+API Management emits [metrics](/azure/azure-monitor/essentials/data-platform-metrics) every minute, giving you near real-time visibility into the state and health of your APIs. The following are the most frequently used metrics. For a list of all available metrics, see [supported metrics](/azure/azure-monitor/reference/supported-metrics/microsoft-apimanagement-service-metrics).

+ > In the [v2 service tiers](v2-service-tiers-overview.md), API Management has replaced the capacity metric with separate CPU and memory utilization metrics. These metrics can also be used for scaling decisions and troubleshooting. [Learn more](api-management-capacity.md)

+> The following metrics have been retired: Total Gateway Requests, Successful Gateway Requests, Unauthorized Gateway Requests, Failed Gateway Requests, Other Gateway Requests. Please migrate to the Requests metric which provides closely similar functionality.

+1. To investigate metrics in detail, select **Monitoring** > **Metrics** from the left menu.

+1. Select **Monitoring** > **Alerts** from the left menu.

+1. On the **Condition** tab:

+ 1. In **Alert logic**, review or modify the default values for the alert. For example, update the static **Threshold**, which is the number of occurrences after which the alert should be triggered.

+1. Optionally test the alert rule by using an HTTP client to simulate a request that triggers the alert. For example, run the following command in a terminal, substituting the API Management hostname with the hostname of your API Management instance:

+ curl GET https://contoso.azure-api.net/non-existent-endpoint HTTP/1.1

+ An alert triggers based on the evaluation period, and it will send email to admin@contoso.com.

+> Activity logs do not include read (GET) operations or operations performed in the Azure portal.

+2. Select **Monitoring** > **Diagnostic settings**.

+## View logs and metrics in Azure Monitor

+* [Log Analytics tutorial](/azure/azure-monitor/logs/log-analytics-tutorial).

+1. In the left menu of your API Management instance, select **APIs** > **APIs** > **All APIs**.

+1. In the left menu of your API Management instance, select **APIs** > **APIs** and then the name of the API.

+> Your app code is responsible for validating the client certificate. App Service doesn't do anything with this client certificate other than forwarding it to your app.

+>

+1. Select **Client certificate mode** of choice. Select **Save** at the top of the page.

+|Client certificate modes|Description|

+|-|-|

+|Required|All requests require a client certificate.|

+|Optional|Requests may or may not use a client certificate. Clients will be prompted for a certificate by default. For example, browser clients will show a prompt to select a certificate for authentication.|

+|Optional Interactive User|Requests may or may not use a client certificate. Clients will not be prompted for a certificate by default. For example, browser clients will not show a prompt to select a certificate for authentication.|

+> Starting September 23 2021, if you haven't verified the domain in the last 395 days, App Service certificates require domain verification during a renew, auto-renew, or rekey process. The new certificate order remains in "pending issuance" mode during the renew, auto-renew, or rekey process until you complete the domain verification.

+## Use Azure Advisor for App Service certificate

+App Service certificate is integrated with [Azure Advisor](/azure/advisor/advisor-overview) to provide reliability recommendations for when your certificate requires domain verification. You must verify domain ownership for your certificate during renew, auto-renew, or rekey process if you haven't verified the domain in the last 395 days. To ensure you do not miss any certificate that requires verification or risk any certificate from expiring, you can utlize Azure Advisor to view and set up alerts for App Service certificate.

+### View Advisor recommendation

+To view Advisor recommendation for App Service certificate:

+1. Navigate to the [Azure Advisor page](https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/overview).

+1. From the left menu, select **Recommendations** > **Reliability**

+1. Select the filter option **Type equals** and search for **App Service Certificates** from the dropdown list. If the value does not exist on the dropdown menu, then that means no recommendation has been generated for your App Service certificate resources because none of them requires domain ownership verification.

+### Create Advisor Alerts

+You [create Azure Advisor alerts on new recommendations] using different configurations. To set up Advisor Alerts specifically for App Serivice certificate so you can get notifications when your certificate requires domain ownership validation:

+1. Navigate to the [Azure Advisor page](https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/overview).

+1. From the left menu, select **Monitoring** > **Alerts (Preview)**

+1. Click on **+ New Advisor Alert** on the action bar at the top. This will open a new blade called "Create Advisor Alerts".

+1. Under **Condition** select the following:

+ |Configured by| Recommendation Type|

+ |-|-|

+ |Recommendation Type|Domain verification required to issue your App Service Certificate|

+1. Fill out the rest of the required fields, then select the **Create alert** button at the bottom.

+

+ Title: Configure the latest iteration of Azure VMware Solution private cloud performance and health metrics

+description: Learn how to take advantage of the latest improvements made to Azure VMware Solution private cloud performance and health metrics

+#Customer intent: As an Azure service administrator, I want to collect key performance and reliability metrics from my Azure VMware Solution private cloud, so I can analyze for any diagnostic purposes.

+# Configure the latest iteration of Azure VMware Solution private cloud performance and health metrics

+In this article, you learn how to take advantage of the latest iteration of metrics available to monitor your Azure VMware Solution private cloud.

+Azure VMware Solution provides users with an array of high-level health and performance metrics to provide visibility into the health and performance of an Azure VMware Solution private cloud. Since early 2024, another set of identical metrics labeled with the word "(new)" were introduced, where a series of enhancements to the stability, reliability, and performance of these metrics were made to provide users a better experience relative to the older set of metrics.

+

+### View Azure VMware Solution metrics

+From your Azure VMware Solution private cloud, select **Metrics** under the **Monitoring** section. Then under the **Metric** dropdown, choose a metric that contains the word "(new)". These newer metrics are powered by our improved metrics engine, providing utmost reliability and stability. The metrics monitor items like memory consumption, datastore usage, and CPU across your Azure VMware Solution private cloud.

+### Setting up a chart

+Select a metric you'd like to build a chart for, such as "Percentage CPU (new)" in this example. Upon doing so, you will see a chart like the one below showing a time series for the metric you've selected.

+You can toggle the time window you are interested in this metric for by simply selecting the time window button in the top-right corner. The default window for your selected metric will be **24 hours**.

+Once you are ready to save, click **Save to Dashboard** and select one of the options presented for where this metric will live.

+### Send metrics to other monitoring solutions using the new metrics

+Additionally, you can hover over each metric in the **Metric** dropdown to see the Metric ID. You can use this Metric ID in your third-party monitoring tools to monitor your Azure VMware Solution private cloud.

+ >[!IMPORTANT]

+ >We strongly encourage all users - first time and repeat - to migrate to the new metrics suffixed with **"(new)"**.

+For those who have used the metrics previously and have built monitoring in downstream tools and configurations that rely on the old metric IDs, the following table provides the corresponding newer metric IDs you can use for the same set of metrics to seamlessly transition to using the newer set of metrics:

+| Metric Name (as viewed in the portal) | Current Metric ID | New Metric ID |

+| : | : | : |

+| Datastore Disk Used | UsedLatest | DiskUsedLatest |

+| Datastore Disk Total Capacity | CapacityLatest | CapacityLatest |

+| Average Effective Memory | EffectiveMemAverage | ClusterSummaryEffectiveMemory |

+| Average Total Memory | TotalMbAverage | ClusterSummaryTotalMemCapacityMB |

+| Average Memory Overhead | OverheadAverage | MemOverheadAverage |

+| Average Memory Usage | UsageAverage | MemUsageAverage |

+| Percentage CPU | EffectiveCpuAverage | CpuUsageAverage |

+| Percentage Datastore Disk Used | DiskUsedPercentage | DiskUsedPercentage |

+### <a name="aadj"></a>Does Bastion work with Entra ID extension-joined VMs?

+Bastion does work with Entra ID extension-joined VMs for Microsoft Entra users with RDP and SSH on the native client, and SSH only on the portal. Entra ID for RDP on the portal is not yet supported. For more information, see [Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#requirements).

+### Rate Limits for SMS

+You can send a limited number of email messages. If you exceed the [email rate limits](#rate-limits-for-email) for your subscription, your requests are rejected. You can attempt these requests again, after the Retry-After time passes. Take action before reaching the limit by requesting to raise your sending volume limits if needed.

+The Azure Communication Services email service is designed to support high throughput. However, the service imposes initial rate limits to help customers onboard smoothly and avoid some of the issues that can occur when switching to a new email service.

+We recommend gradually increasing your email volume using Azure Communication Services Email over a period of two to four weeks, while closely monitoring the delivery status of your emails. This gradual increase enables third-party email service providers to adapt to the change in IP for your domain's email traffic. The gradual change gives you time to protect your sender reputation and maintain the reliability of your email delivery.

+Azure Communication Services email service supports high volume up to 1-2 million messages per hour. High throughput can be enabled based on several factors, including:

+- Customer peak traffic

+- Business needs

+- Ability to manage failure rates

+- Domain reputation

+### Failure Rate Requirements

+To enable a high email quota, your email failure rate must be less than one percent (1%). If your failure rate is high, you must resolve the issues before requesting a quota increase.

+Customers are expected to actively monitor their failure rates.

+If the failure rate increases after a quota increase, Azure Communication Services will contact the customer for immediate action and a resolution timeline. In extreme cases, if the failure rate isn't managed within the specified timeline, Azure Communication Services may reduce or suspend service until the issue is resolved.

+#### Related articles

+Azure Communication Services provides rich logs and analytics to help monitor and manage failure rates. For more information, see the following articles:

+- [Improve sender reputation in Azure Communication Services email](./email/sender-reputation-managed-suppression-list.md)

+- [Email Insights](./analytics/insights/email-insights.md)

+- [Enable logs via Diagnostic Settings in Azure Monitor](./analytics/enable-logging.md)

+- [Quickstart: Handle Email events](../quickstarts/email/handle-email-events.md)

+- [Quickstart: Manage domain suppression lists in Azure Communication Services using the management client libraries](../quickstarts/email/manage-suppression-list-management-sdks.md)

+> [!NOTE]

+> To request higher limits, follow the instructions at [Quota increase for email domains](./email/email-quota-increase.md). Higher quotas are only available for verified custom domains, not Azure-managed domains.

+### Rate Limits for Email

+### Size Limits for Email

+### Size Limits for Chat

+### Rate Limits for Chat

+> \* Read receipts and typing indicators are not supported on chat threads with more than 20 participants.

+### Rate Limits for Job Router

+Using a Teams interoperability scenario, you often use Microsoft Graph APIs to create [meetings](/graph/cloud-communications-online-meetings).

+## Media Action Compatibility Table

+The following table illustrates the what media operations are allowed to run/queue if a previous operation is still running/queued.

+| Existing Operation | Call Leg | Allowed | Disallowed |

+| -- | -- | -- | -- |

+| PlayToAll | Main | PlayToAll, Recognize(Non-Group Call), PlayTo, Recognize(Group Call), SendDTMF, StartContinuousDtmfRecognition | None |

+| Recognize(Non-Group Call) | Main | PlayToAll, Recognize(Non-Group Call), PlayTo, Recognize(Group Call), SendDTMF, StartContinuousDtmfRecognition | None |

+| PlayTo | Sub | PlayToAll, Recognize(Non-Group Call) | PlayTo, Recognize(Group Call), SendDTMF, StartContinuousDtmfRecognition |

+| Recognize(Group Call) | Sub | PlayToAll, Recognize(Non-Group Call) | PlayTo, Recognize(Group Call), SendDTMF, StartContinuousDtmfRecognition |

+| SendDTMF | Sub | PlayToAll, Recognize(Non-Group Call) | PlayTo, Recognize(Group Call), SendDTMF, StartContinuousDtmfRecognition |

+| StartContinuousDtmfRecognition | Sub | PlayToAll, Recognize(Non-Group Call),PlayTo, Recognize(Group Call), SendDTMF, StartContinuousDtmfRecognition | None |

+> By enabling this feature, you acknowledge that you are enabling open/click tracking and giving consent to collect your customers' email activity.

+ :::image type="content" source="./media/email-domains-custom-provision-domains.png" alt-text="Screenshot that shows how to get to overview page for Domain from provisioned domains list.":::

+ :::image type="content" source="./media/email-domains-custom-overview.png" alt-text="Screenshot that shows the overview page of the domain." lightbox="media/email-domains-custom-overview-expanded.png":::

+ :::image type="content" source="./media/email-domains-user-engagement.png" alt-text="Screenshot that shows the user engagement turn-on page of the domain." lightbox="media/email-domains-user-engagement-expanded.png":::

+> User Engagement Tracking cannot be enabled for Azure Managed Domains or custom domains with default sending limits. For more information, see [Service limits for Azure Communication Services](../../concepts/service-limits.md#rate-limits-for-email).

+- Familiarize yourself with the [Email client library](../../concepts/email/sdk-features.md).

+- [Quickstart: How to connect Email Communication Service with an Azure Communication Services resource](../../quickstarts/email/connect-email-communication-resource.md).

+This example uses the `--tail` argument to display the last 50 system log messages from the container app. Replace the `<PLACEHOLDERS>` with your container app's values.

