Teams.

-Azure Communications Gateway enables Microsoft Teams calling through the Operator Connect, Teams Phone Mobile and Microsoft Teams Direct Routing programs. It provides Voice and IT integration with Microsoft Teams across both fixed and mobile networks. It's certified as part of the Operator Connect Accelerator program.

- Diagram that shows how Azure Communications Gateway connects to the Microsoft Phone System and to your fixed and mobile networks. Microsoft Teams clients connect to the Microsoft Phone system. Your fixed network connects to PSTN endpoints. Your mobile network connects to Teams Phone Mobile users.

-Azure Communications Gateway provides advanced SIP, RTP and HTTP interoperability functions (including Teams Certified SBC function) so that you can integrate with Operator Connect, Teams Phone Mobile or Microsoft Teams Direct Routing quickly, reliably and in a secure manner.

-Azure Communications Gateway acts as the edge of your network, ensuring compliance with the requirements of the Operator Connect and Teams Phone Mobile programs.

-To ensure availability, Azure Communications Gateway is deployed into two Azure Regions within a given Geography. It supports both active-active and primary-backup geographic redundancy models to fit with your network design.

-For more information about the networking requirements, see [Your network and Azure Communications Gateway](role-in-network.md) and [Reliability in Azure Communications Gateway](reliability-communications-gateway.md).

-Azure Communications Gateway supports the SIP and RTP requirements for Teams Certified SBCs. It can transform call flows to suit your network with minimal disruption to existing infrastructure.

-## Multitenant support and caller ID screening for Direct Routing

-Costs for Azure Communications Gateway are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan for and manage costs for Azure Communications Gateway, you're billed for all Azure services and resources used in your Azure subscription. This billing includes third-party services.

- - Operator Connect and Microsoft Teams Direct Routing are fixed networks.

-> A Microsoft Teams Direct Routing user is any telephone number configured with Direct Routing on Azure Communications Gateway. Billing for the user starts as soon as you have configured the number.

-You can pay for Azure Communications Gateway charges with your Azure Prepayment credit. However, you can't use Azure Prepayment credit to pay for charges for third party products and services including those from the Azure Marketplace.

-In this article, you learn about the steps you and your onboarding team must take.

-> In many cases, your onboarding team is from Microsoft, provided through the [Included Benefits](onboarding.md) or through a separate arrangement.

-In this article, you learn about the steps you and your onboarding team must take.

-> [!TIP]

-> In many cases, your onboarding team is from Microsoft, provided through the [Included Benefits](onboarding.md) or through a separate arrangement.

-You need an onboarding partner to deploy Azure Communications Gateway. If you're not eligible for onboarding to Microsoft Teams through Azure Communications Gateway's [Included Benefits](onboarding.md) or you haven't arranged alternative onboarding with Microsoft through a separate arrangement, you need to arrange an onboarding partner yourself.

-If you plan to route emergency calls through Azure Communications Gateway for Operator Connect or Teams Phone Mobile, read [Emergency calling for Operator Connect and Teams Phone Mobile with Azure Communications Gateway](emergency-calling-operator-connect.md) to learn about your options.

-Service regions contain the voice and API infrastructure used for handling traffic between Microsoft Phone System and your network. Each instance of Azure Communications Gateway consists of two service regions that are deployed in an active-active mode. This geo-redundancy is mandated by the Operator Connect and Teams Phone Mobile programs. Fast failover between the service regions is provided at the infrastructure/IP level and at the application (SIP/RTP/HTTP) level.

-These service regions are identical in operation and provide resiliency to both Zone and Regional failures. Each service region can carry 100% of the traffic using the Azure Communications Gateway instance. As such, end-users should still be able to make and receive calls successfully during any Zone or Regional downtime.

-Azure Communications Gateway offers a 'successful redial' redundancy model: calls handled by failing peers are terminated, but new calls are routed to healthy peers. This model mirrors the redundancy model provided by Microsoft Teams itself.

-Each Azure Communications Gateway service region provides an SRV record. This record contains all the SIP peers providing SBC functionality (for routing calls to Microsoft Phone System) within the region.

-When your network routes calls to Microsoft Phone System (through Azure Communications Gateway's SIP peers), it must:

-A single deployment of Azure Communications Gateway is designed to handle your Operator Connect and Teams Phone Mobile traffic within a geographic area. Both service regions should be deployed within the same geographic area (for example North America) to ensure that latency on voice calls remain within the limits required by the Operator Connect and Teams Phone Mobile programs. Consider the following points when you choose your service region locations:

-The reliability design described in this document is implemented by Microsoft and isn't configurable. For more information on the Azure Communications Gateway service-level agreements (SLAs), see the Azure Communications Gateway SLA.

-If you notice problems with Azure Communications Gateway or you need Microsoft to make changes, you can raise a support request (also known as a support ticket). This article provides an overview of how to raise support requests for Azure Communications Gateway. For more detailed information on raising support requests, see [Create an Azure support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

-Azure provides unlimited support for subscription management, which includes billing, quota adjustments, and account transfers. For technical support, you need a support plan, such as [Microsoft Unified Support](https://www.microsoft.com/en-us/unifiedsupport/overview) or [Premier Support](https://www.microsoft.com/en-us/unifiedsupport/premier).

-You must have an **Owner**, **Contributor**, or **Support Request Contributor** role in your Azure Communications Gateway subscription, or a custom role with [Microsoft.Support/*](../role-based-access-control/resource-provider-operations.md#microsoftsupport) at the subscription level.

-## 1. Generate a support request in the Azure portal

-## 2. Enter a description of the problem or the change

-## 3. Assess the recommended solutions

-## 4. Enter additional details

-## 5. Review and create your support request

-Azure Communications Gateway sits at the edge of your network. This position allows it to manipulate signaling and media to meet the requirements of your networks and your chosen communications services. Azure Communications Gateway includes many interoperability settings by default, and you can arrange further interoperability configuration.

- Architecture diagram showing Azure Communications Gateway connecting to the Microsoft Phone System, a softswitch in a fixed line deployment and a mobile IMS core. Azure Communications Gateway contains certified SBC function and the MCP application server for anchoring mobile calls.

-We manage the certificate that Azure Communications Gateway uses to connect to your network and Microsoft Phone System. Azure Communications Gateway's certificate uses the DigiCert Global Root G2 certificate as the root CA certificate. If your network doesn't already support this certificate as a root CA certificate, you must download and install this certificate when you [connect Azure Communications Gateway to your networks](deploy.md#connect-azure-communications-gateway-to-your-networks).

-| Functionality | dev service | Production managed service |

-# Welcome to Azure Cosmos DB

-Azure Cosmos DB is a fully managed NoSQL and relational database for modern app development. Azure Cosmos DB offers single-digit millisecond response times, automatic and instant scalability, along with guaranteed speed at any scale. Business continuity is assured with [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) availability and enterprise-grade security.

-Use Retrieval Augmented Generation (RAG) to bring the most semantically relevant data to enrich your AI-powered applications built with Azure OpenAI models like GPT-3.5 and GPT-4. For more information, see [Retrieval Augmented Generation (RAG) with Azure Cosmos DB](vector-search.md#retrieval-augmented-generation).

-Build fast with open source APIs, multiple SDKs, schemaless data and no-ETL analytics over operational data.

