-Learn more about [Service limits in Azure Cognitive Search](/azure/search/search-limits-quotas-capacity).

-Learn more about [Service limits in Azure Cognitive Search](/azure/search/search-limits-quotas-capacity).

-Learn more about [Service limits in Azure Cognitive Search](/azure/search/search-limits-quotas-capacity)

-|Azure Cognitive Search | `Microsoft.Search` |

-Azure AI Vision can power many digital asset management (DAM) scenarios. DAM is the business process of organizing, storing, and retrieving rich media assets and managing digital rights and permissions. For example, a company may want to group and identify images based on visible logos, faces, objects, colors, and so on. Or, you might want to automatically [generate captions for images](./Tutorials/storage-lab-tutorial.md) and attach keywords so they're searchable. For an all-in-one DAM solution using Azure AI services, Azure Cognitive Search, and intelligent reporting, see the [Knowledge Mining Solution Accelerator Guide](https://github.com/Azure-Samples/azure-search-knowledge-mining) on GitHub. For other DAM examples, see the [Azure AI Vision Solution Templates](https://github.com/Azure-Samples/Cognitive-Services-Vision-Solution-Templates) repository.

-For all models, except Business card model, Document Intelligence now supports add-on capabilities to allow for more sophisticated analysis. These optional capabilities can be enabled and disabled depending on the scenario of the document extraction. There are four add-on capabilities available for the `2023-07-31` (GA) API version:

-\* - Premium features incur additional costs

-| [prebuilt-read](concept-read.md#data-detection-and-extraction) | Γ£ô | Γ£ô | | | Γ£ô | | | |

-## Supported document types

-> [!NOTE]

->

-> * For the preview of Office and HTML file formats, Read API ignores the pages parameter and extracts all pages by default. Each embedded image counts as 1 page unit and each worksheet, slide, and page (up to 3000 characters) count as 1 page.

-| **Model** | **Images** | **PDF** | **TIFF** | **Word** | **Excel** | **PowerPoint** | **HTML** |

-| | | | | | | | |

-| **prebuilt-read** | GA</br> (2023-07-31 and 2022-08-31)| GA</br> (2023-07-31 and 2022-08-31) | GA</br> (2023-07-31 and 2022-08-31) | Preview</br>(2022-06-30-preview) | Preview</br>(2022-06-30-preview) | Preview</br>(2022-06-30-preview) | Preview</br>(2022-06-30-preview) |

-## Data detection and extraction

- | **Model** | **Text** | *[**Language extraction**](#supported-extracted-languages-and-locales) </br>* [**Language detection**](#language-detection) |

-| | | |

-**prebuilt-read** | Γ£ô |Γ£ô |

-### Barcode extraction

-The Read OCR model extracts all identified barcodes in the `barcodes` collection as a top level object under `content`. Inside the `content`, detected barcodes are represented as `:barcode:`. Each entry in this collection represents a barcode and includes the barcode type as `kind` and the embedded barcode content as `value` along with its `polygon` coordinates. Initially, barcodes appear at the end of each page. Here, the `confidence` is hard-coded for the public preview (`2023-02-28`) release.

-#### Supported barcode types

-| **Barcode Type** | **Example** |

-| | |

-| QR Code |:::image type="content" source="media/barcodes/qr-code.png" alt-text="Screenshot of the QR Code.":::|

-| Code 39 |:::image type="content" source="media/barcodes/code-39.png" alt-text="Screenshot of the Code 39.":::|

-| Code 128 |:::image type="content" source="media/barcodes/code-128.png" alt-text="Screenshot of the Code 128.":::|

-| UPC (UPC-A & UPC-E) |:::image type="content" source="media/barcodes/upc.png" alt-text="Screenshot of the UPC.":::|

-| PDF417 |:::image type="content" source="media/barcodes/pdf-417.png" alt-text="Screenshot of the PDF417.":::|

-```json

-"content": ":barcode:",

- "pages": [

- {

- "pageNumber": 1,

- "barcodes": [

- {

- "kind": "QRCode",

- "value": "http://test.com/",

- "span": { ... },

- "polygon": [...],

- "confidence": 1

- }

- ]

- }

- ]

-```

-### Language detection

-The Read OCR model in Document Intelligence adds [language detection](#language-detection) as a new feature for text lines. Read predicts the detected primary language for each text line along with the `confidence` in the `languages` collection under `analyzeResult`.

-```json

-"languages": [

- {

- "spans": [

- {

- "offset": 0,

- "length": 131

- }

- ],

- "locale": "en",

- "confidence": 0.7

- },

-]

-```

-### Extract pages from documents

-### Extract text lines and words

- :::image type="icon" source="media/overview/icon-w2.png" link="#us-tax-w-2-form":::</br>

- [**US Tax W-2 form**](#us-tax-w-2-form) | Extract taxable </br>compensation details.

- :::image type="icon" source="media/overview/icon-w2.png" link="#us-tax-w-2-form":::</br>

- [**US Tax W-2 form**](#us-tax-w-2-form) | Extract taxable </br>compensation details.

-|[**prebuilt-read**](concept-read.md)|&#9679; Extract **text** from documents.</br>&#9679; [Data and field extraction](concept-read.md#data-detection-and-extraction)| &#9679; Contract processing. </br>&#9679; Financial or medical report processing.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/read)</br>&#9679; [**REST API**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-3.0.0&preserve-view=true&pivots=programming-language-rest-api)</br>&#9679; [**C# SDK**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-3.0.0&preserve-view=true&pivots=programming-language-csharp)</br>&#9679; [**Python SDK**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-3.0.0&preserve-view=true&pivots=programming-language-python)</br>&#9679; [**Java SDK**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-3.0.0&preserve-view=true&pivots=programming-language-java)</br>&#9679; [**JavaScript**](how-to-guides/use-sdk-rest-api.md?view=doc-intel-3.0.0&preserve-view=true&pivots=programming-language-javascript) |

-### US Tax W-2 form

-* [Barcode](concept-read.md#barcode-extraction) extraction.

-* An optional `features` query parameter to Analyze operations can optionally enable specific features. Some premium features may incur added billing. Refer to [Analyze feature list](#analysis-features) for details.

-* Extend extracted currency field objects to output a normalized currency code field when possible. Currently, current fields may return amount (ex. 123.45) and currencySymbol (ex. $). This feature maps the currency symbol to a canonical ISO 4217 code (ex. USD). The model may optionally utilize the global document content to disambiguate or infer the currency code.

-Starting from v3.0, [Document Intelligence REST API](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.1.0&preserve-view=true) has been redesigned for better usability. In this section, learn the differences between Document Intelligence v2.0, v2.1 and v3.1 and how to move to the newer version of the API.

-* `locale` : Locale hint for text recognition and document analysis. Value may contain only the language code (ex. `en`, `fr`) or BCP 47 language tag (ex. "en-US").

-Analyze response has been refactored to the following top-level results to support multi-page elements.

-* ```modelName``` has been renamed to ```description```

-List models have been extended to now return prebuilt and custom models. All prebuilt model names start with ```prebuilt-```. Only models with a status of succeeded are returned. To list models that either failed or are in progress, see [List Operations](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-1/operations/GetModels).

- * Table extraction improvements.

-* [**Read**](concept-read.md#barcode-extraction) and [**Layout**](concept-layout.md#data-extraction) models support **barcode** extraction with the ```2023-02-28-preview``` API.

- * This should also influence your Azure **Cognitive Search** SKU selection, see more details [here](../../../../search/search-sku-tier.md). Additionally, you may need to adjust Cognitive Search [capacity](../../../../search/search-capacity-planning.md) with replicas.

-| |Azure Cognitive Search | Limitations |

-The throughput for question answering is currently capped at 10 text records per second for both management APIs and prediction APIs. To target 10 text records per second for your service, we recommend the S1 (one instance) SKU of Azure Cognitive Search.

-Your custom question answering feature deals with two kinds of keys: **authoring keys** and **Azure Cognitive Search keys** used to access the service in the customerΓÇÖs subscription.

-|Azure Cognitive Search Admin Key|[Azure portal](../../../../search/search-security-api-keys.md)|These keys are used to communicate with the Azure cognitive search service deployed in the userΓÇÖs Azure subscription. When you associate an Azure Cognitive Search resource with the custom question answering feature, the admin key is automatically passed to question answering. <br><br>You can find these keys on the **Azure Cognitive Search** resource on the **Keys** page.|

-* Cognitive Search resource

-### Azure Cognitive Search resource

-The [Cognitive Search](../../../../search/index.yml) resource is used to:

-You can publish N-1 projects of a single language or N/2 projects of different languages in a particular tier, where N is the maximum number of indexes allowed in the Azure Cognitive Search tier. Also check the maximum size and the number of documents allowed per tier.

-The confidence score of an answer may change negligibly between the test and deployed version of the project even if the content is the same. This is because the content of the test and the deployed project are located in different Azure Cognitive Search indexes.

- * One resource restricted to one project: restrict your single language resource (and the resulting Azure Cognitive Search test index) to a project.

-If you have a project in different regions, each region uses its own Azure Cognitive Search index. Because different indexes are used, the scores will not be exactly the same.

-Question answering limits provided below are a combination of the [Azure Cognitive Search pricing tier limits](../../../../search/search-limits-quotas-capacity.md) and question answering limits. Both sets of limits affect how many projects you can create per resource and how large each project can grow.

-The maximum number of projects is based on [Azure Cognitive Search tier limits](../../../../search/search-limits-quotas-capacity.md).

-Metadata is presented as a text-based `key:value` pair, such as `product:windows 10`. It is stored and compared in lower case. Maximum number of metadata fields is based on your **[Azure Cognitive Search tier limits](../../../../search/search-limits-quotas-capacity.md)**.

-|**Azure Cognitive Search tier** | **Free** | **Basic** |**S1** | **S2**| **S3** |**S3 HD**|

-|**Azure Cognitive Search tier** | **Free** | **Basic** |**S1** | **S2**| **S3** |**S3 HD**|

-* Maximum number of question-answer pairs: Depends on the **[Azure Cognitive Search tier](../../../../search/search-limits-quotas-capacity.md#document-limits)** chosen. A question and answer pair maps to a document on Azure Cognitive Search index.

-| [Cognitive Search](azure-resources.md#azure-cognitive-search-resource) resource | Data storage and search |

-Question answering throughput is currently capped at 10 text records per second for both management APIs and prediction APIs. To target 10 text records per second for your service, we recommend the S1 (one instance) SKU of Azure Cognitive Search.

-A single language resource with the custom question answering feature enabled can host more than one project. The number of projects is determined by the Cognitive Search pricing tier's quantity of supported indexes. Learn more about the [relationship of indexes to projects](azure-resources.md#index-usage).

-* [Cognitive Search resource](../../../../search/search-limits-quotas-capacity.md) pricing tier limits

-A project shares the Cognitive Search index with all other projects on the language resource. While the project is isolated by partition, sharing the index can cause a difference in the score when compared to the published project.

-Once you are done testing the project, you can deploy it to production. Deployment pushes the latest version of the tested project to a dedicated Azure Cognitive Search index representing the **published** project. It also creates an endpoint that can be called in your application or chat bot.

-At the same time, customers often require a custom answer authoring experience to achieve more granular control over the quality and content of question-answer pairs, and allow them to address content issues in production. Read this article to learn how to integrate Azure OpenAI On Your Data (Preview) with question-answer pairs from your Custom Question Answering project, using your project's underlying Azure Cognitive Search indexes.

-1. Make a note of your Azure Search details, such as Azure Search resource name, subscription, and location. You will need this information when you connect your Azure Cognitive Search index to Azure OpenAI.

-1. In the pane that appears, select **Azure Cognitive Search** under **Select or add data source**. This will update the screen with **Data field mapping** options depending on your data source.

-1. Select the subscription, Azure Cognitive Search service and Azure Cognitive Search Index associated with your Custom Question Answering project. Select the acknowledgment that connecting it will incur usage on your account. Then select **Next**.

- :::image type="content" source="../media/question-answering/azure-search-data-source.png" alt-text="A screenshot showing selection information for Azure Cognitive Search in Azure OpenAI Studio." lightbox="../media/question-answering/azure-search-data-source.png":::

- :::image type="content" source="../media/question-answering/data-field-mapping.png" alt-text="A screenshot showing index field mapping information for Azure Cognitive Search in Azure OpenAI Studio." lightbox="../media/question-answering/data-field-mapping.png":::

- :::image type="content" source="../media/question-answering/data-management.png" alt-text="A screenshot showing the data management options for Azure Cognitive Search indexes." lightbox="../media/question-answering/data-management.png":::

-You can configure question answering to use a different Cognitive Search resource.

-## Change Cognitive Search resource

-2. Select **Features** and select the Azure Cognitive Search service you want to link with your language resource.

- > Your Language resource will retain your Azure Cognitive Search keys. If you update your search resource (for example, regenerating your keys), you will need to select **Update Azure Cognitive Search keys for the current search service**.

-> It is recommended to set your CMK in a fresh Azure Cognitive Search service before any projects are created. If you set CMK in a language resource with existing projects, you might lose access to them. Read more about [working with encrypted content](../../../../search/search-security-manage-encryption-keys.md#work-with-encrypted-content) in Azure Cognitive search.

-This will establish a private endpoint connection between language resource and Azure Cognitive Search service instance. You can verify the Private endpoint connection on the *Networking* tab of the Azure Cognitive Search service instance. Once the whole operation is completed, you are good to use your language resource with question answering enabled.

- * We don't support changes to Azure Cognitive Search service once you enable private access to your language resources. If you change the Azure Cognitive Search service via 'Features' tab after you have enabled private access, the language resource will become unusable.

- * After establishing Private Endpoint Connection, if you switch Azure Cognitive Search Service Networking to 'Public', you won't be able to use the language resource. Azure Search Service Networking needs to be 'Private' for the Private Endpoint Connection to work.

-## Restrict access to Cognitive Search resource

-Throughput performance issues indicate you need to scale up your Cognitive Search. Consider adding a replica to your Cognitive Search to improve performance.

-If you delete an Azure Cognitive Search index, the operation is final and the index cannot be recovered.

-<summary><b>Can I use the same Azure Cognitive Search resource for projects using multiple languages?</b></summary>

-* The language is used by the Cognitive Search service (ranker #1) and Custom question answering (ranker #2) to generate the best answer to a query.

-Custom question answering depends on [Azure Cognitive Search language analyzers](/rest/api/searchservice/language-support) for providing results.

-While the Azure Cognitive Search capabilities are on par for supported languages, question answering has an additional ranker that sits above the Azure search results. In this ranker model, we use some special semantic and word-based features in the following languages.

-Example narrative summarization JSON response:

- * [Azure Cognitive Search](../../../search/vector-search-overview.md)

-When selecting an existing Cognitive Search resource the search indices don't load, and the loading wheel spins continuously. In Azure OpenAI Studio, go to **Playground Chat** > **Add your data (preview)** under Assistant setup. Selecting **Add a data source** opens a modal that allows you to add a data source through either Azure Cognitive Search or Blob Storage. Selecting the Azure Cognitive Search option and an existing Cognitive Search resource should load the available Azure Cognitive Search indices to select from.