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --name <CONTAINER_APP_NAME> `

+ --resource-group <RESOURCE_GROUP> `

+This example displays a continuous live stream of system log messages from the container app using the `--follow` argument. Replace the `<PLACEHOLDERS>` with your container app's values.

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --name <CONTAINER_APP_NAME> `

+ --resource-group <RESOURCE_GROUP> `

+You can get the revision names with the `az containerapp revision list` command. Replace the `<PLACEHOLDERS>` with your container app's values.

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --name <CONTAINER_APP_NAME> `

+ --resource-group <RESOURCE_GROUP> `

+Use the `az containerapp replica list` command to get the replica and container names. Replace the `<PLACEHOLDERS>` with your container app's values.

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --revision <REVISION_NAME> \

+ --name <CONTAINER_APP_NAME> `

+ --resource-group <RESOURCE_GROUP> `

+ --revision <REVISION_NAME> `

+Live stream the container console using the `az container app show` command with the `--follow` argument. Replace the `<PLACEHOLDERS>` with your container app's values.

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --revision <REVISION_NAME> \

+ --replica <REPLICA_NAME> \

+ --container <CONTAINER_NAME> \

+ --name <CONTAINER_APP_NAME> `

+ --resource-group <RESOURCE_GROUP> `

+ --revision <REVISION_NAME> `

+ --replica <REPLICA_NAME> `

+ --container <CONTAINER_NAME> `

+View the last 50 console log messages using the `az containerapp logs show` command with the `--tail` argument. Replace the `<PLACEHOLDERS>` with your container app's values.

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --revision <REVISION_NAME> \

+ --replica <REPLICA_NAME> \

+ --container <CONTAINER_NAME> \

+ --name <CONTAINER_APP_NAME> `

+ --resource-group <RESOURCE_GROUP> `

+ --revision <REVISION_NAME> `

+ --replica <REPLICA_NAME> `

+ --container <CONTAINER_NAME> `

+Use the following command with the `--follow` argument to view the live system log stream from the Container Apps environment. Replace the `<PLACEHOLDERS>` with your environment values.

+ --name <ENVIRONMENT_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --name <ENVIRONMENT_NAME> `

+ --resource-group <RESOURCE_GROUP> `

+This example uses the `--tail` argument to display the last 50 environment system log messages. Replace the `<PLACEHOLDERS>` with your environment values.

+ --name <CONTAINER_APP_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --name <CONTAINER_APP_NAME> `

+ --resource-group <RESOURCE_GROUP> `

+```

+Forecast costs are available in both smart and custom views when you select either an area or column stacked chart type. In either case, the forecast is calculated the same way based on your historical usage patterns for up to a year in the future. 

+ > [!NOTE]

+ > Currently ApplicationIntent and MultiSubnetFailover are not supported in SQL connection properties.

+| Details | Front Door (classic) | CDN Standard from Microsoft (classic) | CDN Standard from Akamai | CDN Standard/Premium from Edgio

+| | | | | |

+| Retirement Date | March 31, 2027 | September 30, 2027 | December 31, 2023 | November 4, 2025

+| Date till new resources can be created | March 31, 2025 | September 30, 2025 | Service is already retired | January 15, 2025

+| Documentation | [Azure update](https://azure.microsoft.com/updates/azure-front-door-classic-will-be-retired-on-31-march-2027/), [FAQ](classic-retirement-faq.md) | [Azure update](https://azure.microsoft.com/updates/v2/Azure-CDN-Standard-from-Microsoft-classic-will-be-retired-on-30-September-2027), [FAQ](../cdn/classic-cdn-retirement-faq.md) | [FAQ](../cdn/akamai-retirement-faq.md)|[FAQ](../cdn/edgio-retirement-faq.md)

+| Migration | [Considerations](tier-migration.md), [Step-by-step instructions](migrate-tier.md) | [Considerations](../cdn/tier-migration.md), [Step-by-step instructions](../cdn/migrate-tier.md) | Service is already retired | [Step-by-step instructions](migrate-cdn-to-front-door.md)

+|Customers can't access FHIR, DICOM, or Medtech through the portal. | October 31, 2024 1:00 pm PST | ARM calls are still operational, and there's no disruption to existing services. | -- |

+* An Azure Storage container *without* Private Endpoint enabled.

+ - If you're not sure if Private Endpoint is enabled, go to [Private Link Center](https://portal.azure.com/#blade/Microsoft_Azure_Network/PrivateLinkCenterBlade/overview), select "Private endpoints" on the left, then look for your Azure Storage account name in the "Resources" column.

+

+## Dataflows must use local MQTT broker endpoint

+When you create a dataflow, you specify the source and destination endpoints. The dataflow moves data from the source endpoint to the destination endpoint. You can use the same endpoint for multiple dataflows, and you can use the same endpoint as both the source and destination in a dataflow.

+However, using custom endpoints as both the source and destination in a dataflow isn't supported. This restriction means the built-in MQTT broker in Azure IoT Operations must be either the source or destination for every dataflow. To avoid dataflow deployment failures, use the [default MQTT dataflow endpoint](./howto-configure-mqtt-endpoint.md#default-endpoint) as either the source or destination for every dataflow.

+The specific requirement is each dataflow must have either the source or destination configured with an MQTT endpoint that has the host `aio-broker`. So it's not strictly required to use the default endpoint, and you can create additional dataflow endpoints pointing to the local MQTT broker as long as the host is `aio-broker`. However, to avoid confusion and manageability issues, the default endpoint is the recommended approach.

+The following table shows the supported scenarios:

+| Scenario | Supported |

+|-|--|

+| Default endpoint as source | Yes |

+| Default endpoint as destination | Yes |

+| Custom endpoint as source | Yes, if destination is default endpoint or an MQTT endpoint with host `aio-broker` |

+| Custom endpoint as destination | Yes, if source is default endpoint or an MQTT endpoint with host `aio-broker` |

+| Custom endpoint as source and destination | No, unless one of them is an MQTT endpoints with host `aio-broker` |

+Azure IoT Operations provides a [built-in local MQTT broker](../manage-mqtt-broker/overview-iot-mq.md) that you can use with dataflows. You can use the MQTT broker as a source to receive messages from other systems or as a destination to send messages to other systems.

+When you deploy Azure IoT Operations, an MQTT broker dataflow endpoint named "default" is created with default settings. You can use this endpoint as a source or destination for dataflows.

+> [!IMPORTANT]

+> The default endpoint **must always be used as either the source or destination in every dataflow**. To learn more about, see [Dataflows must use local MQTT broker endpoint](./howto-configure-dataflow-endpoint.md#dataflows-must-use-local-mqtt-broker-endpoint).

+The default endpoint uses the following settings:

+> [!CAUTION]

+> Don't delete the default endpoint. If you delete the default endpoint, you must recreate it with the same settings.

+You can also create new local MQTT broker endpoints with custom settings. For example, you can create a new MQTT broker endpoint using a different port, authentication, or authorization settings. However, you must still always use the default endpoint as either the source or destination in every dataflow, even if you create new endpoints.

+Azure Event Grid MQTT broker [doesn't support shared subscriptions](../../event-grid/mqtt-support.md#mqttv5-current-limitations), which means that you can't set the `instanceCount` to more than `1` in the dataflow profile if Event Grid is used as a source (where the dataflow subscribes to messages) for a dataflow. In this case, if you set `instanceCount` greater than `1`, the dataflow fails to start.

+To define the source and destination, you need to configure the dataflow endpoints. The transformation is optional and can include operations like enriching the data, filtering the data, and mapping the data to another field.

+> [!IMPORTANT]

+> Each dataflow must have the Azure IoT Operations local MQTT broker default endpoint [as *either* the source or destination](#proper-dataflow-configuration).

+### Use asset as source

+When using an asset as the source, the asset definition is used to infer the schema for the dataflow. The asset definition includes the schema for the asset's datapoints. To learn more, see [Manage asset configurations remotely](../discover-manage-assets/howto-manage-assets-remotely.md).

+Once configured, the data from the asset reached the dataflow via the local MQTT broker. So, when using an asset as the source, the dataflow uses the local MQTT broker default endpoint as the source in actuality.

+Here, `dataSources` allow you to specify multiple MQTT or Kafka topics without needing to modify the endpoint configuration. This flexibility means the same endpoint can be reused across multiple dataflows, even if the topics vary. To learn more, see [Configure data sources](#configure-data-sources-mqtt-or-kafka-topics).

+If the default endpoint isn't used as the source, it must be used as the [destination](#destination). To learn more about, see [Dataflows must use local MQTT broker endpoint](./howto-configure-dataflow-endpoint.md#dataflows-must-use-local-mqtt-broker-endpoint).

+You can specify multiple MQTT or Kafka topics in a source without needing to modify the dataflow endpoint configuration. This flexibility means the same endpoint can be reused across multiple dataflows, even if the topics vary. For more information, see [Reuse dataflow endpoints](./howto-configure-dataflow-endpoint.md#reuse-endpoints).

+If the instance count in the [dataflow profile](howto-configure-dataflow-profile.md) is greater than 1, shared subscription is automatically enabled for all dataflows that use MQTT source. In this case, the `$shared` prefix is added and the shared subscription group name automatically generated. For example, if you have a dataflow profile with an instance count of 3, and your dataflow uses an MQTT endpoint as source configured with topics `topic1` and `topic2`, they are automatically converted to shared subscriptions as `$shared/<GENERATED_GROUP_NAME>/topic1` and `$shared/<GENERATED_GROUP_NAME>/topic2`. If you want to use a different shared subscription group ID, you can override it in the topic, like `$shared/mygroup/topic1`.

+> [!IMPORTANT]

+> Dataflows requireing shared subscription when instance count is greater than 1 is important when using Event Grid MQTT broker as a source since it [doesn't support shared subscriptions](../../event-grid/mqtt-support.md#mqttv5-current-limitations). To avoid missing messages, set the dataflow profile instance count to 1 when using Event Grid MQTT broker as the source. That is when the dataflow is the subscriber and receiving messages from the cloud.

+To send data to a destination other than the local MQTT broker, create a dataflow endpoint. To learn how, see [Configure dataflow endpoints](howto-configure-dataflow-endpoint.md). If the destination isn't the local MQTT broker, it must be used as a source. To learn more about, see [Dataflows must use local MQTT broker endpoint](./howto-configure-dataflow-endpoint.md#dataflows-must-use-local-mqtt-broker-endpoint).

+The following example is a dataflow configuration that uses the MQTT endpoint for the source and destination. The source filters the data from the MQTT topic `azure-iot-operations/data/thermostat`. The transformation converts the temperature to Fahrenheit and filters the data where the temperature multiplied by the humiditiy is less than 100000. The destination sends the data to the MQTT topic `factory`.

+# [Portal](#tab/portal)

+See Bicep or Kubernetes tabs for the configuration example.

+# [Bicep](#tab/bicep)

+```bicep

+param aioInstanceName string = '<AIO_INSTANCE_NAME>'

+param customLocationName string = '<CUSTOM_LOCATION_NAME>'

+param dataflowName string = '<DATAFLOW_NAME>'

+resource aioInstance 'Microsoft.IoTOperations/instances@2024-09-15-preview' existing = {

+ name: aioInstanceName

+}

+resource customLocation 'Microsoft.ExtendedLocation/customLocations@2021-08-31-preview' existing = {

+ name: customLocationName

+}

+// Pointer to the default dataflow endpoint

+resource defaultDataflowEndpoint 'Microsoft.IoTOperations/instances/dataflowEndpoints@2024-09-15-preview' existing = {

+ parent: aioInstance

+ name: 'default'

+}

+// Pointer to the default dataflow profile

+resource defaultDataflowProfile 'Microsoft.IoTOperations/instances/dataflowProfiles@2024-09-15-preview' existing = {

+ parent: aioInstance

+ name: 'default'

+}

+resource dataflow 'Microsoft.IoTOperations/instances/dataflowProfiles/dataflows@2024-09-15-preview' = {

+ // Reference to the parent dataflow profile, the default profile in this case

+ // Same usage as profileRef in Kubernetes YAML

+ parent: defaultDataflowProfile

+ name: dataflowName

+ extendedLocation: {

+ name: customLocation.id

+ type: 'CustomLocation'

+ }

+ properties: {

+ mode: 'Enabled'

+ operations: [

+ {

+ operationType: 'Source'

+ sourceSettings: {

+ // Use the default MQTT endpoint as the source

+ endpointRef: defaultDataflowEndpoint.name

+ // Filter the data from the MQTT topic azure-iot-operations/data/thermostat

+ dataSources: [

+ 'azure-iot-operations/data/thermostat'

+ ]

+ }

+ }

+ // Transformation optional

+ {

+ operationType: 'BuiltInTransformation'

+ builtInTransformationSettings: {

+ // Filter the data where temperature * "Tag 10" < 100000

+ filter: [

+ {

+ inputs: [

+ 'temperature.Value'

+ '"Tag 10".Value'

+ ]

+ expression: '$1 * $2 < 100000'

+ }

+ ]

+ map: [

+ // Passthrough all values by default

+ {

+ inputs: [

+ '*'

+ ]

+ output: '*'

+ }

+ // Convert temperature to Fahrenheit and output it to TemperatureF

+ {

+ inputs: [

+ 'temperature.Value'

+ ]

+ output: 'TemperatureF'

+ expression: 'cToF($1)'

+ }

+ // Extract the "Tag 10" value and output it to Humidity

+ {

+ inputs: [

+ '"Tag 10".Value'

+ ]

+ output: 'Humidity'

+ }

+ ]

+ }

+ }

+ {

+ operationType: 'Destination'

+ destinationSettings: {

+ // Use the default MQTT endpoint as the destination

+ endpointRef: defaultDataflowEndpoint.name

+ // Send the data to the MQTT topic factory

+ dataDestination: 'factory'

+ }

+ }

+ ]

+ }

+}

+```

+# [Kubernetes](#tab/kubernetes)

+ # Reference to the default dataflow profile

+ # Use the default MQTT endpoint as the source

+ # Filter the data from the MQTT topic azure-iot-operations/data/thermostat

+ - azure-iot-operations/data/thermostat

+ # Transformation optional

+ # Filter the data where temperature * "Tag 10" < 100000

+ expression: '$1 * $2 < 100000'

+ # Passthrough all values by default

+ # Convert temperature to Fahrenheit and output it to TemperatureF

+ # Extract the "Tag 10" value and output it to Humidity

+ output: 'Humidity'

+ # Use the default MQTT endpoint as the destination

+ # Send the data to the MQTT topic factory

+To see more examples of dataflow configurations, see [Azure REST API - Dataflow](/rest/api/iotoperations/dataflow/create-or-update#examples) and the [quickstart Bicep](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/quickstarts/quickstart.bicep).