-[Azure Synapse Link for Azure Cosmos DB](synapse-link.md) is a cloud-native hybrid transactional and analytical processing (HTAP) capability that enables near real time analytics over operational data in Azure Cosmos DB. Azure Synapse Link creates a tight seamless integration between Azure Cosmos DB and Azure Synapse Analytics.

-## Solutions that benefit from Azure Cosmos DB

-[Web, mobile, gaming, and IoT applications](use-cases.md) that handle massive amounts of data, reads, and writes at a [global scale](distribute-data-globally.md) with near-real response times benefit from Azure Cosmos DB. Azure Cosmos DB's [guaranteed high availability](https://azure.microsoft.com/support/legal/sl#web-and-mobile-applications).

-## Next steps

-Get started with Azure Cosmos DB with one of our quickstarts:

- - If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md)

- - If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

-> [!div class="nextstepaction"]

-> [Try Azure Cosmos DB for free](https://azure.microsoft.com/try/cosmosdb/)

-The constraints on computed property query definitions are:

-description: Use Retrieval Augmented Generation (RAG) and vector search to ground your Azure OpenAI models with data stored in Azure Cosmos DB.

-# Vector search with data in Azure Cosmos DB

-The Large Language Models (LLMs) in Azure OpenAI are incredibly powerful tools that can take your AI-powered applications to the next level. The utility of LLMs can increase significantly when the models can have access to the right data, at the right time, from your application's data store. This process is known as Retrieval Augmented Generation (RAG) and there are many ways to do this today with Azure Cosmos DB.

-In this article, we review key concepts for RAG and then provide links to tutorials and sample code that demonstrate some of most powerful RAG patterns using *vector search* to bring the most semantically relevant data to your LLMs. These tutorials can help you become comfortable with using your Azure Cosmos DB data in Azure OpenAI models.

-To jump right into tutorials and sample code for RAG patterns with Azure Cosmos DB, use the following links:

-| | Description |

-| | |

-| **[Azure Cosmos DB for NoSQL with Azure Cognitive Search](#azure-cosmos-db-for-nosql-and-azure-cognitive-search)**. | Augment your Azure Cosmos DB data with semantic and vector search capabilities of Azure Cognitive Search. |

-| **[Azure Cosmos DB for Mongo DB vCore](#azure-cosmos-db-for-mongodb-vcore)**. | Featuring native support for vector search, store your application data and vector embeddings together in a single MongoDB-compatible service. |

-| **[Azure Cosmos DB for PostgreSQL](#azure-cosmos-db-for-postgresql)**. | Offering native support vector search, you can store your data and vectors together in a scalable PostgreSQL offering. |

-## Key concepts

-This section includes key concepts that are critical to implementing RAG with Azure Cosmos DB and Azure OpenAI.

-### Retrieval Augmented Generation (RAG) <a id="retrieval-augmented-generation"></a>

-RAG involves the process of retrieving supplementary data to provide the LLM with the ability to use this data when it generates responses. When presented with a user's question or prompt, RAG aims to select the most pertinent and current domain-specific knowledge from external sources, such as articles or documents. This retrieved information serves as a valuable reference for the model when generating its response. For example, a simple RAG pattern using Azure Cosmos DB for NoSQL could be:

-1. Insert data into an Azure Cosmos DB for NoSQL database and collection.

-2. Create embeddings from a data property using an Azure OpenAI Embeddings model

-3. Link the Azure Cosmos DB for NoSQL to Azure Cognitive Search (for vector indexing/search)

-4. Create a vector index over the embeddings properties.

-5. Create a function to perform vector similarity search based on a user prompt.

-6. Perform question answering over the data using an Azure OpenAI Completions model

-The RAG pattern, with prompt engineering, serves the purpose of enhancing response quality by offering more contextual information to the model. RAG enables the model to apply a broader knowledge base by incorporating relevant external sources into the generation process, resulting in more comprehensive and informed responses. For more information on "grounding" LLMs, see [grounding LLMs - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/fasttrack-for-azure/grounding-llms/ba-p/3843857)

-### Prompts and prompt engineering

-A prompt refers to a specific text or information that can serve as an instruction to an LLM, or as contextual data that the LLM can build upon. A prompt can take various forms, such as a question, a statement, or even a code snippet. Prompts can serve as:

-The process of creating good prompts for a scenario is called *prompt engineering*. For more information about prompts and best practices for prompt engineering, see [Azure OpenAI Service - Azure OpenAI | Microsoft Learn](../ai-services/openai/concepts/prompt-engineering.md).

-### Tokens

-Tokens are small chunks of text generated by splitting the input text into smaller segments. These segments can either be words or groups of characters, varying in length from a single character to an entire word. For instance, the word `hamburger` would be divided into tokens such as `ham`, `bur`, and `ger` while a short and common word like `pear` would be considered a single token.

-In Azure OpenAI, input text provided to the API is turned into tokens (tokenized). The number of tokens processed in each API request depends on factors such as the length of the input, output, and request parameters. The quantity of tokens being processed also impacts the response time and throughput of the models. There are limits to the amount tokens each model can take in a single request/response from Azure OpenAI. [Learn more about Azure OpenAI Service quotas and limits here](../ai-services/openai/quotas-limits.md)

-### Vectors

-Vectors are ordered arrays of numbers (typically floats) that can represent information about some data. For example, an image can be represented as a vector of pixel values, or a string of text can be represented as a vector or ASCII values. The process for turning data into a vector is called *vectorization*.

-### Embeddings

-Embeddings are vectors that represent important features of data. Embeddings are often learned by using a deep learning model, and machine learning and AI models utilized them as features. Embeddings can also capture semantic similarity between similar concepts. For example, in generating an embedding for the words `person` and `human`, we would expect their embeddings (vector representation) to be similar in value since the words are also semantically similar.

- Azure OpenAI features models for creating embeddings from text data. The service breaks text out into tokens and generates embeddings using models pretrained by OpenAI. [Learn more about creating embeddings with Azure OpenAI here.](../ai-services/openai//concepts/understand-embeddings.md)

-### Vector search

-Vector search refers to the process of finding all vectors in a dataset that are semantically similar to a specific query vector. Therefore, a query vector for the word `human`, and I search the entire dictionary for semantically similar words, I would expect to find the word `person` as a close match. This closeness, or distance, is measured using a similarity metric such as cosine similarity. The more similar the vectors are, the smaller the distance between them.

-Consider a scenario where you have a query over millions of document and you want to find the most similar document in your data. You can create embeddings for your data and the query document using Azure OpenAI. Then, you can perform a vector search to find the most similar documents from your dataset. However, performing a vector search across a few examples is trivial. Performing this same search across thousands or millions of data points becomes challenging. There are also trade-offs between exhaustive search and approximate nearest neighbor (ANN) search methods including latency, throughput, accuracy, and cost, all of which can depend on the requirements of your application.

-Adding Azure Cosmos DB vector search capabilities to Azure OpenAI Service enables you to store long term memory and chat history to improve your Large Language Model (LLM) solution. Vector search allows you to efficiently query back the most relevant context to personalize Azure OpenAI prompts in a token-efficient manner. Storing vector embeddings alongside the data in an integrated solution minimizes the need to manage data synchronization and accelerates your time-to-market for AI app development.

-## Using Azure Cosmos DB data with Azure OpenAI

-The RAG pattern harnesses external knowledge and models to effectively handle custom data or domain-specific knowledge. It involves extracting pertinent information from an external data source and integrating it into the model request through prompt engineering.

