+ Title: Feature-based comparison of Azure API Management tiers

+Each API Management [pricing tier](api-management-key-concepts.md#api-management-tiers) offers a distinct set of features to meet the needs of different customers. The following table summarizes the key features available in each of the tiers. Some features might work differently or have different capabilities depending on the tier. In such cases the differences are called out in the documentation articles describing these individual features.

+| Feature | Consumption | Developer | Basic | Basic v2 |Standard | Standard v2 | Premium | Premium v2 (preview) |

+| -- | -- | | | | -- | -- | - | - |

+| Microsoft Entra integration¹ | No | Yes | No | Yes | Yes | Yes | Yes | Yes |

+| Virtual network injection support | No | Yes | No | No | No | No | Yes | Yes |

+| Private endpoint support for inbound connections | No | Yes | Yes | No | Yes | No | Yes | No |

+| Outbound virtual network integration support | No | No | No | No | No | Yes | No | Yes |

+| Multi-region deployment | No | No | No | No | No | No | Yes | No |

+| Availability zones | No | No | No | No | No | No | Yes | No |

+| Multiple custom domain names for gateway | No | Yes | No | No | No | No | Yes | No |

+| Developer portal² | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| Built-in cache | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| [External cache](./api-management-howto-cache-external.md) | Yes | Yes | Yes | Yes | Yes | Yes |Yes | Yes

+| Autoscaling | No | No | Yes | No | Yes | No |Yes | No |

+| API analytics | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| [Self-hosted gateway](self-hosted-gateway-overview.md)³ | No | Yes | No | No | No | No | Yes | No |

+| [Workspaces](workspaces-overview.md) | No | No | No | No | No | No | Yes | No |

+| [TLS settings](api-management-howto-manage-protocols-ciphers.md) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| [Client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) | Yes | Yes | Yes | Yes | Yes | Yes |Yes | Yes |

+| [Policies](api-management-howto-policies.md)⁴ | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| [Credential manager](credentials-overview.md) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| [Backup and restore](api-management-howto-disaster-recovery-backup-restore.md) | No | Yes | Yes | No | Yes | No | Yes | No |

+| [Management over Git](api-management-configuration-repository-git.md) | No | Yes | Yes |No | Yes | No | Yes | No |

+| Azure Monitor metrics | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| Azure Monitor and Log Analytics request logs | No | Yes | Yes | Yes | Yes | Yes |Yes | Yes |

+| Application Insights request logs | Yes | Yes | Yes | Yes | Yes | Yes |Yes | Yes |

+| Static IP | No | Yes | Yes | No |Yes | No | Yes | No |

+³ See [Gateway overview](api-management-gateways-overview.md#feature-comparison-managed-versus-self-hosted-gateways) for a feature comparison of managed versus self-hosted gateways. In the Developer tier, self-hosted gateways are limited to a single gateway node. <br/>

+## Related content

+* [Overview of Azure API Management](api-management-key-concepts.md)

+* [API Management limits](/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/api-management/toc.json&bc=/azure/api-management/breadcrumb/toc.json#api-management-limits)

+* [V2 tiers overview](v2-service-tiers-overview.md)

+* [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/)

+* **V2** - the managed gateway available in the Basic v2, Standard v2, and Premium v2 tiers

+| | | -- | -- | - | -- |

+| [Virtual network injection](virtual-network-concepts.md) | Developer, Premium | Premium v2 | ❌ | ✔️^1,2 | ✔️ |

+| [Outbound virtual network integration](integrate-vnet-outbound.md) | ❌ | Standard v2, Premium v2 | ❌ | ❌ | ✔️ |

+| [Availability zones](zone-redundancy.md) | Premium | Γ¥î | Γ¥î | Γ£ö∩╕Ź | Γ£ö∩╕ų |

+| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation | Γ£ö∩╕Å | Γ£ö∩╕Å | Γ¥î | Γ£ö∩╕ų | Γ¥î |

+| **HTTP/2** (Client-to-gateway) | Γ£ö∩╕Å⁴ | Γ£ö∩╕Å⁴ |Γ¥î | Γ£ö∩╕Å | Γ¥î |

+³ CA root certificates for self-hosted gateway are managed separately per gateway<br/>

+⁴ Client protocol needs to be enabled.

+| [Azure OpenAI and LLM](azure-openai-api-from-specification.md) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+Managed and self-hosted gateways support all available [policies](api-management-policies.md) in policy definitions with the following exceptions. See the policy reference for details about each policy.

+| [Authenticate with managed identity](authentication-managed-identity-policy.md) | ✔️ | ✔️ |✔️ | ✔️ | ❌ |

+| [Azure OpenAI and LLM semantic caching](api-management-policies.md#caching) | ❌ | ✔️ |❌ | ❌ | ❌ |

+## IP addresses of Consumption, Basic v2, Standard v2, and Premium v2 tier API Management service

+If your API Management instance is created in a service tier that runs on a shared infrastructure, it doesn't have a dedicated IP address. Currently, instances in the following service tiers run on a shared infrastructure and without a deterministic IP address: Consumption, Basic v2, Standard v2, Premium v2.

+If you need to add the outbound IP addresses used by your Consumption, Basic v2, Standard v2, or Premium v2 tier instance to an allowlist, you can add the instance's data center (Azure region) to an allowlist. You can [download a JSON file that lists IP addresses for all Azure data centers](https://www.microsoft.com/download/details.aspx?id=56519). Then find the JSON fragment that applies to the region that your instance runs in.

+> * The following tiers don't support changes to the default cipher configuration: **Consumption**, **Basic v2**, **Standard v2**, **Premium v2**.

+### Consumption, Basic v2, Standard v2, or Premium v2 tier

+To receive and verify client certificates in the Consumption, Basic v2, Standard v2, or Premium v2 tier, you must enable the **Request client certificate** setting on the **Custom domains** blade as shown below.

+* **V2** - A new set of tiers that offer fast provisioning and scaling, including Basic v2 for development and testing, and Standard v2 and Premium v2 for production workloads. Standard v2 and Premium v2 support virtual network integration for simplified connection to network-isolated backends. Premium v2 also supports virtual network injection for full isolation of network traffic to and from the gateway.

