+Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. When you create an AKS cluster, a control plane is automatically created and configured. This control plane is provided at no cost as a managed Azure resource abstracted from the user. You only pay for and manage the nodes attached to the AKS cluster.

+* [Azure CLI][aks-quickstart-cli]

+* [Azure portal][aks-quickstart-portal]

+* Template-driven deployment options, like [Azure Resource Manager templates][aks-quickstart-template], [Bicep](../azure-resource-manager/bicep/overview.md), and Terraform.

+When you deploy an AKS cluster, you specify the number and size of the nodes, and AKS deploys and configures the Kubernetes control plane and nodes. [Advanced networking][aks-networking], [Azure Active Directory (Azure AD) integration][aad], [monitoring][aks-monitor], and other features can be configured during the deployment process.

+For improved security and management, you can integrate with [Azure AD][aad] to:

+* Use Kubernetes role-based access control (Kubernetes RBAC).

+To secure your AKS clusters, see [Integrate Azure AD with AKS][aks-aad].

+[Azure Monitor for Container Health][azure-monitor] collects memory and processor performance metrics from containers, nodes, and controllers within your AKS clusters and deployed applications. You can review both container logs and [the Kubernetes logs][aks-master-logs], which are:

+* Stored in an [Azure Log Analytics][azure-logs] workspace.

+For more information, see [Monitor AKS container health][container-health].

+For more information, see [Scale an AKS cluster][aks-scale].

+AKS offers multiple Kubernetes versions. As new versions become available in AKS, you can upgrade your cluster using the Azure portal, Azure CLI, or Azure PowerShell. During the upgrade process, nodes are carefully cordoned and drained to minimize disruption to running applications.

+To learn more about lifecycle versions, see [Supported Kubernetes versions in AKS][aks-supported versions]. For steps on how to upgrade, see [Upgrade an AKS cluster][aks-upgrade].

+For more information, see [Use the Mariner container host on AKS](use-mariner.md)

+To support application workloads, you can mount static or dynamic storage volumes for persistent data. Depending on the number of connected pods expected to share the storage volumes, you can use storage backed by:

+* [Azure Disks][azure-disk] for single pod access

+* [Azure Files][azure-files] for multiple, concurrent pod access.

+For more information, see [Storage options for applications in AKS][concepts-storage].

+An AKS cluster can be deployed into an existing virtual network. In this configuration, every pod in the cluster is assigned an IP address in the virtual network and can directly communicate with other pods in the cluster and other nodes in the virtual network.

+Pods can also connect to other services in a peered virtual network and on-premises networks over ExpressRoute or site-to-site (S2S) VPN connections.

+As applications are deployed, publicly accessible DNS names are auto-configured. The HTTP application routing sets up a DNS zone and integrates it with the AKS cluster. You can then deploy Kubernetes ingress resources as normal.

+To get started with Ingress traffic, see [HTTP application routing][aks-http-routing].

+Kubernetes has a rich ecosystem of development and management tools that work seamlessly with AKS. These tools include [Helm][helm] and the [Kubernetes extension for Visual Studio Code][k8s-extension].

+* Creates Azure resources (such as AKS).

+* Configures a release pipeline in Azure DevOps Services that includes a build pipeline for CI.

+* Sets up a release pipeline for CD.

+* Generates an Azure Application Insights resource for monitoring.

+AKS has been [CNCF-certified][cncf-cert] as Kubernetes conformant.

+Learn more about deploying and managing AKS.

+> [Cluster operator and developer best practices to build and manage applications on AKS][aks-best-practices]

+[cncf-cert]: https://www.cncf.io/certification/software-conformance/

+[k8s-extension]: https://marketplace.visualstudio.com/items?itemName=ms-kubernetes-tools.vscode-kubernetes-tools

+[aad]: managed-aad.md

+[aks-monitor]: monitor-aks.md

+[azure-monitor]: ../azure-monitor/containers/containers.md

+[azure-logs]: ../azure-monitor/logs/log-analytics-overview.md

+[helm]: /quickstart-helm.md

+[aks-best-practices]: /best-practices.md

+Go to the application folder:

+```bash

+cd msdocs-python-flask-webapp-quickstart

+```

+Create a virtual environment for the app:

+Install the dependencies:

+```bash

+pip install -r requirements.txt

+```

+# Get started with Form Recognizer

+> [!IMPORTANT]

+> The documents in this section are for GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [learn about GitOps with Flux v2](./conceptual-gitops-flux2.md). Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

+> [!IMPORTANT]

+> [!IMPORTANT]

+> [!IMPORTANT]

+ Title: "Deploy applications consistently at scale using Flux v2 configurations and Azure Policy"

+description: "Use Azure Policy to apply Flux v2 configurations at scale on Azure Arc-enabled Kubernetes or AKS clusters."