-A robust mechanism is necessary to identify the most relevant data from the external source that can be passed to the model considering the limitation of a restricted number of tokens per request. This limitation is where embeddings play a crucial role. By converting the data in our database into embeddings and storing them as vectors for future use, we apply the advantage of capturing the semantic meaning of the text, going beyond mere keywords to comprehend the context.

-Prior to sending a request to Azure OpenAI, the user input/query/request is also transformed into an embedding, and vector search techniques are employed to locate the most similar embeddings within the database. This technique enables the identification of the most relevant data records in the database. These retrieved records are then supplied as input to the model request using prompt engineering.

-There are multiple ways to use RAG and vector search with your data stored in Azure Cosmos DB.

-## Azure Cosmos DB for NoSQL and Azure Cognitive Search

-Implement RAG-patterns with Azure Cosmos DB for NoSQL and Azure Cognitive Search. This approach enables powerful integration of your data residing in Azure Cosmos DB for NoSQL into your AI-oriented applications. Azure Cognitive Search empowers you to efficiently index, and query high-dimensional vector data, which is stored in Azure Cosmos DB for NoSQL.

-### Code samples

-## Azure Cosmos DB for MongoDB vCore

-RAG can be applied using the native vector search feature in Azure Cosmos DB for MongoDB vCore, facilitating a smooth merger of your AI-centric applications with your stored data in Azure Cosmos DB. The use of vector search offers an efficient way to store, index, and search high-dimensional vector data directly within Azure Cosmos DB for MongoDB vCore alongside other application data. This approach removes the necessity of migrating your data to costlier alternatives for vector search.

-### Code samples

-## Azure Cosmos DB for PostgreSQL

-You can employ RAG by utilizing native vector search within Azure Cosmos DB for PostgreSQL. This strategy provides a seamless integration of your AI-driven applications, including the ones developed using Azure OpenAI embeddings, with your data housed in Azure Cosmos DB. By taking advantage of vector search, you can effectively store, index, and execute queries on high-dimensional vector data directly within Azure Cosmos DB for PostgreSQL along with the rest of your data.

-### Code samples

-## Next steps

-description: Learn how to copy data to and from Microsoft Fabric Lakehouse Files (Preview) using Azure Data Factory or Azure Synapse Analytics pipelines.

-# Copy data in Microsoft Fabric Lakehouse Files (Preview) using Azure Data Factory or Azure Synapse Analytics

-This article outlines how to use Copy Activity to copy data from and to Microsoft Fabric Lakehouse Files (Preview). To learn more, read the introductory article for [Azure Data Factory](introduction.md) or [Azure Synapse Analytics](../synapse-analytics/overview-what-is.md).

-description: Learn how to copy data to and from Microsoft Fabric Lakehouse Table (Preview) using Azure Data Factory or Azure Synapse Analytics pipelines.

-# Copy data in Microsoft Fabric Lakehouse Table (Preview) using Azure Data Factory or Azure Synapse Analytics

-This article outlines how to use Copy Activity to copy data from and to Microsoft Fabric Lakehouse Table (Preview). To learn more, read the introductory article for [Azure Data Factory](introduction.md) or [Azure Synapse Analytics](../synapse-analytics/overview-what-is.md).

-We deprecated the old weather APIs from API version 2023-07-01. The old weather APIs have been replaced with new simple yet powerful provider agnostic weather APIs. Have a look at the API documentation [here](/rest/api/data-manager-for-agri/#weather).

-We've added support for Climate FieldView as a built-in data source. You can now auto sync planting, application and harvest activity files from FieldView accounts directly into Azure Data Manager for Agriculture. Learn more about this [here](concepts-farm-operations-data.md).

-WeΓÇÖve updated our data model to improve flexibility. The boundary object has been deprecated in favor of a geometry property that is now supported in nearly all data objects. This change brings consistency to how space is handled across hierarchy, activity and observation themes. It allows for more flexible integration when ingesting data from a provider with strict hierarchy requirements. You can now sync data that may not perfectly align with an existing hierarchy definition and resolve the conflicts with spatial overlap queries. Learn more [here](concepts-hierarchy-model.md).

-To support scalable ingestion of geometry-clipped imagery, we've partnered with Sentinel Hub by Sinergise to provide a seamless bring your own license (BYOL) experience. Read more about our satellite connector [here](concepts-ingest-satellite-imagery.md).

-description: Review support requirements for the Defender for Containers plan in Microsoft Defender for Cloud.

-# Defender for Containers support

-This article summarizes support information for the [Defender for Containers plan](defender-for-containers-introduction.md) in Microsoft Defender for Cloud.

-| Feature | Supported Resources | Linux release state | Windows release state | Agentless/Agent-based | Pricing Tier | Azure clouds availability |

-| [Agentless discovery for Kubernetes](defender-for-containers-introduction.md#agentless-discovery-for-kubernetes) | ACR, AKS | GA | GA | Agentless | Defender for Containers or Defender CSPM | Azure commercial clouds |

-| Compliance-Docker CIS | VM, Virtual Machine Scale Set | GA | - | Log Analytics agent | Defender for Servers Plan 2 | Commercial clouds<br><br> National clouds: Azure Government, Microsoft Azure operated by 21Vianet |

-| [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md) (powered by Qualys) - registry scan [OS packages](#registries-and-images-support-for-azurepowered-by-qualys) | ACR, Private ACR | GA | Preview | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |

-| [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md) (powered by Qualys) -registry scan [language packages](#registries-and-images-support-for-azurepowered-by-qualys) | ACR, Private ACR | Preview | - | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |

-| [Vulnerability assessment (powered by Qualys) - running images](defender-for-containers-vulnerability-assessment-azure.md#view-vulnerabilities-for-images-running-on-your-aks-clusters) | AKS | GA | Preview | Defender agent | Defender for Containers | Commercial clouds |

-| [Vulnerability assessment](agentless-container-registry-vulnerability-assessment.md) powered by MDVM - registry scan | ACR, Private ACR | Preview | | Agentless | Defender for Containers | Commercial clouds |

-| [Vulnerability assessment](agentless-container-registry-vulnerability-assessment.md) powered by MDVM - running images | AKS | Preview | | Defender agent | Defender for Containers | Commercial clouds |

-| [Hardening (control plane)](defender-for-containers-architecture.md) | ACR, AKS | GA | Preview | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |

-| Runtime threat detection (workload) | AKS | GA | - | Defender agent | Defender for Containers | Commercial clouds |

-| Discovery/provisioning-Unprotected clusters | AKS | GA | GA | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |

-| Discovery/provisioning-Collecting control plane threat data | AKS | GA | GA | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |

-| Discovery/provisioning-Defender agent auto provisioning | AKS | GA | - | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |

-| Discovery/provisioning-Azure Policy for Kubernetes auto provisioning | AKS | GA | - | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |

-| Hardening | Kubernetes data plane recommendations | EKS | Preview | - | Azure Policy for Kubernetes | Defender for Containers |

-### Private link restrictions

-Defender for Containers relies on the Defender agent for several features. The Defender agent doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

-Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings, can result in communication failures and partial converge of the Defender for Containers feature set.

-Learn how to [use Azure Private Link to connect networks to Azure Monitor](../azure-monitor/logs/private-link-security.md).

-| Hardening | Kubernetes data plane recommendations | GKE | Preview | - | Azure Policy for Kubernetes | Defender for Containers |

-### Private link restrictions

-Defender for Containers relies on the Defender agent for several features. The Defender agent doesn't support the ability to ingest data through Private Link. You can disable public access for ingestion, so that only machines that are configured to send traffic through Azure Monitor Private Link can send data to that workstation. You can configure a private link by navigating to **`your workspace`** > **Network Isolation** and setting the Virtual networks access configurations to **No**.