- * [Azure Cognitive Search](../../../search/vector-search-overview.md)

-| | QnA Maker Management | App Service | Azure Cognitive Search | Limitations |

-|Target QPS | App Service | Azure Cognitive Search |

-|[Upgrade](../How-to/set-up-qnamaker-service-azure.md#upgrade-app-service) App Service SKU and check Cognitive Search tier and [create Cognitive Search replicas](../../../search/search-capacity-planning.md)|Your knowledge base needs to serve more requests from your client app, such as a chat bot.|

-|[Upgrade](../How-to/set-up-qnamaker-service-azure.md#upgrade-the-azure-cognitive-search-service) Azure Cognitive Search service|You plan to have many knowledge bases.|

-The confidence score of an answer may change negligibly between the test and published version of the knowledge base even if the content is the same. This is because the content of the test and the published knowledge base are located in different Azure Cognitive Search indexes.

- * 1 resource restricted to 1 KB: restrict your single QnA resource (and the resulting Azure Cognitive Search test index) to a single knowledge base.

-If you have a knowledge base in different regions, each region uses its own Azure Cognitive Search index. Because different indexes are used, the scores will not be exactly the same.

-Once you are done testing the knowledge base, you can publish it. Publish pushes the latest version of the tested knowledge base to a dedicated Azure Cognitive Search index representing the **published** knowledge base. It also creates an endpoint that can be called in your application or chat bot.

-|4|This altered query is sent to an Azure Cognitive Search Index, which receives the `top` number of results. If the correct answer isn't in these results, increase the value of `top` slightly. Generally, a value of 10 for `top` works in 90% of queries. Azure search filters [stop words](https://github.com/Azure-Samples/azure-search-sample-dat) in this step.|

-1. In the pane that appears, select **Azure Cognitive Search** under **Select or add data source**. This will update the screen with **Data field mapping** options depending on your data source. Select the subscription, Azure Cognitive Search service and Azure Cognitive Search Index associated with your QnA maker project. Select the acknowledgment that connecting it will incur usage on your account. Then select **Next**.

- :::image type="content" source="../media/openai/data-field-mapping.png" alt-text="A screenshot showing index field mapping information for Azure Cognitive Search in Azure OpenAI Studio." lightbox="../media/openai/data-field-mapping.png":::

- :::image type="content" source="../media/openai/data-management.png" alt-text="A screenshot showing the data management options for Azure Cognitive Search indexes." lightbox="../media/openai/data-management.png":::

-1. Create a [new Azure Cognitive Search Resource](https://portal.azure.com/#create/Microsoft.Search).

- | AzureSearchName | `<Azure Cognitive Search Resource Name from step #1>` |

- | AzureSearchAdminKey | `<Azure Cognitive Search Resource admin Key from step #1>`|

- * Choose the **Search pricing tier** of the Azure Cognitive Search service. If the Free tier option is unavailable (appears dimmed), it means you already have a free service deployed through your subscription. In that case, you'll need to start with the Basic tier. See [Azure Cognitive Search pricing details](https://azure.microsoft.com/pricing/details/search/).

- * Choose the **Search location** where you want Azure Cognitive Search indexes to be deployed. Restrictions on where customer data must be stored will help determine the location you choose for Azure Cognitive Search.

-### Upgrade the Azure Cognitive Search service

-If you plan to have many knowledge bases, upgrade your Azure Cognitive Search service pricing tier.

-QnA Maker depends on [Azure Cognitive Search language analyzers](/rest/api/searchservice/language-support) for providing results.

-While the Azure Cognitive Search capabilities are on par for supported languages, QnA Maker has an additional ranker that sits above the Azure search results. In this ranker model, we use some special semantic and word-based features in the following languages.

-1. Create a new Azure Search instance and enable the prerequisites mentioned in the [customer-managed key prerequisites for Azure Cognitive Search](../../search/search-security-manage-encryption-keys.md#prerequisites).

-QnA Maker limits provided below are a combination of the [Azure Cognitive Search pricing tier limits](../../search/search-limits-quotas-capacity.md) and the [QnA Maker pricing tier limits](https://azure.microsoft.com/pricing/details/cognitive-services/qna-maker/). You need to know both sets of limits to understand how many knowledge bases you can create per resource and how large each knowledge base can grow.

-The maximum number of knowledge bases is based on [Azure Cognitive Search tier limits](../../search/search-limits-quotas-capacity.md).

-|**Azure Cognitive Search tier** | **Free** | **Basic** |**S1** | **S2**| **S3** |**S3 HD**|

-Metadata is presented as a text-based key: value pair, such as `product:windows 10`. It is stored and compared in lower case. Maximum number of metadata fields is based on your **[Azure Cognitive Search tier limits](../../search/search-limits-quotas-capacity.md)**.

-|**Azure Cognitive Search tier** | **Free** | **Basic** |**S1** | **S2**| **S3** |**S3 HD**|

-* Maximum number of question-answer pairs: Depends on the **[Azure Cognitive Search tier](../../search/search-limits-quotas-capacity.md#document-limits)** chosen. A question and answer pair maps to a document on Azure Cognitive Search index.

-## Change Azure Cognitive Search

-This will establish a private endpoint connection between Text Analytics service and Azure Cognitive Search service instance. You can verify the Private endpoint connection on the *Networking* tab of the Azure Cognitive Search service instance. Once the whole operation is completed, you are good to use your Text Analytics service.

- * We don't support changes to Azure Cognitive Search service once you enable private access to your Text Analytics service. If you change the Azure Cognitive Search service via 'Features' tab after you have enabled private access, the Text Analytics service will become unusable.

- * After establishing Private Endpoint Connection, if you switch Azure Cognitive Search Service Networking to 'Public', you won't be able to use the Text Analytics service. Azure Search Service Networking needs to be 'Private' for the Private Endpoint Connection to work

-If you delete an Azure Cognitive Search index, the operation is final and the index cannot be recovered.

-<summary><b>Can I use the same Azure Cognitive Search resource for knowledge bases using multiple languages?</b></summary>

-<summary><b>How can I change the name of the Azure Cognitive Search resource used by QnA Maker?</b></summary>

-The name of the Azure Cognitive Search resource is the QnA Maker resource name with some random letters appended at the end. This makes it hard to distinguish between multiple Search resources for QnA Maker. Create a separate search service (naming it the way you would like to) and connect it to your QnA Service. The steps are similar to the steps you need to do to [upgrade an Azure search](How-To/set-up-qnamaker-service-azure.md#upgrade-the-azure-cognitive-search-service).

-### Scenario 3: API management authorizes to backend

-* Users authenticate to API Management by SSO from their identity provider, but authorize to a backend SaaS provider (such as LinkedIn) using a common organizational account

-description: Learn how to configure common credential providers in Azure API Management's credential manager. Example providers are Microsoft Entra ID and generic OAuth 2.0.

-API credentials support the Microsoft Entra identity provider, which is the identity service in Microsoft Azure that provides identity management and access control capabilities. It allows users to securely sign in using industry-standard protocols.

-* Create a connection for [Microsoft Entra ID](authorizations-how-to-azure-ad.md) or [GitHub](authorizations-how-to-github.md).

-> * Configure a credential provider in API Management.

-> * Create an API in API Management and configure a policy.

-## Step 2: Create a Microsoft Entra ID app registration

-Create a Microsoft Entra ID application for user delegation and give it the appropriate permissions to read the credential in API Management.

-* The **runtime** part uses the [`get-authorization-context`](get-authorization-context-policy.md) policy to fetch and store the connection's access and refresh tokens. When a call comes into API Management, and the `get-authorization-context` policy is executed, it will first validate if the existing authorization token is valid. If the authorization token has expired, API Management uses an OAuth 2.0 flow to refresh the stored tokens from the identity provider. Then the access token is used to authorize access to the backend service. For details, see [Runtime of connections](credentials-process-flow.md#runtime-of-connections).

- During the policy execution, access to the tokens is also validated using access policies.

-In the dedicated service tiers, the access token is cached by the API management until 3 minutes before the token expiration time. If the access token is less than 3 minutes away from expiration, the cached time will be until the access token expires.

-For details about managed OAuth 2.0 connections in API Management, see [About credential manager and API credentials in API Management](credentials-overview.md).

-The **management** part of connections in credential manager takes care of setting up and configuring a *credential provider* for OAuth 2.0 tokens, enabling the consent flow for the identity provider, and setting up one or more *connections* to the credential provider for access to the credentials.

-| Step | Description

-| 3| Client sends a request to create a credential |

-| 4| Credential is created, and a response is sent back with the information that the credential isn't "connected"|

-|5| Client sends a request to retrieve a login URL to start the OAuth 2.0 consent at the identity provider. The request includes a post-redirect URL to be used in the last step|

-|7|Client opens a browser with the login URL that was provided in the previous step. The browser is redirected to the identity provider OAuth 2.0 consent flow |

-|8|After the consent is approved, the browser is redirected with a credential code to the redirect URL configured at the identity provider|

-### Connection

-To access and use tokens for a provider, client apps need a connection to the credential provider. A given connection is permitted by *access policies* based on Microsoft Entra identities. You can configure multiple connections for a provider.

-|Authorization code | Bound to a user context, meaning a user needs to consent to the connection. As long as the refresh token is valid, API Management can retrieve new access and refresh tokens. If the refresh token becomes invalid, the user needs to reauthorize. All identity providers support authorization code. [Learn more](https://www.rfc-editor.org/rfc/rfc6749?msclkid=929b18b5d0e611ec82a764a7c26a9bea#section-1.3.1) |

-#### Consent

-For credentials based on the authorization code grant type, you must authenticate to the provider and *consent* to authorization. After successful login and authorization by the identity provider, the provider returns valid access and refresh tokens, which are encrypted and saved by API Management.

-#### Access policy

-|Service principal | Identity whose tokens can be used to authenticate and grant access to specific Azure resources, when an organization is using Microsoft Entra ID. By using a service principal, organizations avoid creating fictitious users to manage authentication when they need to access a resource. A service principal is a Microsoft Entra identity that represents a registered Microsoft Entra application. | Permits more tightly scoped access to credential and user delegation scenarios. Isn't tied to specific API Management instance. Relies on Microsoft Entra ID for permission enforcement. | Getting the [authorization context](get-authorization-context-policy.md) requires a Microsoft Entra token. |

-| Managed identity `<Your API Management instance name>` | This option corresponds to a managed identity tied to your API Management instance. | By default, access is provided to the system-assigned managed identity for the corresponding API management instance. | Identity is tied to your API Management instance. Anyone with Contributor access to API Management instance can access any credential granting managed identity permissions. |

-| Users or groups | Users or groups in your Microsoft Entra tenant. | Allows you to limit access to specific users or groups of users. | Requires that users have a Microsoft Entra account. |

-The **runtime** part requires a backend OAuth 2.0 API to be configured with the [`get-authorization-context`](get-authorization-context-policy.md) policy. At runtime, the policy fetches and stores access and refresh tokens from the credential store. When a call comes into API Management, and the `get-authorization-context` policy is executed, it will first validate if the existing authorization token is valid. If the authorization token has expired, API Management uses an OAuth 2.0 flow to refresh the stored tokens from the identity provider. Then the access token is used to authorize access to the backend service.

-The following image shows an example process flow to fetch and store authorization and refresh tokens based on a credential that uses the authorization code grant type. After the tokens have been retrieved, a call is made to the backend API.

-|2|The [`get-authorization-context`](get-authorization-context-policy.md) policy checks if the access token is valid for the current credential|

-|3|If the access token has expired but the refresh token is valid, API Management tries to fetch new access and refresh tokens from the configured identity provider|

-|4|The identity provider returns both an access token and a refresh token, which are encrypted and saved to API Management|

-* Authorization servers

-* Authorizations

-* Using the API credentials (formerly called authorizations) feature

- App setting names can't contain periods (`.`). If an app setting contains a period, the period is replaced with an underscore in the container.

- > In a default Linux app service or a custom Linux container, any nested JSON key structure in the app setting name like `ApplicationInsights:InstrumentationKey` needs to be configured in App Service as `ApplicationInsights__InstrumentationKey` for the key name. In other words, any `:` should be replaced by `__` (double underscore).

- >

-|clientResponseTime| Time difference (in **seconds**) between first byte application gateway received from the backend to first byte application gateway sent to the client. |

-* [Visualize Azure Cognitive Search Logs and Metrics with Power BI](/azure/search/search-monitor-logs-powerbi)

-description: This article tells you how to configure a Linux virtual machine to a desired state using Azure Automation State Configuration with PowerShell.

-# Configure Linux desired state with Azure Automation State Configuration using PowerShell

-> [!NOTE]

-> Before you enable Automation State Configuration, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [guest configuration](../governance/machine-configuration/overview.md). The guest configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Guest configuration also includes hybrid machine support through [Arc-enabled servers](../azure-arc/servers/overview.md).

-> [!IMPORTANT]

-> The desired state configuration VM extension for Linux will be [retired on **September 30, 2023**](https://aka.ms/dscext4linuxretirement). If you're currently using the desired state configuration VM extension for Linux, you should start planning your migration to the machine configuration feature of Azure Automanage by using the information in this article.

-In this tutorial, you'll apply an Azure Automation State Configuration with PowerShell to an Azure Linux virtual machine to check whether it complies with a desired state. The desired state is to identify if the apache2 service is present on the node.

-Azure Automation State Configuration allows you to specify configurations for your machines and ensure those machines are in a specified state over time. For more information about State Configuration, see [Azure Automation State Configuration overview](./automation-dsc-overview.md).

-In this tutorial, you learn how to:

-> [!div class="checklist"]

-> - Onboard an Azure Linux VM to be managed by Azure Automation DSC

-> - Compose a configuration

-> - Install PowerShell module for Automation

-> - Import a configuration to Azure Automation

-> - Compile a configuration into a node configuration

-> - Assign a node configuration to a managed node

-> - Modify the node configuration mapping

-> - Check the compliance status of a managed node

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

-## Prerequisites

-## Create a configuration

-Review the code below and note the presence of two node [configurations](/powershell/dsc/configurations/configurations): `IsPresent` and `IsNotPresent`. This configuration calls one resource in each node block: the [nxPackage resource](/powershell/dsc/reference/resources/linux/lnxpackageresource). This resource manages the presence of the **apache2** package. Configuration names in Azure Automation must be limited to no more than 100 characters.

-Then, in a text editor, copy the following code to a local file and name it `LinuxConfig.ps1`:

-```powershell

-Configuration LinuxConfig

-{

- Import-DscResource -ModuleName 'nx'

- Node IsPresent

- {

- nxPackage apache2

- {

- Name = 'apache2'

- Ensure = 'Present'

- PackageManager = 'Apt'

- }

- }

- Node IsNotPresent

- {

- nxPackage apache2

- {

- Name = 'apache2'

- Ensure = 'Absent'

- }

- }

-}

-```

-## Sign in to Azure

-From your machine, sign in to your Azure subscription with the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) PowerShell cmdlet and follow the on-screen directions.