+## Proper dataflow configuration

+To ensure the dataflow is working as expected, verify the following:

+- The default MQTT dataflow endpoint [must be used as either the source or destination](./howto-configure-dataflow-endpoint.md#dataflows-must-use-local-mqtt-broker-endpoint).

+- The [dataflow profile](./howto-configure-dataflow-profile.md) exists and is referenced in the dataflow configuration.

+- Source is either an MQTT endpoint, Kafka endpoint, or an asset. [Storage type endpoints can't be used as a source](./howto-configure-dataflow-endpoint.md).

+- When using Event Grid as the source, the [dataflow profile instance count](./howto-configure-dataflow-profile.md#scaling) is set to 1 because Event Grid MQTT broker doesn't support shared subscriptions.

+- When using Event Hubs as the source, each event hub in the namespace is a separate Kafka topic and must be specified as the data source.

+- Transformation, if used, is configured with proper syntax, including proper [escaping of special characters](./concept-dataflow-mapping.md#escaping).

+- When using storage type endpoints as destination, a [schema is specified](#serialize-data-according-to-a-schema).

+kubectl apply -f https://raw.githubusercontent.com/Azure-Samples/explore-iot-operations/main/samples/quickstarts/opc-plc-deployment.yaml

+wget https://raw.githubusercontent.com/Azure-Samples/explore-iot-operations/main/samples/quickstarts/quickstart.bicep -O quickstart.bicep

+Invoke-WebRequest -Uri https://raw.githubusercontent.com/Azure-Samples/explore-iot-operations/main/samples/quickstarts/quickstart.bicep -OutFile quickstart.bicep

+## Bring your own issuer

+For production deployments, we recommend that you set up Azure IoT Operations with an enterprise PKI to manage certificates and that you bring your own issuer which works with your enterprise PKI instead of using the default self-signed issuer to issue TLS certificates for internal communication.

+To set up Azure IoT Operations with your own issuer, use the following steps before deploying an instance to your cluster:

+1. Follow the steps in [Prepare your cluster](../deploy-iot-ops/howto-prepare-cluster.md) to set up your cluster.

+

+1. Install [cert-manager](https://cert-manager.io/docs/installation/).

+ Cert-manager manages TLS certificates.

+1. Install [trust-manager](https://cert-manager.io/docs/trust/trust-manager/installation/).

+ While installing trust manager, set the `trust namespace` to cert-manager. For example:

+ ```bash

+ helm upgrade trust-manager jetstack/trust-manager --install --namespace cert-manager --set app.trust.namespace=cert-manager --wait

+ ```

+

+ Trust-manager is used to distribute a trust bundle to components.

+

+1. Create the Azure IoT Operations namespace.

+

+ ```bash

+ kubectl create namespace azure-iot-operations

+ ```

+1. Deploy an issuer that works with cert-manager. For a list of all supported issuers, see [cert-manager issuers](https://cert-manager.io/docs/configuration/issuers/).

+ The issuer can be of type `ClusterIssuer` or `Issuer`. If using `Issuer`, the issuer resource must be created in the Azure IoT Operations namespace.

+1. Set up trust bundle in the Azure IoT Operations namespace.

+ 1. To set up trust bundle, create a ConfigMap in the Azure IoT Operations namespace. Place the public key portion of your CA certificate into the config map with a key name of your choice.

+ 1. Get the public key portion of your CA certificate. The steps to acquire the public key depend on the issuer you have chosen.

+ 1. Create the ConfigMap. For example:

+ ```bash

+ kubectl create configmap -n azure-iot-operations <YOUR_CONFIGMAP_NAME> --from-file=<CA_CERTIFICATE_FILENAME_PEM_OR_DER>

+ ```

+1. Follow steps in [Deploy Azure IoT Operations](../deploy-iot-ops/howto-deploy-iot-operations.md) to deploy, *with a few changes*.

+ 1. Add the `--user-trust` parameter while preparing cluster. For example:

+ ```bash

+ az iot ops init --subscription <SUBSCRIPTION_ID> --cluster <CLUSTER_NAME> -g <RESOURCE_GROUP> --user-trust

+ ```

+

+ 2. Add the `--trust-settings` parameter with the necessary information while deploying Azure IoT Operations. For example:

+ ```bash

+ az iot ops create --subscription <SUBSCRIPTION_ID> -g <RESOURCE_GROUP> --cluster <CLUSTER_NAME> --custom-location <CUSTOME_LOCATION> -n <iNSTANCE_NAME> --sr-resource-id <SCHEMAREGISTRY_RESOURCE_ID> --trust-settings configMapName=<CONFIGMAP_NAME> configMapKey=<CONFIGMAP_KEY_WITH_PUBLICKEY_VALUE> issuerKind=<CLUSTERISSUER_OR_ISSUER> issuerName=<ISSUER_NAME>

+ ```

+ Replace the version placeholder with the version number of the image that you want to check. For an existing instance of Azure IoT Operations, you can find the version number on the instance overview page in the Azure portal or by running [az iot ops show](/cli/azure/iot/ops#az-iot-ops-show). For a full list of available versions, see [azure-iot-operations releases](https://github.com/Azure/azure-iot-operations/releases).

+ notation verify --allow-referrers-api mcr.microsoft.com/azureiotoperations/aio-operator:<AZURE_IOT_OPERATIONS_VERSION>

+## Secret management

+If you see the following error message related to secret management, you need to update your Azure Key Vault contents:

+```output

+rpc error: code = Unknown desc = failed to mount objects, error: failed to get objectType:secret,

+objectName:nbc-eventhub-secret, objectVersion:: GET https://aio-kv-888f27b078.vault.azure.net/secrets/nbc-eventhub-secret/--

+RESPONSE 404: 404 Not FoundERROR CODE: SecretNotFound--{ "error": { "code": "SecretNotFound", "message": "A secret with (name/id) nbc-eventhub-secret was not found in this key vault.

+If you recently deleted this secret you may be able to recover it using the correct recovery command.

+For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182" }

+```

+This error occurs when Azure IoT Operations tries to synchronize a secret from Azure Key Vault that doesn't exist. To resolve this issue, you need to add the secret in Azure Key Vault before you create resources such as a secret provider class.

+## Connector for OPC UA

+An OPC UA server connection fails with a `BadSecurityModeRejected` error if the connector tries to connect to a server that only exposes endpoints with no security. There are two options to resolve this issue:

+- Overrule the restriction by explicitly setting the following values in the additional configuration for the asset endpoint profile:

+ | Property | Value |

+ |-|-|

+ | `securityMode` | `none` |

+ | `securityPolicy` | `http://opcfoundation.org/UA/SecurityPolicy#None` |

+- Add a secure endpoint to the OPC UA server and set up the certificate mutual trust to establish the connection.

+az network watcher test-connectivity --source-resource '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup1/providers/Microsoft.Compute/virtualMachines/VM1' --dest-resource '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup2/providers/Microsoft.Compute/virtualMachines/VM2' --protocol 'TCP' --dest-port '3389'

+ "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",

+ "id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2",

+ "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",

+ "id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "value": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM2-nsg/SecurityRules/Deny3389Inbound"

+ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2",

+ "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "value": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM1-nsg/SecurityRules/Deny3389Outbound"

+ "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",

+ "id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2",

+ "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",

+ "id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM2",

+ "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",

+ "id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "value": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/VM1-nsg/SecurityRules/DenyInternetOutbound"

+ "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",

+ "id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",

+ "id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/vm2375/ipConfigurations/ipconfig1",

+ "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",

+ "id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/vm2375/ipConfigurations/ipconfig1",

+ "id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "nextHopId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/VM1",

+ "id": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"

+ "nextHopId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGrou

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",

+ "ResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ContosoRG/providers/Microsoft.Network/networkInterfaces/appNic0/ipConfigurations/ipconfig1",

+ "NetworkSecurityGroupId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/NetworkAdmin/providers/Microsoft.Network/networkManagers/GlobalRules",

+ "NetworkSecurityGroupId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/mySubnet-nsg",

+ "NetworkSecurityGroupId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myVM-nsg",

+ "appliedTo": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet",

+ "networkSecurityGroupId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/NetworkAdmin/providers/Microsoft.Network/networkManagers/GlobalRules",

+ "appliedTo": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/mySubnet",

+ "networkSecurityGroupId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/mySubnet-nsg",

+ "appliedTo": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myvm36",

+ "networkSecurityGroupId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myVM-nsg",

+ "NetworkSecurityGroupId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/NetworkAdmin/providers/Microsoft.Network/networkManagers/GlobalRules",

+ "NetworkSecurityGroupId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/mySubnet-nsg",

+ "NetworkSecurityGroupId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myVM-nsg",

+ "appliedTo": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet",

+ "networkSecurityGroupId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/NetworkAdmin/providers/Microsoft.Network/networkManagers/GlobalRules",

+ "appliedTo": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/mySubnet",

+ "networkSecurityGroupId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/mySubnet-nsg",

+ "appliedTo": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myvm36",

+ "networkSecurityGroupId": "/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myVM-nsg",

+ "resourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MYNSG",

+ "flowLogResourceID": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS/FLOWLOGS/MYVNET-MYRESOURCEGROUP-FLOWLOG",

+ "targetResourceID": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet",

+ "Id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Network/networkSecurityGroups/testvm1-nsg/securityRules/default-allow-rdp"

+ "Id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Network/networkSecurityGroups/testvm1-nsg/securityRules/MyRuleDoNotDelete"

+ "Id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Network/networkSecurityGroups/testvm1-nsg/securityRules/My2ndRuleDoNotDelete"

+ "Id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Network/networkSecurityGroups/testvm1-nsg/securityRules/ThisRuleNeedsToStay"

+Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatcher

+Target : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Compute/virtualMachines/testvm1

+ "StorageId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Storage/storageA

+ "targetResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG",

+ "storageId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount",

+ "targetResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkSecurityGroups/myNSG",

+ "storageId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myStorageAccount",

+ "workspaceResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/defaultresourcegroup-eus/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e-EUS",

+$subscriptionId = "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+$subscriptionId = "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+$targetUri = "" # example /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName/providers/Microsoft.Network/networkSecurityGroups/{nsgName}"

+$storageId = "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/{resourceGroupName/providers/Microsoft.Storage/storageAccounts/{saName}"

+ "targetResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}",

+ "storageId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{saName}",

+$subscriptionId = "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+$targetUri = "" # example /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName/providers/Microsoft.Network/networkSecurityGroups/{nsgName}"

+$storageId = "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/{resourceGroupName/providers/Microsoft.Storage/storageAccounts/{saName}"

+ "targetResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}",

+ "storageId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{saName}",

+$subscriptionId = "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+$targetUri = "" # example /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName/providers/Microsoft.Network/networkSecurityGroups/{nsgName}"

+ "targetResourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}",

+ "storageId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{saName}",

+ "resourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MYVM-NSG",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}/extensions/NetworkWatcherAgentWindows",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/packetCaptureName",

+ "storageId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/gwteststorage123abc",

+ "storagePath": "https://gwteststorage123abc.blob.core.windows.net/network-watcher-logs/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/{resourceGroupName}/providers/microsoft.compute/virtualmachines/{vmName}/2017/05/25/packetcapture_16_22_34_630.cap"

+ "target": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westcentralus/packetCaptures/packetCaptureName",

+Succeeded myVM_1 /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM 0 1073741824 18000

+Get-AzStorageBlobContent -Container 'network-watcher-logs' -Blob 'subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myresourcegroup/providers/microsoft.compute/virtualmachines/myvm/2024/01/25/packetcapture_22_44_54_342.cap' -Destination 'C:\Capture\myVM_1.cap'

+Remediation task fails with `PolicyAuthorizationFailed` error code: sample error example *The policy assignment `/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/DummyRG/providers/Microsoft.Authorization/policyAssignments/b67334e8770a4afc92e7a929/` resource identity doesn't have the necessary permissions to create deployment.*

+For Stock Keeping Unit (SKU) information please see [Operator Nexus Network Cloud SKUs](./reference-operator-nexus-skus.md).