+# Deploy applications consistently at scale using Flux v2 configurations and Azure Policy

+>

+## Prerequisites

+> [!IMPORTANT]

+> [!IMPORTANT]

+|AzureWebJobsFeatureFlags|`feature1,feature2,EnableProxies`|

+Add `EnableProxies` to this list to re-enable proxies on version 4.x of the Functions runtime while you plan your migration to Azure API Management. For more information, see [Re-enable proxies in Functions v4.x](./legacy-proxies.md#re-enable-proxies-in-functions-v4x).

+If you have challenges moving from proxies or if Azure API Management doesn't address your specific scenarios, post a request in the [API Management feedback forum](https://feedback.azure.com/d365community/forum/e808a70c-ff24-ec11-b6e6-000d3a4f0858).

+## Re-enable proxies in Functions v4.x

+After [migrating your function app to version 4.x of the Functions runtime](migrate-version-3-version-4.md), you'll need to specifically reenable proxies. You should still switch to integrating your function apps with [Azure API Management](functions-proxies.md#api-management-integration) as soon as possible, and not just rely on proxies.

+Re-enabling proxies requires you to set a flag in the `AzureWebJobsFeatureFlags` application setting in one of the following ways:

+[`AzureWebJobsFeatureFlags`](functions-app-settings.md#azurewebjobsfeatureflags) is a comma-delimited array of flags used to enable preview and other temporary features.

+To learn more about how to create and modify application settings, see [Work with application settings](functions-how-to-use-azure-function-app-settings.md#settings).

+- Azure Functions proxies is a legacy feature for versions 1.x through 3.x of the Azure Functions runtime. Support for Functions proxies can be re-enabled in version 4.x so that you can successfully upgrade your function apps to the latest runtime version. As soon as possible, you should instead switch to integrating your function apps with Azure API Management. API Management lets you take advantage of a more complete set of features for defining, securing, managing, and monetizing your Functions-based APIs. For more information, see [API Management integration](functions-proxies.md#api-management-integration). To learn how to re-enable proxies support in Functions version 4.x, see [Re-enable proxies in Functions v4.x](legacy-proxies.md#re-enable-proxies-in-functions-v4x).

+| Azure VM | Log Analytics agent VM extension for Windows/Linux | The agent is automatically upgraded [after the VM model changes](../../virtual-machines/extensions/features-linux.md#how-agents-and-extensions-are-updated), unless you configured your Azure Resource Manager template to opt out by setting the property `autoUpgradeMinorVersion` to **false**. Once deployed, however, the extension won't upgrade minor versions unless redeployed, even with this property set to **true**. Only the Linux agent supports automatic update post deployment with `enableAutomaticUpgrade` property (see [Enable Auto-update for the Linux agent](#enable-auto-update-for-the-linux-agent)). Major version upgrade is always manual (see [VirtualMachineExtensionInner.AutoUpgradeMinorVersion Property](/dotnet/api/microsoft.azure.management.compute.fluent.models.virtualmachineextensioninner.autoupgrademinorversion)). |

+> * Entries in the Activity Log are representing control plane changes like a virtual machine restart, any non related entries should be written into [Azure Resource Logs](resource-logs.md)

+Learn more about:

+* [Platform logs](./platform-logs-overview.md)

+* [Activity log event schema](activity-log-schema.md)

+* [Activity log insights](activity-log-insights.md)

+To filter in more metrics for any default targets, edit the settings under `default-targets-metrics-keep-list` for the corresponding job you'd like to change.

+For example, `kubelet` is the metric filtering setting for the default target kubelet. Use the following to filter IN metrics collected for the default targets using regex based filtering.

+The cluster label appended to every time series scraped will use the last part of the full AKS cluster's ARM resourceID. For example, if the resource ID is `/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-name/providers/Microsoft.ContainerService/managedClusters/clustername`, the cluster label is `clustername`.

+### Debug mode

+### Scrape interval settings

+To update the scrape interval settings for any target, the customer can update the duration in default-targets-scrape-interval-settings setting for that target in `ama-metrics-settings-configmap` [configmap](https://aka.ms/azureprometheus-addon-settings-configmap). The scrape intervals have to be set by customer in the correct format specified [here](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#configuration-file), else the default value of 30 seconds will be applied to the corresponding targets.