+|Policy |Description |Classic | V2 | Consumption | Self-hosted | Workspace |

+||||||--|--|

+| [Limit call rate by subscription](rate-limit-policy.md) | Prevents API usage spikes by limiting call rate, on a per subscription basis. | Yes | Yes | Yes | Yes | Yes |

+| [Limit call rate by key](rate-limit-by-key-policy.md) | Prevents API usage spikes by limiting call rate, on a per key basis. | Yes | Yes | No | Yes | Yes |

+| [Set usage quota by subscription](quota-policy.md) | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis. | Yes | Yes | Yes | Yes | Yes |

+| [Set usage quota by key](quota-by-key-policy.md) | Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis. | Yes | No | No | Yes | Yes |

+| [Limit concurrency](limit-concurrency-policy.md) | Prevents enclosed policies from executing by more than the specified number of requests at a time. | Yes | Yes | Yes | Yes | Yes |

+| [Limit Azure OpenAI Service token usage](azure-openai-token-limit-policy.md) | Prevents Azure OpenAI API usage spikes by limiting large language model tokens per calculated key. | Yes | Yes | No | No | Yes |

+| [Limit large language model API token usage](llm-token-limit-policy.md) | Prevents large language model (LLM) API usage spikes by limiting LLM tokens per calculated key. | Yes | Yes | No | No | Yes |

+|Policy |Description | Classic | V2 | Consumption |Self-hosted | Workspace |

+||||||--|--|

+| [Check HTTP header](check-header-policy.md) | Enforces existence and/or value of an HTTP header. | Yes | Yes | Yes | Yes | Yes |

+| [Get authorization context](get-authorization-context-policy.md) | Gets the authorization context of a specified [connection](credentials-overview.md) to a credential provider configured in the API Management instance. | Yes | Yes | Yes | No | No |

+| [Restrict caller IPs](ip-filter-policy.md) | Filters (allows/denies) calls from specific IP addresses and/or address ranges. | Yes | Yes | Yes | Yes | Yes |

+| [Validate Microsoft Entra token](validate-azure-ad-token-policy.md) | Enforces existence and validity of a Microsoft Entra (formerly called Azure Active Directory) JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes | Yes |

+| [Validate JWT](validate-jwt-policy.md) | Enforces existence and validity of a JWT extracted from either a specified HTTP header, query parameter, or token value. | Yes | Yes | Yes | Yes | Yes |

+| [Validate client certificate](validate-client-certificate-policy.md) |Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims. | Yes | Yes | Yes | Yes | Yes |

+| [Authenticate with Basic](authentication-basic-policy.md) | Authenticates with a backend service using Basic authentication. | Yes | Yes | Yes | Yes | Yes |

+| [Authenticate with client certificate](authentication-certificate-policy.md) | Authenticates with a backend service using client certificates. | Yes | Yes | Yes | Yes | Yes |

+| [Authenticate with managed identity](authentication-managed-identity-policy.md) | Authenticates with a backend service using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md). | Yes | Yes | Yes | Yes | No |

+|Policy |Description | Classic | V2 | Consumption |Self-hosted |Workspace |

+||||||--||

+| [Validate content](validate-content-policy.md) | Validates the size or content of a request or response body against one or more API schemas. The supported schema formats are JSON and XML. | Yes | Yes | Yes | Yes | Yes |

+| [Validate GraphQL request](validate-graphql-request-policy.md) | Validates and authorizes a request to a GraphQL API. | Yes | Yes | Yes | Yes | No |

+| [Validate OData request](validate-odata-request-policy.md) | Validates a request to an OData API to ensure conformance with the OData specification. | Yes | Yes | Yes | Yes | Yes |

+| [Validate parameters](validate-parameters-policy.md) | Validates the request header, query, or path parameters against the API schema. | Yes | Yes | Yes | Yes | Yes |

+| [Validate headers](validate-headers-policy.md) | Validates the response headers against the API schema. | Yes | Yes | Yes | Yes | Yes |

+| [Validate status code](validate-status-code-policy.md) | Validates the HTTP status codes in responses against the API schema. | Yes | Yes | Yes | Yes | Yes |

+|Policy |Description | Classic | V2 | Consumption |Self-hosted | Workspace |

+||||||--|-|

+| [Forward request](forward-request-policy.md) | Forwards the request to the backend service. | Yes | Yes | Yes | Yes | Yes |

+| [Set backend service](set-backend-service-policy.md) | Changes the backend service base URL of an incoming request to a URL or a [backend](backends.md). Referencing a backend resource allows you to manage the backend service base URL and other settings in a single place. Also implement [load balancing of traffic across a pool of backend services](backends.md#load-balanced-pool) and [circuit breaker rules](backends.md#circuit-breaker) to protect the backend from too many requests. | Yes | Yes | Yes | Yes | Yes |

+| [Set HTTP proxy](proxy-policy.md) | Allows you to route forwarded requests via an HTTP proxy. | Yes | Yes | Yes | Yes | Yes |

+|Policy |Description | Classic | V2 | Consumption |Self-hosted | Workspace |

+||||||--|--|

+| [Get from cache](cache-lookup-policy.md) | Performs cache lookup and return a valid cached response when available. | Yes | Yes | Yes | Yes | Yes |

+| [Store to cache](cache-store-policy.md) | Caches response according to the specified cache control configuration. | Yes | Yes | Yes | Yes | Yes |

+| [Get value from cache](cache-lookup-value-policy.md) | Retrieves a cached item by key. | Yes | Yes | Yes | Yes | Yes |

+| [Store value in cache](cache-store-value-policy.md) | Stores an item in the cache by key. | Yes | Yes | Yes | Yes | Yes |

+| [Remove value from cache](cache-remove-value-policy.md) | Removes an item in the cache by key. | Yes | Yes | Yes | Yes | Yes |