-```powershell

-# Sign in to your Azure subscription

-$sub = Get-AzSubscription -ErrorAction SilentlyContinue

-if(-not($sub))

-{

- Connect-AzAccount

-}

-# If you have multiple subscriptions, set the one to use

-# Select-AzSubscription -SubscriptionId "<SUBSCRIPTIONID>"

-```

-## Initialize variables

-For efficiency and decreased chance of error when executing the cmdlets, revise the PowerShell code further below as necessary and then execute.

-| Variable | Value |

-|||

-|$resourceGroup| Replace `yourResourceGroup` with the actual name of your resource group.|

-|$automationAccount| Replace `yourAutomationAccount` with the actual name of your Automation account.|

-|$VM| Replace `yourVM` with the actual name of your Azure Linux VM.|

-|$configurationName| Leave as is with `LinuxConfig`. The name of the configuration used in this tutorial.|

-|$nodeConfigurationName0|Leave as is with `LinuxConfig.IsNotPresent`. The name of a node configuration used in this tutorial.|

-|$nodeConfigurationName1|Leave as is with `LinuxConfig.IsPresent`. The name of a node configuration used in this tutorial.|

-|$moduleName|Leave as is with `nx`. The name of the PowerShell module used for DSC in this tutorial.|

-|$moduleVersion| Obtain the latest version number for `nx` from the [PowerShell Gallery](https://www.powershellgallery.com/packages/nx). This tutorial uses version `1.0`.|

-```powershell

-$resourceGroup = "yourResourceGroup"

-$automationAccount = "yourAutomationAccount"

-$VM = "yourVM"

-$configurationName = "LinuxConfig"

-$nodeConfigurationName0 = "LinuxConfig.IsNotPresent"

-$nodeConfigurationName1 = "LinuxConfig.IsPresent"

-$moduleName = "nx"

-$moduleVersion = "1.0"

-```

-## Install nx module

-Azure Automation uses a number of PowerShell modules to enable cmdlets in runbooks and DSC resources in DSC configurations. **nx** is the module with DSC Resources for Linux. Install the **nx** module with the [New-AzAutomationModule](/powershell/module/az.automation/new-azautomationmodule) cmdlet. For more information about modules, see [Manage modules in Azure Automation](./shared-resources/modules.md). Run the following command:

-```powershell

-New-AzAutomationModule `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $moduleName `

- -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion"

-```

-The output should look similar as shown below:

- :::image type="content" source="media/dsc-linux-powershell/new-azautomationmodule-output.png" alt-text="Output from New-AzAutomationModule command.":::

-You can verify the installation running the following command:

-```powershell

-Get-AzAutomationModule `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $moduleName

-```

-## Import configuration to Azure Automation

-Call the [Import-AzAutomationDscConfiguration](/powershell/module/az.automation/import-azautomationdscconfiguration) cmdlet to upload the configuration into your Automation account. Revise value for `-SourcePath` with your actual path and then run the following command:

-```powershell

-Import-AzAutomationDscConfiguration `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -SourcePath "path\LinuxConfig.ps1" `

- -Published

-```

-The output should look similar as shown below:

- :::image type="content" source="media/dsc-linux-powershell/import-azautomationdscconfiguration-output.png" alt-text="Output from Import-AzAutomationDscConfiguration command.":::

-You can view the configuration from your Automation account running the following command:

-```powershell

-Get-AzAutomationDscConfiguration `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $configurationName

-```

-## Compile configuration in Azure Automation

-Before you can apply a desired state to a node, the configuration defining that state must be compiled into one or more node configurations. Call the [Start-AzAutomationDscCompilationJob](/powershell/module/Az.Automation/Start-AzAutomationDscCompilationJob) cmdlet to compile the `LinuxConfig` configuration in Azure Automation. For more information about compilation, see [Compile DSC configurations](./automation-dsc-compile.md). Run the following command:

-```powershell

-Start-AzAutomationDscCompilationJob `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -ConfigurationName $configurationName

-```

-The output should look similar as shown below:

- :::image type="content" source="media/dsc-linux-powershell/start-azautomationdsccompilationjob-output.png" alt-text="Output from Start-AzAutomationDscCompilationJob command.":::

-You can view the compilation job from your Automation account using the following command:

-```powershell

-Get-AzAutomationDscCompilationJob `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -ConfigurationName $configurationName

-```

-Wait for the compilation job to complete before proceeding. The configuration must be compiled into a node configuration before it can be assigned to a node. Execute the following code to check for status every 5 seconds:

-```powershell

-while ((Get-AzAutomationDscCompilationJob `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -ConfigurationName $configurationName).Status -ne "Completed")

-{

- Write-Output "Wait"

- Start-Sleep -Seconds 5

-}

-Write-Output "Compilation complete"

-```

-After the compilation job completes, you can also view the node configuration metadata using the following command:

-```powershell

-Get-AzAutomationDscNodeConfiguration `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount

-```

-## Register the Azure Linux VM for an Automation account

-Register the Azure Linux VM as a Desired State Configuration (DSC) node for the Azure Automation account. The [Register-AzAutomationDscNode](/powershell/module/az.automation/register-azautomationdscnode) cmdlet only supports VMs running Windows OS. The Azure Linux VM will first need to be configured for DSC. For detailed steps, see [Get started with Desired State Configuration (DSC) for Linux](/powershell/dsc/getting-started/lnxgettingstarted).

-1. Construct a Python script with the registration command using PowerShell for later execution on your Azure Linux VM by running the following code:

- ```powershell

- $primaryKey = (Get-AzAutomationRegistrationInfo `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount).PrimaryKey

- $URL = (Get-AzAutomationRegistrationInfo `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount).Endpoint

- Write-Output "sudo /opt/microsoft/dsc/Scripts/Register.py $primaryKey $URL"

- ```

- These commands obtain the Automation account's primary access key and URL and concatenates it to the registration command. Ensure you remove any carriage returns from the output. This command will be used in a later step.

-1. Connect to your Azure Linux VM. If you used a password, you can use the syntax below. If you used a public-private key pair, see [SSH on Linux](./../virtual-machines/linux/mac-create-ssh-keys.md) for detailed steps. The other commands retrieve information about what packages can be installed, including what updates to currently installed packages are available, and installs Python.

- ```cmd

- ssh user@IP

- ```

- ```bash

- sudo apt-get update

- sudo apt-get install -y python

- ```

-1. Install Open Management Infrastructure (OMI). For more information on OMI, see [Open Management Infrastructure](https://github.com/Microsoft/omi). Verify the latest [release](https://github.com/Microsoft/omi/releases). Revise the release version below as needed, and then execute the commands in your ssh session:

- ```bash

- wget https://github.com/microsoft/omi/releases/download/v1.6.8-0/omi-1.6.8-0.ssl_110.ulinux.x64.deb

- sudo dpkg -i ./omi-1.6.8-0.ssl_110.ulinux.x64.deb

- ```

-1. Install PowerShell Desired State Configuration for Linux. For more information, see [DSC on Linux](https://github.com/microsoft/PowerShell-DSC-for-Linux). Verify the latest [release](https://github.com/microsoft/PowerShell-DSC-for-Linux/releases). Revise the release version below as needed, and then execute the commands in your ssh session:

- ```bash

- wget https://github.com/microsoft/PowerShell-DSC-for-Linux/releases/download/v1.2.1-0/dsc-1.2.1-0.ssl_110.x64.deb

- sudo dpkg -i ./dsc-1.2.1-0.ssl_110.x64.deb

- ```

-1. Now you can register the node using the `sudo /opt/microsoft/dsc/Scripts/Register.py <Primary Access Key> <URL>` Python script created in step 1. Run the commands in your ssh session, and the following output should look similar as shown below:

- ```output

- instance of SendConfigurationApply

- {

- ReturnValue=0

- }

- ```

-1. You can verify the registration in PowerShell using the following command:

- ```powershell

- Get-AzAutomationDscNode `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $VM

- ```

- The output should look similar as shown below:

- :::image type="content" source="media/dsc-linux-powershell/get-azautomationdscnode-output.png" alt-text="Output from Get-AzAutomationDscNode command.":::

-## Assign a node configuration

-Call the [Set-AzAutomationDscNode](/powershell/module/Az.Automation/Set-AzAutomationDscNode) cmdlet to set the node configuration mapping. Run the following commands:

-```powershell

-# Get the ID of the DSC node

-$node = Get-AzAutomationDscNode `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $VM

-# Set node configuration mapping

-Set-AzAutomationDscNode `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -NodeConfigurationName $nodeConfigurationName0 `

- -NodeId $node.Id `

- -Force

-```

-The output should look similar as shown below:

- :::image type="content" source="media/dsc-linux-powershell/set-azautomationdscnode-output.png" alt-text="Output from Set-AzAutomationDscNode command.":::

-## Modify the node configuration mapping

-Call the [Set-AzAutomationDscNode](/powershell/module/Az.Automation/Set-AzAutomationDscNode) cmdlet to modify the node configuration mapping. Here, you modify the current node configuration mapping from `LinuxConfig.IsNotPresent` to `LinuxConfig.IsPresent`. Run the following command:

-```powershell

-# Modify node configuration mapping

-Set-AzAutomationDscNode `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -NodeConfigurationName $nodeConfigurationName1 `

- -NodeId $node.Id `

- -Force

-```

-## Check the compliance status of a managed node

-Each time State Configuration does a consistency check on a managed node, the node sends a status report back to the pull server. The following example uses the [Get-AzAutomationDscNodeReport](/powershell/module/Az.Automation/Get-AzAutomationDscNodeReport) cmdlet to report on the compliance status of a managed node.

-```powershell

-Get-AzAutomationDscNodeReport `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -NodeId $node.Id `

- -Latest

-```

-The output should look similar as shown below:

- :::image type="content" source="media/dsc-linux-powershell/get-azautomationdscnodereport-output.png" alt-text="Output from Get-AzAutomationDscNodeReport command.":::

-The first report may not be available immediately and may take up to 30 minutes after you enable a node. For more information about report data, see [Using a DSC report server](/powershell/dsc/pull-server/reportserver).

-## Clean up resources

-The following steps help you delete the resources created for this tutorial that are no longer needed.

-1. Remove DSC node from management by an Automation account. Although you can't register a node through PowerShell, you can unregister it with PowerShell. Run the following commands:

- ```powershell

- # Get the ID of the DSC node

- $NodeID = (Get-AzAutomationDscNode `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $VM).Id

- Unregister-AzAutomationDscNode `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Id $NodeID `

- -Force

- # Verify using the same command from Register the Azure Linux VM for an Automation account. A blank response indicates success.

- Get-AzAutomationDscNode `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $VM

- ```

-1. Remove metadata from DSC node configurations in Automation. Run the following commands:

- ```powershell

- Remove-AzAutomationDscNodeConfiguration `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $nodeConfigurationName0 `

- -IgnoreNodeMappings `

- -Force

- Remove-AzAutomationDscNodeConfiguration `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $nodeConfigurationName1 `

- -IgnoreNodeMappings `

- -Force

- # Verify using the same command from Compile configuration in Azure Automation.

- Get-AzAutomationDscNodeConfiguration `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $nodeConfigurationName0

- Get-AzAutomationDscNodeConfiguration `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $nodeConfigurationName1

- ```

- Successful removal is indicated by output that looks similar to the following: `Get-AzAutomationDscNodeConfiguration : NodeConfiguration LinuxConfig.IsNotPresent not found`.

-1. Remove DSC configuration from Automation. Run the following command:

- ```powershell

- Remove-AzAutomationDscConfiguration `

- -AutomationAccountName $automationAccount `

- -ResourceGroupName $resourceGroup `

- -Name $configurationName `

- -Force

- # Verify using the same command from Import configuration to Azure Automation.

- Get-AzAutomationDscConfiguration `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $configurationName

- ```

- Successful removal is indicated by output that looks similar to the following: `Get-AzAutomationDscConfiguration : Operation returned an invalid status code 'NotFound'`.

-1. Removes nx module from Automation. Run the following command:

- ```powershell

- Remove-AzAutomationModule `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $moduleName -Force

- # Verify using the same command from Install nx module.

- Get-AzAutomationModule `

- -ResourceGroupName $resourceGroup `

- -AutomationAccountName $automationAccount `

- -Name $moduleName

- ```

- Successful removal is indicated by output that looks similar to the following: `Get-AzAutomationModule : The module was not found. Module name: nx.`.

-## Next steps

-In this tutorial, you applied an Azure Automation State Configuration with PowerShell to an Azure Linux VM to check whether it complied with a desired state. For a more thorough explanation of configuration composition, see:

-> [!div class="nextstepaction"]

-> [Compose DSC configurations](./compose-configurationwithcompositeresources.md)

-The private endpoint documentation provides guidance for configuring [on-premises workloads using a DNS forwarder](../../private-link/private-endpoint-dns.md#on-premises-workloads-using-a-dns-forwarder).

-The private endpoint documentation provides guidance for configuring [on-premises workloads using a DNS forwarder](../../private-link/private-endpoint-dns.md#on-premises-workloads-using-a-dns-forwarder).

-+ Training: [Create a custom skill for Azure Cognitive Search](/training/modules/create-enrichment-pipeline-azure-cognitive-search)

-||Azure Cognitive Search|search.windows.net|search.windows.us||

-Data stored or processed in customer VMs, storage accounts, databases, Azure Import/Export, Azure Cache for Redis, ExpressRoute, Azure Cognitive Search, App Service, API Management, and other Azure services suitable for holding, processing, or transmitting customer data can contain sensitive data. However, metadata for these Azure services isn't permitted to contain sensitive or restricted data. This metadata includes all configuration data entered when creating and maintaining an Azure service, including:

-### [Azure Cognitive Search](../search/index.yml)

-* [Azure Cognitive Search](/java/api/overview/azure/search-documents-readme) 11.3.0+

-+ Removes the agent from the cluster nodes.

-| Azure Cognitive Search | [Cognitive Search monitoring data reference (schemas)](../../search/monitor-azure-cognitive-search-data-reference.md#schemas) |

-* To mount an NFS volume successfully, ensure that the following NFS ports are open between the client and the NFS volumes:

- * 111 TCP/UDP = `RPCBIND/Portmapper`

- * 635 TCP/UDP = `mountd`

- * 2049 TCP/UDP = `nfs`

- * 4045 TCP/UDP = `nlockmgr` (NFSv3 only)

- * 4046 TCP/UDP = `status` (NFSv3 only)

- * If you use NFSv4.1 and your configuration requires using VMs with the same host names (for example, in a DR test), refer to [Configure two VMs with the same hostname to access NFSv4.1 volumes](configure-nfs-clients.md#configure-two-vms-with-the-same-hostname-to-access-nfsv41-volumes).