+The `ama-metrics` replicaset pod consumes the custom Prometheus config and scrapes the specified targets. For a cluster with a large number of nodes and pods and a large volume of metrics to scrape, some of the applicable custom scrape targets can be off-loaded from the single `ama-metrics` replicaset pod to the `ama-metrics` daemonset pod. The [ama-metrics-prometheus-config-node configmap](https://aka.ms/azureprometheus-addon-ds-configmap), similar to the regular configmap, can be created to have static scrape configs on each node. The scrape config should only target a single node and shouldn't use service discovery. Otherwise each node will try to scrape all targets and will make many calls to the Kubernetes API server. The `node-exporter` config below is one of the default targets for the daemonset pods. It uses the `$NODE_IP` environment variable, which is already set for every ama-metrics addon container to target a specific port on the node:

+Any other unsupported sections need to be removed from the config before applying as a configmap. Otherwise the custom configuration will fail validation and won't be applied.

+Targets discovered using [`kubernetes_sd_configs`](https://aka.ms/azureprometheus-promioconfig-sdk8s) will each have different `__meta_*` labels depending on what role is specified. The labels can be used in the `relabel_configs` section to filter targets or replace labels for the targets.

+Add a new label called `example_label` with value `example_value` to every metric of the job. Use `__address__` as the source label only because that label will always exist and will add the label for every target of the job.

+- `prometheus.io/scheme`: If the metrics endpoint is secured, then you'll need to set scheme to `https` & most likely set the tls config.

+You can easily see the models you have available for both inference and fine-tuning in your resource by using the [Models API](/rest/api/cognitiveservices/azureopenai/models/list).

+This article provides details on the REST API endpoints for the Azure OpenAI Service, a service in the Azure Cognitive Services suite. The REST APIs are broken up into two categories:

+Learn about [managing deployments, models, and finetuning with the REST API](/rest/api/cognitiveservices/azureopenai/deployments/create).

+| 400 | Play Failed | Ensure your audio file is WAV, 16KHz, Mono and make sure the file url is publicly accessible. |

+| 400 | Recognize Failed | Check the error message. The message will highlight if this is due to timeout being reached or if operation was canceled. For more information about the error codes and messages you can check our how-to guide for [gathering user input](../how-tos/call-automation/recognize-action.md#event-codes).

+| 500 | Play Failed | File a support request through the Azure portal. |

+| 500 | Recognize Failed | Check error message and confirm the audio file format is valid (WAV, 16KHz, Mono), if the file format is valid then file a support request through Azure portal. |

+If you have an existing certificate, upload it to AKV. For more information on how to use your own signing key, see the [signing certificate requirements.](https://github.com/notaryproject/notaryproject/blob/main/specs/signature-specification.md#certificate-requirements)

+You can create and manage virtual machines (VMs) on an Azure Stack Edge Pro GPU device by using the Azure portal, templates, and Azure PowerShell cmdlets, and via the Azure CLI or Python scripts. This article describes how to create and manage a high performance network (HPN) VM on your Azure Stack Edge Pro GPU device.

+HPN VMs are specifically designed for 5G and Multi-access Edge Computing (MEC) network functions that require high packet processing rates, low latency, and low jitter.

+HPN VMs rely on a non-uniform memory access (NUMA) architecture to increase processing speeds. In a NUMA system, CPUs are arranged in smaller systems called nodes. Each node has a dedicated set of logical processors and memory. An HPN VM can use CPU from only one NUMA node.

+On your Azure Stack Edge device, logical processors are distributed on NUMA nodes and high speed network interfaces can be attached to these nodes.

+To maximize performance, processing, and transmitting on the same NUMA node, processors are allocated memory that they're closest to in order to reduce physical distance. For more information, see [NUMA Support](/windows/win32/procthread/numa-support).

+### vCPU reservations for Azure Stack Edge

+To deploy HPN VMs on Azure Stack Edge, you must reserve vCPUs on NUMA nodes. The number of vCPUs reserved determines the available vCPUs that can be assigned to the HPN VMs.

+For the number of cores that each HPN VM size uses, see theΓÇ»[Supported HPN VM sizes](azure-stack-edge-gpu-virtual-machine-sizes.md#supported-vm-sizes).

+In version 2210, vCPUs are automatically reserved with the maximum number of vCPUs supported on each NUMA node. If the vCPUs were already reserved for HPN VMs in an earlier version, the existing reservation is carried forth to the 2210 version. If vCPUs weren't reserved for HPN VMs in an earlier version, upgrading to 2210 will still carry forth the existing configuration.

+For versions 2209 and earlier, you must reserve vCPUs on NUMA nodes before you deploy HPN VMs on your device. We recommend that the vCPU reservation is done on NUMA node 0, as this node has Mellanox high speed network interfaces, Port 5 and Port 6, attached to it.

+1. While configuring the network settings on your device, make sure that there's a virtual switch associated with a network interface on your device that can be used for the VM resources and VMs. We'll use the default virtual network created with the vswitch for this article. You have the option of creating and using a different virtual network, if desired.

+2. Enable cloud management of VMs from the Azure portal. Download a VHD onto your device, and create a VM image from the VHD.