+| [Get cached responses of Azure OpenAI API requests](azure-openai-semantic-cache-lookup-policy.md) | Performs lookup in Azure OpenAI API cache using semantic search and returns a valid cached response when available. | Yes | Yes | Yes | Yes | No |

+| [Store responses of Azure OpenAI API requests to cache](azure-openai-semantic-cache-store-policy.md) | Caches response according to the Azure OpenAI API cache configuration. | Yes | Yes | Yes | Yes | No |

+| [Get cached responses of large language model API requests](llm-semantic-cache-lookup-policy.md) | Performs lookup in large language model API cache using semantic search and returns a valid cached response when available. | Yes | Yes | Yes | Yes | No |

+| [Store responses of large language model API requests to cache](llm-semantic-cache-store-policy.md) | Caches response according to the large language model API cache configuration. | Yes | Yes | Yes | Yes | No |

+|Policy |Description | Classic | V2 | Consumption |Self-hosted | Workspace |

+||||||--|-|

+| [Set request method](set-method-policy.md) | Allows you to change the HTTP method for a request. | Yes | Yes | Yes | Yes | Yes |

+| [Set status code](set-status-policy.md) | Changes the HTTP status code to the specified value. | Yes | Yes | Yes | Yes | Yes |

+| [Set variable](set-variable-policy.md) | Persists a value in a named [context](api-management-policy-expressions.md#ContextVariables) variable for later access. | Yes | Yes | Yes | Yes | Yes |

+| [Set body](set-body-policy.md) | Sets the message body for a request or response. | Yes | Yes | Yes | Yes | Yes |

+| [Set HTTP header](set-header-policy.md) | Assigns a value to an existing response and/or request header or adds a new response and/or request header. | Yes | Yes | Yes | Yes | Yes |

+| [Set query string parameter](set-query-parameter-policy.md) | Adds, replaces value of, or deletes request query string parameter. | Yes | Yes | Yes | Yes | Yes |

+| [Rewrite URL](rewrite-uri-policy.md) | Converts a request URL from its public form to the form expected by the web service. | Yes | Yes | Yes | Yes | Yes |

+| [Convert JSON to XML](json-to-xml-policy.md) | Converts request or response body from JSON to XML. | Yes | Yes | Yes | Yes | Yes |

+| [Convert XML to JSON](xml-to-json-policy.md) | Converts request or response body from XML to JSON. | Yes | Yes | Yes | Yes | Yes |

+| [Find and replace string in body](find-and-replace-policy.md) | Finds a request or response substring and replaces it with a different substring. | Yes | Yes | Yes | Yes | Yes |

+| [Mask URLs in content](redirect-content-urls-policy.md) | Rewrites (masks) links in the response body so that they point to the equivalent link via the gateway. | Yes | Yes | Yes | Yes | Yes |

+| [Transform XML using an XSLT](xsl-transform-policy.md) | Applies an XSL transformation to XML in the request or response body. | Yes | Yes | Yes | Yes | Yes |

+| [Return response](return-response-policy.md) | Aborts pipeline execution and returns the specified response directly to the caller. | Yes | Yes | Yes | Yes | Yes |

+| [Mock response](mock-response-policy.md) | Aborts pipeline execution and returns a mocked response directly to the caller. | Yes | Yes | Yes | Yes | Yes |

+|Policy |Description | Classic | V2 | Consumption |Self-hosted | Workspace |

+||||||--|--|

+| [Allow cross-domain calls](cross-domain-policy.md) | Makes the API accessible from Adobe Flash and Microsoft Silverlight browser-based clients. | Yes | Yes | Yes | Yes | Yes |

+| [CORS](cors-policy.md) | Adds cross-origin resource sharing (CORS) support to an operation or an API to allow cross-domain calls from browser-based clients. | Yes | Yes | Yes | Yes | Yes |

+| [JSONP](jsonp-policy.md) | Adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. | Yes | Yes | Yes | Yes | Yes |

+|Policy |Description | Classic | V2 | Consumption |Self-hosted | Workspace |

+||||||--|-|

+ | [Send request](send-request-policy.md) | Sends a request to the specified URL. | Yes | Yes | Yes | Yes | Yes |

+ | [Send one way request](send-one-way-request-policy.md) | Sends a request to the specified URL without waiting for a response. | Yes | Yes | Yes | Yes | Yes |

+| [Log to event hub](log-to-eventhub-policy.md) | Sends messages in the specified format to an event hub defined by a Logger entity.| Yes | Yes | Yes | Yes | Yes |

+| [Send request to a service (Dapr)](set-backend-service-dapr-policy.md)| Uses Dapr runtime to locate and reliably communicate with a Dapr microservice. To learn more about service invocation in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md#service-invocation) file. | No | No | No | Yes | No |

+| [Send message to Pub/Sub topic (Dapr)](publish-to-dapr-policy.md) | Uses Dapr runtime to publish a message to a Publish/Subscribe topic. To learn more about Publish/Subscribe messaging in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file. | No | No | No | Yes | No |

+| [Trigger output binding (Dapr)](invoke-dapr-binding-policy.md) | Uses Dapr runtime to invoke an external system via output binding. To learn more about bindings in Dapr, see the description in this [README](https://github.com/dapr/docs/blob/master/README.md) file. | No | No | No | Yes | No |

+|Policy |Description | Classic | V2 | Consumption |Self-hosted | Workspace |

+||||||--|-|

+| [Trace](trace-policy.md) | Adds custom traces into the [request tracing](./api-management-howto-api-inspector.md) output in the test console, Application Insights telemetries, and resource logs. | Yes | Yes¹ | Yes | Yes | Yes |

+| [Emit metrics](emit-metric-policy.md) | Sends custom metrics to Application Insights at execution. | Yes | Yes | Yes | Yes | Yes |

+| [Emit Azure OpenAI token metrics](azure-openai-emit-token-metric-policy.md) | Sends metrics to Application Insights for consumption of large language model tokens through Azure OpenAI service APIs. | Yes | Yes | No | Yes | Yes |

+| [Emit large language model API token metrics](llm-emit-token-metric-policy.md) | Sends metrics to Application Insights for consumption of large language model (LLM) tokens through LLM APIs. | Yes | Yes | No | Yes | Yes |