-Allowing data ingestion to occur only through Private Link Scope on your workspace Network Isolation settings, can result in communication failures and partial converge of the Defender for Containers feature set.

-Learn how to [use Azure Private Link to connect networks to Azure Monitor](../azure-monitor/logs/private-link-security.md).

-| Hardening | Kubernetes data plane recommendations | Arc enabled K8s clusters | Preview | - | Azure Policy for Kubernetes | Defender for Containers |

-description: Learn how Microsoft Dev Box gives self-service access to high-performance, preconfigured, and ready-to-code cloud-based workstations.

-Microsoft Dev Box gives you self-service access to high-performance, preconfigured, and ready-to-code cloud-based workstations called dev boxes. You can set up dev boxes with tools, source code, and prebuilt binaries that are specific to a project, so developers can immediately start work. If you're a developer, you can use dev boxes in your day-to-day workflows.

-The Dev Box service was designed with three organizational roles in mind: platform engineers, developer team leads, and developers.

-Dev box definitions define the configuration of the dev boxes that are available to users. You can use an image from Azure Marketplace, like the **Visual Studio 2022 Enterprise on Windows 11 Enterprise + Microsoft 365 Apps 22H2** image. Or you can create your own custom image and store it in [Azure Compute Gallery](how-to-configure-azure-compute-gallery.md). Specify a SKU with compute and storage to complete the dev box definition.

-All domains added to Azure Front Door must be validated. Validation helps to protect you from accidental misconfiguration, and also helps to protect other people from domain spoofing. In some situation, domains can be *pre-validated* by another Azure service. Otherwise, you need to follow the Azure Front Door domain validation process to prove your ownership of the domain name.

-* **Azure pre-validated domains** are domains that have been validated by another supported Azure service. If you onboard and validate a domain to another Azure service, and then configure Azure Front Door later, you might work with a pre-validated domain. You don't need to validate the domain through Azure Front Door when you use this type of domain.

-| Pending re-validation | The managed certificate is less than 45 days from expiring. <br /><br /> If you have a CNAME record already pointing to the Azure Front Door endpoint, no action is required for certificate renewal. If the custom domain is pointed to another CNAME record, select the **Pending re-validation** status, and then select **Regenerate** on the *Validate the custom domain* page. Lastly, select **Add** if you're using Azure DNS or manually add the TXT record with your own DNS providerΓÇÖs DNS management. |

-| Refreshing validation token | A domain goes into a *Refreshing Validation Token* state for a brief period after the **Regenerate** button is selected. Once a new TXT record value is issued, the state will change to **Pending**. <br /> No action is required. |

-* When switching to a managed certificate, Azure Front Door continues to use the previous certificate until the domain ownership is re-validated and the domain state becomes *Approved*.

-* If you switch from BYOC to managed certificate, domain re-validation is required. If you switch from managed certificate to BYOC, you're not required to re-validate the domain.

-If one of the scenarios above applies to your custom domain, then 45 days before the managed certificate expires, the domain validation state becomes *Pending Revalidation*. The *Pending Revalidation* state indicates that you need to create a new DNS TXT record to revalidate your domain ownership.

-#### Renew Azure-managed certificates for domains pre-validated by other Azure services

-> If you delete this HSM the private endpiont will stop working. If your recover (undelete) this HSM later, you must re-create a new private endpoint.

-$secretVaule = ConvertTo-SecureString -String '<key1Value>' -AsPlainText -Force

-Set-AzKeyVaultSecret -Name storageKey -VaultName vaultrotation-kv -SecretValue $secretVaule -Tag $tags -Expires $tomorrowDate

-$secretVaule = ConvertTo-SecureString -String '<key1Value>' -AsPlainText -Force

-Set-AzKeyVaultSecret -Name storageKey2 -VaultName vaultrotation-kv -SecretValue $secretVaule -Tag $tags -Expires $tomorrowDate

-|IP protection |Yes (IP can remain in the service provider's tenant) |Yes (by design, resource group is locked to customers) |

-[Azure managed applications](../../azure-resource-manager/managed-applications/overview.md) allow a service provider or ISV to offer cloud solutions that are easy for customers to deploy and use in their own subscriptions.

-In a managed application, the resources used by the application are bundled together and deployed to a resource group that's managed by the publisher. This resource group is present in the customer's subscription, but an identity in the publisher's tenant has access to it. The ISV continues to manage and maintain the managed application, while the customer does not have direct access to work in its resource group, or any access to its resources.

- - For the purposes of this tutorial, the load balancer in the examples is named **myLoadBalancer**.

-## Create virtual network

-A virtual network is needed for the resources that are in the backend pool of the gateway load balancer.

-1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual Networks** in the search results.

-2. In **Virtual networks**, select **+ Create**.

-3. In **Create virtual network**, enter or select this information in the **Basics** tab:

- | **Setting** | **Value** |

- ||--|

- | **Project Details** | |

- | Subscription | Select your Azure subscription |

- | Resource Group | Select **Create new**. </br> In **Name** enter **TutorGwLB-rg**. </br> Select **OK**. |

- | **Instance details** | |

- | Name | Enter **myVNet** |

- | Region | Select **East US** |

-4. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

-5. In the **IP Addresses** tab, enter this information:

- | Setting | Value |

- |--|-|

- | IPv4 address space | Enter **10.1.0.0/16** |

-6. Under **Subnet name**, select the word **default**.

-7. In **Edit subnet**, enter this information:

- | Setting | Value |

- |--|-|

- | Subnet name | Enter **myBackendSubnet** |

- | Subnet address range | Enter **10.1.0.0/24** |

-8. Select **Save**.

-9. Select the **Security** tab.

-10. Under **BastionHost**, select **Enable**. Enter this information:

- | Setting | Value |

- |--|-|

- | Bastion name | Enter **myBastionHost** |

- | AzureBastionSubnet address space | Enter **10.1.1.0/26** |

- | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

-11. Select the **Review + create** tab or select the **Review + create** button.

-12. Select **Create**.

-> [!IMPORTANT]

-> [!INCLUDE [Pricing](../../includes/bastion-pricing.md)]

->

-Use the following example to create a network security group. You'll configure the NSG rules needed for network traffic in the virtual network created previously.

-2. Select **+ Create**.

-3. In the **Basics** tab of **Create network security group**, enter, or select the following information:

- | Resource group | Select **TutorGwLB-rg** |

- | Name | Enter **myNSG**. |

-4. Select the **Review + create** tab or select the **Review + create** button.

-5. Select **Create**.

-6. In the search box at the top of the portal, enter **Network Security**. Select **Network security groups** in the search results.

-7. Select **myNSG**.

-8. Select **Inbound security rules** in **Settings** in **myNSG**.

-9. Select **+ Add**.

-10. In **Add inbound security rule**, enter or select the following information.

- | Name | Enter **myNSGRule-AllowAll-All** |

-11. Select **Add**.

-12. Select **Outbound security rules** in **Settings**.

-13. Select **+ Add**.

-14. In **Add outbound security rule**, enter or select the following information.

- | Name | Enter **myNSGRule-AllowAll-TCP-Out** |

-15. Select **Add**.

-In this section, you'll create the configuration and deploy the gateway load balancer.