+3. Reserve vCPUs on the device for HPN VMs with versions 2209 and earlier. For version 2210, the vCPUs are automatically reserved.

+4. Use the resources created in the previous steps:

+ 1. The VM image that you created.

+ 2. The default virtual network associated with the virtual switch. The default virtual network has the same name as the name of the virtual switch.

+ 3. The default subnet for the default virtual network.

+1. And create or specify the following resources:

+ 1. Specify a VM name, choose a supported HPN VM size, and specify sign-in credentials for the VM.

+ 1. Create new data disks or attach existing data disks.

+ 1. Configure static or dynamic IP for the VM. If you're providing a static IP, choose from a free IP in the subnet range of the default virtual network.

+1. Use the preceding resources to create an HPN VM.

+Before you create and manage VMs on your device via the Azure portal, make sure that:

+### [2210](#tab/2210)

+- You've configured and activated your Azure Stack Edge Pro GPU device as described in [Tutorial: Activate Azure Stack Edge Pro with GPU](azure-stack-edge-gpu-deploy-activate.md).

+ Make sure that you've created a virtual switch. The VMs and the resources for VMs will be using this virtual switch and the associated virtual network. For more information, see [Configure a virtual switch on Azure Stack Edge Pro GPU](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-virtual-switches).

+- You have access to a VM image for the VM you intend to create. To create a VM image, you can [Get an image from Azure Marketplace](azure-stack-edge-gpu-create-virtual-machine-marketplace-image.md).

+- In addition to the above prerequisites for VM creation, you'll also need to check the vCPU reservation of HPN VMs.

+ - The default vCPU reservation uses the SkuPolicy, which reserves all vCPUs that are available for HPN VMs.

+ - If the vCPUs were already reserved for HPN VMs in an earlier version - for example, version 2009 or earlier, then the existing reservation is carried forth to the 2210 version.

+ - For most use cases, we recommend that you use the default configuration. If needed, you can also customize the NUMA configuration for HPN VMs. To customize the configuration, use the steps provided for 2209.

+- Use the following steps to get information about the SkuPolicy settings on your device:

+ 1. [Connect to the PowerShell interface of the device](azure-stack-edge-gpu-connect-powershell-interface.md#connect-to-the-powershell-interface).

+

+

+ 1. Run the following command to see the available NUMA policies on your device:

+ ```powershell

+ Get-HcsNumaPolicy

+ ```

+

+ Here's an example output:

+ ```powershell

+ [DBE-BNVGF33.microsoftdatabox.com]: PS>Get-HcsNumaPolicy

+ Get-HcsNumaPolicy

+ PolicyType: AllRoot

+ HpnLpMapping:

+ CPUs: []

+ PolicyType: SkuPolicy

+ HpnLpMapping:

+ CPUs: [4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47]

+ [DBE-BNVGF33.microsoftdatabox.com]: PS>

+ ```

+ 1. Run the following command to get the vCPU reservation information on your device:

+ This cmdlet will output:

+ 1. HpnLpMapping: The NUMA logical processor indexes that are reserved on the machine.

+ 1. HpnCapableLpMapping: The NUMA logical processor indexes that are capable for reservation.

+ 1. HpnLpAvailable: The NUMA logical processor indexes that aren't available for new HPN VM deployments.

+ 1. The NUMA logical processors used by HPN VMs and NUMA logical processors available for new HPN VM deployments on each NUMA node in the cluster.

+ ```powershell

+ Get-HcsNumaLpMapping

+ ```

+ Here's an example output when SkuPolicy is in effect:

+ ```powershell

+ [DBE-BNVGF33.microsoftdatabox.com]: PS>Get-HcsNumaLpMapping

+ Hardware:

+ { Numa Node #0 : CPUs [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23] }

+ { Numa Node #1 : CPUs [24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47] }

+ HpnCapableLpMapping:

+ { Numa Node #0 : CPUs [4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23] }

+ { Numa Node #1 : CPUs [28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47] }

+ BNVGF33:

+ HpnLpMapping:

+ { Numa Node #0 : CPUs [4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23] }

+ { Numa Node #1 : CPUs [28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47] }

+ HpnLpAvailable:

+ { Numa Node #0 : CPUs [4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23] }

+ { Numa Node #1 : CPUs [28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47] }

+ ```

+ Proceed to the following steps only if you want to change the current reservation, or to create a new reservation.

+ 1. Run the following command to set a NUMA logical processor mapping on your device. You can use the `-Custom` parameter if you want to specify a custom logical processor set. See the **2209 and earlier** tab in this article for rules when specifying a custom set.