+|Policy |Description | Classic | V2 | Consumption |Self-hosted | Workspace |

+||||||--|-|

+| [Azure SQL data source for resolver](sql-data-source-policy.md) | Configures the Azure SQL request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No | No |

+| [Cosmos DB data source for resolver](cosmosdb-data-source-policy.md) | Configures the Cosmos DB request and optional response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | No | No | No |

+| [HTTP data source for resolver](http-data-source-policy.md) | Configures the HTTP request and optionally the HTTP response to resolve data for an object type and field in a GraphQL schema. | Yes | Yes | Yes | No | No |

+| [Publish event to GraphQL subscription](publish-event-policy.md) | Publishes an event to one or more subscriptions specified in a GraphQL API schema. Configure the policy in a GraphQL resolver for a related field in the schema for another operation type such as a mutation. | Yes | Yes | Yes | No | No |

+|Policy |Description | Classic | V2 | Consumption |Self-hosted | Workspace |

+||||||--|-|

+| [Control flow](choose-policy.md) | Conditionally applies policy statements based on the results of the evaluation of Boolean [expressions](api-management-policy-expressions.md). | Yes | Yes | Yes | Yes | Yes |

+| [Include fragment](include-fragment-policy.md) | Inserts a policy fragment in the policy definition. | Yes | Yes | Yes | Yes | Yes |

+| [Retry](retry-policy.md) | Retries execution of the enclosed policy statements, if and until the condition is met. Execution will repeat at the specified time intervals and up to the specified retry count. | Yes | Yes | Yes | Yes | Yes |

+ | [Wait](wait-policy.md) | Waits for enclosed [Send request](send-request-policy.md), [Get value from cache](cache-lookup-value-policy.md), or [Control flow](choose-policy.md) policies to complete before proceeding. | Yes | Yes | Yes | Yes | Yes |

+ Title: Azure API Management - Availability of v2 tiers and workspace gateways

+description: Availability of API Management v2 tiers and workspace gateways in Azure regions. This information supplements product availability by region.

+

+# Azure API Management - Availability of v2 tiers and workspace gateways

+API Management [v2 tiers](v2-service-tiers-overview.md) and API Management [workspace gateways](workspaces-overview.md#workspace-gateway) are available in a subset of the regions where the classic tiers are available. For information about the availability of the API Management classic tiers, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/).

+## Supported regions for v2 tiers and workspace gateways

+Information in the following table is updated regularly. Capacity availability in Azure regions may vary.

+| Region | Basic v2 | Standard v2 | Premium v2 (preview) | Workspace gateway (Premium) |

+|--|::|::|::|::|

+| Australia Central | ✅ | ✅ | | |

+| Australia East | ✅ | ✅ | ✅ | ✅ |

+| Australia Southeast | ✅ | ✅ | | |

+| Brazil South | ✅ | ✅ | | |

+| Central India | ✅ | ✅ | | |

+| East Asia | ✅ | ✅ | | ✅ |

+| East US | ✅ | ✅ | | |

+| East US 2 | ✅ | ✅ | ✅ | ✅ |

+| France Central | ✅ | ✅ | | ✅ |

+| Germany West Central | ✅ | ✅ | ✅ | ✅ |

+| Japan East | ✅ | ✅ | | ✅ |

+| Korea Central | ✅ | ✅ | ✅ | |

+| North Central US | ✅ | ✅ | | ✅ |

+| North Europe | ✅ | ✅ | | ✅ |

+| Norway East | ✅ | ✅ | ✅ | |

+| South Africa North | ✅ | ✅ | | |

+| South Central US | ✅ | ✅ | | |

+| South India | ✅ | ✅ | | |

+| Southeast Asia | ✅ | ✅ | | ✅ |

+| Switzerland North | ✅ |✅ | | |

+| UK South | ✅ | ✅ | ✅ | ✅ |

+| UK West | ✅ | ✅ | | |

+| West Europe | ✅ | ✅ | | |

+| West US | ✅ | ✅ | | ✅ |

+| West US 2 | ✅ | ✅ | | |

+## Related content

+Learn more about:

+* [API Management pricing](https://aka.ms/apimpricing)

+| template | Used to set the templating mode for the `max-item-count`. Currently the only supported value is:<br /><br />- `liquid` - the `max-item-count` uses the liquid templating engine. | No | N/A |

+| template | Used to set the templating mode for the continuation token. Currently the only supported value is:<br /><br />- `liquid` - the continuation token uses the liquid templating engine. | No | N/A |

+| [set-body](set-body-policy.md) | Sets the body in the write request. If not provided, the request payload maps arguments into JSON format.| No |

+| template | Used to set the templating mode for the partition key. Currently the only supported value is:<br /><br />- `liquid` - the partition key uses the liquid templating engine | No | N/A |

+| template | Used to set the templating mode for the etag. Currently the only supported value is:<br /><br />- `liquid` - the etag uses the liquid templating engine | No | N/A |

+ > If you're using the API Management Consumption, Basic v2, Standard v2, and Premium v2 tiers, then [there isn't a dedicated Azure API Management Virtual IP](./api-management-howto-ip-addresses.md#ip-addresses-of-consumption-basic-v2-standard-v2-and-premium-v2-tier-api-management-service) to allow-list with the functions access-restrictions. In the Azure API Management classic (dedicated) tiers [the VIP is single tenant and for the lifetime of the resource](./api-management-howto-ip-addresses.md#changes-to-the-ip-addresses). For the tiers that run on shared infrastructure, you can lock down your API calls via the shared secret function key in the portion of the URI you copied above. Also, for these tiers - steps 12-17 below do not apply.

+> * There may be a delay in the availability of analytics data.

+> [!IMPORTANT]

+> A new Log Analytics workspace can take up to 2 hours to start receiving data. An existing workspace should start receiving data within approximately 15 minutes.

+ Title: Inject API Management in virtual network - Premium v2

+description: Learn how to deploy (inject) an Azure API Management instance in the Premium v2 tier in a virtual network to isolate inbound and outbound traffic.