+For more help:

+```console

+az networkcloud cluster update --secret-archive ?? --help

+```

+| AGGR_RACK_SKU | Rack SKU for Aggregator Rack *See [Operator Nexus Network Cloud SKUs](./reference-operator-nexus-skus.md) |

+| COMPX_RACK_SKU | Rack SKU for CompX Rack; repeat for each rack in compute-rack-definitions *See [Operator Nexus Network Cloud SKUs](./reference-operator-nexus-skus.md) |

+## Monitor Nexus Kubernetes cluster

+This how-to guide provides steps to enable monitoring agents for the collection of System logs from these VMs using [Azure Monitoring Agent](/azure/azure-monitor/agents/agents-overview).

+### Prerequisites

+### Monitor Nexus Kubernetes cluster

+#### Prerequisites

+Log data flows into the workspace whose Resource ID you provided during the installation of the Container Insights extension.

+Container Insights provides end-users functionality to fine-tune the collection of logs and metrics from Nexus Kubernetes Clusters. See the instructions for [Configure Container insights agent data collection](/azure/azure-monitor/containers/container-insights-data-collection-configure) for more information.

+> [!NOTE]

+> Container Insights does not collect logs from the `kube-system` namespace by default. To collect logs from the `kube-system` namespace, you must configure the agent to collect logs from the `kube-system` namespace.

+> This can be done by removing the `kube-system` namespace from the `excludedNamespaces` field in the ConfigMap following the [`configMap` configuraiton](/azure/azure-monitor/containers/container-insights-data-collection-configure?tabs=portal#configure-data-collection-using-configmap) approach.

+> ```

+> [log_collection_settings]

+> [log_collection_settings.stdout]

+> # In the absense of this configmap, default value for enabled is true

+> enabled = true

+> # exclude_namespaces setting holds good only if enabled is set to true

+> # kube-system,gatekeeper-system log collection are disabled by default in the absence of 'log_collection_settings.stdout' setting. If you want to enable kube-system,gatekeeper-system, remove them from the following setting.

+> # If you want to continue to disable kube-system,gatekeeper-system log collection keep the namespaces in the following setting and add any other namespace you want to disable log collection to the array.

+> # In the absense of this configmap, default value for exclude_namespaces = ["kube-system","gatekeeper-system"]

+> exclude_namespaces = ["gatekeeper-system"]

+> # If you want to collect logs from only selective pods inside system namespaces add them to the following setting. Provide namepace:controllerName of the system pod. NOTE: this setting is only for pods in system namespaces

+> # Valid values for system namespaces are: kube-system, azure-arc, gatekeeper-system, kube-public, kube-node-lease, calico-system. The system namespace used should not be present in exclude_namespaces

+> # collect_system_pod_logs = ["kube-system:coredns"]

+>

+> [log_collection_settings.stderr]

+> # Default value for enabled is true

+> enabled = true

+> # exclude_namespaces setting holds good only if enabled is set to true

+> # kube-system,gatekeeper-system log collection are disabled by default in the absence of 'log_collection_settings.stderr' setting. If you want to enable kube-system,gatekeeper-system, remove them from the following setting.

+> # If you want to continue to disable kube-system,gatekeeper-system log collection keep the namespaces in the following setting and add any other namespace you want to disable log collection to the array.

+> # In the absense of this configmap, default value for exclude_namespaces = ["kube-system","gatekeeper-system"]

+> exclude_namespaces = ["gatekeeper-system"]

+> # If you want to collect logs from only selective pods inside system namespaces add them to the following setting. Provide namepace:controllerName of the system pod. NOTE: this setting is only for pods in system namespaces

+> # Valid values for system namespaces are: kube-system, azure-arc, gatekeeper-system, kube-public, kube-node-lease, calico-system. The system namespace used should not be present in exclude_namespaces

+> # collect_system_pod_logs = ["kube-system:coredns"]

+>```

+### Pure FlashArray

+| SKU | Total raw storage capacity | Usable raw storage capacity |

+| -- | -- | |

+| Pure FlashArray X70R4-45TB | 45 TB | 25.74 TB |

+| Pure FlashArray X70R4-91TB | 91 TB | 54.75 TB |

+| Pure FlashArray X70R4-183TB | 183 TB | 114.66 TB |

+| Pure FlashArray X70R4-366TB | 366 TB | 272.36 TB |

+| Pure FlashArray X70R4-622TB | 622 TB | 457.23 TB |

+### Raw vs effective storage capacity

+The Pure FlashArray contains a variety of data reduction features. The effective capacity of the storage appliance, which gives the amount of data that can be stored from the workload's perspective, is typically larger than the raw capacity. The effective capacity depends strongly on the data being stored. For example, pre-compressed or application-encrypted data achieves lower data reduction ratios on the storage appliance than data with high levels of duplication. Pure storage can model likely achievable data reduction ratios and effective capacity for a wide variety of workloads to help you choose a SKU with a suitable amount of storage capacity.

+| Raw storage capacity | Determined by SKU - see [Available SKUs](#available-skus) |

+| Usable capacity | Determined by SKU - see [Available SKUs](#available-skus) |

+| Number of maximum I/O operations supported per second <br>(with 80/20 read/write ratio) | 250 K+ (4K) <br>150 K+ (16K) |

+| Number of I/O operations supported per volume per second | 50 K+ |

+ Title: Azure Operator Nexus SKUs

+description: SKU options for Azure Operator Nexus

+# Azure Operator Nexus SKUs

+Operator Nexus SKUs for Azure Operator Nexus are meticulously designed to streamline the procurement and deployment processes, offering standardized bill of materials (BOM), topologies, wiring, and workflows. Microsoft crafts and pre-validates each SKU in collaboration with OEM vendors, ensuring seamless integration and optimal performance for operators.

+Operator Nexus offer a comprehensive range of options, allowing operators to tailor their deployments according to their specific requirements. With pre-validated configurations and standardized BOMs, the procurement and deployment processes are streamlined, ensuring efficiency and performance across the board.

+## Fabric SKUs

+The following table outlines the various configurations of Operator Nexus Fabric SKUs, catering to different use-cases and functionalities required by operators.

+| S.No | Use-Case | Network Fabric SKU ID | Description | BOM Components |

+||--|--|||

+| 1 | Multi Rack Near-Edge | M4-A400-A100-C16-ab | - Support 400-Gbps link between Nexus fabric CEs and Provider Edge PEs.<br> - Support up to four compute rack deployment and aggregator rack.<br> - Each compute rack can have racks of up to 16 compute servers.<br> - One Network Packet Broker. | - Pair of Customer Edge Devices required for SKU.<br> - Pair of Top the rack switches per rack deployed.<br> - One Management switch per compute rack deployed.<br> - Network packet broker device.<br> - Terminal Server.<br> - Cable and optics. |

+| 2 | Multi Rack Near-Edge | M8-A400-A100-C16-ab | - Support 400-Gbps link between Nexus fabric CEs and Provider Edge PEs.<br> - Supports up to eight compute rack deployment and aggregator rack.<br> - Each compute rack can have racks of up to 16 compute servers.<br> - For deployments with 1 to 4 compute racks, one Network Packet Broker is required. <br> - For deployments with 5 to 8 compute racks, two Network Packet Brokers are needed. | - Pair of Customer Edge Devices required for SKU.<br> - Pair of Top the rack switches per rack deployed. <br> - One Management switch per compute rack deployed.<br> - Network packet broker device(s).<br> - Terminal Server.<br> - Cable and optics. |

+| 3 | Multi Rack Near-Edge | M8-A100-A25-C16-aa | - Support 100-Gbps link between Nexus fabric CEs and Provider Edge PEs.<br>Supports up to eight compute rack deployment and aggregator rack.<br> - Each compute rack can have racks of up to 16 compute servers.<br> - For deployments with 1 to 4 compute racks, one Network Packet Broker is required. <br> - For deployments with 5 to 8 compute racks, two Network Packet Brokers are needed. | - Pair of Customer Edge Devices required for SKU.<br> - Pair of Top the rack switches per rack deployed.<br> - One Management switch per compute rack deployed.<br> - Network packet broker device(s).<br> - Terminal Server.<br> - Cable and optics |

+| 4 | Single Rack Near-Edge | S-A100-A25-C12-aa | - Supports 100-Gbps link between Nexus fabric CEs and PEs<br>Single rack with shared aggregator and compute rack<br> - Each compute rack can have racks of up to 12 compute servers<br>One Network Packet Broker. | - Pair of Customer Edge Devices required for SKU.<br> - Pair of Management switches.<br> - Network packet broker device.<br> - Terminal Server.<br> - Cable and optics |

+## Compute SKUs

+The following table outlines the various configurations of Operator Nexus Network Cloud SKUs, catering to different use-cases and functionalities required by operators.

+| Version | Use-Case | Network Cloud SKU ID | Description |

+|||--|-|

+| 1.7.3 | Multi Rack Near-Edge Aggregator | VNearEdge1_Aggregator_x70r3_9 | Aggregation Rack with Pure x70r3 |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge1_Compute_DellR750_4C2M | 400G Fabric support up to eight Compute Racks where each rack can support four compute servers. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge1_Compute_DellR750_8C2M | 400G Fabric support up to eight Compute Racks where each rack can support eight compute servers. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge1_Compute_DellR750_12C2M | 400G Fabric support up to eight Compute Racks where each rack can support 12 compute servers. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge1_Compute_DellR750_16C2M | 400G Fabric support up to eight Compute Racks where each rack can support 16 compute servers. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge2_Compute_DellR650_4C2M | 100G Fabric support up to eight Compute Racks where each rack can support four compute servers. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge2_Compute_DellR650_8C2M | 100G Fabric support up to eight Compute Racks where each rack can support eight compute servers. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge2_Compute_DellR650_12C2M | 100G Fabric support up to eight Compute Racks where each rack can support 12 compute servers. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge2_Compute_DellR650_16C2M | 100G Fabric support up to eight Compute Racks where each rack can support 16 compute servers. |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge3_Compute_DellR750_7C3M | 400G Fabric support up to eight Compute Racks where each rack can support seven Dell750 computes, one Dell750 high-iops controller, and two Dell650 controllers |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEVNearEdge3_Compute_DellR750_11C3M | 400G Fabric support up to eight Compute Racks where each rack can support 11 Dell750 computes, one Dell750 high-iops controller, and two Dell650 controllers |

+| 1.7.3 | Multi Rack Near-Edge Compute | VNearEdge3_Compute_DellR750_15C3M | 400G Fabric support up to eight Compute Racks where each rack can support 15 Dell750 computes, one Dell750 high-iops controller, and two Dell650 controllers |

+| 2.0.0 | Multi Rack Near-Edge Aggregator | VNearEdge4_Aggregator_x70r4 | Aggregation Rack with Pure x70r4. |

+| 2.0.0 | Multi Rack Near-Edge Aggregator | VNearEdge4_Aggregator_x70r3 | Aggregation Rack with Pure x70r3. |

+| 2.0.0 | Multi Rack Near-Edge Aggregator | VNearEdge4_Aggregator_x20r4 | Aggregation Rack with Pure x70r4. |

+| 2.0.0 | Multi Rack Near-Edge Aggregator | VNearEdge4_Aggregator_x20r3 | Aggregation Rack with Pure x70r3. |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEdge4_Compute_DellR760_4C2M | 400G Fabric support up to eight Compute Racks where each rack can support four compute servers. |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEdge4_Compute_DellR760_8C2M | 400G Fabric support up to eight Compute Racks where each rack can support eight compute servers. |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEdge4_Compute_DellR760_12C2M | 400G Fabric support up to eight Compute Racks where each rack can support 12 compute servers. |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEdge4_Compute_DellR760_16C2M | 400G Fabric support up to eight Compute Racks where each rack can support 16 compute servers. |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEdge4_Compute_DellR760_7C3M | 400G Fabric support up to eight Compute Racks where each rack can support seven Dell750 computes, 1 Dell750 high-iops controller, and 2 Dell650 controllers |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEVNearEdge4_Compute_DellR760_11C3M | 400G Fabric support up to eight Compute Racks where each rack can support 11 Dell750 computes, one Dell750 high-iops controller, and two Dell650 controllers |

+| 2.0.0 | Multi Rack Near-Edge Compute | VNearEdge4_Compute_DellR760_15C3M | 400G Fabric support up to eight Compute Racks where each rack can support 15 Dell750 computes, one Dell750 high-iops controller, and two Dell650 controllers |

+**Notes:**

+- Bill of materials (BOM) adheres to nexus network fabric specifications.