+

+ Running this command stops running VMs, triggers a reboot, and then restarts the VMs.

+ ```powershell

+ Set-HcsNumaLpMapping -UseSkuPolicy

+ ```

+ Here's an example output:

+ ```powershell

+ [DBE-BNVGF33.microsoftdatabox.com]: Set-HcsNumaLpMapping -UseSkuPolicy

+ Requested Config already exists. No action needed.

+ [DBE-BNVGF33.microsoftdatabox.com]: PS> Set-HcsNumaLpMapping -UseAllRoot

+ Requested Configuration requires a reboot...

+ Machine will reboot in some time. Please be patient.

+ [DBE-BNVGF33.microsoftdatabox.com]: PS>

+ ```

+ 1. Run the following command to validate the vCPU reservation and verify that the VMs have restarted.

+ ```powershell

+ Get-HcsNumaLpMapping

+ ```

+ The output shouldn't show the indexes you set. If you see the indexes you set in the output, the `Set` command didn't complete successfully. Retry the command and if the problem persists, contact Microsoft Support.

+ Here's an example output.

+ ```powershell

+ dbe-1csphq2.microsoftdatabox.com]: PS> Get-HcsNumaLpMapping -MapType MinRootAware -NodeName 1CSPHQ2

+ { Numa Node #0 : CPUs [0, 1, 2, 3] }

+ { Numa Node #1 : CPUs [20, 21, 22, 23] }

+ [dbe-1csphq2.microsoftdatabox.com]:

+ PS>

+

+### [2209 and earlier](#tab/2209)

+In addition to the above prerequisites that are used for VM creation, configure the following prerequisite specifically for the HPN VMs:

+ 1. Identify all the VMs running on your device, including Kubernetes VMs and any VM workloads that you may have deployed.

+ ```

+ 1. Get the `hostname` for your device. This should return a string corresponding to the device hostname.

+ 1. Get the logical processor indexes to reserve for HPN VMs.

+ Get-HcsNumaLpMapping -MapType HighPerformanceCapable -NodeName <Output of hostname command>

+ Here's example output:

+ ```powershell

+ [dbe-1csphq2.microsoftdatabox.com]: PS>hostname 1CSPHQ2

+ [dbe-1csphq2.microsoftdatabox.com]: P> Get-HcsNumaLpMapping -MapType HighPerformanceCapable -NodeName

+ [dbe-1csphq2.microsoftdatabox.com]: P> Get-HcsNumaLpMapping -MapType HighPerformanceCapable -NodeName 1CSPHQ2

+ { Numa Node #0 : CPUs [4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19] }

+ { Numa Node #1 : CPUs [24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39] }

+ [dbe-1csphq2.microsoftdatabox.com]: PS>

+ ```

+ 1. Reserve vCPUs for HPN VMs. The number of vCPUs reserved here determines the available vCPUs that could be assigned to the HPN VMs. For the number of cores that each HPN VM size uses, see theΓÇ»[Supported HPN VM sizes](azure-stack-edge-gpu-virtual-machine-sizes.md#supported-vm-sizes). On your device, Mellanox ports 5 and 6 are on NUMA node 0.

+

+ ```powershell

+ Set-HcsNumaLpMapping -CpusForHighPerfVmsCommaSeperated <Logical indexes from the Get-HcsNumaLpMapping cmdlet> -AssignAllCpusToRoot $false

+ ```

+

+ Here's an example output:

+ ```powershell

+ [dbe-1csphq2.microsoftdatabox.com]: PS>Set-HcsNumaLpMapping -CpusForHighPerfVmsCommaSeperated "4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39" -AssignAllCpusToRoot $false

+ Requested Configuration requires a reboot...

+ Machine will reboot in some time. Please be patient.

+ [dbe-1csphq2.microsoftdatabox.com]: PS>

+ ```

+ > [!Note]

+ > - You can choose to reserve all the logical indexes from both NUMA nodes shown in the example or a subset of the indexes. If you choose to reserve a subset of indexes, pick the indexes from the device node that has a Mellanox network interface attached to it, for best performance. For Azure Stack Edge Pro GPU, the NUMA node with Mellanox network interface is #0.

+ > - The list of logical indexes must contain a paired sequence of an odd number and an even number. For example, ((4,5)(6,7)(10,11)). Attempting to set a list of numbers such as `5,6,7` or pairs such as `4,6` will not work.

+ > - Using two `Set-HcsNuma` commands consecutively to assign vCPUs will reset the configuration. Also, do not free the CPUs using the Set-HcsNuma cmdlet if you have deployed an HPN VM.

+ > [!NOTE]

+ > Devices that are updated to 2210 from earlier versions will keep their minroot configuration from before upgrade.

+ 8. Wait for the device to finish rebooting. Once the device is running again, open a new PowerShell session. [Connect to the PowerShell interface of the device](azure-stack-edge-gpu-connect-powershell-interface.md#connect-to-the-powershell-interface).