+# Inject an Azure API Management instance in a private virtual network - Premium v2 tier

+This article guides you through the requirements to inject your Azure API Management Premium v2 (preview) instance in a virtual network.

+> [!NOTE]

+> To inject a classic Developer or Premium tier instance in a virtual network, the requirements and configuration are different. [Learn more](virtual-network-injection-resources.md).

+When an API Management Premium v2 instance is injected in a virtual network:

+* The API Management gateway endpoint is accessible through the virtual network at a private IP address.

+* API Management can make outbound requests to API backends that are isolated in the network.

+This configuration is recommended for scenarios where you want to isolate network traffic to both the API Management instance and the backend APIs.

+If you want to enable *public* inbound access to an API Management instance in the Standard v2 or Premium v2 tier, but limit outbound access to network-isolated backends, see [Integrate with a virtual network for outbound connections](integrate-vnet-outbound.md).

+> [!IMPORTANT]

+> * Virtual network injection described in this article is available only for API Management instances in the Premium v2 tier (preview). For networking options in the different tiers, see [Use a virtual network with Azure API Management](virtual-network-concepts.md).

+> * Currently, you can inject a Premium v2 instance into a virtual network only when the instance is **created**. You can't inject an existing Premium v2 instance into a virtual network. However, you can update the subnet settings for injection after the instance is created.

+> * Currently, you can't switch between virtual network injection and virtual network integration for a Premium v2 instance.

+## Prerequisites

+- An Azure API Management instance in the [Premium v2](v2-service-tiers-overview.md) pricing tier.

+- A virtual network where your client apps and your API Management backend APIs are hosted. See the following sections for requirements and recommendations for the virtual network and subnet used for the API Management instance.

+### Network location

+* The virtual network must be in the same region and Azure subscription as the API Management instance.

+### Subnet requirements

+* The subnet for the API Management instance can't be shared with another Azure resource.

+### Subnet size

+* Minimum: /27 (32 addresses)

+* Recommended: /24 (256 addresses) - to accommodate scaling of API Management instance

+### Network security group

+A network security group must be associated with the subnet.

+### Subnet delegation

+The subnet needs to be delegated to the **Microsoft.Web/hostingEnvironments** service.

+> [!NOTE]

+> You might need to register the `Microsoft.Web/hostingEnvironments` resource provider in the subscription so that you can delegate the subnet to the service.

+For more information about configuring subnet delegation, see [Add or remove a subnet delegation](../virtual-network/manage-subnet-delegation.md).

+### Permissions

+You must have at least the following role-based access control permissions on the subnet or at a higher level to configure virtual network integration:

+| Action | Description |

+|-|-|

+| Microsoft.Network/virtualNetworks/read | Read the virtual network definition |

+| Microsoft.Network/virtualNetworks/subnets/read | Read a virtual network subnet definition |

+| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network |

+## Inject API Management in a virtual network

+When you [create](get-started-create-service-instance.md) a Premium v2 instance using the Azure portal, you can optionally configure settings for virtual network injection.

+1. In the **Create API Management service** wizard, select the **Networking** tab.

+1. In **Connectivity type**, select **Virtual network**.

+1. In **Type**, select **Internal**.

+1. In **Configure virtual networks**, select the virtual network and the delegated subnet that you want to integrate.

+ Optionally, provide a public IP address resource if you want to own and control an IP address that's used only for outbound connection to the internet.

+1. Complete the wizard to create the API Management instance.

+## DNS settings for integration with private IP address

+When a Premium v2 API Management instance is injected in a virtual network, you have to manage your own DNS to enable inbound access to API Management.

+While you have the option to use your own custom DNS server, we recommend:

+1. Configure an Azure [DNS private zone](../dns/private-dns-overview.md).

+1. Link the Azure DNS private zone to the virtual network.

+Learn how to [set up a private zone in Azure DNS](../dns/private-dns-getstarted-portal.md).

+### Endpoint access on default hostname

+When you create an API Management instance in the Premium v2 tier, the following endpoint is assigned a default hostname:

+* **Gateway** - example: `contoso-apim.azure-api.net`

+### Configure DNS record

+Create an A record in your DNS server to access the API Management instance from within your virtual network. Map the endpoint record to the private VIP address of your API Management instance.

+For testing purposes, you might update the hosts file on a virtual machine in a subnet connected to the virtual network in which API Management is deployed. Assuming the private virtual IP address for your API Management instance is 10.1.0.5, you can map the hosts file as shown in the following example. The hosts mapping file is at `%SystemDrive%\drivers\etc\hosts` (Windows) or `/etc/hosts` (Linux, macOS). For example:

+| Internal virtual IP address | Gateway hostname |

+| -- | -- |

+| 10.1.0.5 | `contoso-apim.portal.azure-api.net` |

+## Related content

+* [Use a virtual network with Azure API Management](virtual-network-concepts.md)

+* [Configure a custom domain name for your Azure API Management instance](configure-custom-domain.md)

+ Title: Integrate API Management in private network

+description: Learn how to integrate an Azure API Management instance in the Standard v2 or Premium v2 tier with a virtual network to access backend APIs in the network.

+# Integrate an Azure API Management instance with a private virtual network for outbound connections

+This article guides you through the process of configuring *virtual network integration* for your Standard v2 or Premium v2 (preview) Azure API Management instance. With virtual network integration, your instance can make outbound requests to APIs hosted in a delegated subnet of a single connected virtual network.

+When an API Management instance is integrated with a virtual network for outbound requests, the gateway and developer portal endpoints remain publicly accessible. The API Management instance can reach both public and network-isolated backend services.

+If you want to inject a Premium v2 API Management instance into a virtual network to isolate both inbound and outbound traffic, see [Inject a Premium v2 instance into a virtual network](inject-vnet-v2.md).

+> [!IMPORTANT]

+> * Outbound virtual network integration described in this article is available only for API Management instances in the Standard v2 and Premium v2 tiers. For networking options in the different tiers, see [Use a virtual network with Azure API Management](virtual-network-concepts.md).