-2. In the **Load balancer** page, select **Create**.

-3. In the **Basics** tab of the **Create load balancer** page, enter, or select the following information:

- | Resource group | Select **TutorGwLB-rg**. |

- | Name | Enter **myLoadBalancer-gw** |

-4. Select **Next: Frontend IP configuration** at the bottom of the page.

-5. In **Frontend IP configuration**, select **+ Add a frontend IP**.

-6. Enter **MyFrontEnd** in **Name**.

-7. Select **myBackendSubnet** in **Subnet**.

-8. Select **Dynamic** for **Assignment**.

-9. Select **Add**.

-10. Select **Next: Backend pools** at the bottom of the page.

-11. In the **Backend pools** tab, select **+ Add a backend pool**.

-12. In **Add backend pool**, enter or select the following information.

- | Name | Enter **myBackendPool**. |

-13. Select **Add**.

-14. Select the **Next: Inbound rules** button at the bottom of the page.

-15. In **Load balancing rule** in the **Inbound rules** tab, select **+ Add a load balancing rule**.

-16. In **Add load balancing rule**, enter or select the following information:

- | Name | Enter **myLBRule** |

- | Frontend IP address | Select **MyFrontend**. |

- | Backend pool | Select **myBackendPool**. |

- | Health probe | Select **Create new**. </br> In **Name**, enter **myHealthProbe**. </br> Select **TCP** in **Protocol**. </br> Leave the rest of the defaults, and select **OK**. |

-17. Select **Add**.

-18. Select the blue **Review + create** button at the bottom of the page.

-19. Select **Create**.

-You'll add the frontend to the frontend IP of an existing load balancer in your subscription.

-2. In **Load balancers**, select **myLoadBalancer** or your existing load balancer name.

-4. Select the frontend IP of the load balancer. In this example, the name of the frontend is **myFrontendIP**.

-5. Select **myFrontendIP (10.1.0.4)** in the pull-down box next to **Gateway load balancer**.

-You'll add the gateway load balancer's frontend to an existing VM's NIC IP configuration.

-6. Select **myFrontend** in **Gateway Load balancer**.

-When no longer needed, delete the resource group, load balancer, and all related resources. To do so, select the resource group **TutorGwLB-rg** that contains the resources and then select **Delete**.

- from azure.ai.ml.entities import AzureBlobDatastore

-When attempting to modify the User assigned managed identity and Key identifier in a single request while changing the CMK settings, the operation gets struck. We are working on the upcoming deployment for the permanent solution to address this issue, in the meantime, please ensure that you perform the two operations of updating the User Assigned Managed Identity and Key identifier in separate requests. The sequence of these operations is not critical, as long as the user-assigned identities have the necessary access to both Key Vault

-* Azure virtual machine (VM) instances in a private subnet

- * Upgrade a load balancer from basic to standard, see [Upgrade a public basic Azure Load Balancer](../load-balancer/upgrade-basic-standard.md).

-description: This article describes how to install Azure Connected Machine agent

-#Customer intent: I need to monitor a connection by using Azure Monitor Agent.

-* Administrator permissions to install and configure the Connected Machine agent. On Linux, you install and configure it by using the root account, and on Windows, you use an account that's a member of the Local Administrators group.

-## Install the agent by using the script

-After you've generated the script, the next step is to run it on the server that you want to onboard to Azure Arc. The script will download the Connected Machine agent from the Microsoft Download Center, install the agent on the server, create the Azure Arc-enabled server resource, and associate it with the agent.

-## Next steps

-> - [Azure REST API](network-watcher-packet-capture-manage-rest.md)

-> - [Azure REST API](network-watcher-packet-capture-manage-rest.md)

-> - [Azure REST API](network-watcher-packet-capture-manage-rest-vmss.md)

-> - [Azure REST API](network-watcher-packet-capture-manage-rest.md)

-description: Learn how to manage packet captures in virtual machine scale sets with the packet capture feature of Network Watcher using Azure REST API.

-# Manage packet captures in Virtual machine scale set with Azure Network Watcher using Azure REST API

-> [!div class="op_single_selector"]

-> - [Azure portal](network-watcher-packet-capture-manage-portal-vmss.md)

-> - [PowerShell](network-watcher-packet-capture-manage-powershell-vmss.md)

-> - [Azure REST API](network-watcher-packet-capture-manage-rest-vmss.md)

-Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine scale set instance/(s). Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies, both reactively, and proactively. Other uses include gathering network statistics, gaining information on network intrusions, to debug client-server communication, and much more. Being able to remotely trigger packet captures, eases the burden of running a packet capture manually on a desired virtual machine, which saves valuable time.

-This article takes you through the different management tasks that are currently available for packet capture.

-> [!Note]

-> Currently, Azure Kubernetes Service (AKS) is not supported for Packet Capture.

-## Before you begin

-ARMclient is used to call the REST API using PowerShell. ARMClient is found on chocolatey at [ARMClient on Chocolatey](https://chocolatey.org/packages/ARMClient)

-This scenario assumes you've already followed the steps in [Create a Network Watcher](network-watcher-create.md) to create a Network Watcher.

-> Packet capture requires a virtual machine extension `AzureNetworkWatcherExtension`. For installing the extension on a Windows VM visit [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md) and for Linux VM visit [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md).

-## Log in with ARMClient

-```powershell

-armclient login

-```

-## Retrieve a virtual machine

-Run the following script to return a virtual machine. This information is needed for starting a packet capture.

-The following code needs variables:

-```powershell

-$subscriptionId = "<subscription id>"

-$resourceGroupName = "<resource group name>"

-Get List of all VM scale sets under a resource group

-armclient get https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachineScaleSets?api-version=2022-03-01

-Display information about a virtual machine scale set

-armclient GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachineScaleSets/{vmScaleSetName}?api-version=2022-03-01

-```

-## Get a packet capture

-The following example gets the status of a single packet capture

-```powershell

-$subscriptionId = "<subscription id>"

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-armclient post "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}/querystatus?api-version=2016-12-01"

-```

-The following responses are examples of a typical response returned when querying the status of a packet capture.

-```json

-{

- "name": "TestPacketCapture5",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture6",

- "captureStartTime": "2016-12-06T17:20:01.5671279Z",

- "packetCaptureStatus": "Running",

- "packetCaptureError": []

-}

-```

-```json

-{

- "name": "TestPacketCapture5",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture6",

- "captureStartTime": "2016-12-06T17:20:01.5671279Z",

- "packetCaptureStatus": "Stopped",

- "stopReason": "TimeExceeded",

- "packetCaptureError": []

-}

-```

-## List all packet captures

-The following example gets all packet capture sessions in a region.