+- All subscribed customers have the privilege to request BOM details.

+Azure Operator Service Manager (AOSM) cluster registry (CR) enables a local copy of container images in the Nexus K8s cluster. When the containerized network function (CNF) is installed with cluster registry enabled, the container images are pulled from the remote AOSM artifact store and saved to this local cluster registry. Using a mutating webhook, cluster registry automatically intercepts image requests and substitutes the local registry path, to avoid publisher packaging changes. With cluster register, CNF access to container images survives loss of connectivity to the remote artifact store.

+### Key use cases and benefits

+Benefits of using AOSM cluster registry:

+* Provides the necessary local images to prevent CNF disruption where connectivity to AOSM artifact store is lost.

+* Decreases the number of image pulls on AOSM artifact store, since each cluster node now pulls images only from the local registry.

+* Overcomes issues with malformed registry URLs, by using a mutating webhook to substitute the proper local registry URL path.

+AOSM cluster registry is enabled using the Network Function Operator (NFO) Arc K8s extension. The following CLI shows how cluster registry is enabled on a Nexus K8s cluster.

+### Cluster registry components

+The cluster registry feature deploys helper pods on the target edge cluster to assist the NFO extension.

+#### Component reconciler

+* This main pod takes care of reconciling component Custom Resource Objects (CROs) created by K8sBridge with the help of the Microsoft.Kubernetes resource provider (RP), Hybrid Relay, and Arc agent running on the cluster.

+#### Pod mutating webhook

+* These pods implement Kubernetes mutating admission webhooks, serving an instance of the mutate API. The mutate API does two things:

+ * It modifies the image registry path to the local registry IP, substituting out the AOSM artifact store Azure container registry (ACR).

+ * It creates an Artifact CR on the edge cluster.

+#### Artifact reconciler

+* This pod reconciles artifact CROs created by the mutating webhook.

+#### Registry

+* This pod stores and retrieves container images for CNF.

+* A policy disruption budget (PDB) protects pods from voluntary disruption and is deployed alongside Deployment, ReplicaSet, or StatefulSet objects. For AOSM operator pods, a PDB with minAvailable parameter of 2 is used.

+ * A minimum replica of three.

+ * A maximum replica of five.

+* The nexus-shared storage class is a network file system (NFS) storage service. This NFS storage service is available per Cloud Service Network (CSN). Any Nexus Kubernetes cluster attached to the CSN can provision persistent volume from this shared storage pool. The storage pool is currently limited to a maximum size of 1 TiB as of Network Cloud (NC) 3.10 where-as NC 3.12 has a 16-TiB option.

+ Title: Azure service reliability guides

+description: Reliability guides for Microsoft Azure products and services. View Azure service specific reliability guides.

+# Azure service reliability guides

+Below is a list of Azure service reliability guides, organized by service category.

+>[!NOTE]

+>Some service documents are in the process of, or are not yet updated into a single reliability guide format. These may contain more than one document that references reliability guidance.

+## AI and machine learning

+| Product| Guidance |

+|-||

+|Azure AI Health Insights| [Reliability in Azure AI Health Insights](reliability-health-insights.md)|

+|Azure AI Search| [Reliability in Azure AI Search](/azure/search/search-reliability?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Bot Service | [Reliability in Azure Bot Service ](reliability-bot.md)|

+|Azure Machine Learning Service| [Failover for business continuity and disaster recovery](/azure/machine-learning/how-to-high-availability-machine-learning?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+

+## Analytics

+| Product| Guidance |

+|-||

+|Azure HDInsight| [Reliability in Azure HDInsight](reliability-hdinsight.md)|

+|Azure HDInsight on AKS| [Reliability in Azure HDInsight on AKS](reliability-hdinsight-on-aks.md)|

+|Azure Machine Learning Service| [Failover for business continuity and disaster recovery](/azure/machine-learning/how-to-high-availability-machine-learning?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Stream Analytics| [Achieve geo-redundancy for Azure Stream Analytics jobs](../stream-analytics/geo-redundancy.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Event Hubs| [Reliability in Azure Event Hubs](reliability-event-hubs.md)|

+|Azure Data Explorer| [Business continuity and disaster recovery overview](/azure/data-explorer/business-continuity-overview?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Data Share| [Disaster recovery for Azure Data Share](../data-share/disaster-recovery.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Chaos Studio| [Reliability in Azure Chaos Studio](reliability-chaos-studio.md)|

+|Microsoft Fabric| [Reliability in Microsoft Fabric](reliability-fabric.md)|

+|Microsoft Purview| [Reliability in Microsoft Purview](reliability-microsoft-purview.md)|

+## Compute

+| Product| Guidance |

+|-||

+|Azure App Service| [Reliability in Azure App Service](reliability-app-service.md)|

+|Azure Batch| [Reliability in Azure Batch](reliability-batch.md)|

+|Azure Container Apps| [Reliability in Azure Container Apps](reliability-azure-container-apps.md)|

+|Azure Container Instances| [Reliability in Azure Container Instances](reliability-containers.md)|

+|Azure Functions| [Reliability in Azure Functions ](reliability-functions.md)|

+|Azure Kubernetes Service (AKS)| [Create an Azure Kubernetes Service (AKS) cluster that uses availability zones](/azure/aks/availability-zones?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p> [High availability and disaster recovery overview for Azure Kubernetes Service (AKS)](/azure/aks/ha-dr-overview?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Service Fabric| [Deploy an Azure Service Fabric cluster across Availability Zones](/azure/service-fabric/service-fabric-cross-availability-zones?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p> [Disaster recovery in Azure Service Fabric](/azure/service-fabric/service-fabric-disaster-recovery?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+|Azure Spring Apps| [Reliability in Azure Spring Apps](reliability-spring-apps.md)|

+|Azure Virtual Machines| [Reliability in Azure Virtual Machines](reliability-virtual-machines.md)|

+|Azure Virtual Machine Image Builder| [Reliability in Azure Virtual Machine Image Builder](reliability-image-builder.md)|

+|Azure Virtual Machine Scale Sets| [Reliability in Azure Virtual Machine Scale Sets](reliability-virtual-machine-scale-sets.md)|

+|Azure VMware Solution| [Deploy disaster recovery using VMware HCX](../azure-vmware/deploy-disaster-recovery-using-vmware-hcx.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+

+## Containers

+| Product| Guidance |

+|-||

+|Azure App Configuration|[How does App Configuration ensure high data availability?](../azure-app-configuration/faq.yml?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#how-does-app-configuration-ensure-high-data-availability) </p> [Resiliency and disaster recovery](../azure-app-configuration/concept-disaster-recovery.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json&tabs=core2x)|

+|Azure Container Apps| [Reliability in Azure Container Apps](reliability-azure-container-apps.md)|

+|Azure Container Instances| [Reliability in Azure Container Instances](reliability-containers.md)|

+|Azure Container Registry|[Enable zone redundancy in Azure Container Registry for resiliency and high availability](/azure/container-registry/zone-redundancy?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p> [Geo-replication in Azure Container Registry](/azure/container-registry/container-registry-geo-replication) |

+|Azure Kubernetes Service (AKS)| [Create an Azure Kubernetes Service (AKS) cluster that uses availability zones](/azure/aks/availability-zones?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p> [High availability and disaster recovery overview for Azure Kubernetes Service (AKS)](/azure/aks/ha-dr-overview?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Service Fabric| [Deploy an Azure Service Fabric cluster across Availability Zones](/azure/service-fabric/service-fabric-cross-availability-zones?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p> [Disaster recovery in Azure Service Fabric](/azure/service-fabric/service-fabric-disaster-recovery?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+## Databases

+

+| Product| Guidance |

+|-||

+|Azure SQL|[Azure SQL - High availability](/azure/azure-sql/database/high-availability-sla?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p> [Disaster recovery guidance - Azure SQL Database](/azure/azure-sql/database/disaster-recovery-guidance) |

+|Azure SQL-Managed Instance| [Failover groups overview & best practices - Azure SQL Managed Instance](/azure/azure-sql/managed-instance/failover-group-sql-mi?view=azuresql&preserve-view=true) |

+|Azure Database for MySQL| [Overview of business continuity with Azure Database for MySQL - Single Server](/azure/mysql/single-server/concepts-business-continuity?#recover-from-an-azure-regional-data-center-outage) |

+|Azure Database for MySQL - Flexible Server|[Azure Database for MySQL Flexible Server High availability](/azure/mysql/flexible-server/concepts-high-availability?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p>[Azure Database for MySQL Flexible Server - Restore to latest restore point](/azure/mysql/flexible-server/how-to-restore-server-portal?#geo-restore-to-latest-restore-point) |

+|Azure Database for PostgreSQL - Flexible Server| [Reliability in Azure Database for PostgreSQL - Flexible Server](reliability-postgresql-flexible-server.md)|

+|Azure Cosmos DB for NoSQL| [Reliability in Azure Cosmos DB for NoSQL](reliability-cosmos-db-nosql.md) |

+|Azure Cosmos DB for MongoDB vCore| [Reliability in Azure Cosmos DB for MongoDB vCore](reliability-cosmos-mongodb.md)|

+|Azure Cache for Redis|[Enable zone redundancy for Azure Cache for Redis](../azure-cache-for-redis/cache-how-to-zone-redundancy.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p> [Configure passive geo-replication for Premium Azure Cache for Redis instances](../azure-cache-for-redis/cache-how-to-geo-replication.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+## Developer tools

+| Product| Guidance |

+|-||

+|Azure API Center| [Reliability in Azure API Center](reliability-api-center.md) |

+## DevOps

+| Product| Guidance |

+|-||

+|Azure Deployment Environments| [Reliability in Azure Deployment Environments](reliability-deployment-environments.md)|

+|Azure DevOps| [Data availability](/azure/devops/organizations/security/data-protection?view=azure-devops&branch=main&preserve-view=true#data-availability?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Monitor-Log Analytics |[Enhance data and service resilience in Azure Monitor Logs with availability zones](/azure/azure-monitor/logs/availability-zones) </p> [Log Analytics workspace replication](/azure/azure-monitor/logs/workspace-replication) |

+## Hybrid + multicloud

+| Product| Guidance |

+|-||

+|Azure Operator Nexus| [Reliability in Azure Operator Nexus](reliability-operator-nexus.md)|

+## Industry solutions

+| Product| Guidance |

+|-||

+|Microsoft Community Training| [Reliability in Microsoft Community Training](reliability-community-training.md) |

+## Integration

+| Product| Guidance |

+|-||

+|Azure API for FHIR®|[Disaster recovery for Azure API for FHIR](../healthcare-apis/azure-api-for-fhir/disaster-recovery.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+|Azure API Management|[Ensure API Management availability and reliability](../api-management/high-availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p>[How to implement disaster recovery using service backup and restore](../api-management/api-management-howto-disaster-recovery-backup-restore.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+|Azure Data Manager for Energy| [Reliability in Azure Data Manager for Energy](reliability-energy-data-services.md)|

+| Azure Data Factory| [Azure Data Factory data redundancy](../data-factory/concepts-data-redundancy.md?bc=%2fazure%2freliability%2fbreadcrumb%2ftoc.json&toc=%2fazure%2freliability%2ftoc.json) |

+|Azure Event Grid| [Reliability in Azure Event Grid](./reliability-event-grid.md)|

+|Azure Functions| [Reliability in Azure Functions ](reliability-functions.md)|

+|Azure Health Data

+| Azure Health Data

+|Azure Logic Apps|[Protect logic apps from region failures with zone redundancy and availability zones](../logic-apps/set-up-zone-redundancy-availability-zones.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)</p> [Business continuity and disaster recovery for Azure Logic Apps](../logic-apps/business-continuity-disaster-recovery-guidance.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+|Azure Service Bus| [Best practices for insulating applications against Service Bus outages and disasters](../service-bus-messaging/service-bus-outages-disasters.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+## Internet of Things

+| Product| Guidance |

+|-||

+|Azure Device Registry |[Reliability in Azure Device Registry](reliability-device-registry.md)|

+|Azure IoT Hub| [IoT Hub high availability and disaster recovery](../iot-hub/iot-hub-ha-dr.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#disable-disaster-recovery) |

+|Azure Notification Hubs| [Reliability in Azure Notification Hubs](reliability-notification-hubs.md)|

+## Media

+| Product| Guidance |

+|-||

+Azure Media Services| [High Availability with Media Services and Video on Demand (VOD)](/azure/media-services/latest/architecture-high-availability-encoding-concept?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+## Management and governance

+| Product| Guidance |

+|-||

+|Azure Backup| [Reliability in Azure Backup](reliability-backup.md)|

+|Azure Guest Configuration|[Azure Guest Configuration Availability](../governance/machine-configuration/overview.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#availability) |

+|Azure Monitor-Log Analytics |[Enhance data and service resilience in Azure Monitor Logs with availability zones](/azure/azure-monitor/logs/availability-zones) </p> [Log Analytics workspace replication](/azure/azure-monitor/logs/workspace-replication) |