+> * You can enable virtual network integration when you create an API Management instance in the Standard v2 or Premium v2 tier, or after the instance is created.

+> * Currently, you can't switch between virtual network injection and virtual network integration for a Premium v2 instance.

+- An Azure API Management instance in the [Standard v2 or Premium v2](v2-service-tiers-overview.md) pricing tier

+- A virtual network with a subnet where your API Management backend APIs are hosted. See the following sections for requirements and recommendations for the virtual network and subnet.

+### Network location

+* The virtual network must be in the same region and Azure subscription as the API Management instance.

+### Subnet requirements

+* The subnet can't be shared with another Azure resource.

+### Subnet size

+* Minimum: /27 (32 addresses)

+* Recommended: /24 (256 addresses) - to accommodate scaling of API Management instance

+### Network security group

+A network security group must be associated with the subnet.

+### Subnet delegation

+The subnet needs to be delegated to the **Microsoft.Web/serverFarms** service.

+> [!NOTE]

+> You might need to register the `Microsoft.Web/serverFarms` resource provider in the subscription so that you can delegate the subnet to the service.

+For more information about configuring subnet delegation, see [Add or remove a subnet delegation](../virtual-network/manage-subnet-delegation.md).

+## Configure virtual network integration

+This section guides you through the process of configure external virtual network integration for an existing Azure API Management instance.

+1. On the **Outbound traffic** card, select **virtual network integration**.

+ :::image type="content" source="media/integrate-vnet-outbound/integrate-vnet.png" lightbox="media/integrate-vnet-outbound/integrate-vnet.png" alt-text="Screenshot of virtual network integration in the portal.":::

+1. Select **Apply**, and then select **Save**. The virtual network is integrated.

+ :::image type="content" source="media/integrate-vnet-outbound/vnet-settings.png" lightbox="media/integrate-vnet-outbound/vnet-settings.png" alt-text="Screenshot of virtual network settings in the portal.":::

+## (Optional) Test virtual network integration

+If you have an API hosted in the virtual network, you can import it to your Management instance and test the virtual network integration. For basic steps, see [Import and publish an API](import-and-publish.md).

+| Consumption | Incurs no fixed costs. You are billed based on the number of API requests to the service above a certain threshold. |

+| Developer, Basic, Standard, Premium | Incur monthly costs, based on the number of [units](./api-management-capacity.md), [workspaces](workspaces-overview.md), and [self-hosted gateways](./self-hosted-gateway-overview.md). Self-hosted gateways are free for the Developer tier. |

+| Basic v2, Standard v2, Premium v2 | Incur monthly costs, based on the number of [units](./api-management-capacity.md). Above a certain threshold of API requests, additional requests are billed. |

+Different [upgrade](./upgrade-and-scale.md) options are available, depending on your service tier.

+Budgets can be created with filters for specific resources or services in Azure if you want more granularity present in your monitoring. Filters help ensure that you don't accidentally create new resources that cost you additional money. For more about the filter options when you create a budget, see [Group and filter options](../cost-management-billing/costs/group-filter.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).

+Except in the Consumption and Developer service tiers, API Management supports scaling by adding or removing [*capacity units*](api-management-capacity.md). As the load increases on an API Management instance, adding capacity units may be more economical than upgrading to a higher service tier. The maximum number of units depends on the service tier.

+You can choose between the following dedicated tiers: **Developer**, **Basic**, **Basic v2**, **Standard**, **Standard v2**, **Premium**, and **Premium v2**.

+* **Basic**, **Basic v2**, **Standard**, **Standard v2**, **Premium**, and **Premium v2** are production tiers that have SLA and can be scaled. For pricing details and scale limits, see [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/#pricing).

+ * You can upgrade and downgrade to and from v2 tiers (**Basic v2**, **Standard v2**, and **Premium v2**).

+The API Management v2 tiers (SKUs) are built on a new, more reliable and scalable platform and are designed to make API Management accessible to a broader set of customers and offer flexible options for a wider variety of scenarios. The v2 tiers are in addition to the existing classic tiers (Developer, Basic, Standard, and Premium) and the Consumption tier. [See detailed comparison of API Management tiers](api-management-features.md).

+The following v2 tier is in preview:

+* **Premium v2** - Premium v2 offers enterprise features including full virtual network isolation and scaling for high volume workloads.

+ > [!NOTE]

+ > The Premium v2 tier is currently in limited preview. To sign up, fill [this form](https://aka.ms/premiumv2).

+* **Faster deployment, configuration, and scaling** - Deploy a production-ready API Management instance in minutes. Quickly apply configurations such as certificate and hostname updates. Scale a Basic v2 or Standard v2 instance quickly to up to 10 units to meet the needs of your API management workloads. Scale a Premium v2 instance to up to 30 units.

+* **Simplified networking** - The Standard v2 and Premium v2 tiers provide [networking options](#networking-options) to isolate API Management's inbound and outbound traffic.

+* **More options for production workloads** - The v2 tiers are all supported with an SLA.

+The latest capabilities of the v2 tiers are supported in API Management API version **2024-05-01** or later.

+## Networking options

+* **Standard v2** and **Premium v2** support **virtual network integration** to allow your API Management instance to reach API backends that are isolated in a single connected virtual network. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet. The virtual network must be in the same region and subscription as the API Management instance. [Learn more](integrate-vnet-outbound.md).

+* **Premium v2** also supports simplified **virtual network injection** for complete isolation of inbound and outbound gateway traffic without requiring network security group rules, route tables, or service endpoints. The virtual network must be in the same region and subscription as the API Management instance. [Learn more](inject-vnet-v2.md).

+For a current list of regions where the v2 tiers are available, see [Availability of v2 tiers and workspace gateways](api-management-region-availability.md).

+### Classic feature availability

+* Direct Management API access

+* Capacity metric - *replaced by CPU Percentage of Gateway and Memory Percentage of Gateway metrics*

+* Built-in analytics - *replaced by Azure Monitor-based dashboard*

+* Upgrade to v2 tiers from classic tiers

+Deploy a v2 tier instance using the Azure portal or using tools such as the Azure REST API, Azure Resource Manager, Bicep template, or Terraform.