-1. You can also access NFS volumes from Windows clients via SMB by setting the protocol access for the volume to ΓÇ£dual-protocolΓÇ¥. This setting allows access to the volume via SMB and NFS (NFSv3 or NFSv4.1) and will result in better performance than using the NFS client on Windows with an NFS volume. See [Create a dual-protocol volume](create-volumes-dual-protocol.md) for details, and take note of the security style mappings table. Mounting a dual-protocol volume from Windows clients using the same procedure as regular SMB volumes.

- level5: invalidRecursiveObject

-| Microsoft.Search | [Azure Cognitive Search](../../search/index.yml) |

-## Azure Cognitive Search limits

-To learn more about limits on a more granular level, such as document size, queries per second, keys, requests, and responses, see [Service limits in Azure Cognitive Search](../../search/search-limits-quotas-capacity.md).

-> | Cognitive Search | **Yes** | **Yes** | Supported with manual steps.<br/><br/> Learn about [moving your Azure Cognitive Search service to another region](../../search/search-howto-move-across-regions.md) |

-If your Azure Cosmos DB account is used by other Azure services like Azure Cognitive Search, or is accessed from Stream analytics or Power BI, you allow access by selecting **Accept connections from within global Azure datacenters**.

-This setting should only be enabled when you want your Azure Cosmos DB account to be accessible to any Azure service in any Azure region. Other Azure first party services such as Azure Data Factory and Azure Cognitive Search provide documentation for how to secure access to data sources including Azure Cosmos DB accounts, for example:

-Azure Cosmos DB for MongoDB does not currently support text indexes. For text search queries on strings, you should use [Azure Cognitive Search](../../search/search-howto-index-cosmosdb.md) integration with Azure Cosmos DB.

-### Azure Cognitive Search

-Azure Cognitive Search is fully managed cloud search service that provides auto-complete, geospatial search, filtering and faceting capabilities for a rich user experience.

-Here's how you can [index data from the Azure Cosmos DB for MongoDB account](../../search/search-howto-index-cosmosdb-mongodb.md) to use with Azure Cognitive Search.

-Because you're using Azure Cosmos DB, you can easily implement a search engine using [Azure Cognitive Search](https://azure.microsoft.com/services/search/) in a few minutes without typing any code, other than the search process and UI.

-Azure Cognitive Search implements what they call [Indexers](/rest/api/searchservice/Indexer-operations), background processes that hook in your data repositories and automagically add, update or remove your objects in the indexes. They support an [Azure SQL Database indexers](/archive/blogs/kaevans/indexing-azure-sql-database-with-azure-search), [Azure Blobs indexers](../search/search-howto-indexing-azure-blob-storage.md) and thankfully, [Azure Cosmos DB indexers](../search/search-howto-index-cosmosdb.md). The transition of information from Azure Cosmos DB to Azure Cognitive Search is straightforward. Both technologies store information in JSON format, so you just need to [create your Index](../search/search-what-is-an-index.md) and map the attributes from your Documents you want indexed. ThatΓÇÖs it! Depending on the size of your data, all your content will be available to be searched upon within minutes by the best Search-as-a-Service solution in cloud infrastructure.

-For more information about Azure Cognitive Search, you can visit the [HitchhikerΓÇÖs Guide to Search](/archive/blogs/mvpawardprogram/a-hitchhikers-guide-to-search).

-The truth is that there's no silver bullet for this kind of scenarios. ItΓÇÖs the synergy created by the combination of great services that allow us to build great experiences: the speed and freedom of Azure Cosmos DB to provide a great social application, the intelligence behind a first-class search solution like Azure Cognitive Search, the flexibility of Azure App Services to host not even language-agnostic applications but powerful background processes and the expandable Azure Storage and Azure SQL Database for storing massive amounts of data and the analytic power of Azure Machine Learning to create knowledge and intelligence that can provide feedback to your processes and help us deliver the right content to the right users.

-# Copy data to an Azure Cognitive Search index using Azure Data Factory or Synapse Analytics

-This article outlines how to use the Copy Activity in an Azure Data Factory or Synapse Analytics pipeline to copy data into Azure Cognitive Search index. It builds on the [copy activity overview](copy-activity-overview.md) article that presents a general overview of copy activity.

-This Azure Cognitive Search connector is supported for the following capabilities:

-The following sections provide details about properties that are used to define Data Factory entities specific to Azure Cognitive Search connector.

-The following properties are supported for Azure Cognitive Search linked service:

-> When copying data from a cloud data store into search index, in Azure Cognitive Search linked service, you need to refer an Azure Integration Runtime with explicit region in connactVia. Set the region as the one where your search service resides. Learn more from [Azure Integration Runtime](concepts-integration-runtime.md#azure-integration-runtime).

-For a full list of sections and properties available for defining datasets, see the [datasets](concepts-datasets-linked-services.md) article. This section provides a list of properties supported by Azure Cognitive Search dataset.

-To copy data into Azure Cognitive Search, the following properties are supported:

-| indexName | Name of the search index. The service does not create the index. The index must exist in Azure Cognitive Search. | Yes |

- "referenceName": "<Azure Cognitive Search linked service name>",

-For a full list of sections and properties available for defining activities, see the [Pipelines](concepts-pipelines-activities.md) article. This section provides a list of properties supported by Azure Cognitive Search source.

-### Azure Cognitive Search as sink

-To copy data into Azure Cognitive Search, set the source type in the copy activity to **AzureSearchIndexSink**. The following properties are supported in the copy activity **sink** section:

-AzureSearchSink upserts when writing data. In other words, when writing a document, if the document key already exists in the search index, Azure Cognitive Search updates the existing document rather than throwing a conflict exception.

-Azure Cognitive Search service supports writing documents as a batch. A batch can contain 1 to 1,000 Actions. An action handles one document to perform the upload/merge operation.

- "referenceName": "<Azure Cognitive Search output dataset name>",

-The following table specifies whether an Azure Cognitive Search data type is supported or not.

-| Azure Cognitive Search data type | Supported in Azure Cognitive Search Sink |

-Currently other data types e.g. ComplexType are not supported. For a full list of Azure Cognitive Search supported data types, see [Supported data types (Azure Cognitive Search)](/rest/api/searchservice/supported-data-types).

-| Transfer | The elapsed time between the end of the previous step and the IR transferring all the data from source to sink. <br/>Note the sub-steps under transfer run in parallel, and some operations are not shown now e.g. parsing/generating file format.<br><br/>- **Time to first byte:** The time elapsed between the end of the previous step and the time when the IR receives the first byte from the source data store. Applies to non-file-based sources.<br>- **Listing source:** The amount of time spent on enumerating source files or data partitions. The latter applies when you configure partition options for database sources, e.g. when copy data from databases like Oracle/SAP HANA/Teradata/Netezza/etc.<br/>-**Reading from source:** The amount of time spent on retrieving data from source data store.<br/>- **Writing to sink:** The amount of time spent on writing data to sink data store. Note some connectors do not have this metric at the moment, including Azure Cognitive Search, Azure Data Explorer, Azure Table storage, Oracle, SQL Server, Common Data Service, Dynamics 365, Dynamics CRM, Salesforce/Salesforce Service Cloud. |

-Satellite imagery makes up a foundational pillar of agriculture data. To support scalable ingestion of geometry-clipped imagery, we've partnered with Sentinel Hub by Sinergise to provide a seamless bring your own license (BYOL) experience. This BYOL experience allows you to manage your own costs while keeping the convenience of storing your field-clipped historical and up to date imagery in the linked context of the relevant fields.

-> [!Tip]

-|Azure Cognitive Search|Γ£ö|-|-|

-### Private link restrictions - Runtime threat protection

-## Bulk import with the Jobs API

-The [Jobs API](/rest/api/digital-twins/dataplane/jobs) is a data plane API that allows you to import a set of models, twins, and/or relationships in a single API call. Jobs API operations are also included with the [CLI commands](/cli/azure/dt/job) and [data plane SDKs](#data-plane-apis). Using the Jobs API requires use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md).

-To use the Jobs API, you'll need to enable the permission settings described in this section.

-> If you attempt an Jobs API call and you're missing write permissions to one of the graph element types you're trying to import, the job will skip that type and import the others. For example, if you have write access to models and twins, but not relationships, an attempt to bulk import all three types of element will only succeed in importing the models and twins. The job status will reflect a failure and the message will indicate which permissions are missing.

-Once the file has been created, upload it to a block blob in Azure Blob Storage using your preferred upload method (some options are the [AzCopy command](../storage/common/storage-use-azcopy-blobs-upload.md), the [Azure CLI](../storage/blobs/storage-quickstart-blobs-cli.md#upload-a-blob), or the [Azure portal](https://portal.azure.com)). You'll use the blob storage URL of the NDJSON file in the body of the Jobs API call.

-Now you can proceed with calling the [Jobs API](/rest/api/digital-twins/dataplane/jobs). For detailed instructions on importing a full graph in one API call, see [Upload models, twins, and relationships in bulk with the Jobs API](how-to-manage-graph.md#upload-models-twins-and-relationships-in-bulk-with-the-jobs-api). You can also use the Jobs API to import each resource type independently. For more information on using the Jobs API with individual resource types, see Jobs API instructions for [models](how-to-manage-model.md#upload-large-model-sets-with-the-jobs-api), [twins](how-to-manage-twin.md#create-twins-in-bulk-with-the-jobs-api), and [relationships](how-to-manage-graph.md#create-relationships-in-bulk-with-the-jobs-api).

-When the job is complete, you can see the total number of ingested entities using the [BulkOperationEntityCount metric](how-to-monitor.md#bulk-operation-metrics-from-the-jobs-api).

-It's also possible to cancel a running import job with the [Cancel operation](/rest/api/digital-twins/dataplane/jobs/import-jobs-cancel) from the Jobs API. Once the job has been canceled and is no longer running, you can delete it.

-Keep the following considerations in mind while working with the Jobs API:

-* Currently, the Jobs API only supports "create" operations.

-* Only one bulk import job is supported at a time within an Azure Digital Twins instance. You can view this information and other numerical limits of the Jobs API in [Azure Digital Twins limits](reference-service-limits.md).

-You can upload many models in a single API call using the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api). The API can simultaneously accept up to the [Azure Digital Twins limit for number of models in an instance](reference-service-limits.md), and it automatically reorders models if needed to resolve dependencies between them. For detailed instructions and examples that use this API, see [bulk import instructions for models](how-to-manage-model.md#upload-large-model-sets-with-the-jobs-api).

-An alternative to the Jobs API is the [Model uploader sample](https://github.com/Azure/opendigitaltwins-tools/tree/main/ADTTools#uploadmodels), which uses the individual model APIs to upload multiple model files at once. The sample also implements automatic reordering to resolve model dependencies. It currently only works with [version 2 of DTDL](concepts-models.md#supported-dtdl-versions).

-### Create twins and relationships in bulk with the Jobs API

-You can upload many twins and relationships in a single API call using the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api). Twins and relationships created with this API can optionally include initialization of their properties. For detailed instructions and examples that use this API, see [bulk import instructions for twins](how-to-manage-twin.md#create-twins-in-bulk-with-the-jobs-api) and [relationships](how-to-manage-graph.md#create-relationships-in-bulk-with-the-jobs-api).

-### Create relationships in bulk with the Jobs API

-You can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to create many relationships at once in a single API call. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for relationships and bulk jobs.

->The Jobs API also allows models and twins to be imported in the same call, to create all parts of a graph at once. For more about this process, see [Upload models, twins, and relationships in bulk with the Jobs API](#upload-models-twins-and-relationships-in-bulk-with-the-jobs-api).

-You can view an example import file and a sample project for creating these files in the [Jobs API introduction](concepts-apis-sdks.md#bulk-import-with-the-jobs-api).

-Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

-### Upload models, twins, and relationships in bulk with the Jobs API

-You can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to upload multiple models, twins, and relationships to your instance in a single API call, effectively creating the graph all at once. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for graph elements (models, twins, and relationships) and bulk jobs.

-You can view an example import file and a sample project for creating these files in the [Jobs API introduction](concepts-apis-sdks.md#bulk-import-with-the-jobs-api).

-Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

-### Upload large model sets with the Jobs API

-For large model sets, you can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to upload many models at once in a single API call. The API can simultaneously accept up to the [Azure Digital Twins limit for number of models in an instance](reference-service-limits.md), and it automatically reorders models if needed to resolve dependencies between them. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for models and bulk jobs.

->The Jobs API also allows twins and relationships to be imported in the same call, to create all parts of a graph at once. For more about this process, see [Upload models, twins, and relationships in bulk with the Jobs API](how-to-manage-graph.md#upload-models-twins-and-relationships-in-bulk-with-the-jobs-api).

-To import models in bulk, you'll need to structure your models (and any other resources included in the bulk import job) as an *NDJSON* file. The `Models` section comes immediately after `Header` section, making it the first graph data section in the file. You can view an example import file and a sample project for creating these files in the [Jobs API introduction](concepts-apis-sdks.md#bulk-import-with-the-jobs-api).

-Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

-Entities in your environment are represented by [digital twins](concepts-twins-graph.md). Managing your digital twins may include creation, modification, and removal.

- - Telemetry (initialization recommended): You can also set initial values for telemetry fields on the twin. Although initializing telemetry isn't required, telemetry fields also won't show up as part of a twin until they've been set. This means that **you'll be unable to edit telemetry values for a twin unless they've been initialized first**.

-First, you can create a data object to represent the twin and its property data. You can create a parameter object either manually, or by using a provided helper class. Here is an example of each.

-The helper class of `BasicDigitalTwin` allows you to store property fields in a "twin" object directly. You may still want to build the list of properties using a `Dictionary<string, object>`, which can then be added to the twin object as its `CustomProperties` directly.

-### Create twins in bulk with the Jobs API

-You can use the [Jobs API](concepts-apis-sdks.md#bulk-import-with-the-jobs-api) to create many twins at once in a single API call. This method requires the use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md), as well as [write permissions](concepts-apis-sdks.md#check-permissions) in your Azure Digital Twins instance for twins and bulk jobs.

->The Jobs API also allows models and relationships to be imported in the same call, to create all parts of a graph at once. For more about this process, see [Upload models, twins, and relationships in bulk with the Jobs API](how-to-manage-graph.md#upload-models-twins-and-relationships-in-bulk-with-the-jobs-api).

-To import twins in bulk, you'll need to structure your twins (and any other resources included in the bulk import job) as an *NDJSON* file. The `Twins` section comes after the `Models` section (and before the `Relationships` section). Twins defined in the file can reference models that are either defined in this file or already present in the instance, and they can optionally include initialization of the twin's properties.

-You can view an example import file and a sample project for creating these files in the [Jobs API introduction](concepts-apis-sdks.md#bulk-import-with-the-jobs-api).

-Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

-This call returns twin data as a strongly typed object type such as `BasicDigitalTwin`. `BasicDigitalTwin` is a serialization helper class included with the SDK, which will return the core twin metadata and properties in pre-parsed form. You can always deserialize twin data using the JSON library of your choice, like `System.Text.Json` or `Newtonsoft.Json`. For basic access to a twin, however, the helper classes can make this more convenient.

- - `lastUpdateTime` for twin properties. This is a timestamp indicating the date and time the property update message was processed by Azure Digital Twins

-Here's the body of the basic query that will return a list of all digital twins in the instance:

-A single patch call can update as many properties on a single twin as you want (even all of them). If you need to update properties across multiple twins, you'll need a separate update call for each twin.

-Recall that a model may contain components, allowing it to be made up of other models.

-Models may contain properties that are of an object type. Those objects may have their own properties, and you may want to update one of those sub-properties belonging to the object-type property. This process is similar to the process for [updating sub-properties in components](#update-sub-properties-in-digital-twin-components), but may require some extra steps.

-When a twin is created using this model, it's not necessary to instantiate the `ObjectProperty` at that time. If the object property isn't instantiated during twin creation, there's no default path created to access `ObjectProperty` and its `StringSubProperty` for a patch operation. You'll need to add the path to `ObjectProperty` yourself before you can update its properties.

-Although the first step isn't necessary in cases where `ObjectProperty` was instantiated when the twin was created, it's recommended to use it every time you update a sub-property for the first time, since you may not always know with certainty whether the object property was initially instantiated or not.

-This operation will only succeed if the digital twin being modified by the patch conforms with the new model.

-You may optionally decide to use the `sourceTime` field on twin properties to record timestamps for when property updates are observed in the real world. Azure Digital Twins natively supports `sourceTime` in the metadata for each twin property. The `sourceTime` value must comply with ISO 8601 date and time format. For more information about this field and other fields on digital twins, see [Digital twin JSON format](concepts-twins-graph.md#digital-twin-json-format).

-* Write property A on Twin1

-* Write property B on Twin1

-* Write property A on Twin2

-The two calls that modify Twin1 are executed one after another, and change messages are generated for each change. The call to modify Twin2 may be executed concurrently with no conflict, as soon as it arrives.

-Here is an example of the code to delete twins and their relationships. The `DeleteDigitalTwin` SDK call is highlighted to clarify where it falls in the wider example context.

-3. Add two dependencies to your project that will be needed to work with Azure Digital Twins. The first is the package for the [Azure Digital Twins SDK for .NET](/dotnet/api/overview/azure/digitaltwins.core-readme), and the second provides tools to help with authentication against Azure.

-You'll also need to set up local credentials if you want to run the sample directly. The next section walks through this.

-Now that you've completed setup, you can run the sample code project.

-Here is the console output of the above program:

-### Bulk operation metrics (from the Jobs API)

-Metrics having to do with bulk operations from the [Jobs API](/rest/api/digital-twins/dataplane/jobs):

-| ImportJobEntityCount | Import Job Entity Count | Count | Total | The number of twins, models, or relationships processed by an import job. | Operation, <br>Result |

-* If you want to continue using the Azure Digital Twins instance, but clear out all of its models, twins, and relationships, you can use the [az dt twin relationship delete](/cli/azure/dt/twin/relationship#az-dt-twin-relationship-delete), [az dt twin delete](/cli/azure/dt/twin#az-dt-twin-delete), and [az dt model delete](/cli/azure/dt/model#az-dt-model-delete) commands to clear the relationships, twins, and models in your instance, respectively.

-1. Deploy a [DNS forwarder](../private-link/private-endpoint-dns.md#virtual-network-and-on-premises-workloads-using-a-dns-forwarder) virtual machine in a virtual network connected to the secured virtual hub and linked to the Private DNS Zones hosting the A record types for the private endpoints.

-|[Azure Cognitive Search service should use a SKU that supports private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa049bf77-880b-470f-ba6d-9f21c530cf83) |With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: [https://aka.ms/azure-cognitive-search/inbound-private-endpoints](https://aka.ms/azure-cognitive-search/inbound-private-endpoints). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_RequirePrivateLinkSupportedResource_Deny.json) |

-| Azure Cognitive Search | Stores indices that are used to help query your machine learning content. |

-Your Azure Machine Learning workspace reads and writes data using its managed identity. This identity is granted access to the resources using a role assignment (Azure role-based access control) on the data resources. The encryption key you provide is used to encrypt data that is stored on Microsoft-managed resources. It's also used to create indices for Azure Cognitive Search, which are created at runtime.

-## YAML: Pipeline component deployment (preview)

-> You might require additional DNS settings to resolve the private IP address of the storage account's private endpoint from the source environment. To understand the DNS configuration needed, see [Azure private endpoint DNS configuration](../private-link/private-endpoint-dns.md#on-premises-workloads-using-a-dns-forwarder).

-The on-premises appliance (or replication provider) will access the Azure Migrate resources using their fully qualified private link domain names (FQDNs). You might require additional DNS settings to resolve the private IP address of the private endpoints from the source environment. [See this article](../private-link/private-endpoint-dns.md#on-premises-workloads-using-a-dns-forwarder) to understand the DNS configuration scenarios that can help troubleshoot any network connectivity issues.

-| Azure Cognitive Search | All public regions | | GA </br> [Learn how to create a private endpoint for Azure Cognitive Search](../search/service-create-private-endpoint.md) |

-The same considerations as in scenario 2 above apply. In this scenario, there aren't virtual network peering charges. For more information about how to configure your DNS servers to allow on-premises workloads to access private endpoints, see [on-premises workloads using a DNS forwarder](./private-endpoint-dns.md#on-premises-workloads-using-a-dns-forwarder).

-description: Learn about Azure Private Endpoint DNS configuration.

-# Azure Private Endpoint DNS configuration

-> [!IMPORTANT]

-> It is not recommended to override a zone that's actively in use to resolve public endpoints. Connections to resources won't be able to resolve correctly without DNS forwarding to the public DNS. To avoid issues, create a different domain name or follow the suggested name for each service below.

-> [!IMPORTANT]

-> Existing Private DNS Zones linked to a single service should not be associated with two different Private Endpoints. This will cause a deletion of the initial A-record and result in resolution issue when attempting to access that service from each respective Private Endpoint. However, linking a Private DNS Zones with private endpoints associated with different services would not face this resolution constraint.

-Your applications don't need to change the connection URL. When resolving to a public DNS service, the DNS server will resolve to your private endpoints. The process doesn't affect your existing applications. If you are using Azure File shares, the share will need to be remounted if it's currently mounted using the public endpoint.

-> * Private networks already using the private DNS zone for a given type, can only connect to public resources if they don't have any private endpoint connections, otherwise a corresponding DNS configuration is required on the private DNS zone in order to complete the DNS resolution sequence.

-> * Private endpoint private DNS zone configurations will only automatically generate if you use the recommended naming scheme in the following table.

-For Azure services, use the recommended zone names as described in the following table:

-| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |

-|||||

-| Azure Automation (Microsoft.Automation/automationAccounts) | Webhook <br> DSCAndHybridWorker | privatelink.azure-automation.net | {regionCode}.azure-automation.net |

-| Azure SQL Database (Microsoft.Sql/servers) | sqlServer | privatelink.database.windows.net | database.windows.net |

-| Azure SQL Managed Instance (Microsoft.Sql/managedInstances) | managedInstance | privatelink.{dnsPrefix}.database.windows.net | {instanceName}.{dnsPrefix}.database.windows.net |

-| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Sql | privatelink.sql.azuresynapse.net | sql.azuresynapse.net |

-| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | SqlOnDemand | privatelink.sql.azuresynapse.net | {workspaceName}-ondemand.sql.azuresynapse.net |

-| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Dev | privatelink.dev.azuresynapse.net | dev.azuresynapse.net |

-| Azure Synapse Studio (Microsoft.Synapse/privateLinkHubs) | Web | privatelink.azuresynapse.net | azuresynapse.net |

-| Storage account (Microsoft.Storage/storageAccounts) | blob </br> blob_secondary | privatelink.blob.core.windows.net | blob.core.windows.net |

-| Storage account (Microsoft.Storage/storageAccounts) | table </br> table_secondary | privatelink.table.core.windows.net | table.core.windows.net |

-| Storage account (Microsoft.Storage/storageAccounts) | queue </br> queue_secondary | privatelink.queue.core.windows.net | queue.core.windows.net |

-| Storage account (Microsoft.Storage/storageAccounts) | file | privatelink.file.core.windows.net | file.core.windows.net |

-| Storage account (Microsoft.Storage/storageAccounts) | web </br> web_secondary | privatelink.web.core.windows.net | web.core.windows.net |

-| Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) | dfs </br> dfs_secondary | privatelink.dfs.core.windows.net | dfs.core.windows.net |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Sql | privatelink.documents.azure.com | documents.azure.com |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.com | mongo.cosmos.azure.com |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Cassandra | privatelink.cassandra.cosmos.azure.com | cassandra.cosmos.azure.com |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Gremlin | privatelink.gremlin.cosmos.azure.com | gremlin.cosmos.azure.com |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Table | privatelink.table.cosmos.azure.com | table.cosmos.azure.com |

-| Azure Cosmos DB (Microsoft.DBforPostgreSQL/serverGroupsv2) | coordinator | privatelink.postgres.cosmos.azure.com | postgres.cosmos.azure.com |

-| Azure Batch (Microsoft.Batch/batchAccounts) | batchAccount | {regionName}.privatelink.batch.azure.com | {regionName}.batch.azure.com |

-| Azure Batch (Microsoft.Batch/batchAccounts) | nodeManagement | {regionName}.service.privatelink.batch.azure.com | {regionName}.service.batch.azure.com |

-| Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) | postgresqlServer | privatelink.postgres.database.azure.com | postgres.database.azure.com |

-| Azure Database for MySQL - Single Server (Microsoft.DBforMySQL/servers) | mysqlServer | privatelink.mysql.database.azure.com | mysql.database.azure.com |

-| Azure Database for MySQL - Flexible Server (Microsoft.DBforMySQL/flexibleServers) | mysqlServer | privatelink.mysql.database.azure.com | mysql.database.azure.com |

-| Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) | mariadbServer | privatelink.mariadb.database.azure.com | mariadb.database.azure.com |

-| Azure Key Vault (Microsoft.KeyVault/vaults) | vault | privatelink.vaultcore.azure.net | vault.azure.net <br> vaultcore.azure.net |

-| Azure Key Vault (Microsoft.KeyVault/managedHSMs) | managedhsm | privatelink.managedhsm.azure.net | managedhsm.azure.net |

-| Azure Kubernetes Service - Kubernetes API (Microsoft.ContainerService/managedClusters) | management | privatelink.{regionName}.azmk8s.io </br> {subzone}.privatelink.{regionName}.azmk8s.io | {regionName}.azmk8s.io |

-| Azure Search (Microsoft.Search/searchServices) | searchService | privatelink.search.windows.net | search.windows.net |

-| Azure Container Registry (Microsoft.ContainerRegistry/registries) | registry | privatelink.azurecr.io </br> {regionName}.privatelink.azurecr.io | azurecr.io </br> {regionName}.azurecr.io |

-| Azure App Configuration (Microsoft.AppConfiguration/configurationStores) | configurationStores | privatelink.azconfig.io | azconfig.io |

-| Azure Backup (Microsoft.RecoveryServices/vaults) | AzureBackup | privatelink.{regionCode}.backup.windowsazure.com | {regionCode}.backup.windowsazure.com |

-| Azure Site Recovery (Microsoft.RecoveryServices/vaults) | AzureSiteRecovery | privatelink.siterecovery.windowsazure.com | {regionCode}.siterecovery.windowsazure.com |

-| Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | privatelink.servicebus.windows.net | servicebus.windows.net |

-| Azure Service Bus (Microsoft.ServiceBus/namespaces) | namespace | privatelink.servicebus.windows.net | servicebus.windows.net |

-| Azure IoT Hub (Microsoft.Devices/IotHubs) | iotHub | privatelink.azure-devices.net<br/>privatelink.servicebus.windows.net¹ | azure-devices.net<br/>servicebus.windows.net |

-| Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) | iotDps | privatelink.azure-devices-provisioning.net | azure-devices-provisioning.net |

-| Azure Relay (Microsoft.Relay/namespaces) | namespace | privatelink.servicebus.windows.net | servicebus.windows.net |

-| Azure Event Grid (Microsoft.EventGrid/topics) | topic | privatelink.eventgrid.azure.net | eventgrid.azure.net |

-| Azure Event Grid (Microsoft.EventGrid/domains) | domain | privatelink.eventgrid.azure.net | eventgrid.azure.net |

-| Azure Web Apps - Azure Function Apps (Microsoft.Web/sites) | sites | privatelink.azurewebsites.net </br> scm.privatelink.azurewebsites.net | azurewebsites.net </br> scm.azurewebsites.net |

-| Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) | amlworkspace | privatelink.api.azureml.ms<br/>privatelink.notebooks.azure.net | api.azureml.ms<br/>notebooks.azure.net<br/>instances.azureml.ms<br/>aznbcontent.net<br/>inference.ml.azure.com |

-| SignalR (Microsoft.SignalRService/SignalR) | signalR | privatelink.service.signalr.net | service.signalr.net |

-| Azure Monitor (Microsoft.Insights/privateLinkScopes) | azuremonitor | privatelink.monitor.azure.com<br/> privatelink.oms.opinsights.azure.com <br/> privatelink.ods.opinsights.azure.com <br/> privatelink.agentsvc.azure-automation.net <br/> privatelink.blob.core.windows.net | monitor.azure.com<br/> oms.opinsights.azure.com<br/> ods.opinsights.azure.com<br/> agentsvc.azure-automation.net <br/> blob.core.windows.net |

-| Azure AI services (Microsoft.CognitiveServices/accounts) | account | privatelink.cognitiveservices.azure.com <br/> privatelink.openai.azure.com | cognitiveservices.azure.com <br/> openai.azure.com |

-| Azure File Sync (Microsoft.StorageSync/storageSyncServices) | afs | privatelink.afs.azure.net | afs.azure.net |

-| Azure Data Factory (Microsoft.DataFactory/factories) | dataFactory | privatelink.datafactory.azure.net | datafactory.azure.net |

-| Azure Data Factory (Microsoft.DataFactory/factories) | portal | privatelink.adf.azure.com | adf.azure.com |

-| Azure Cache for Redis (Microsoft.Cache/Redis) | redisCache | privatelink.redis.cache.windows.net | redis.cache.windows.net |

-| Azure Cache for Redis Enterprise (Microsoft.Cache/RedisEnterprise) | redisEnterprise | privatelink.redisenterprise.cache.azure.net | redisenterprise.cache.azure.net |

-| Microsoft Purview (Microsoft.Purview/accounts) | account | privatelink.purview.azure.com | purview.azure.com |

-| Microsoft Purview (Microsoft.Purview/accounts) | portal | privatelink.purviewstudio.azure.com | purview.azure.com </br> purviewstudio.azure.com |