+|Azure Site Recovery| [Set up disaster recovery for Azure VMs](../site-recovery/azure-to-azure-tutorial-enable-replication.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+## Migration

+| Product| Guidance |

+|-||

+|Azure Migrate | [Does Azure Migrate offer Backup and Disaster Recovery?](../migrate/resources-faq.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#does-azure-migrate-offer-backup-and-disaster-recovery)|

+|Azure Site Recovery|[Set up disaster recovery for Azure VMs](../site-recovery/azure-to-azure-tutorial-enable-replication.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+## Networking

+| Product| Guidance |

+|-||

+|Azure Application Gateway (V2)|[Autoscaling and High Availability](../application-gateway/application-gateway-autoscaling-zone-redundant.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Application Gateway for Containers| [Reliability in Azure Application Gateway for Containers](reliability-app-gateway-containers.md ) |

+|Azure Bastion| [Reliability in Azure Bastion](reliability-bastion.md)|

+|Azure Communications Gateway| [Reliability in Azure Communications Gateway](../communications-gateway/reliability-communications-gateway.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure DNS| [Reliability in Azure DNS ](reliability-dns.md)|

+|Azure DDoS Protection| [Reliability in Azure DDoS Protection](reliability-ddos.md)|

+|Azure ExpressRoute| [Designing for high availability with ExpressRoute](../expressroute/designing-for-high-availability-with-expressroute.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p>[Designing for disaster recovery with ExpressRoute private peering](../expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Firewall| [Deploy an Azure Firewall with Availability Zones using Azure PowerShell](../firewall/deploy-availability-zone-powershell.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Load Balancer| [Reliability in Azure Load Balancer](reliability-load-balancer.md )|

+|Azure Network Watcher| [Azure Network Watcher service availability and redundancy](../network-watcher/frequently-asked-questions.yml?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#service-availability-and-redundancy)|

+|Azure Private Link| [Azure Private Link availability](../private-link/availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+|Azure Public IP| [Azure Public IP Availability Zone](../virtual-network/ip-services/public-ip-addresses.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#availability-zone) |

+|Azure Route Server| [Azure Route Server frequently asked questions (FAQ)](../route-server/route-server-faq.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Traffic Manager| [Reliability in Azure Traffic Manager](reliability-traffic-manager.md)|

+|Azure Virtual Network| [Virtual networks and availability zones](../virtual-network/virtual-networks-overview.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#virtual-networks-and-availability-zones)</p> [Virtual Network ΓÇô Business Continuity](../virtual-network/virtual-network-disaster-recovery-guidance.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#business-continuity) |

+|Azure Virtual WAN|[How are Availability Zones and resiliency handled in Virtual WAN?](../virtual-wan/virtual-wan-faq.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#how-are-availability-zones-and-resiliency-handled-in-virtual-wan)</p> [Disaster recovery design](/azure/virtual-wan/disaster-recovery-design) |

+|Azure VPN Gateway| [About zone-redundant virtual network gateway in Azure availability zones](../vpn-gateway/about-zone-redundant-vnet-gateways.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)</p>[Highly Available cross-premises and VNet-to-VNet connectivity](../vpn-gateway/vpn-gateway-highlyavailable.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+|Azure Private 5G Core|[Reliability in Azure Private 5G Core](../private-5g-core/reliability-private-5g-core.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Web Application Firewall | [Deploy an Azure Firewall with Availability Zones using Azure PowerShell](../firewall/deploy-availability-zone-powershell.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p> [How do I achieve a disaster recovery scenario across datacenters by using Application Gateway?](../application-gateway/application-gateway-faq.yml?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#how-do-i-achieve-a-disaster-recovery-scenario-across-datacenters-by-using-application-gateway)|

+## Security

+| Product| Guidance |

+|-||

+|Azure Disk Encryption| [Redundancy options for managed disks](/azure/virtual-machines/disks-redundancy?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+|Azure Firewall| [Deploy an Azure Firewall with Availability Zones using Azure PowerShell](../firewall/deploy-availability-zone-powershell.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Key Vault| [Azure Key Vault availability and redundancy](/azure/key-vault/general/disaster-recovery-guidance?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+|Azure Web Application Firewall | [Deploy an Azure Firewall with Availability Zones using Azure PowerShell](../firewall/deploy-availability-zone-powershell.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p> [How do I achieve a disaster recovery scenario across datacenters by using Application Gateway?](../application-gateway/application-gateway-faq.yml?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#how-do-i-achieve-a-disaster-recovery-scenario-across-datacenters-by-using-application-gateway)|

+## Storage

+| Product| Guidance |

+|-||

+|Azure Backup| [Reliability in Azure Backup](reliability-backup.md)|

+|Azure Blob Storage|[Choose the right redundancy option](/azure/storage/common/storage-disaster-recovery-guidance?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#choose-the-right-redundancy-option)</p>[Azure storage disaster recovery planning and failover](/azure/storage/common/storage-disaster-recovery-guidance?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Databox| [How can I recover my data if an entire region fails?](../databox/data-box-disk-faq.yml?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json#how-can-i-recover-my-data-if-an-entire-region-fails-)|

+|Azure Elastic SAN| [Reliability in Azure Elastic SAN](reliability-elastic-san.md)|

+|Azure NetApp Files| [Manage disaster recovery using Azure NetApp Files](../azure-netapp-files/cross-region-replication-manage-disaster-recovery.md?toc=/azure.reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Storage Actions|[Reliability in Azure Storage Actions](reliability-storage-actions.md)|

+|Azure Storage-Disk Storage| [Best practices for achieving high availability with Azure virtual machines and managed disks](/azure/virtual-machines/disks-high-availability?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure Storage Mover| [Reliability in Azure Storage Mover](reliability-azure-storage-mover.md)|

+## Web

+| Product| Guidance |

+|-||

+|Azure AI Search| [Reliability in Azure AI Search](/azure/search/search-reliability?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+|Azure API Management|[Ensure API Management availability and reliability](../api-management/high-availability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) </p> [How to implement disaster recovery using service backup and restore](../api-management/api-management-howto-disaster-recovery-backup-restore.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json) |

+|Azure App Service| [Reliability in Azure App Service](reliability-app-service.md)|

+|Azure Container Apps| [Reliability in Azure Container Apps](reliability-azure-container-apps.md)|

+|Azure Notification Hubs| [Reliability in Azure Notification Hubs](reliability-notification-hubs.md)|

+|Azure SignalR Service| [Resiliency and disaster recovery in Azure SignalR Service](../azure-signalr/signalr-concept-disaster-recovery.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

+## Related content

+- [Azure services and regions with availability zones](availability-zones-service-support.md)

+- [Build solutions for high availability using availability zones](/azure/architecture/high-availability/building-solutions-for-high-availability)

+This article describes reliability support in Azure Bastion. It covers intra-regional resiliency via [availability zones](#availability-zone-support). It also covers [multi-region deployments](#multi-region-support).

+Because resiliency is a shared responsibility between you and Microsoft, this article also covers ways for you to create a resilient solution that meets your needs.

+> Zone redundancy features for Azure Bastion resources are currently in preview.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability.

+Azure Bastion is a fully managed platform as a service (PaaS) that you provision to provide high-security connections to virtual machines via a private IP address. It provides seamless RDP/SSH connectivity to your virtual machines directly over TLS from the Azure portal, or via the native SSH or RDP client that's already installed on your local computer. When you connect via Azure Bastion, your virtual machines don't need a public IP address, an agent, or special client software.

+For production deployments, you should [enable zone redundancy](#availability-zone-support) if your Azure Bastion resources are in a supported region.

+*Transient faults* are short intermittent failures in components. They occur frequently in a distributed environment like the cloud, and they're a normal part of operations. They correct themselves after a short period of time. It's important that your applications handle transient faults, usually by retrying affected requests.

+If transient faults affect your virtual machine or Azure Bastion host, clients using the secure sockets host (SSH) and Remote Desktop Protocol (RDP) protocols typically retry automatically.

+You can configure Azure Bastion to be *zone redundant* so that your resources are spread across multiple [availability zones](../reliability/availability-zones-overview.md). When you spread resources across availability zones, you can achieve resiliency and reliability for your production workloads.

+You can specify which availability zone or zones an Azure Bastion resource should be deployed to. Azure Bastion spreads your instances across those zones. The following diagram shows Azure Bastion instances spread across three zones:

+> If you specify more availability zones than you have instances, Azure Bastion spreads instances across as many zones as it can. If an availability zone is unavailable, the instance in the faulty zone is replaced with another instance in a healthy zone.

+To configure Azure Bastion resources with zone redundancy, you must deploy with the Basic, Standard, or Premium SKUs.

+Bastion requires a Standard SKU zone-redundant Public IP.

+**New resources:** When you deploy a new Azure Bastion resource in a [region that supports availability zones](#regions-supported), you select the specific zones that you want to deploy to. For zone redundancy, you must select multiple zones.

+ > You can't change the availability zone setting after you deploy your Azure Bastion resource.

+When you select which availability zones to use, you're actually selecting the *logical availability zone*. If you deploy other workload components in a different Azure subscription, they might use a different logical availability zone number to access the same physical availability zone. For more information, see [Physical and logical availability zones](./availability-zones-overview.md#physical-and-logical-availability-zones).

+**Migration:** It's not possible to add availability zone support to an existing resource that doesn't have it. Instead, you need to create an Azure Bastion resource in the new region and delete the old one.

+A session might be sent to an Azure Bastion instance in an availability zone that's different from the virtual machine you're connecting to. In the following diagram, a request from the user is sent to an Azure Bastion instance in zone 2, although the virtual machine is in zone 1:

+In most scenarios, the small amount of cross-zone latency isn't significant. However, if you have unusually stringent latency requirements for your Azure Bastion workloads, you should deploy a dedicated single-zone Azure Bastion instance in the virtual machine's availability zone. This configuration doesn't provide zone redundancy, and we don't recommend it for most customers.

+**Detection and response:** Azure Bastion detects and responds to failures in an availability zone. You don't need to do anything to initiate an availability zone failover.

+**Traffic rerouting:** New connections use Azure Bastion instances in the surviving availability zones. Overall, Azure Bastion remains operational.

+- Removes any temporary instances created in the other availability zones.

+Azure Bastion is deployed within virtual networks or peered virtual networks and is associated with an Azure region. Azure Bastion is a single-region service. If the region becomes unavailable, your Azure Bastion resource is also unavailable.

+Azure Bastion supports reaching virtual machines in globally peered virtual networks, but if the region that hosts your Azure Bastion resource is unavailable, you won't be able to use your Azure Bastion resource. For higher resiliency, if you deploy your overall solution into multiple regions with separate virtual networks in each region, you should deploy Azure Bastion into each region.

+If you have a disaster recovery site in another Azure region, be sure to deploy Azure Bastion into the virtual network in that region.

+## Service-level agreement

+The service-level agreement (SLA) for Azure Bastion describes the expected availability of the service and the conditions that must be met to achieve that availability expectation. To understand those conditions, it's important that you review the [SLA for Online Services](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services).

+ Title: Reliability in Microsoft Community Training

+description: Find out about reliability in Microsoft Community Training.

+# Reliability in Microsoft Community Training

+Microsoft Community Training is an Azure-powered cloud-based solution that can deliver large-scale, far-spread training programs with high quality and efficiency. With Community Training, organizations of all sizes and types can run large scale training programs for their internal and external communities. Communities can include frontline workers, extended workforces, a partner ecosystem, a volunteer network, and program beneficiaries.

+This article describes high availability (reliability) support in Azure Cosmos DB for NoSQL and covers both [availability zones](#availability-zone-support), as well as [cross-region disaster recovery and business continuity](#cross-region-disaster-recovery-and-business-continuity).

+Because availability zones are physically separate and provide distinct power source, network, and cooling, Availability SLAs (Service-level agreements) are higher (99.995%) than accounts with a single region (99.99%). Regions where availability zones are enabled are charged at 25% premium, while those without availability zones don't incur the premium. Moreover, the premium pricing for availability zones is waived for accounts configured with multi-region writes and/or for collections configured with autoscale mode.

+Enabling AZs, adding additional region(s), or turning on multi-region writes can be thought as a layering approach that increases resiliency and availability of a given Cosmos DB account at each step of the way - from 4 9's availability for single region no-AZ configuration, through 4 and half 9's for single region with AZs, all the way to 5 9's of availability for multi-region configuration with the multi-region write option enabled. Please refer to the following table for a summary of SLAs for each configuration.

+ Title: Reliability in Azure Device Registry

+description: Find out about reliability in Azure Device Registry, including availability zones and multi-region deployments.

+# Reliability in Azure Device Registry Preview

+This article describes reliability support in Azure Device Registry Preview. It covers both intra-regional resiliency with [availability zones](#availability-zone-support) and information on [multi-region deployments](#multi-region-support).

+Because resiliency is a shared responsibility between you and Microsoft, this article also covers ways for you to build a resilient solution that meets your needs.

+## Transient faults

+Transient faults are short, intermittent failures in components. They occur frequently in a distributed environment like the cloud, and they're a normal part of operations. They correct themselves after a short period of time.