+A: They're not related. stv2 is a [compute platform](compute-infrastructure.md) version of the Developer, Basic, Standard, and Premium tier service instances. stv2 is a successor to the stv1 compute platform [that retired in 2024](./breaking-changes/stv1-platform-retirement-august-2024.md).

+### Q: Will I still be able to provision Developer, Basic, Standard, or Premium tier services?

+A: Yes, there are no changes to the classic Developer, Basic, Standard, or Premium tiers.

+### Q: What is the difference between virtual network integration in Standard v2 tier and virtual network injection in the Premium and Premium v2 tiers?

+A: A Standard v2 service instance can be integrated with a virtual network to provide secure access to the backends residing there. A Standard v2 service instance integrated with a virtual network has a public IP address for inbound access.

+The Premium tier and Premium v2 tier support full network isolation by deployment (injection) into a virtual network without exposing a public IP address. [Learn more about networking options in API Management](virtual-network-concepts.md).

+### Q: Can I deploy an instance of the Basic v2 or Standard v2 tier entirely in my virtual network?

+A: No, such a deployment is only supported in the Premium and Premium v2 tiers.

+By default your API Management instance is accessed from the internet at a public endpoint, and acts as a gateway to public backends. API Management provides several options to use an Azure virtual network to secure access to your API Management instance and to backend APIs. Available options depend on the [service tier](api-management-features.md) of your API Management instance. Choose networking capabilities to meet your organization's needs.

+|**[Virtual network injection (classic tiers) - external](#virtual-network-injection-classic-tiers)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to internet, peered virtual networks, ExpressRoute, and S2S VPN connections. | External access to private and on-premises backends |

+|**[Virtual network injection (classic tiers) - internal](#virtual-network-injection-classic-tiers)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to peered virtual networks, ExpressRoute, and S2S VPN connections. | Internal access to private and on-premises backends |

+|**[Virtual network injection (v2 tiers)](#virtual-network-injection-v2-tiers)** | Premium v2 | Gateway only | Inbound and outbound traffic can be allowed to a delegated subnet of a virtual network, peered virtual networks, ExpressRoute, and S2S VPN connections. | Internal access to private and on-premises backends |

+|**[Virtual network integration (v2 tiers)](#virtual-network-integration-v2-tiers)** | Standard v2, Premium v2 | Gateway only | Outbound request traffic can reach APIs hosted in a delegated subnet of a single connected virtual network. | External access to private and on-premises backends |

+|**[Inbound private endpoint](#inbound-private-endpoint)** | Developer, Basic, Standard, Premium | Gateway only (managed gateway supported, self-hosted gateway not supported) | Only inbound traffic can be allowed from internet, peered virtual networks, ExpressRoute, and S2S VPN connections. | Secure client connection to API Management gateway |

+## Virtual network injection (classic tiers)

+In the API Management classic Developer and Premium tiers, deploy ("inject") your API Management instance in a subnet in a non-internet-routable network to which you control access. In the virtual network, your API Management instance can securely access other networked Azure resources and also connect to on-premises networks using various VPN technologies.

+Using a virtual network, you can configure the developer portal, API gateway, and other API Management endpoints to be accessible either from the internet (external mode) or only within the virtual network (internal mode).

+* **External** - The API Management endpoints are accessible from the public internet via an external load balancer. The gateway can access resources within the virtual network.

+ :::image type="content" source="media/virtual-network-concepts/api-management-vnet-external.png" alt-text="Diagram showing a connection to external virtual network." :::

+* **Internal** - The API Management endpoints are accessible only from within the virtual network via an internal load balancer. The gateway can access resources within the virtual network.

+ :::image type="content" source="media/virtual-network-concepts/api-management-vnet-internal.png" alt-text="Diagram showing a connection to internal virtual network." lightbox="media/virtual-network-concepts/api-management-vnet-internal.png":::

+## Virtual network injection (v2 tiers)

+In the API Management Premium v2 tier, inject your instance into a delegated subnet of a virtual network to secure the gateway's inbound and outbound traffic. Currently, you can configure settings for virtual network injection at the time you create the instance.

+In this configuration:

+* The API Management gateway endpoint is accessible through the virtual network at a private IP address.

+* API Management can make outbound requests to API backends that are isolated in the network.

+This configuration is recommended for scenarios where you want to isolate both the API Management instance and the backend APIs. Virtual network injection in the Premium v2 tier automatically manages network connectivity to most service dependencies for Azure API Management.

+For more information, see [Inject a Premium v2 instance into a virtual network](inject-vnet-v2.md).

+## Virtual network integration (v2 tiers)

+The Standard v2 and Premium v2 tiers support outbound virtual network integration to allow your API Management instance to reach API backends that are isolated in a single connected virtual network. The API Management gateway, management plane, and developer portal remain publicly accessible from the internet.

+For more information, see [Integrate an Azure API Management instance with a private virtual network for outbound connections](integrate-vnet-outbound.md).

+## Related content

+Learn more about virtual network configuration with API Management:

+* [Inject a Premium v2 instance into a virtual network](inject-vnet-v2.md)

+* [Integrate an Azure API Management instance with a private virtual network for outbound connections](integrate-vnet-outbound.md)

+To learn more about Azure virtual networks, start with the information in the [Azure Virtual Network Overview](../virtual-network/virtual-networks-overview.md).

+description: Learn about requirements for network resources when you deploy (inject) your API Management Developer or Premium tier instance in an Azure virtual network.

+The following are virtual network resource requirements for injection of an API Management Developer or Premium instance into a virtual network. Some requirements differ depending on the version (`stv2` or `stv1`) of the [compute platform](compute-infrastructure.md) hosting your API Management instance.

+> [!NOTE]

+> To inject a Premium v2 instance in a virtual network, the requirements and configuration are different. [Learn more](inject-vnet-v2.md)

+For a current list of regions where workspace gateways are available, see [Availability of v2 tiers and workspace gateways](api-management-region-availability.md).