+ 1. Validate the vCPU reservation and verify that the VMs have restarted.

+ ```powershell

+ Get-HcsNumaLpMapping

+ ```

+ The output shouldn't show the indexes you set. If you see the indexes you set in the output, the `Set` command didn't complete successfully. Retry the command and if the problem persists, contact Microsoft Support.

+ Here's an example output.

+ ```powershell

+ dbe-1csphq2.microsoftdatabox.com]: PS> Get-HcsNumaLpMapping -MapType MinRootAware -NodeName 1CSPHQ2

+ { Numa Node #0 : CPUs [0, 1, 2, 3] }

+ { Numa Node #1 : CPUs [20, 21, 22, 23] }

+ [dbe-1csphq2.microsoftdatabox.com]:

+ PS>

+ ```

+ 1. Restart the VMs that you had stopped in the earlier step.

+ ```powershell

+ start-vm

+ ```

+> [!NOTE]

+> Azure Stack Edge Pro 1 devices have two NUMA nodes, so you must provision HPN VMs before you provision non-HPN VMs.

+ > [!NOTE]

+ > If the vCPUs are not reserved for HPN VMs prior to the deployment, the deployment will fail with a *FabricVmPlacementErrorInsufficientNumaNodeCapacity* error.

+| **Detected enabling of the WDigest UseLogonCredential registry key** | Analysis of host data detected a change in the registry key HKLM\SYSTEM\ CurrentControlSet\Control\SecurityProviders\WDigest\ "UseLogonCredential". Specifically this key has been updated to allow logon credentials to be stored in clear text in LSA memory. Once enabled, an attacker can dump clear text passwords from LSA memory with credential harvesting tools such as Mimikatz. | - | Medium |

+| **Detected suspicious file creation** | Analysis of host data on %{Compromised Host} detected creation or execution of a process that has previously indicated post-compromise action taken on a victim host by activity group BARIUM. This activity group has been known to use this technique to download more malware to a compromised host after an attachment in a phishing doc has been opened. | - | High |

+| **Detected suspicious use of FTP -s Switch** | Analysis of process creation data from the %{Compromised Host} detected the use of the FTP "-s:filename" switch. This switch is used to specify an FTP script file for the client to run. Malware or malicious processes are known to use this FTP switch (-s:filename) to point to a script file which is configured to connect to a remote FTP server and download more malicious binaries. | - | Medium |

+| **Suspect integrity level indicative of RDP hijacking** | Analysis of host data has detected the tscon.exe running with SYSTEM privileges - this can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it is a known attacker technique to compromise more user accounts and move laterally across a network. | - | Medium |

+| **Suspect service installation** | Analysis of host data has detected the installation of tscon.exe as a service: this binary being started as a service potentially allows an attacker to trivially switch to any other logged on user on this host by hijacking RDP connections; it's a known attacker technique to compromise more user accounts and move laterally across a network. | - | Medium |

+| **Suspicious code segment detected** | Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides more characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment. | - | Medium |

+|**Access of htaccess file detected**<br>(VM_SuspectHtaccessFileAccess)|Analysis of host data on %{Compromised Host} detected possible manipulation of a htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running the Apache Web software including basic redirect functionality, or for more advanced functions such as basic password protection. Attackers will often modify htaccess files on machines they've compromised to gain persistence.|Persistence, Defense Evasion, Execution|Medium|

+|**Behavior similar to Fairware ransomware detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it's normally used on discrete folders. In this case, it's being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium|

+|**Behavior similar to Fairware ransomware detected**<br>(VM_FairwareMalware)|Analysis of host data on %{Compromised Host} detected the execution of rm -rf commands applied to suspicious locations. As rm -rf will recursively delete files, it's normally used on discrete folders. In this case, it's being used in a location that could remove a lot of data. Fairware ransomware is known to execute rm -rf commands in this folder.|Execution|Medium|

+|**Detected persistence attempt [seen multiple times]**|Analysis of host data on %{Compromised Host} has detected installation of a startup script for single-user mode. It's extremely rare that any legitimate process needs to execute in that mode, so this may indicate that an attacker has added a malicious process to every run-level to guarantee persistence. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium|

+|**Exposed Docker daemon on TCP socket**<br>(VM_ExposedDocker)|Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration, doesn't use encryption or authentication when a TCP socket is enabled. This enables full access to the Docker daemon, by anyone with access to the relevant port.|Execution, Exploitation|Medium|

+|**Fileless Attack Toolkit Detected**<br>(VM_FilelessAttackToolkit.Linux)| The memory of the process specified below contains a fileless attack toolkit: {ToolKitName}. Fileless attack toolkits typically don't have a presence on the filesystem, making detection by traditional anti-virus software difficult.<br>Specific behaviors include: {list of observed behaviors} | Defense Evasion, Execution | High |