-```powershell

-$subscriptionId = "<subscription id>"

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-armclient get "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures?api-version=2016-12-01"

-```

-The following response is an example of a typical response returned when getting all packet captures

-```json

-{

- "value": [

- {

- "name": "TestPacketCapture6",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture6",

- "etag": "W/\"091762e1-c23f-448b-89d5-37cf56e4c045\"",

- "properties": {

- "provisioningState": "Succeeded",

- "target": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Compute/virtualMachines/ContosoVM",

- "bytesToCapturePerPacket": 0,

- "totalBytesPerSession": 1073741824,

- "timeLimitInSeconds": 60,

- "storageLocation": {

- "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Storage/storageAccounts/contosoexamplergdiag374",

- "storagePath": "https://contosoexamplergdiag374.blob.core.windows.net/network-watcher-logs/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/contosoexamplerg/providers/microsoft.compute/virtualmachines/contosovm/2016/12/06/packetcap

-ture_17_19_53_056.cap",

- "filePath": "c:\\temp\\packetcapture.cap"

- },

- "filters": [

- {

- "protocol": "Any",

- "localIPAddress": "",

- "localPort": "",

- "remoteIPAddress": "",

- "remotePort": ""

- }

- ]

- }

- },

- {

- "name": "TestPacketCapture7",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture7",

- "etag": "W/\"091762e1-c23f-448b-89d5-37cf56e4c045\"",

- "properties": {

- "provisioningState": "Failed",

- "target": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Compute/virtualMachines/ContosoVM",

- "bytesToCapturePerPacket": 0,

- "totalBytesPerSession": 1073741824,

- "timeLimitInSeconds": 60,

- "storageLocation": {

- "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Storage/storageAccounts/contosoexamplergdiag374",

- "storagePath": "https://contosoexamplergdiag374.blob.core.windows.net/network-watcher-logs/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/contosoexamplerg/providers/microsoft.compute/virtualmachines/contosovm/2016/12/06/packetcap

-ture_17_23_15_364.cap",

- "filePath": "c:\\temp\\packetcapture.cap"

- },

- "filters": [

- {

- "protocol": "Any",

- "localIPAddress": "",

- "localPort": "",

- "remoteIPAddress": "",

- "remotePort": ""

- }

- ]

- }

- }

- ]

-}

-```

-## Query packet capture status

-The following example gets all packet capture sessions in a region.

-```powershell

-$subscriptionId = "<subscription id>"

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-$packetCaptureName = "TestPacketCapture5"

-armclient get "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}/querystatus?api-version=2016-12-01"

-```

-The following response is an example of a typical response returned when querying the status of a packet capture.

-```json

-{

- "name": "vm1PacketCapture",

- "id": "/subscriptions/{guid}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}/packetCaptures/{packetCaptureName}",

- "captureStartTime" : "9/7/2016 12:35:24PM",

- "packetCaptureStatus" : "Stopped",

- "stopReason" : "TimeExceeded",

- "packetCaptureError" : [ ]

-}

-```

-## Start packet capture

-The following example creates a packet capture on a virtual machine. The example is parameterized to allow for flexibility in creating an example.

-```powershell

-$subscriptionId = '<subscription id>'

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-$packetCaptureName = "TestPacketCapture5"

-$storageaccountname = "contosoexamplergdiag374"

-$vmssName = "ContosoVMSS"

-$targetType = "AzureVMSS"

-$bytestoCaptureperPacket = "0"

-$bytesPerSession = "1073741824"

-$captureTimeinSeconds = "60"

-$localIP = ""

-$localPort = "" # Examples are: 80, or 80-120

-$remoteIP = ""

-$remotePort = "" # Examples are: 80, or 80-120

-$protocol = "" # Valid values are TCP, UDP and Any.

-$targetUri = "" # Example: /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.compute/virtualMachineScaleSet/$vmssName

-$storageId = "" #Example "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Storage/storageAccounts/contosoexamplergdiag374"

-$storagePath = "" # Example: "https://mytestaccountname.blob.core.windows.net/capture/vm1Capture.cap"

-$localFilePath = "c:\\temp\\packetcapture.cap" # Example: "d:\capture\vm1Capture.cap"

-$requestBody = @"

-{

- 'properties': {

- 'target': '/${targetUri}',

- 'targetType': '/${targetType}',

- 'bytesToCapturePerPacket': '${bytestoCaptureperPacket}',

- 'totalBytesPerSession': '${bytesPerSession}',

- 'scope': {

- 'include': [ "1", "2" ],

- 'exclude': [ "3", "4" ],

- },

- 'timeLimitinSeconds': '${captureTimeinSeconds}',

- 'storageLocation': {

- 'storageId': '${storageId}',

- 'storagePath': '${storagePath}',

- 'filePath': '${localFilePath}'

- },

- 'filters': [

- {

- 'protocol': '${protocol}',

- 'localIPAddress': '${localIP}',

- 'localPort': '${localPort}',

- 'remoteIPAddress': '${remoteIP}',

- 'remotePort': '${remotePort}'

- }

- ]

- }

-}

-"@

-armclient PUT "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}?api-version=2016-07-01" $requestbody

-```

-## Stop packet capture

-The following example stops a packet capture on a virtual machine. The example is parameterized to allow for flexibility in creating an example.

-```powershell

-$subscriptionId = '<subscription id>'

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-$packetCaptureName = "TestPacketCapture5"

-armclient post "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}/stop?api-version=2016-12-01"

-```

-## Delete packet capture

-The following example deletes a packet capture on a virtual machine. The example is parameterized to allow for flexibility in creating an example.

-```powershell

-$subscriptionId = '<subscription id>'

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-$packetCaptureName = "TestPacketCapture5"

-armclient delete "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}?api-version=2016-12-01"

-```

-> [!NOTE]

-> Deleting a packet capture does not delete the file in the storage account

-## Next steps

-For instructions on downloading files from Azure storage accounts, refer to [Get started with Azure Blob storage using .NET](../storage/blobs/storage-quickstart-blobs-dotnet.md). Another tool that can be used is Storage Explorer. More information about Storage Explorer can be found here at the following link: [Storage Explorer](https://storageexplorer.com/)

-description: Learn how to manage packet captures in virtual machines with the packet capture feature of Network Watcher using Azure REST API.

-# Manage packet captures with Azure Network Watcher using Azure REST API

-> [!div class="op_single_selector"]

-> - [Azure portal](network-watcher-packet-capture-manage-portal.md)

-> - [PowerShell](network-watcher-packet-capture-manage-powershell.md)

-> - [Azure CLI](network-watcher-packet-capture-manage-cli.md)

-> - [Azure REST API](network-watcher-packet-capture-manage-rest.md)

-Network Watcher packet capture allows you to create capture sessions to track traffic to and from a virtual machine. Filters are provided for the capture session to ensure you capture only the traffic you want. Packet capture helps to diagnose network anomalies both reactively and proactively. Other uses include gathering network statistics, gaining information on network intrusions, to debug client-server communications and much more. By being able to remotely trigger packet captures, this capability eases the burden of running a packet capture manually and on the desired machine, which saves valuable time.

-This article takes you through the different management tasks that are currently available for packet capture.

-## Before you begin

-In this scenario, you call the Network Watcher REST API to run IP Flow Verify. ARMclient is used to call the REST API using PowerShell. ARMClient is found on chocolatey at [ARMClient on Chocolatey](https://chocolatey.org/packages/ARMClient)

-This scenario assumes you have already followed the steps in [Create a Network Watcher](network-watcher-create.md) to create a Network Watcher.

-> Packet capture requires a virtual machine extension `AzureNetworkWatcherExtension`. For installing the extension on a Windows VM visit [Azure Network Watcher Agent virtual machine extension for Windows](../virtual-machines/extensions/network-watcher-windows.md) and for Linux VM visit [Azure Network Watcher Agent virtual machine extension for Linux](../virtual-machines/extensions/network-watcher-linux.md).

-## Log in with ARMClient

-```powershell

-armclient login

-```

-## Retrieve a virtual machine

-Run the following script to return a virtual machine. This information is needed for starting a packet capture.