-| Azure Digital Twins (Microsoft.DigitalTwins/digitalTwinsInstances) | digitalTwinsInstances | privatelink.digitaltwins.azure.net | digitaltwins.azure.net |

-| Azure HDInsight (Microsoft.HDInsight/clusters) | N/A | privatelink.azurehdinsight.net | azurehdinsight.net |

-| Azure Arc (Microsoft.HybridCompute/privateLinkScopes) | hybridcompute | privatelink.his.arc.azure.com <br/> privatelink.guestconfiguration.azure.com </br> privatelink.dp.kubernetesconfiguration.azure.com | his.arc.azure.com <br/> guestconfiguration.azure.com </br> dp.kubernetesconfiguration.azure.com |

-| Azure Media Services (Microsoft.Media/mediaservices) | keydelivery </br> liveevent </br> streamingendpoint | privatelink.media.azure.net | media.azure.net |

-| Azure Data Explorer (Microsoft.Kusto/Clusters) | cluster | privatelink.{regionName}.kusto.windows.net | {regionName}.kusto.windows.net |

-| Azure Static Web Apps (Microsoft.Web/staticSites) | staticSites | privatelink.azurestaticapps.net </br> privatelink.{partitionId}.azurestaticapps.net | azurestaticapps.net </br> {partitionId}.azurestaticapps.net |

-| Azure Migrate (Microsoft.Migrate/migrateProjects) | Default | privatelink.prod.migration.windowsazure.com | prod.migration.windowsazure.com |

-| Azure Migrate (Microsoft.Migrate/assessmentProjects) | Default | privatelink.prod.migration.windowsazure.com | prod.migration.windowsazure.com |

-| Azure API Management (Microsoft.ApiManagement/service) | gateway | privatelink.azure-api.net | azure-api.net |

-| Microsoft PowerBI (Microsoft.PowerBI/privateLinkServicesForPowerBI) | tenant | privatelink.analysis.windows.net </br> privatelink.pbidedicated.windows.net </br> privatelink.tip1.powerquery.microsoft.com | analysis.windows.net </br> pbidedicated.windows.net </br> tip1.powerquery.microsoft.com |

-| Azure Bot Service (Microsoft.BotService/botServices) | Bot | privatelink.directline.botframework.com | directline.botframework.com </br> europe.directline.botframework.com |

-| Azure Bot Service (Microsoft.BotService/botServices) | Token | privatelink.token.botframework.com | token.botframework.com </br> europe.token.botframework.com |

-| Azure Health Data Services (Microsoft.HealthcareApis/workspaces) | healthcareworkspace | privatelink.workspace.azurehealthcareapis.com </br> privatelink.fhir.azurehealthcareapis.com </br> privatelink.dicom.azurehealthcareapis.com | workspace.azurehealthcareapis.com </br> fhir.azurehealthcareapis.com </br> dicom.azurehealthcareapis.com |

-| Azure Databricks (Microsoft.Databricks/workspaces) | databricks_ui_api </br> browser_authentication | privatelink.azuredatabricks.net | azuredatabricks.net |

-| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) | global | privatelink-global.wvd.microsoft.com | wvd.microsoft.com |

-| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces </br> Microsoft.DesktopVirtualization/hostpools) | feed <br> connection | privatelink.wvd.microsoft.com | wvd.microsoft.com |

-| Azure Resource Manager (Microsoft.Authorization/resourceManagementPrivateLinks) | ResourceManagement | privatelink.azure.com | azure.com |

-### Government

-| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |

-|||||

-| Azure Automation / (Microsoft.Automation/automationAccounts) | Webhook </br> DSCAndHybridWorker | privatelink.azure-automation.us | azure-automation.us |

-| Azure SQL Database (Microsoft.Sql/servers) | sqlServer | privatelink.database.usgovcloudapi.net | database.usgovcloudapi.net |

-| Azure SQL Managed Instance (Microsoft.Sql/managedInstances) | managedInstance | privatelink.{dnsPrefix}.database.usgovcloudapi.net | {instanceName}.{dnsPrefix}.database.usgovcloudapi.net |

-| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Sql | privatelink.sql.azuresynapse.usgovcloudapi.net | sql.azuresynapse.usgovcloudapi.net |

-| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | SqlOnDemand | privatelink.sql.azuresynapse.usgovcloudapi.net | {workspaceName}-ondemand.sql.azuresynapse.usgovcloudapi.net |

-| Azure Synapse Analytics (Microsoft.Synapse/workspaces) | Dev | privatelink.dev.azuresynapse.usgovcloudapi.net | dev.azuresynapse.usgovcloudapi.net |

-| Azure Synapse Studio (Microsoft.Synapse/privateLinkHubs) | Web | privatelink.azuresynapse.usgovcloudapi.net | azuresynapse.usgovcloudapi.net |

-| Storage account (Microsoft.Storage/storageAccounts) | blob </br> blob_secondary | privatelink.blob.core.usgovcloudapi.net | blob.core.usgovcloudapi.net |

-| Storage account (Microsoft.Storage/storageAccounts) | table </br> table_secondary | privatelink.table.core.usgovcloudapi.net | table.core.usgovcloudapi.net |

-| Storage account (Microsoft.Storage/storageAccounts) | queue </br> queue_secondary | privatelink.queue.core.usgovcloudapi.net | queue.core.usgovcloudapi.net |

-| Storage account (Microsoft.Storage/storageAccounts) | file </br> file_secondary | privatelink.file.core.usgovcloudapi.net | file.core.usgovcloudapi.net |

-| Storage account (Microsoft.Storage/storageAccounts) | web </br> web_secondary | privatelink.web.core.usgovcloudapi.net | web.core.usgovcloudapi.net |

-| Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) | dfs </br> dfs_secondary | privatelink.dfs.core.usgovcloudapi.net | dfs.core.usgovcloudapi.net |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Sql | privatelink.documents.azure.us | documents.azure.us |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.us | mongo.cosmos.azure.us |

-| Azure Batch (Microsoft.Batch/batchAccounts) | batchAccount | privatelink.batch.usgovcloudapi.net | {regionName}.batch.usgovcloudapi.net |

-| Azure Batch (Microsoft.Batch/batchAccounts) | nodeManagement | privatelink.batch.usgovcloudapi.net | {regionName}.service.batch.usgovcloudapi.net |

-| Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) | postgresqlServer | privatelink.postgres.database.usgovcloudapi.net | postgres.database.usgovcloudapi.net |

-| Azure Database for MySQL - Single Server (Microsoft.DBforMySQL/servers) | mysqlServer | privatelink.mysql.database.usgovcloudapi.net | mysql.database.usgovcloudapi.net |

-| Azure Database for MySQL - Flexible Server (Microsoft.DBforMySQL/flexibleServers) | mysqlServer | privatelink.mysql.database.usgovcloudapi.net | mysql.database.usgovcloudapi.net |

-| Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) | mariadbServer | privatelink.mariadb.database.usgovcloudapi.net| mariadb.database.usgovcloudapi.net |

-| Azure Data Factory (Microsoft.DataFactory/factories) | dataFactory | privatelink.datafactory.azure.us | datafactory.azure.us |

-| Azure Data Factory (Microsoft.DataFactory/factories) | portal | privatelink.adf.azure.us | adf.azure.us |

-| Azure Key Vault (Microsoft.KeyVault/vaults) | vault | privatelink.vaultcore.usgovcloudapi.net | vault.usgovcloudapi.net <br> vaultcore.usgovcloudapi.net |

-| Azure Search (Microsoft.Search/searchServices) | searchService | privatelink.search.windows.us | search.windows.us |

-| Azure Container Registry (Microsoft.ContainerRegistry/registries) | registry | privatelink.azurecr.us </br> {regionName}.privatelink.azurecr.us | azurecr.us </br> {regionName}.azurecr.us |

-| Azure App Configuration (Microsoft.AppConfiguration/configurationStores) | configurationStores | privatelink.azconfig.azure.us | azconfig.azure.us |

-| Azure Backup (Microsoft.RecoveryServices/vaults) | AzureBackup | privatelink.{regionCode}.backup.windowsazure.us | {regionCode}.backup.windowsazure.us |

-| Azure Site Recovery (Microsoft.RecoveryServices/vaults) | AzureSiteRecovery | privatelink.siterecovery.windowsazure.us | {regionCode}.siterecovery.windowsazure.us |

-| Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | privatelink.servicebus.usgovcloudapi.net | servicebus.usgovcloudapi.net|

-| Azure Service Bus (Microsoft.ServiceBus/namespaces) | namespace | privatelink.servicebus.usgovcloudapi.net| servicebus.usgovcloudapi.net |

-| Azure IoT Hub (Microsoft.Devices/IotHubs) | iotHub | privatelink.azure-devices.us<br/>privatelink.servicebus.windows.us¹ | azure-devices.us<br/>servicebus.usgovcloudapi.net |

-| Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) | iotDps | privatelink.azure-devices-provisioning.us | azure-devices-provisioning.us |

-| Azure Relay (Microsoft.Relay/namespaces) | namespace | privatelink.servicebus.usgovcloudapi.net | servicebus.usgovcloudapi.net |

-| Azure Event Grid (Microsoft.EventGrid/topics) | topic | privatelink.eventgrid.azure.us | eventgrid.azure.us |

-| Azure Event Grid (Microsoft.EventGrid/domains) | domain | privatelink.eventgrid.azure.us | eventgrid.azure.us |

-| Azure Web Apps (Microsoft.Web/sites) | sites | privatelink.azurewebsites.us </br> scm.privatelink.azurewebsites.us | azurewebsites.us </br> scm.azurewebsites.us

-| Azure Monitor (Microsoft.Insights/privateLinkScopes) | azuremonitor | privatelink.monitor.azure.us <br/> privatelink.adx.monitor.azure.us <br/> privatelink.oms.opinsights.azure.us <br/> privatelink.ods.opinsights.azure.us <br/> privatelink.agentsvc.azure-automation.us <br/> privatelink.blob.core.usgovcloudapi.net | monitor.azure.us <br/> adx.monitor.azure.us <br/> oms.opinsights.azure.us<br/> ods.opinsights.azure.us<br/> agentsvc.azure-automation.us <br/> blob.core.usgovcloudapi.net |

-| Azure AI services (Microsoft.CognitiveServices/accounts) | account | privatelink.cognitiveservices.azure.us | cognitiveservices.azure.us |

-| Azure Cache for Redis (Microsoft.Cache/Redis) | redisCache | privatelink.redis.cache.usgovcloudapi.net | redis.cache.usgovcloudapi.net |

-| Microsoft Purview (Microsoft.Purview) | account | privatelink.purview.azure.us | purview.azure.us |

-| Microsoft Purview (Microsoft.Purview) | portal | privatelink.purviewstudio.azure.us | purview.azure.us </br> purviewstudio.azure.us |

-| Azure HDInsight (Microsoft.HDInsight) | N/A | privatelink.azurehdinsight.us | azurehdinsight.us |

-| Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) | amlworkspace | privatelink.api.ml.azure.us<br/>privatelink.notebooks.usgovcloudapi.net | api.ml.azure.us<br/>notebooks.usgovcloudapi.net <br/> instances.azureml.us<br/>aznbcontent.net <br/> inference.ml.azure.us |

-| Azure Health Data Services (Microsoft.HealthcareApis/workspaces) | healthcareworkspace | privatelink.workspace.azurehealthcareapis.us </br> privatelink.fhir.azurehealthcareapis.us </br> privatelink.dicom.azurehealthcareapis.us | workspace.azurehealthcareapis.us </br> fhir.azurehealthcareapis.us </br> dicom.azurehealthcareapis.us |

-| Azure Databricks (Microsoft.Databricks/workspaces) | databricks_ui_api </br> browser_authentication | privatelink.databricks.azure.us | databricks.azure.us |

-| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) | global | privatelink-global.wvd.azure.us | wvd.azure.us |

-| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces </br> Microsoft.DesktopVirtualization/hostpools) | feed <br> connection | privatelink.wvd.azure.us | wvd.azure.us |

-### China

-| Private link resource type | Subresource | Private DNS zone name | Public DNS zone forwarders |

-||||--|

-| Azure Automation / (Microsoft.Automation/automationAccounts) | Webhook </br> DSCAndHybridWorker | privatelink.azure-automation.cn | azure-automation.cn |

-| Azure SQL Database (Microsoft.Sql/servers) | sqlServer | privatelink.database.chinacloudapi.cn | database.chinacloudapi.cn |

-| Storage account (Microsoft.Storage/storageAccounts) | blob </br> blob_secondary | privatelink.blob.core.chinacloudapi.cn | blob.core.chinacloudapi.cn |

-| Storage account (Microsoft.Storage/storageAccounts) | table </br> table_secondary | privatelink.table.core.chinacloudapi.cn | table.core.chinacloudapi.cn |

-| Storage account (Microsoft.Storage/storageAccounts) | queue </br> queue_secondary | privatelink.queue.core.chinacloudapi.cn | queue.core.chinacloudapi.cn |

-| Storage account (Microsoft.Storage/storageAccounts) | file </br> file_secondary | privatelink.file.core.chinacloudapi.cn | file.core.chinacloudapi.cn |

-| Storage account (Microsoft.Storage/storageAccounts) | web </br> web_secondary | privatelink.web.core.chinacloudapi.cn | web.core.chinacloudapi.cn |

-| Azure Data Lake File System Gen2 (Microsoft.Storage/storageAccounts) | dfs </br> dfs_secondary | privatelink.dfs.core.chinacloudapi.cn | dfs.core.chinacloudapi.cn |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Sql | privatelink.documents.azure.cn | documents.azure.cn |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | MongoDB | privatelink.mongo.cosmos.azure.cn | mongo.cosmos.azure.cn |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Cassandra | privatelink.cassandra.cosmos.azure.cn | cassandra.cosmos.azure.cn |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Gremlin | privatelink.gremlin.cosmos.azure.cn | gremlin.cosmos.azure.cn |

-| Azure Cosmos DB (Microsoft.AzureCosmosDB/databaseAccounts) | Table | privatelink.table.cosmos.azure.cn | table.cosmos.azure.cn |

-| Azure Batch (Microsoft.Batch/batchAccounts) | batchAccount | privatelink.batch.chinacloudapi.cn | {region}.batch.chinacloudapi.cn |

-| Azure Batch (Microsoft.Batch/batchAccounts) | nodeManagement | privatelink.batch.chinacloudapi.cn | {region}.service.batch.chinacloudapi.cn |

-| Azure Database for PostgreSQL - Single server (Microsoft.DBforPostgreSQL/servers) | postgresqlServer | privatelink.postgres.database.chinacloudapi.cn | postgres.database.chinacloudapi.cn |

-| Azure Database for MySQL - Single Server (Microsoft.DBforMySQL/servers) | mysqlServer | privatelink.mysql.database.chinacloudapi.cn | mysql.database.chinacloudapi.cn |

-| Azure Database for MySQL - Flexible Server (Microsoft.DBforMySQL/flexibleServers) | mysqlServer | privatelink.mysql.database.chinacloudapi.cn | mysql.database.chinacloudapi.cn |