+|**MITRE Caldera agent detected**<br>(VM_MitreCalderaTools)|Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on %{Compromised Host}. This is often associated with the MITRE 54ndc47 agent, which could be used maliciously to attack other machines in some way.|All |Medium|

+|**Possible data exfiltration [seen multiple times]**|Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they've compromised. This behavior was seen [x]] times today on the following machines: [Machine names]|-|Medium|

+|**Possible data exfiltration**<br>(VM_DataEgressArtifacts)|Analysis of host data on %{Compromised Host} detected a possible data egress condition. Attackers will often egress data from machines they've compromised.|Collection, Exfiltration|Medium|

+|**Possible malicious web shell detected [seen multiple times]**<br>(VM_Webshell)|Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they've compromised to gain persistence or for further exploitation. This behavior was seen [x] times today on the following machines: [Machine names]|Persistence, Exploitation|Medium|

+|**Possible malicious web shell detected**|Analysis of host data on %{Compromised Host} detected a possible web shell. Attackers will often upload a web shell to a machine they've compromised to gain persistence or for further exploitation.|-|Medium|

+|**Suspicious compilation detected [seen multiple times]**|Analysis of host data on %{Compromised Host} detected suspicious compilation. Attackers will often compile exploits on a machine they've compromised to escalate privileges. This behavior was seen [x] times today on the following machines: [Machine names]|-|Medium|

+|**Suspicious compilation detected**<br>(VM_SuspectCompilation)|Analysis of host data on %{Compromised Host} detected suspicious compilation. Attackers will often compile exploits on a machine they've compromised to escalate privileges.|Privilege Escalation, Exploitation|Medium|

+| **PREVIEW - Suspicious invocation of a high-risk 'Credential Access' operation by a service principal detected**<br>(ARM_AnomalousServiceOperation.CredentialAccess) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to access credentials. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent. | Credential access | Medium |

+| **PREVIEW - Suspicious invocation of a high-risk 'Data Collection' operation by a service principal detected**<br>(ARM_AnomalousServiceOperation.Collection) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to collect data. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to collect sensitive data on resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent. | Collection | Medium |

+| **PREVIEW - Suspicious invocation of a high-risk 'Defense Evasion' operation by a service principal detected**<br>(ARM_AnomalousServiceOperation.DefenseEvasion) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to evade defenses. The identified operations are designed to allow administrators to efficiently manage the security posture of their environments. While this activity may be legitimate, a threat actor might utilize such operations to avoid being detected while compromising resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent. | Defense Evasion | Medium |

+| **PREVIEW - Suspicious invocation of a high-risk 'Execution' operation by a service principal detected**<br>(ARM_AnomalousServiceOperation.Execution) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation on a machine in your subscription which might indicate an attempt to execute code. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent. | Defense Execution | Medium |

+| **PREVIEW - Suspicious invocation of a high-risk 'Impact' operation by a service principal detected**<br>(ARM_AnomalousServiceOperation.Impact) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempted configuration change. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent. | Impact | Medium |

+| **PREVIEW - Suspicious invocation of a high-risk 'Initial Access' operation by a service principal detected**<br>(ARM_AnomalousServiceOperation.InitialAccess) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to access restricted resources. The identified operations are designed to allow administrators to efficiently access their environments. While this activity may be legitimate, a threat actor might utilize such operations to gain initial access to restricted resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent. | Initial access | Medium |

+| **PREVIEW - Suspicious invocation of a high-risk 'Lateral Movement Access' operation by a service principal detected**<br>(ARM_AnomalousServiceOperation.LateralMovement) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to perform lateral movement. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to compromise more resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent. | Lateral movement | Medium |

+| **PREVIEW - Suspicious invocation of a high-risk 'persistence' operation by a service principal detected**<br>(ARM_AnomalousServiceOperation.Persistence) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to establish persistence. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to establish persistence in your environment. This can indicate that the service principal is compromised and is being used with malicious intent. | Persistence | Medium |

+| **PREVIEW - Suspicious invocation of a high-risk 'Privilege Escalation' operation by a service principal detected**<br>(ARM_AnomalousServiceOperation.PrivilegeEscalation) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to escalate privileges. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to escalate privileges while compromising resources in your environment. This can indicate that the service principal is compromised and is being used with malicious intent.. | Privilege escalation | Medium |

+| **PREVIEW - Suspicious management session using an inactive account detected**<br>(ARM_UnusedAccountPersistence) | Subscription activity logs analysis has detected suspicious behavior. A principal not in use for a long period of time is now performing actions that can secure persistence for an attacker. | Persistence | Medium |