+It's important that your applications handle transient faults, usually by retrying affected requests.

+## Availability zone support

+Azure Device Registry is zone-redundant, which means that it automatically replicates across multiple [availability zones](../reliability/availability-zones-overview.md). This setup enhances the resiliency of the service by providing high availability. If there's a failure in one zone, the service can continue to operate seamlessly from another zone.

+Microsoft manages setup and configuration for zone redundancy in Azure Device Registry. You don't need to perform any more configuration to enable this zone redundancy. Microsoft ensures that the service is configured to provide the highest level of availability and reliability.

+### Regions supported

+The following list of regions support availability zones in Azure Device Registry:

+| Americas | Europe | Middle East | Africa | Asia Pacific |

+||-||--|-|

+| East US | North Europe | | | |

+| East US 2 | West Europe | | | |

+| West US 2 | | | | |

+| West US 3 | | | | |

+### Cost

+There's no extra cost to use zone redundancy for Azure Device Registry.

+### Configure availability zone support

+**New resources:** When you create an Azure Device Registry resource in Azure IoT Operations, it automatically includes zone-redundancy by default. There's no need for you to perform any more configuration.

+### Zone-down experience

+During a zone-wide outage, you don't need to take any action to failover to a healthy zone. The service automatically self-heals and rebalances itself to take advantage of the healthy zone automatically.

+**Detection and response:** Because Azure Device Registry detects and responds automatically to failures in an availability zone, you don't need to do anything to initiate an availability zone failover.

+## Multi-region support

+Azure Device Registry is a regional service with automatic geographical data replication. In a region-wide outage, Microsoft initiates compute failover from one region to another. If Azure Device Registry fails over, it continues to support its primary region, and no more actions by you're required.

+When using Azure IoT Operations (Azure IoT Operations), Azure Device Registry projects assets as Azure resources in the cloud within a single registry. The single registry is a source of truth for asset metadata and asset management capabilities. However, Azure IoT Operations includes various other components beyond Azure Device Registry. For detailed information on the high availability and zero data loss features of Azure IoT Operations components, refer to [Azure IoT Operations frequently asked questions](/azure/iot-operations/troubleshoot/iot-operations-faq#does-azure-iot-operations-offer-high-availability-and-zero-data-loss-features-).

+### Region down experience

+During a region outage, Microsoft adheres to the Recovery Time Objective (RTO) to recover the service. During this time, the customer can expect some service interruption until the service is fully recovered.

+In a complete region loss scenario, you can expect a manual recovery from Microsoft.

+For Azure Device Registry, Recovery Time Objective (RTO) is approximately 24 hours. For Recovery Point Objective (RPO), you can expect less than 15 minutes.

+## Service-level agreement (SLA)

+The service-level agreement (SLA) for Azure Device Registry describes the expected availability of the service, and the conditions that must be met to achieve that availability expectation. To understand those conditions, it's important that you review the [Service Level Agreements (SLA) for Online Services](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services).

+## Related content

+- [What is Azure IoT Operations? - Azure IoT Operations Preview](/azure/iot-operations/overview-iot-operations)

+- [Reliability in Azure](/azure/availability-zones/overview)

+This article describes reliability support in [Azure HDInsight on Azure Kubernetes Service (AKS)](../hdinsight-aks/overview.md), and [disaster recovery and business continuity](#disaster-recovery-and-business-continuity).

+This article contains [cross-region disaster recovery and business continuity](#cross-region-disaster-recovery-and-business-continuity).

+This article contains detailed information on Load Balancer regional resiliency with [availability zones](#availability-zone-support) and [cross-region disaster recovery and business continuity](#cross-region-disaster-recovery-and-business-continuity).

+This article contains [cross-region disaster recovery and business continuity](#cross-region-disaster-recovery-and-business-continuity) support for Azure Traffic Manager.

+This article contains information on [availability zones support](#availability-zone-support) for Virtual Machine Scale Sets.

+- **Max spreading (platformFaultDomainCount = 1)**. Max spreading is the recommended deployment option, as it provides the best spreading in most cases. If you spread replicas across distinct hardware isolation units, it's recommended that you spread across availability zones and utilize max spreading within each zone.

+> [Use autoscale with Virtual Machine Scale Sets](/azure/virtual-machine-scale-sets/tutorial-autoscale-cli).

+This article contains detailed information on VM regional resiliency with [availability zones](#availability-zone-support) and [cross-region disaster recovery and business continuity](#cross-region-disaster-recovery-and-business-continuity).

+> | microsoft.app/containerapps/builds/read | Get a ContainerApp's Build by Build name |

+> | microsoft.app/containerapps/builds/delete | Delete a Container App's Build |

+> | microsoft.app/containerapps/patches/read | Get a ContainerApp's Patch |

+> | microsoft.app/containerapps/patches/delete | Delete a ContainerApp's Patch |

+> | microsoft.app/containerapps/patches/skip/action | Skip a ContainerApp's Patch |

+> | microsoft.app/containerapps/patches/apply/action | Apply a ContainerApp's Patch |

+> | microsoft.app/jobs/suspend/action | Suspend Container Apps Job |

+> | microsoft.app/jobs/resume/action | Resume Container Apps Job |

+> | microsoft.app/locations/connectedoperationresults/read | Get a Long Running Operation Result |

+> | microsoft.app/locations/connectedoperationstatuses/read | Get a Long Running Operation Status |

+> | microsoft.app/managedenvironments/maintenanceconfigurations/read | Get maintenance configuration for a Managed Environment. |

+> | microsoft.app/managedenvironments/maintenanceconfigurations/write | Create or Update a maintenance configuration of Managed Environment. |

+> | microsoft.app/managedenvironments/maintenanceconfigurations/delete | Delete a maintenance configuration of Managed Environment. |

+With SAP HANA HA hooks SAPHanaSR/susHanaSR for [SLES](./sap-hana-high-availability.md#implement-hana-resource-agents) and [RHEL](./sap-hana-high-availability-rhel.md#implement-sap-hana-system-replication-hooks), you can add additional sites to HANA system replication. The Pacemaker environment is aware of a HANA multitarget setup.

+- November 1, 2024: Adding HANA high-availability hook ChkSrv for [dying indexserver for RHEL based cluster setups](./sap-hana-high-availability-rhel.md#implement-sap-hana-system-replication-hooks).

+This step is an important one to optimize the integration with the cluster and improve the detection when a cluster failover is needed. We highly recommend that you configure the SAPHanaSR Python hook. Follow the steps in [Implement the Python system replication hook SAPHanaSR](sap-hana-high-availability-rhel.md#implement-sap-hana-system-replication-hooks).

+1. **[A]** Install SAP HANA, following [SAP's documentation](https://help.sap.com/docs/SAP_HANA_PLATFORM/2c1988d620e04368aa4103bf26f17727/2d4de94c8bf14cda8d37278647fff8ab.html).

+## Implement SAP HANA system replication hooks

+This important step optimizes the integration with the cluster and improves the detection when a cluster failover is needed. It is mandatory for correct cluster operation to enable the SAPHanaSR hook. We highly recommend that you configure both SAPHanaSR and ChkSrv Python hooks.

+1. **[A]** Install the SAP HANA resource agents on **all nodes**. Make sure to enable a repository that contains the package. You don't need to enable more repositories, if you're using an RHEL 8.x or higher HA-enabled image.

+ sudo dnf install -y resource-agents-sap-hana

+1. **[A]** Install the HANA `system replication hooks`. The configuration for the replication hooks needs to be installed on both HANA DB nodes.

+ path = /usr/share/SAPHanaSR/srHook

+ [ha_dr_provider_chksrv]

+ provider = ChkSrv

+ path = /usr/share/SAPHanaSR/srHook

+ execution_order = 2

+ action_on_lost = kill

+

+ ha_dr_chksrv = info

+ If you point parameter `path` to the default `/usr/share/SAPHanaSR/srHook` location, the Python hook code updates automatically through OS updates or package updates. HANA uses the hook code updates when it next restarts. With an optional own path like `/hana/shared/myHooks`, you can decouple OS updates from the hook version that HANA will use.

+ You can adjust the behavior of `ChkSrv` hook by using the `action_on_lost` parameter. Valid values are [ `ignore` | `stop` | `kill` ].

+1. **[1]** Verify the SRHanaSR hook installation. Run as <sid\>adm on the active HANA system replication site.

+1. **[1]** Verify the ChkSrv hook installation. Run as <sid\>adm on the active HANA system replication site.

+ ```bash

+ cdtrace

+ tail -20 nameserver_chksrv.trc

+ ```

+For more information on the implementation of the SAP HANA hooks, see [Enabling the SAP HANA srConnectionChanged() hook](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_sap_solutions/8/html-single/automating_sap_hana_scale-up_system_replication_using_the_rhel_ha_add-on/index#con_enable_hook_automating-sap-hana-scale-up-system-replication) and [Enabling the SAP HANA srServiceStateChanged() hook for hdbindexserver process failure action (optional)](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_sap_solutions/8/html-single/automating_sap_hana_scale-up_system_replication_using_the_rhel_ha_add-on/index#con_enable_hdbindexserver_automating-sap-hana-scale-up-system-replication).

+| -- | - |

+| ActiveMessageCount | Number of messages in the queue or subscription that are in the active state and ready for delivery. This includes deferred messages. |

+> The messages that are sent to a Service Bus topic are forwarded to subscriptions for that topic. So, the active message count on the topic itself is 0, as those messages have been successfully forwarded to the subscription. Get the message count at the subscription and verify that it's greater than 0. Even though you see messages at the subscription, they are actually stored in a storage owned by the topic. If you look at the subscriptions, then they would have non-zero message count, which contribute to the storage used by the topic.

+The feature is enabled using the **auto delete on idle** property on the entity. This property is set to the duration for which an entity must be idle (unused) before it's automatically deleted. The minimum value for this property is 5 minutes.

+A **SqlFilter** holds a SQL-like conditional expression that is evaluated in the broker against the arriving messages' user-defined properties and system properties. All system properties must be prefixed with `sys.` in the conditional expression. The [SQL-language subset for filter conditions](service-bus-messaging-sql-filter.md) tests for the existence of properties (`EXISTS`), null-values (`IS NULL`), logical `NOT`/`AND`/`OR`, relational operators, simple numeric arithmetic, and simple text pattern matching with `LIKE`.

+> [!IMPORTANT]

+> When you update system properties through rule actions, note that it might change the expected behavior. Some properties are only evaluated when a message is received in a queue or a topic. Therefore, when you update these properties in a rule action and then deliver them in a subscription, they are ignored. Although, when auto-forwarding to another queue or topic, they are re-evaluated.

+>

+> - **ScheduledEnqueueTime**: When you set or update this property, it's ignored on the subscription.

+> - **MessageID with deduplication**: No deduplication is performed in the subscription when the MessageID is updated and results in a duplicate.

+> - **SessionID with partitioning**: In this scenario, the session ID is the partition key for partitioned entities and is used to decide the partition the message is sent to. Changing the sessionID in a rule action means that the partition key is changed after a message has landed in a partition. As a result, the consumer might not receive some of these messages in the session. Even if consumer receives the message, it appears as though they are coming from the wrong partition due to the changed partition key.

+The following are the prerequisites to the definition the migration of your source shares:

+- **A job definition to define migration.**<br/>

+ - **Storage account access in case of firewall setting.**<br/>

+ If you have storage account firewall (security system) restrictions set, ensure that the traffic from agent VM is permitted to the storage account.

+- **Accessible endpoints.**<br/>

+ The below endpoints must be accessible from the agent.