-| Azure Database for MariaDB (Microsoft.DBforMariaDB/servers) | mariadbServer | privatelink.mariadb.database.chinacloudapi.cn | mariadb.database.chinacloudapi.cn |

-| Azure Key Vault (Microsoft.KeyVault/vaults) | vault | privatelink.vaultcore.azure.cn | vaultcore.azure.cn |

-| Azure Event Hubs (Microsoft.EventHub/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |

-| Azure Service Bus (Microsoft.ServiceBus/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |

-| Azure IoT Hub (Microsoft.Devices/IotHubs) | iotHub | privatelink.azure-devices.cn <br/> privatelink.servicebus.chinacloudapi.cn ¹ | azure-devices.cn<br/>servicebus.chinacloudapi.cn |

-| Azure IoT Hub Device Provisioning Service (Microsoft.Devices/ProvisioningServices) | iotDps | privatelink.azure-devices-provisioning.cn | azure-devices-provisioning.cn |

-| Azure Relay (Microsoft.Relay/namespaces) | namespace | privatelink.servicebus.chinacloudapi.cn | servicebus.chinacloudapi.cn |

-| Azure Event Grid (Microsoft.EventGrid/topics) | topic | privatelink.eventgrid.azure.cn | eventgrid.azure.cn |

-| Azure Event Grid (Microsoft.EventGrid/domains) | domain | privatelink.eventgrid.azure.cn | eventgrid.azure.cn |

-| Azure Web Apps (Microsoft.Web/sites) | sites | privatelink.chinacloudsites.cn | chinacloudsites.cn |

-| Azure Machine Learning (Microsoft.MachineLearningServices/workspaces) | amlworkspace | privatelink.api.ml.azure.cn<br/>privatelink.notebooks.chinacloudapi.cn | api.ml.azure.cn<br/>notebooks.chinacloudapi.cn <br/> instances.azureml.cn <br/> aznbcontent.net <br/> inference.ml.azure.cn |

-| SignalR (Microsoft.SignalRService/SignalR) | signalR | privatelink.signalr.azure.cn | service.signalr.azure.cn |

-| Azure File Sync (Microsoft.StorageSync/storageSyncServices) | afs | privatelink.afs.azure.cn | afs.azure.cn |

-| Azure Data Factory (Microsoft.DataFactory/factories) | dataFactory | privatelink.datafactory.azure.cn | datafactory.azure.cn |

-| Azure Data Factory (Microsoft.DataFactory/factories) | portal | privatelink.adf.azure.cn | adf.azure.cn |

-| Azure Cache for Redis (Microsoft.Cache/Redis) | redisCache | privatelink.redis.cache.chinacloudapi.cn | redis.cache.chinacloudapi.cn |

-| Azure HDInsight (Microsoft.HDInsight) | N/A | privatelink.azurehdinsight.cn | azurehdinsight.cn |

-| Azure Data Explorer (Microsoft.Kusto/Clusters) | cluster | privatelink.{regionName}.kusto.windows.cn | {regionName}.kusto.windows.cn |

-| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces) | global | privatelink-global.wvd.azure.cn | wvd.azure.cn |

-| Azure Virtual Desktop (Microsoft.DesktopVirtualization/workspaces and Microsoft.DesktopVirtualization/hostpools) | feed </br> connection | privatelink.wvd.azure.cn | wvd.azure.cn |

-¹To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see [private link support for IoT Hub's built-in endpoint](../iot-hub/virtual-network-support.md#built-in-event-hubs-compatible-endpoint)

-## DNS configuration scenarios

-The FQDN of the services resolves automatically to a public IP address. To resolve to the private IP address of the private endpoint, change your DNS configuration.

-DNS is a critical component to make the application work correctly by successfully resolving the private endpoint IP address.

-Based on your preferences, the following scenarios are available with DNS resolution integrated:

- - [Azure services DNS zone configuration](#azure-services-dns-zone-configuration)

- - [Government](#government)

- - [China](#china)

- - [DNS configuration scenarios](#dns-configuration-scenarios)

- - [Virtual network workloads without custom DNS server](#virtual-network-workloads-without-custom-dns-server)

- - [On-premises workloads using a DNS forwarder](#on-premises-workloads-using-a-dns-forwarder)

- - [Virtual network and on-premises workloads using a DNS forwarder](#virtual-network-and-on-premises-workloads-using-a-dns-forwarder)

- - [Private DNS zone group](#private-dns-zone-group)

- - [Next steps](#next-steps)

-> [!NOTE]

-> [Azure Firewall DNS proxy](../firewall/dns-settings.md#dns-proxy) can be used as DNS forwarder for [On-premises workloads](#on-premises-workloads-using-a-dns-forwarder) and [Virtual network workloads using a DNS forwarder](#virtual-network-and-on-premises-workloads-using-a-dns-forwarder).

-## Virtual network workloads without custom DNS server

-This configuration is appropriate for virtual network workloads without a custom DNS server. In this scenario, the client queries for the private endpoint IP address to the Azure-provided DNS service [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md). Azure DNS is responsible for DNS resolution of the private DNS zones.

-> [!NOTE]

-> This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: [Azure services DNS zone configuration](#azure-services-dns-zone-configuration).

-To configure properly, you need the following resources:

-The following screenshot illustrates the DNS resolution sequence from virtual network workloads using the private DNS zone:

-You can extend this model to peered virtual networks associated to the same private endpoint. [Add new virtual network links](../dns/private-dns-virtual-network-links.md) to the private DNS zone for all peered virtual networks.

-> [!IMPORTANT]

-> A single private DNS zone is required for this configuration. Creating multiple zones with the same name for different virtual networks would need manual operations to merge the DNS records.

-> [!IMPORTANT]

-> If you're using a private endpoint in a hub-and-spoke model from a different subscription or even within the same subscription, link the same private DNS zones to all spokes and hub virtual networks that contain clients that need DNS resolution from the zones.

-In this scenario, there's a [hub and spoke](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) networking topology. The spoke networks share a private endpoint. The spoke virtual networks are linked to the same private DNS zone.

-## On-premises workloads using a DNS forwarder

-For on-premises workloads to resolve the FQDN of a private endpoint, use a DNS forwarder to resolve the Azure service [public DNS zone](#azure-services-dns-zone-configuration) in Azure. A [DNS forwarder](/windows-server/identity/ad-ds/plan/reviewing-dns-concepts#resolving-names-by-using-forwarding) is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises. This is required as the query must be originated from the Virtual Network to Azure DNS. A few options for DNS proxies are: Windows running DNS services, Linux running DNS services, [Azure Firewall](../firewall/dns-settings.md).

-The following scenario is for an on-premises network that has a DNS forwarder in Azure. This forwarder resolves DNS queries via a server-level forwarder to the Azure provided DNS [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md).

-> [!NOTE]

-> This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: [Azure services DNS zone configuration](#azure-services-dns-zone-configuration).

-To configure properly, you need the following resources:

-The following diagram illustrates the DNS resolution sequence from an on-premises network. The configuration uses a DNS forwarder deployed in Azure. The resolution is made by a private DNS zone [linked to a virtual network](../dns/private-dns-virtual-network-links.md):

-This configuration can be extended for an on-premises network that already has a DNS solution in place. 

-The on-premises DNS solution is configured to forward DNS traffic to Azure DNS via a [conditional forwarder](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server). The conditional forwarder references the DNS forwarder deployed in Azure.

-> [!NOTE]

-> This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: [Azure services DNS zone configuration](#azure-services-dns-zone-configuration)

-To configure properly, you need the following resources:

-The following diagram illustrates the DNS resolution from an on-premises network. DNS resolution is conditionally forwarded to Azure. The resolution is made by a private DNS zone [linked to a virtual network](../dns/private-dns-virtual-network-links.md).

-> [!IMPORTANT]

-> The conditional forwarding must be made to the recommended [public DNS zone forwarder](#azure-services-dns-zone-configuration). For example: `database.windows.net` instead of **privatelink**.database.windows.net.

-## Virtual network and on-premises workloads using a DNS forwarder

-For workloads accessing a private endpoint from virtual and on-premises networks, use a DNS forwarder to resolve the Azure service [public DNS zone](#azure-services-dns-zone-configuration) deployed in Azure.

-The following scenario is for an on-premises network with virtual networks in Azure. Both networks access the private endpoint located in a shared hub network.

-This DNS forwarder is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS service [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md).

-> [!IMPORTANT]

-> A single private DNS zone is required for this configuration. All client connections made from on-premises and [peered virtual networks](../virtual-network/virtual-network-peering-overview.md) must  also use the same private DNS zone.

-> [!NOTE]

-> This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: [Azure services DNS zone configuration](#azure-services-dns-zone-configuration).

-To configure properly, you need the following resources:

-The following diagram shows the DNS resolution for both networks, on-premises and virtual networks. The resolution is using a DNS forwarder. The resolution is made by a private DNS zone [linked to a virtual network](../dns/private-dns-virtual-network-links.md):

-## Private DNS zone group

-If you choose to integrate your private endpoint with a private DNS zone, a private DNS zone group is also created. The DNS zone group has a strong association between the private DNS zone and the private endpoint. It helps with managing the private DNS zone records when there's an update on the private endpoint. For example, when you add or remove regions, the private DNS zone is automatically updated with the correct number of records.

-Previously, the DNS records for the private endpoint were created via scripting (retrieving certain information about the private endpoint and then adding it on the DNS zone). With the DNS zone group, there is no need to write any additional CLI/PowerShell lines for every DNS zone. Also, when you delete the private endpoint, all the DNS records within the DNS zone group will be deleted as well.

-A common scenario for DNS zone group is in a hub-and-spoke topology, where it allows the private DNS zones to be created only once in the hub and allows the spokes to register to it, rather than creating different zones in each spoke.

-> [!NOTE]

-> Each DNS zone group can support up to 5 DNS zones.

-> [!NOTE]

-> Adding multiple DNS zone groups to a single Private Endpoint is not supported.

-> [!NOTE]

-> Delete and update operations for DNS records can be seen performed by "Azure Traffic Manager and DNS." This is a normal platform operation necessary for managing your DNS Records.

-## Next steps

-| Azure Cognitive Search | Microsoft.Search/searchServices | searchService |

-> | Azure Public IP | Azure Cognitive Search |

-| [Azure Cognitive Search](migrate-search-service.md)|

-| [Azure Cognitive Search](../search/search-reliability.md#availability-zones) |  |

-| [Azure Cognitive Search](../search/search-reliability.md) |

-description: Learn how to migrate Azure Cognitive Search to availability zone support.

-# Migrate Azure Cognitive Search to availability zone support

-This guide describes how to migrate Azure Cognitive Search from non-availability zone support to availability support.

-Azure Cognitive Search services can take advantage of availability support [in regions that support availability zones](../search/search-reliability.md#availability-zones). Services with [two or more replicas](../search/search-capacity-planning.md) in these regions created after availability support was enabled can automatically utilize availability zones. Each replica will be placed in a different availability zone within the region. If you have more replicas than availability zones, the replicas will be distributed across availability zones as evenly as possible.

-> [Learn about high availability in Azure Cognitive Search](../search/search-reliability.md)

-[Azure Cognitive Search](../search/search-reliability.md?toc=/azure/reliability/toc.json&bc=/azure/reliability/breadcrumb/toc.json)|

-Retrieval Augmentation Generation (RAG) is an architecture that augments the capabilities of a Large Language Model (LLM) like ChatGPT by adding an information retrieval system that provides the data. Adding an information retrieval system gives you control over the data used by an LLM when it formulates a response. For an enterprise solution, RAG architecture means that you can constrain natural language processing to *your enterprise content* sourced from vectorized documents, images, audio, and video.

-Azure AI Search is a [proven solution for information retrieval](https://github.com/Azure-Samples/azure-search-openai-demo) in a RAG architecture. It provides indexing and query capabilities, with the infrastructure and security of the Azure cloud. Through code and other components, you can design a comprehensive RAG solution that includes all of the elements for generative AI over your proprietary content.

-> New to LLM and RAG concepts? This [video clip](https://youtu.be/2meEvuWAyXs?t=404) from a Microsoft presentation offers a simple explanation.

-+ Azure AI Studio, [using your data with an Azure OpenAI Service](/azure/ai-services/openai/concepts/use-your-data). Azure AI Studio integrates with Azure AI Search for storage and retrieval. If you already have a search index, you can connect to it in Azure AI Studio and start chatting right away. If you don't have an index, you can [create one by uploading your data](/azure/ai-services/openai/use-your-data-quickstart) using the studio.

-+ Azure Machine Learning, a search index can be used as a [vector store](/azure/machine-learning/concept-vector-stores). You can [create a vector index in an Azure Machine Learning prompt flow](/azure/machine-learning/how-to-create-vector-index) that uses your Azure AI Search service for storage and retrieval.

-If you need a custom approach however, you can create your own custom RAG solution. The remainder of this article explores how Azure AI Search fits into a custom RAG solution.

-> [!NOTE]

-> Prefer to look at code? You can review the [Azure AI Search OpenAI demo](https://github.com/Azure-Samples/azure-search-openai-demo) for an example.

-In Azure AI Search, all searchable content is stored in a search index that's hosted on your search service in the cloud. A search index is designed for fast queries with millisecond response times, so its internal data structures exist to support that objective. To that end, a search index stores *indexed content*, and not whole content files like entire PDFs or images. Internally, the data structures include inverted indexes of [tokenized text](https://lucene.apache.org/core/7_5_0/test-framework/org/apache/lucene/analysis/Token.html), vector indexes for embeddings, and unaltered text for cases where verbatim matching is required (for example, in filters, fuzzy search, regular expression queries).

-+ [Use Azure AI Studio and "bring your own data"](/azure/ai-services/openai/concepts/use-your-data) to experiment with prompts on an existing search index. This step helps you decide what model to use, and shows you how well your existing index works in a RAG scenario.

-+ ["Chat with your data" solution accelerator](https://github.com/Azure-Samples/chat-with-your-data-solution-accelerator) to create your own RAG solution.

-+ [Review the azure-search-openai-demo demo](https://github.com/Azure-Samples/azure-search-openai-demo) to see a working RAG solution that includes Azure AI Search, and to study the code that builds the experience. This demo uses a fictitious Northwind Health Plan for its data.

- Here's a [similar end-to-end demo](https://github.com/Azure-Samples/openai/blob/main/End_to_end_Solutions/AOAISearchDemo/README.md) from the Azure OpenAI team. This demo uses an unstructured .pdf data consisting of publicly available documentation on Microsoft Surface devices.

-

-| Azure Cognitive Search | Yes | Yes | - |

- [Private endpoint DNS integration](../private-link/private-endpoint-dns.md#virtual-network-workloads-without-custom-dns-server).