-The following code needs variables:

-```powershell

-$subscriptionId = "<subscription id>"

-$resourceGroupName = "<resource group name>"

-armclient get https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Compute/virtualMachines?api-version=2015-05-01-preview

-```

-From the following output, the id of the virtual machine is used in the next example.

-```json

-...

-,

- "type": "Microsoft.Compute/virtualMachines",

- "location": "westcentralus",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Compute

-/virtualMachines/ContosoVM",

- "name": "ContosoVM"

- }

- ]

-}

-```

-## Get a packet capture

-The following example gets the status of a single packet capture

-```powershell

-$subscriptionId = "<subscription id>"

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-armclient post "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}/querystatus?api-version=2016-12-01"

-```

-The following responses are examples of a typical response returned when querying the status of a packet capture.

-```json

-{

- "name": "TestPacketCapture5",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture6",

- "captureStartTime": "2016-12-06T17:20:01.5671279Z",

- "packetCaptureStatus": "Running",

- "packetCaptureError": []

-}

-```

-```json

-{

- "name": "TestPacketCapture5",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture6",

- "captureStartTime": "2016-12-06T17:20:01.5671279Z",

- "packetCaptureStatus": "Stopped",

- "stopReason": "TimeExceeded",

- "packetCaptureError": []

-}

-```

-## List all packet captures

-The following example gets all packet capture sessions in a region.

-```powershell

-$subscriptionId = "<subscription id>"

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-armclient get "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures?api-version=2016-12-01"

-```

-The following response is an example of a typical response returned when getting all packet captures

-```json

-{

- "value": [

- {

- "name": "TestPacketCapture6",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture6",

- "etag": "W/\"091762e1-c23f-448b-89d5-37cf56e4c045\"",

- "properties": {

- "provisioningState": "Succeeded",

- "target": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Compute/virtualMachines/ContosoVM",

- "bytesToCapturePerPacket": 0,

- "totalBytesPerSession": 1073741824,

- "timeLimitInSeconds": 60,

- "storageLocation": {

- "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Storage/storageAccounts/contosoexamplergdiag374",

- "storagePath": "https://contosoexamplergdiag374.blob.core.windows.net/network-watcher-logs/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/contosoexamplerg/providers/microsoft.compute/virtualmachines/contosovm/2016/12/06/packetcap

-ture_17_19_53_056.cap",

- "filePath": "c:\\temp\\packetcapture.cap"

- },

- "filters": [

- {

- "protocol": "Any",

- "localIPAddress": "",

- "localPort": "",

- "remoteIPAddress": "",

- "remotePort": ""

- }

- ]

- }

- },

- {

- "name": "TestPacketCapture7",

- "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/TestPacketCapture7",

- "etag": "W/\"091762e1-c23f-448b-89d5-37cf56e4c045\"",

- "properties": {

- "provisioningState": "Failed",

- "target": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Compute/virtualMachines/ContosoVM",

- "bytesToCapturePerPacket": 0,

- "totalBytesPerSession": 1073741824,

- "timeLimitInSeconds": 60,

- "storageLocation": {

- "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Storage/storageAccounts/contosoexamplergdiag374",

- "storagePath": "https://contosoexamplergdiag374.blob.core.windows.net/network-watcher-logs/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/contosoexamplerg/providers/microsoft.compute/virtualmachines/contosovm/2016/12/06/packetcap

-ture_17_23_15_364.cap",

- "filePath": "c:\\temp\\packetcapture.cap"

- },

- "filters": [

- {

- "protocol": "Any",

- "localIPAddress": "",

- "localPort": "",

- "remoteIPAddress": "",

- "remotePort": ""

- }

- ]

- }

- }

- ]

-}

-```

-## Query packet capture status

-The following example gets all packet capture sessions in a region.

-```powershell

-$subscriptionId = "<subscription id>"

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-$packetCaptureName = "TestPacketCapture5"

-armclient get "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}/querystatus?api-version=2016-12-01"

-```

-The following response is an example of a typical response returned when querying the status of a packet capture.

-```json

-{

- "name": "vm1PacketCapture",

- "id": "/subscriptions/{guid}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}/packetCaptures/{packetCaptureName}",

- "captureStartTime" : "9/7/2016 12:35:24PM",

- "packetCaptureStatus" : "Stopped",

- "stopReason" : "TimeExceeded",

- "packetCaptureError" : [ ]

-}

-```

-## Start packet capture

-The following example creates a packet capture on a virtual machine. The example is parameterized to allow for flexibility in creating an example.

-```powershell

-$subscriptionId = '<subscription id>'

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-$packetCaptureName = "TestPacketCapture5"

-$storageaccountname = "contosoexamplergdiag374"

-$vmName = "ContosoVM"

-$bytestoCaptureperPacket = "0"

-$bytesPerSession = "1073741824"

-$captureTimeinSeconds = "60"

-$localIP = ""

-$localPort = "" # Examples are: 80, or 80-120

-$remoteIP = ""

-$remotePort = "" # Examples are: 80, or 80-120

-$protocol = "" # Valid values are TCP, UDP and Any.

-$targetUri = "" # Example: /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.compute/virtualMachine/$vmName

-$storageId = "" #Example "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoExampleRG/providers/Microsoft.Storage/storageAccounts/contosoexamplergdiag374"

-$storagePath = "" # Example: "https://mytestaccountname.blob.core.windows.net/capture/vm1Capture.cap"

-$localFilePath = "c:\\temp\\packetcapture.cap" # Example: "d:\capture\vm1Capture.cap"

-$requestBody = @"

-{

- 'properties': {

- 'target': '/${targetUri}',

- 'bytesToCapturePerPacket': '${bytestoCaptureperPacket}',

- 'totalBytesPerSession': '${bytesPerSession}',

- 'timeLimitinSeconds': '${captureTimeinSeconds}',

- 'storageLocation': {

- 'storageId': '${storageId}',

- 'storagePath': '${storagePath}',

- 'filePath': '${localFilePath}'

- },

- 'filters': [

- {

- 'protocol': '${protocol}',

- 'localIPAddress': '${localIP}',

- 'localPort': '${localPort}',

- 'remoteIPAddress': '${remoteIP}',

- 'remotePort': '${remotePort}'

- }

- ]

- }

-}

-"@

-armclient PUT "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}?api-version=2016-07-01" $requestbody

-```

-## Stop packet capture

-The following example stops a packet capture on a virtual machine. The example is parameterized to allow for flexibility in creating an example.

-```powershell

-$subscriptionId = '<subscription id>'

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-$packetCaptureName = "TestPacketCapture5"

-armclient post "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}/stop?api-version=2016-12-01"

-```

-## Delete packet capture

-The following example deletes a packet capture on a virtual machine. The example is parameterized to allow for flexibility in creating an example.

-```powershell

-$subscriptionId = '<subscription id>'

-$resourceGroupName = "NetworkWatcherRG"

-$networkWatcherName = "NetworkWatcher_westcentralus"

-$packetCaptureName = "TestPacketCapture5"

-armclient delete "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/packetCaptures/${packetCaptureName}?api-version=2016-12-01"

-```

-> [!NOTE]

-> Deleting a packet capture does not delete the file in the storage account

-## Next steps

-For instructions on downloading files from azure storage accounts, refer to [Get started with Azure Blob storage using .NET](../storage/blobs/storage-quickstart-blobs-dotnet.md). Another tool that can be used is Storage Explorer. More information about Storage Explorer can be found here at the following link: [Storage Explorer](https://storageexplorer.com/)

-Learn how to automate packet captures with Virtual machine alerts by viewing [Create an alert triggered packet capture](network-watcher-alert-triggered-packet-capture.md)

-Azure Operator Service Manager is a service that allows network equipment providers (NEPs) to publish their NFs in Azure Marketplace. Operators can deploy the NFs by using familiar Azure APIs.