+|Source protocol |Target |Azure Endpoint |Description |

+||-||-|

+|SMB 2.x mount |Azure file share (SMB) |`< your-storage-account-name>.file.core.windows.net` |Azure Files endpoint. |

+|SMB 2.x mount |Azure file share (SMB) |`<your-keyvault-name>.vault.azure.net` |Azure Key Vault endpoint. |

+|NFS 3 & 4 mount |Azure blob storage container |`< your-storage-account-name>.blob.core.windows.net` |Azure Blob container endpoint. |

+

+| `Basic` | 12.5% of total VM cores | Up to 120,000 | Up to 90,000 |

+| `Standard` (default)| 25% of total VM cores | Up to 220,000 | Up to 180,000 |

+| `Premium` | 50% of total VM cores | Up to 550,000 | Up to 360,000 |

+**Single-zone replication**

+| **Tier** | **Number of vCPUs** | **100% Read IOPS** | **100% Write IOPS** |

+||--|--||

+| `Basic` | 12.5% of total VM cores | Up to 120,000 | Up to 45,000 |

+| `Standard` (default) | 25% of total VM cores | Up to 220,000 | Up to 90,000 |

+| `Premium` | 50% of total VM cores | Up to 550,000 | Up to 180,000 |

+**Multi-zone replication**

+| **Tier** | **Number of vCPUs** | **100% Read IOPS** | **100% Write IOPS** |

+||--|--||

+| `Basic` | 12.5% of total VM cores | Up to 120,000 | Up to 45,000 |

+| `Standard` (default) | 25% of total VM cores | Up to 220,000 | Up to 90,000 |

+| `Premium` | 50% of total VM cores | Up to 550,000 | Up to 180,000 |

+|Synapse Administrator|workspaces/read</br>workspaces/roleAssignments/write</br>workspaces/roleAssignments/delete</br>workspaces/managedPrivateEndpoint/write</br>workspaces/managedPrivateEndpoint/delete</br>workspaces/bigDataPool/useCompute/action</br>workspaces/bigDataPool/viewLogs/action</br>workspaces/scopePool/useCompute/action</br>workspaces/scopePool/viewLogs/action</br>workspaces/integrationRuntime/useCompute/action</br>workspaces/integrationRuntime/viewLogs/action</br>workspaces/artifacts/read</br>workspaces/notebooks/write</br>workspaces/sparkJobDefinitions/write</br>workspaces/scopeJobDefinitions/write</br>workspaces/sqlScripts/write</br>workspaces/dataFlows/write</br>workspaces/dataMappers/write</br>workspaces/pipelines/write</br>workspaces/triggers/write</br>workspaces/datasets/write</br>workspaces/linkedServices/write</br>workspaces/credentials/write</br>workspaces/notebooks/delete</br>workspaces/sparkJobDefinitions/delete</br>workspaces/scopeJobDefinitions/delete</br>workspaces/sqlScripts/delete</br>workspaces/dataFlows/delete</br>workspaces/dataMappers/delete</br>workspaces/pipelines/delete</br>workspaces/triggers/delete</br>workspaces/datasets/delete</br>workspaces/linkedServices/delete</br>workspaces/credentials/delete</br>workspaces/cancelPipelineRun/action</br>workspaces/notebooksViewOutputs/action</br>workspaces/pipelinesViewOutputs/action</br>workspaces/linkedServicesUseSecret/action</br>workspaces/credentialsUseSecret/action</br>workspaces/libraries/delete</br>workspaces/libraries/write</br>workspaces/kQLScripts/write</br>workspaces/kQLScripts/delete</br>workspaces/sparkConfigurations/write</br>workspaces/sparkConfigurations/delete</br>workspaces/synapseLinkConnections/read</br>workspaces/synapseLinkConnections/write</br>workspaces/synapseLinkConnections/delete</br>workspaces/synapseLinkConnections/useCompute/action|

+|Synapse Contributor|workspaces/read</br>workspaces/bigDataPool/useCompute/action</br>workspaces/bigDataPool/viewLogs/action</br>workspaces/scopePool/useCompute/action</br>workspaces/scopePool/viewLogs/action</br>workspaces/integrationRuntime/useCompute/action</br>workspaces/integrationRuntime/viewLogs/action</br>workspaces/artifacts/read</br>workspaces/notebooks/write</br>workspaces/sparkJobDefinitions/write</br>workspaces/sqlScripts/write</br>workspaces/dataFlows/write</br>workspaces/dataMappers/write</br>workspaces/pipelines/write</br>workspaces/triggers/write</br>workspaces/datasets/write</br>workspaces/linkedServices/write</br>workspaces/credentials/write</br>workspaces/notebooks/delete</br>workspaces/sparkJobDefinitions/delete</br>workspaces/sqlScripts/delete</br>workspaces/dataFlows/delete</br>workspaces/dataMappers/delete</br>workspaces/pipelines/delete</br>workspaces/triggers/delete</br>workspaces/datasets/delete</br>workspaces/linkedServices/delete</br>workspaces/credentials/delete</br>workspaces/cancelPipelineRun/action</br>workspaces/notebooksViewOutputs/action</br>workspaces/pipelinesViewOutputs/action</br>workspaces/libraries/delete</br>workspaces/libraries/write</br>workspaces/kQLScripts/write</br>workspaces/kQLScripts/delete</br>workspaces/sparkConfigurations/write</br>workspaces/sparkConfigurations/delete</br>workspaces/synapseLinkConnections/read</br>workspaces/synapseLinkConnections/write</br>workspaces/synapseLinkConnections/delete</br>workspaces/synapseLinkConnections/useComputeAction|

+|Synapse Artifact Publisher|workspaces/read</br>workspaces/artifacts/read</br>workspaces/notebooks/write</br>workspaces/sparkJobDefinitions/write</br>workspaces/scopeJobDefinitions/write</br>workspaces/sqlScripts/write</br>workspaces/dataFlows/write</br>workspaces/dataMappers/write</br>workspaces/pipelines/write</br>workspaces/triggers/write</br>workspaces/datasets/write</br>workspaces/linkedServices/write</br>workspaces/credentials/write</br>workspaces/notebooks/delete</br>workspaces/sparkJobDefinitions/delete</br>workspaces/scopeJobDefinitions/delete</br>workspaces/sqlScripts/delete</br>workspaces/dataFlows/delete</br>workspaces/dataMappers/delete</br>workspaces/pipelines/delete</br>workspaces/triggers/delete</br>workspaces/datasets/delete</br>workspaces/linkedServices/delete</br>workspaces/credentials/delete</br>workspaces/notebooksViewOutputs/action</br>workspaces/pipelinesViewOutputs/action</br>workspaces/libraries/delete</br>workspaces/libraries/write</br>workspaces/kQLScripts/write</br>workspaces/kQLScripts/delete</br>workspaces/sparkConfigurations/write</br>workspaces/sparkConfigurationsDeleteAction|

+# Performance tuning with ordered clustered columnstore index in Azure Synapse Analytics

+**Applies to:** Azure Synapse Analytics dedicated SQL pools

+> [!NOTE]

+> This article applies to Azure Synapse Analytics dedicated SQL pools. For information on ordered columnstore indexes in SQL Server and other SQL platforms, see [Performance tuning with ordered clustered columnstore indexes](/sql/relational-databases/indexes/columnstore-indexes-overview#ordered-columnstore-indexes).

+ Title: Renew and delete Trusted Signing Identity Validation

+description: How-to renew and delete a Trusted Signing Identity Validation.

+# Renew or delete Trusted Signing Identity Validations

+You can renew or delete your Trusted Signing Identity Validations with the right role.

+## Renew Identity Validation

+ - Select the Identity Validation from the pull-down. Once the certificate profile is created successfully, signing resumes requiring no configuration changes on your end.

+

+## Delete Identity Validation

+You can delete an Identity Validation that is not in "In Progress" state from the Identity Validation page.

+>[!Note]

+>Deleting an Identity Validation before stops the renewal of linked certificate profiles across all the accounts within a subscription where Identtiy Validation was done. This impacts signing.

+>Deleted identity validation requests cannot be recovered.

+1. Navigate to your Trusted Signing account in the [Azure portal](https://portal.azure.com/).

+2. Confirm you have the **Trusted Signing Identity Verifier role**.

+ - To learn more about Role Based Access management (RBAC) access management, see [Assigning roles in Trusted Signing](tutorial-assign-roles.md).

+3. From either the Trusted Signing account overview page or from Objects, select **Identity Validation**.

+4. Select the Identity Validation request that needs to be deleted. Select **Delete** on the top.

+5. A blade opens on the right hand side and lists the number of associated accounts and shows the certificate profiles linked to this Identity Validation.

+ - Ensure you have read permissions at the subscription level or on all trusted signing accounts to verify the usage of the current identity validation request across all certificate profiles.

+

+ :::image type="content" source="media/trusted-signing-delete-identity-validation-linked-profiles.png" alt-text="Screenshot of trusted signing delete identity-validation showing linked-profiles.png." lightbox="media/trusted-signing-delete-identity-validation-linked-profiles.png":::

+6. Select **Delete**, if you wish to continue with the deletion of the certificate profile. A deleted Identity Validation request cannot be recovered.

+

+To create an identity validation request for an Organization:

+ To learn how to manage, access by using role-based access control (RBAC), see [Tutorial: Assign roles in Trusted Signing](tutorial-assign-roles.md).

+ | **Organization Name** | For public identity validation, provide the legal business entity to which the certificate is issued. For private identity validation, the value defaults to your Microsoft Entra tenant name. |

+ | **Secondary Email** | This email address must be different from the primary email address. For organizations, the domain must match the email address that is provided in the primary email address. Ensure that the email address can receive emails from external email addresses that have links.|

+| Accuracy | Ensure that you provide the correct information for public identity validation. If you need to make any changes after it's created, you must complete a new identity validation request. This change affects the associated certificates that are being used for signing. |

+| More documentation | If we need more documentation to process the identity validation request, you're notified through email. You can upload the documents in the Azure portal. The documentation request email contains information about file size requirements. Ensure that any documents you provide are the most current. <br>- All documents submitted must be issued within the previous 12 months or where the expiration date is a future date that is at least two months away. <br> - If it isn't possible to provide additional documentation, update your account information to match any legal documents already provided or your official Company registration details. <br> - When providing official business document, such as business registration form, business charter, or articles of incorporation that list the company name and address as it is provided at the time of Identity Validation request creation. <br> - Ensure the domain registration or domain invoice from registration or renewal that lists the entity/contact name and domain as it is state on the request.|

+To enable or disable hotpatching at scale, follow these steps:

+> RDP Shortpath for public networks via TURN for Azure Virtual Desktop is available in the Azure public cloud and Azure Government cloud.

+> RDP Shortpath for public networks via TURN for Azure Virtual Desktop is available in the Azure public cloud and Azure Government cloud.

+## Known Issues, Limitations and Considerations

+The following section describes known issues, limitations and considerations associatd with the Internet Inbound feature.

+### Known Issues

+The following table describes known issues related to the internet inbound/DNAT feature.

+|Issue | Description| Mitigation|

+|--|--|--|

+| DNAT traffic is not forwarded to the NVA after associating an additional IP address.| After associating additional IP address(es) to an NVA that already has active inbound security rules, DNAT traffic is not forwarded properly to the NVA due to a code defect. | Use partner orchestration/management software to modify (create or delete existing) configured inbound-security rules to restore connectivity. |

+|Inbound security rule configuration scalability| Inbound security rule configuration may fail when a large number (approximately 100) rules are configured.| No mitigation, reach out to Azure Support for fix timelines.|

+* The following table describes the avaiablility of routing intent in different Azure environments.

+ * Routing intent is not available in Mirosoft Azure operated by 21 Vianet.

+ * Palo Alto Cloud NGFW is only available in Azure Public. Reach out to Palo Alto Networks regarding avaialbility of Cloud NGFW in Azure Government and Microsoft Azure operated by Viacom.

+ * Network Virtual Appliances are not available in all Azure Government regions. Contact your NVA partner regarding availability in Azure Government.

+| Cloud Environment| Azure Firewall| Network Virtual Appliance| SaaS solutions|

+|--|--|--| --|

+| Azure Public | Yes | Yes | Yes|

+|Azure Government|Yes| Limited | No|

+|Microsoft Azure operated by 21 Vianet|No|No|No|

+

+| **Count Of Routes Advertised To Peer** | The Virtual WAN hub router exchanges routes with all active instances of ExpressRoute gateways, VPN gateways and NVAs deployed in the Virtual WAN hub or in a connected Virtual Network spoke. When the Virtual WAN hub router learns a prefix with the same AS-PATH length from multiple peers, the router internally selects a peer to prefer for that specific route and re-advertises that route to all **other** peers (including the other gateway or NVA instance). This internal route selection process occurs for every route processed and the selected instance can change due to various factors such as network changes or maintenance events. As a result the number of routes advertised to an individual peer may fluctuate. When this metric is viewed with the maximum aggregation, Azure Monitor displays the data associated with a **single** BGP session between the Virtual WAN hub router and gateway or NVA. To effectively monitor changes or potential issues in your network, apply a split in Azure Monitor on the Count of Routes Advertised to Peer metric on a per peer IP address and ensure that the total number of routes advertised to your ExpressRoute, VPN or NVA is stable or in-line with any network changes. The total count of routes advertised must be calculated manually as the Azure Monitor **sum** aggregation type sums up data-points over the aggregation window, which does not accurately reflect routes advertised count. |

+|10| DNAT traffic is not forwarded to the NVA after associating an additional IP address.|After associating additional IP address(es) to an NVA that already has active inbound security rules, DNAT traffic is not forwarded properly to the NVA due to a code defect. | November 2024 | Use partner orchestration/management software to modify (create or delete existing) configured inbound-security rules to restore connectivity.|

+|11| Inbound security rule configuration scalability | Inbound security rule configuration may fail when a large number (approximately 100) rules are configured. | November 2024 | None, reach out Azure Support for more information.|

+VPN gateways consist of two instances in an active-standby configuration unless you specify active-active mode.

+### Active-standby mode behavior

+In active-standby mode, during any planned maintenance or unplanned disruption affecting the active instance, the following behavior occurs:

+### Active-active mode design

+### Dual-redundancy active-active mode design

+## Configure an active-active mode gateway

+## Reset an active-active mode gateway

+> [!NOTE]

+> For Azure Front Door Standard and Premium, you should use [Get-AzFrontDoorCdnProfile](/powershell/module/az.cdn/Get-AzFrontDoorCdnProfile).