- If your environment has a hub and spoke model, you need only one private endpoint and only one private DNS zone for the entire setup. This is because all your virtual networks already have peering enabled between them. For more information, see [Private endpoint DNS integration](../private-link/private-endpoint-dns.md#virtual-network-workloads-without-custom-dns-server).

-|Azure Cognitive Search|Generally available|Yes|Yes|<ul><li>[Index and search Azure Data Lake Storage Gen2 documents](../../search/search-howto-index-azure-data-lake-storage.md)</li></ul>|

-The two private endpoints can't use the same Private DNS Zone for the same endpoint. As a result, each region uses its own Private DNS Zone. Each regional zone is attached to the hub network for the region. This design uses the [DNS forwarder scenario](../../private-link/private-endpoint-dns.md#virtual-network-and-on-premises-workloads-using-a-dns-forwarder) to provide resolution.

-| Azure Cognitive Search | `Microsoft.Search/searchServices` | Enables access to storage accounts for indexing, processing, and querying. |

-

-## Azure Cognitive Search sample

-description: Installs OMI and DSC packages to allow an Azure Linux VM to be configured using Desired State Configuration.

-# DSC extension for Linux (Microsoft.OSTCExtensions.DSCForLinux)

-Desired State Configuration (DSC) is a management platform that you can use to manage your IT and development infrastructure with configuration as code.

-> [!IMPORTANT]

-> The desired state configuration VM extension for Linux will be [retired on **September 30, 2023**](https://aka.ms/dscext4linuxretirement). If you're currently using the desired state configuration VM extension for Linux, you should start planning your migration to the machine configuration feature of Azure Automanage by using the information in this article.

-> [!NOTE]

-> The DSC extension for Linux and the [Log Analytics virtual machine extension for Linux](./oms-linux.md) currently present a conflict

-> and aren't supported in a side-by-side configuration. Don't use the two solutions together on the same VM.

-The DSCForLinux extension is published and supported by Microsoft. The extension installs the OMI and DSC agent on Azure virtual machines. The DSC extension can also do the following actions:

-## Prerequisites

-### Operating system

-For nodes running Linux, the DSC Linux extension supports all the Linux distributions listed in the [PowerShell DSC documentation](/powershell/dsc/getting-started/lnxgettingstarted).

-### Internet connectivity

-The DSCForLinux extension requires the target virtual machine to be connected to the internet. For example, the Register extension requires connectivity to the Automation service.

-For other actions such as Pull, Pull, Install requires connectivity to Azure Storage and GitHub. It depends on settings provided by the customer.

-## Extension schema

-### Public configuration

-Here are all the supported public configuration parameters:

-* `FileUri`: (optional, string) The uri of the MOF file, meta MOF file, or custom resource zip file.

-* `ResourceName`: (optional, string) The name of the custom resource module.

-* `ExtensionAction`: (optional, string) Specifies what an extension does. Valid values are Register, Push, Pull, Install, and Remove. If not specified, it's considered a Push Action by default.

-* `NodeConfigurationName`: (optional, string) The name of a node configuration to apply.

-* `RefreshFrequencyMins`: (optional, int) Specifies how often (in minutes) that DSC attempts to obtain the configuration from the pull server.

- If configuration on the pull server differs from the current one on the target node, it's copied to the pending store and applied.

-* `ConfigurationMode`: (optional, string) Specifies how DSC should apply the configuration. Valid values are ApplyOnly, ApplyAndMonitor, and ApplyAndAutoCorrect.

-* `ConfigurationModeFrequencyMins`: (optional, int) Specifies how often (in minutes) DSC ensures that the configuration is in the desired state.

-> [!NOTE]

-> If you use a version earlier than 2.3, the mode parameter is the same as ExtensionAction. Mode seems to be an overloaded term. To avoid confusion, ExtensionAction is used from version 2.3 onward. For backward compatibility, the extension supports both mode and ExtensionAction.

->

-### Protected configuration

-Here are all the supported protected configuration parameters:

-* `StorageAccountName`: (optional, string) The name of the storage account that contains the file

-* `StorageAccountKey`: (optional, string) The key of the storage account that contains the file

-* `RegistrationUrl`: (optional, string) The URL of the Azure Automation account

-* `RegistrationKey`: (optional, string) The access key of the Azure Automation account

-## Scenarios

-### Register an Azure Automation account

-protected.json

-```json

-{

- "RegistrationUrl": "<azure-automation-account-url>",

- "RegistrationKey": "<azure-automation-account-key>"

-}

-```

-public.json

-```json

-{

- "ExtensionAction" : "Register",

- "NodeConfigurationName" : "<node-configuration-name>",

- "RefreshFrequencyMins" : "<value>",

- "ConfigurationMode" : "<ApplyAndMonitor | ApplyAndAutoCorrect | ApplyOnly>",

- "ConfigurationModeFrequencyMins" : "<value>"

-}

-```

-PowerShell format

-```powershell

-$privateConfig = '{

- "RegistrationUrl": "<azure-automation-account-url>",

- "RegistrationKey": "<azure-automation-account-key>"

-}'

-$publicConfig = '{

- "ExtensionAction" : "Register",

- "NodeConfigurationName": "<node-configuration-name>",

- "RefreshFrequencyMins": "<value>",

- "ConfigurationMode": "<ApplyAndMonitor | ApplyAndAutoCorrect | ApplyOnly>",

- "ConfigurationModeFrequencyMins": "<value>"

-}'

-```

-### Apply an MOF configuration file (in an Azure storage account) to the VM

-protected.json

-```json

-{

- "StorageAccountName": "<storage-account-name>",

- "StorageAccountKey": "<storage-account-key>"

-}

-```

-public.json

-```json

-{

- "FileUri": "<mof-file-uri>",

- "ExtensionAction": "Push"

-}

-```

-PowerShell format

-```powershell

-$privateConfig = '{

- "StorageAccountName": "<storage-account-name>",

- "StorageAccountKey": "<storage-account-key>"

-}'

-$publicConfig = '{

- "FileUri": "<mof-file-uri>",

- "ExtensionAction": "Push"

-}'

-```

-### Apply an MOF configuration file (in public storage) to the VM

-public.json

-```json

-{

- "FileUri": "<mof-file-uri>"

-}

-```

-PowerShell format

-```powershell

-$publicConfig = '{

- "FileUri": "<mof-file-uri>"

-}'

-```

-### Apply a meta MOF configuration file (in an Azure storage account) to the VM

-protected.json

-```json

-{

- "StorageAccountName": "<storage-account-name>",

- "StorageAccountKey": "<storage-account-key>"

-}

-```

-public.json

-```json

-{

- "ExtensionAction": "Pull",

- "FileUri": "<meta-mof-file-uri>"

-}

-```

-PowerShell format

-```powershell

-$privateConfig = '{

- "StorageAccountName": "<storage-account-name>",

- "StorageAccountKey": "<storage-account-key>"

-}'

-$publicConfig = '{

- "ExtensionAction": "Pull",

- "FileUri": "<meta-mof-file-uri>"

-}'

-```

-### Apply a meta MOF configuration file (in public storage) to the VM

-public.json

-```json

-{

- "FileUri": "<meta-mof-file-uri>",

- "ExtensionAction": "Pull"

-}

-```

-PowerShell format

-```powershell

-$publicConfig = '{

- "FileUri": "<meta-mof-file-uri>",

- "ExtensionAction": "Pull"

-}'

-```

-### Install a custom resource module (a zip file in an Azure storage account) to the VM

-protected.json

-```json

-{

- "StorageAccountName": "<storage-account-name>",

- "StorageAccountKey": "<storage-account-key>"

-}

-```

-public.json

-```json

-{

- "ExtensionAction": "Install",

- "FileUri": "<resource-zip-file-uri>"

-}

-```

-PowerShell format

-```powershell

-$privateConfig = '{

- "StorageAccountName": "<storage-account-name>",

- "StorageAccountKey": "<storage-account-key>"

-}'

-$publicConfig = '{

- "ExtensionAction": "Install",

- "FileUri": "<resource-zip-file-uri>"

-}'

-```

-### Install a custom resource module (a zip file in public storage) to the VM

-public.json

-```json

-{

- "ExtensionAction": "Install",

- "FileUri": "<resource-zip-file-uri>"

-}

-```

-PowerShell format

-```powershell

-$publicConfig = '{

- "ExtensionAction": "Install",

- "FileUri": "<resource-zip-file-uri>"

-}'

-```

-### Remove a custom resource module from the VM

-public.json

-```json

-{

- "ResourceName": "<resource-name>",

- "ExtensionAction": "Remove"

-}

-```

-PowerShell format

-```powershell

-$publicConfig = '{

- "ResourceName": "<resource-name>",

- "ExtensionAction": "Remove"

-}'

-```

-## Template deployment

-Azure VM extensions can be deployed with Azure Resource Manager templates. Templates are ideal when you deploy one or more virtual machines that require post-deployment configuration, such as onboarding to Azure Automation.

-For more information about the Azure Resource Manager template, see [Authoring Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md).

-## Azure CLI deployment

-### Use [Azure CLI][azure-cli]

-Before you deploy the DSCForLinux extension, configure your `public.json` and `protected.json` according to the different scenarios in section 3.

-#### Classic

-The classic deployment mode is also called Azure Service Management mode. You can switch to it by running:

-```

-$ azure config mode asm

-```

-You can deploy the DSCForLinux extension by running:

-```

-$ azure vm extension set <vm-name> DSCForLinux Microsoft.OSTCExtensions <version> \

-```

-To learn the latest extension version available, run:

-```

-$ azure vm extension list

-```

-#### Resource Manager

-You can switch to Azure Resource Manager mode by running:

-```

-$ azure config mode arm

-```

-You can deploy the DSCForLinux extension by running:

-```

-$ azure vm extension set <resource-group> <vm-name> \

-DSCForLinux Microsoft.OSTCExtensions <version> \

-```

-> [!NOTE]

-> In Azure Resource Manager mode, `azure vm extension list` isn't available for now.

->

-### Use [Azure PowerShell][azure-powershell]

-#### Classic

-You can sign in to your Azure account in Azure Service Management mode by running:

-```powershell

-Add-AzureAccount

-```

-And deploy the DSCForLinux extension by running:

-```powershell

-$vmname = '<vm-name>'

-$vm = Get-AzureVM -ServiceName $vmname -Name $vmname

-$extensionName = 'DSCForLinux'

-$publisher = 'Microsoft.OSTCExtensions'

-$version = '< version>'

-```

-Change the content of $privateConfig and $publicConfig according to different scenarios in the previous section.

-```

-$privateConfig = '{

- "StorageAccountName": "<storage-account-name>",

- "StorageAccountKey": "<storage-account-key>"

-}'

-```

-```

-$publicConfig = '{

- "ExtensionAction": "Push",

- "FileUri": "<mof-file-uri>"

-}'

-```

-```powershell

-Set-AzureVMExtension -ExtensionName $extensionName -VM $vm -Publisher $publisher `

- -Version $version -PrivateConfiguration $privateConfig `

- -PublicConfiguration $publicConfig | Update-AzureVM

-```

-#### Resource Manager

-You can sign in to your Azure account in Azure Resource Manager mode by running:

-```powershell

-Login-AzAccount

-```

-To learn more about how to use Azure PowerShell with Azure Resource Manager, see [Manage Azure resources by using Azure PowerShell](../../azure-resource-manager/management/manage-resources-powershell.md).

-You can deploy the DSCForLinux extension by running:

-```powershell

-$rgName = '<resource-group-name>'

-$vmName = '<vm-name>'

-$location = '< location>'

-$extensionName = 'DSCForLinux'

-$publisher = 'Microsoft.OSTCExtensions'

-$version = '< version>'

-```

-Change the content of $privateConfig and $publicConfig according to different scenarios in the previous section.

-```

-$privateConfig = '{

- "StorageAccountName": "<storage-account-name>",

- "StorageAccountKey": "<storage-account-key>"

-}'

-```

-```

-$publicConfig = '{

- "ExtensionAction": "Push",

- "FileUri": "<mof-file-uri>"

-}'

-```

-```powershell

-Set-AzVMExtension -ResourceGroupName $rgName -VMName $vmName -Location $location `

- -Name $extensionName -Publisher $publisher -ExtensionType $extensionName `

- -TypeHandlerVersion $version -SettingString $publicConfig -ProtectedSettingString $privateConfig

-```

-## Troubleshoot and support

-### Troubleshoot

-Data about the state of extension deployments can be retrieved from the Azure portal and by using the Azure CLI. To see the deployment state of extensions for a given VM, run the following command by using the Azure CLI.

-```azurecli

-az vm extension list --resource-group myResourceGroup --vm-name myVM -o table

-```

-Extension execution output is logged to the following file:

-```

-/var/log/azure/<extension-name>/<version>/extension.log file.

-```

-Error code: 51 represents either unsupported distribution or unsupported extension action.

-In some cases, DSC Linux extension fails to install OMI when a higher version of OMI already exists in the machine. [error response: (000003)Downgrade not allowed]

-### Support

-If you need more help at any point in this article, contact the Azure experts on the [MSDN Azure and Stack Overflow forums](https://azure.microsoft.com/support/community/). Alternatively, you can file an Azure Support incident. Go to the [Azure Support site](https://azure.microsoft.com/support/options/), and select **Get support**. For information about using Azure Support, read the [Microsoft Azure Support FAQ](https://azure.microsoft.com/support/faq/).

-## Next steps

-For more information about extensions, see [Virtual machine extensions and features for Linux](features-linux.md).

-The Azure Linux Agent for Azure virtual machines (VM) and the associated extensions are part of Microsoft Azure infrastructure services. Azure VM extensions are software components that extend VM functionality and simplify various VM management operations.

-The Azure DSC extension uses the Azure Linux Agent framework to deliver, enact, and report on DSC configurations running on Azure VMs. The DSC extension accepts a configuration document and a set of parameters. If no file is provided, a [default configuration script](#default-configuration-script) is embedded with the extension. The default configuration script is used only to set metadata in [Local Configuration Manager](/powershell/dsc/managing-nodes/metaConfig).

-The Azure CLI can be used to deploy the DSC extension to an existing VM. The following examples show how to deploy a VM on Windows or Linux.

-For a VM running Linux, use the following command:

-```azurecli

-az vm extension set \

- --resource-group myResourceGroup \

- --vm-name myVM \

- --name DSCForLinux \

- --publisher Microsoft.OSTCExtensions \

- --version 2.7 --protected-settings '{}' \

- --settings '{}'

-```

-| microsoft.ostcextensions.customscriptforlinux | [Desired State Configuration for Linux](dsc-linux.md#troubleshoot-and-support) |

-| **AzureCognitiveSearch** | Azure Cognitive Search. <br/><br/>This tag or the IP addresses covered by this tag can be used to grant indexers secure access to data sources. For more information about indexers, see [indexer connection documentation](../search/search-indexer-troubleshooting.md#connection-errors). <br/><br/> **Note**: The IP of the search service isn't included in the list of IP ranges for this service tag and **also needs to be added** to the IP firewall of data sources. | Inbound | No | Yes |