+| **Suspicious invocation of a high-risk 'Lateral Movement' operation detected (Preview)**<br>(ARM_AnomalousOperation.LateralMovement) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription which might indicate an attempt to perform lateral movement. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to compromise more resources in your environment. This can indicate that the account is compromised and is being used with malicious intent. | Lateral Movement | Medium |

+| **Suspicious classic role assignment detected (Preview)**<br>(ARM_AnomalousClassicRoleAssignment) | Microsoft Defender for Resource Manager identified a suspicious classic role assignment in your tenant which might indicate that an account in your organization was compromised. The identified operations are designed to provide backward compatibility with classic roles that are no longer commonly used. While this activity may be legitimate, a threat actor might utilize such assignment to grant permissions to an more user account under their control. |  Lateral Movement, Defense Evasion | High |

+| **LateralMovement** | V7, V9 | Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing more tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to more systems, access to specific information or files, access to more credentials, or to cause an effect. |

+Here are some examples of options that you can only use in the API:

+You can export data to an Azure Event hub or Log Analytics workspace in a different tenant, without using [Azure Lighthouse](/azure/lighthouse/overview.md). When collecting data into a tenant, you can analyze the data from one central location.

+|**ASB**| Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure.| [Azure Security Benchmark](/security/benchmark/azure/baselines/security-center-security-baseline) |

+[Microsoft Defender for Cloud-overview](overview-page.md)

+Learn more about [Enable Microsoft Defender for Azure Cosmos DB](/azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections)

+ - [Learn more](/azure/defender-for-cloud/defender-for-devops-introduction) about Defender for DevOps.

+ - [Learn more](/azure/defender-for-cloud/concept-attack-path) about Attack path.

+1. For Windows servers, make sure that your servers meet the requirements for [onboarding Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-2012-r2-and-windows-server-2016).

+URI: `https://management.azure.com/subscriptions/<subscriptionId>providers/Microsoft.Security/settings/WDATP_UNIFIED_SOLUTION?api-version=2022-05-01`

+### View properties

+# [Python SDK](#tab/python)

+# [Azure CLI](#tab/cli)

+```azurecli

+az ml job show --name my_job_id --query "{GitCommit:properties."""azureml.git.commit"""}"

+```

+|[Method/API in SDK v1](/python/api/azureml-core/azureml.data)|[Method/API in SDK v2](/python/api/azure-ai-ml/azure.ai.ml.entities)|

+ You can generate inventory reports for blobs and containers. A report for blobs can contain base blobs, snapshots, content length, blob versions and their associated properties such as creation time, last modified time. A report for containers describes containers and their associated properties such as immutability policy status, legal hold status.

+1. If you don't have it already, [install the Azure Az PowerShell module](/powershell/azure/install-az-ps).

+1. Use the `Connect-AzAccount` cmdlet to sign in to your Azure account. Learn more about [signing in to Azure with Azure PowerShell](/powershell/azure/authenticate-azureps).

+> You can use the [`GetAzSecurityPricing` (Az_Security)](/powershell/module/az.security/get-azsecuritypricing) to see all of the Defender for Cloud plans that are enabled for the subscription.

+Learn more about the [`az security pricing create`](/cli/azure/security/pricing#az-security-pricing-create) command.

+1. If you don't have it already, [install the Azure Az PowerShell module](/powershell/azure/install-az-ps).

+1. Use the Connect-AzAccount cmdlet to sign in to your Azure account. Learn more about [signing in to Azure with Azure PowerShell](/powershell/azure/authenticate-azureps).

+1. Enable Microsoft Defender for Storage for the desired storage account with theΓÇ»[`Enable-AzSecurityAdvancedThreatProtection`](/powershell/module/az.security/enable-azsecurityadvancedthreatprotection) cmdlet:

+If you want to disable per-transaction pricing for a specific storage account, use the [`Disable-AzSecurityAdvancedThreatProtection`](/powershell/module/az.security/disable-azsecurityadvancedthreatprotection) cmdlet:

+1. Enable Microsoft Defender for Storage for your subscription with theΓÇ»[`az security atp storage update`](/cli/azure/security/atp/storage) command:

+> You can use the [`az security atp storage show`](/cli/azure/security/atp/storage) command to see if Defender for Storage is enabled on an account.

+To disable Microsoft Defender for Storage for your subscription, use theΓÇ»[`az security atp storage update`](/cli/azure/security/atp/storage) command:

+CRS 3.2 offers a new engine and new rule sets defending against Java injections, an initial set of file upload checks, and fewer false positives compared with earlier versions of CRS. You can also [customize rules to suit your needs](application-gateway-customize-waf-rules-portal.md). Learn more about the new [Azure WAF engine](waf-engine.md).