-description: Learn about Azure Operator Service Manager, an Azure Service for the management of Network Services for telecom operators.

-# About Azure Operator Service Manager

-Azure Operator Service Manager is an Azure service designed to assist telecom operators in managing their network services. It provides streamlined management capabilities for intricate, multi-part, multi-vendor applications across numerous hybrid cloud sites, encompassing Azure regions, edge platforms, and Arc-connected sites. Initially, Azure Operator Service Manager caters to the needs of telecom operators who are in the process of migrating their workloads to Azure and Arc-connected cloud environments.

-Azure Operator Service Manager expands and improves the Network Function Manager by incorporating technology and ideas from Azure for Operators' on-premises management tools. Its purpose is to manage the convergence of comprehensive, multi-vendor service solutions on a per-site basis. It uses a declarative software and configuration model for the system.

-## Product features

-Azure Operator Service Manager provides an Azure-native abstraction for modeling and realizing a distributed network service using extra resource types in Azure Resource Manager (ARM) through our cloud service. A network service is represented as a network graph comprising multiple network functions, with appropriate policies controlling the data plane to meet each telecom operator's operational needs. Creation of templates of configuration schemas allows for per-site variation that is often required in such deployments.

-## Benefits

-Azure Operator Service Manager provides the following benefits:

-## Get access to Azure Operator Service Manager

-Azure Operator Service Manager is currently in public preview. To get started, contact us at [aosmpartner@microsoft.com](mailto:aosmpartner@microsoft.com?subject=Azure%20Operator%20Service%20Manager%20preview%20request&Body=Hello%2C%0A%0AI%20would%20like%20to%20request%20access%20to%20the%20Azure%20Operator%20Service%20Manager%20preview%20documentation.%0A%0AMy%20GitHub%20username%20is%3A%20%0A%0AThank%20you%21), provide your GitHub username, and request access to our preview documentation.

-| Japan East | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

-Configure [VNet-to-VNet VPN gateway connection](../../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md) to establish connectivity to a Azure Database for PostgreSQL - Single server from an Azure VM in a different region or subscription.

- {ΓÇ»

- ΓÇ» "version": 1,ΓÇ»

- ΓÇ» "azureKey": 1,ΓÇ»

- ΓÇ» "vendorKeyFingerprint": "A5719BCEFD6A2021A11D7649942ECC14",

- ΓÇ» "encryptedTransportKey": "0EBAE5E2D31A1BE48495F6DCA65983EEAE6BA6B75A92040562EAD84079BF701CBD3BB1602DB74E85921184820B78A02EC709951195DC87E44481FDB6B826DF775E29B7073644EA66649A14B6CA6B0EE75DE8B4A8D0D5186319E37FBF165A691E607CFF8B65F3E5E9D448049704DE4EA047101ADA4554A543F405B447B8DB687C0B7624E62515445F3E887B3328AA555540D9959752C985490586EF06681501A89594E28F98BF66F179FE3F1D2EE13C69BC42C30A8D3DC6898B8160FC66CDDEE164760F27B68A07BA4C4AE5AFFEA45EE8342E1CA8470150ED6AF4215CEF173418E60E2B1DF4A8C2AE6F0C9A291F5D185ECAD0D94D48EFD06570A0C1AE27D5EC20",ΓÇ»

- ΓÇ» "signedTransportKey": "83515CC47C8890F62D4A0D16DE58C2F2DCFD827C317047693A46B9CA1F9EBC33CCDB8CABE04A275D65E180813CCFF43FC2DA95E19E2B9FF2588AE0914418DC9CB5506EB7AEADB272F5DAB9F0B1CCFAD62B95C91D4F4680A350F56D2A7F8EC863F4D61E1D7A38746AEE6C6391D619CCFCFA2B6D554671D91A26484CD6E120D84917FBF69D3B56B2AA8F2B36AF88492F1A7E267594B6C1596B81A81079540EC3F31869294BFEB225DFB171DE557B8C05D7C963E047E3AF36D1387FEDA28E55E411E5FB6AED178FB9C92D674D71AF8FEB6462F509E6423D4EBE0EC84E4135AA6C7A36F849A14A6A70E7188E08278D515BD95A549645E9D595D1DEC13E1A68B9CB67",ΓÇ»

- ΓÇ» "sims": [ΓÇ»

-     { 

-       "name": "SIM 1", 

-       "properties": { 

-         "deviceType": "Sensor", 

-        "integratedCircuitCardIdentifier": "8922345678901234567", 

-         "internationalMobileSubscriberIdentity": "001019990010002", 

-         "encryptedCredentials": "3ED205BE2DD7F0E467283EC55F9E8F3588B68DC98811BE671070C65EFDE0CCCAD18C8B663231C80FB478F753A6B09142D06982421261679B7BB112D36473EA7EF973DCF7F634124B58DD945FE61D4B16978438CB33E64D3AA58B5C38A0D97030B5F95B16E308D919EB932ACCD36CB8C2838C497B3B38A60E3DD385", 

-         "simPolicy": { 

-           "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.MobileNetwork/mobileNetworks/testMobileNetwork/simPolicies/MySimPolicy" 

-         }, 

-         "staticIpConfiguration": [

- {

- "attachedDataNetwork": {

- "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.MobileNetwork/packetCoreControlPlanes/TestPacketCoreCP/packetCoreDataPlanes/TestPacketCoreDP/attachedDataNetworks/TestAttachedDataNetwork"

- },

- "slice": {

- "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.MobileNetwork/mobileNetworks/testMobileNetwork/slices/testSlice"

- },

- "staticIp": {

- "ipv4Address": "2.4.0.1"

- }

-           } 

-         ] 

-       } 

-     }

- {ΓÇ»

-       "name": "SIM 2", 

-       "properties": { 

-         "deviceType": "Cellphone", 

-        "integratedCircuitCardIdentifier": "1234545678907456123", 

-         "internationalMobileSubscriberIdentity": "001019990010003", 

-         "encryptedCredentials": "3ED205BE2DD7F0E467283EC55F9E8F3588B68DC98811BE671070C65EFDE0CCCAD18C8B663231C80FB478F753A6B09142D06982421261679B7BB112D36473EA7EF973DCF7F634124B58DD945FE61D4B16978438CB33E64D3AA58B5C38A0D97030B5F95B16E308D919EB932ACCD36CB8C2838C497B3B38A60E3DD385", 

-         "simPolicy": { 

-           "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.MobileNetwork/mobileNetworks/testMobileNetwork/simPolicies/MySimPolicy" 

-         }, 

-         "staticIpConfiguration": [

- {

- "attachedDataNetwork": {

- "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.MobileNetwork/packetCoreControlPlanes/TestPacketCoreCP/packetCoreDataPlanes/TestPacketCoreDP/attachedDataNetworks/TestAttachedDataNetwork"

- },

- "slice": {

- "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.MobileNetwork/mobileNetworks/testMobileNetwork/slices/testSlice"

- },

- "staticIp": {

- "ipv4Address": "2.4.0.2"

- }

-           } 

-         ] 

-       } 

-     } 

- ΓÇ» ]ΓÇ»

- }ΓÇ»