+Restore-AzDeletedWebApp -ResourceGroupName <original_rg> -Name <original_app> -DeletedId /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Web/locations/location/deletedSites/1234 -TargetAppServicePlanName <my_asp>

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myresourcegroup/providers/Microsoft.Web/sites/mywebapp/config/authsettings",

+ "ResourceId": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.WEB/SITES/MY-DEMO-APP",

+Visual Studio requires basic authentication to deploy to Azure App Service. The warning reminds you that the configuration on your app changed and you can no longer deploy to it. Either you disabled basic authentication on the app yourself, or your organization policy enforces that basic authentication is disabled for App Service apps.

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/asev3-cdns-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ase-cdns-managed-identity"

+ "keyVaultReferenceIdentity": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/asev3-cdns-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ase-cdns-managed-identity"

+ "keyVaultReferenceIdentity": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/asev3-migration/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ase-managed-identity"

+ "keyVaultReferenceIdentity": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/asev3-migration/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ase-managed-identity"

+ "keyVaultReferenceIdentity": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/asev3-migration/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ase-managed-identity"

+ "keyVaultReferenceIdentity": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/asev3-migration/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ase-managed-identity"

+The App Service diagnostics homepage provides many tools to diagnose app problems. For more information, see [Diagnostic tools](#diagnostic-tools) in this article.

+1. Copy these output values for later. You can also find them in the portal, in the management pages of the respective resources.

+1. In the Cloud Shell, run the following command to add to the web app the user-assigned managed identity that `azd provision` created. Use the value of `<managed-identity-resource-id>` (a very long string) in the `azd provision` output.

+1. Go back to the resource group overview page, then select the Application Insights resource that `azd up` created. You should now see some data in the default charts.

+ Zone redundancy is available only where Azure availability zones are available. In other regions, all other features are supported. For more information, see [Azure regions with availability zone support](../reliability/availability-zones-region-support.md).

+See [Azure regions with availability zone support](../reliability/availability-zones-region-support.md) for the Azure regions that have availability zones.

+- Learn more about [regions that support availability zones](../reliability/availability-zones-region-support.md).

+You must have a disaster recovery strategy to handle a region-wide service outage or zone-wide failure to help reduce the impact and effects arising from unpredictable events on your business and customers. You're responsible to set up disaster recovery of Automation accounts, and its dependent resources such as Modules, Connections, Credentials, Certificates, Variables and Schedules. An important aspect of a disaster recovery plan is preparing to fail over to the replica of the Automation account created in advance in the secondary region, if the Automation account in the primary region becomes unavailable. Ensure that your disaster recovery strategy considers your Automation account and the dependent resources.

+- If you're using [ARM templates](../azure-resource-manager/management/overview.md) to define and deploy Automation runbooks, you can use these templates to deploy the same runbooks in any other Azure region where you create the replica Automation account. In case of a region-wide outage or zone-wide failure in the primary region, you can execute the runbooks replicated in the secondary region to continue business as usual. This ensures that the secondary region steps up to continue the work if the primary region has a disruption or failure.

+If the Hybrid Runbook worker is deployed in the primary region, and there's a compute failure in that region, the machine won't be available for executing Automation jobs. You must provision a new virtual machine in an alternate region and register it as Hybrid Runbook Worker in Automation account in the secondary region.

+You can use these scripts for migration of Automation account assets from the account in primary region to the account in the secondary region. These scripts are used to migrate only Runbooks, Modules, Connections, Credentials, Certificates and Variables. The execution of these scripts doesn't affect the Automation account and its assets present in the primary region.

+ 1. Ensure that the Automation account in the secondary region is created and available so that assets from primary region can be migrated to it. It's preferred if the destination automation account is one without any custom resources as it prevents potential resource clash due to same name and loss of data.

+ 1. Ensure that the system assigned managed identities of the primary Automation account have contributor access to the subscription it belongs to.

+- The script migrates only Custom PowerShell modules. Default modules and Python packages wouldn't be migrated to replica Automation account.

+- The script doesn't migrate **Schedules** and **Managed identities** present in Automation account in primary region. These would have to be created manually in replica Automation account.

+- Jobs data and activity logs wouldn't be migrated to the replica account.

+- Learn more about [regions that support availability zones](../reliability/availability-zones-region-support.md).

+1. Under **Operations**, select **Change tracking**.

+

+ :::image type="content" source="media/manage-change-tracking-monitoring-agent/configure-file-settings.png" alt-text="Screenshot of selecting the change tracking to configure file settings." lightbox="media/manage-change-tracking-monitoring-agent/configure-file-settings.png":::

+ Title: Export settings from App Configuration with Azure Pipelines

+description: Learn how to use Azure Pipelines to export key-values from an App Configuration Store

+# Export settings from App Configuration with Azure Pipelines

+The Azure App Configuration Export task exports key-values from your App Configuration store and sets them as Azure pipeline variables, which subsequent tasks can consume. This task complements the Azure App Configuration Import task that imports key-values from a configuration file into your App Configuration store. For more information, see [Import settings to App Configuration with Azure Pipelines](azure-pipeline-import-task.md).

+## Prerequisites

+- Azure subscription - [create one for free](https://azure.microsoft.com/free/)

+- App Configuration store - [create one for free](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store)

+- Azure DevOps project - [create one for free](https://go.microsoft.com/fwlink/?LinkId=2014881)

+- [Azure Pipelines agent version 2.144.0](https://github.com/microsoft/azure-pipelines-agent/releases/tag/v2.144.0) or later and [Node version 16](https://nodejs.org/en/blog/release/v16.16.0/) or later for running the task on self-hosted agents.

+## Create a service connection

+## Add role assignment

+Assign the proper App Configuration role assignments to the credentials being used within the task so that the task can access the App Configuration store.

+1. Go to your target App Configuration store.

+1. In the left menu, select **Access control (IAM)**.

+1. In the right pane, select **Add role assignments**.

+ :::image type="content" border="true" source="./media/azure-app-configuration-role-assignment/add-role-assignment-button.png" alt-text="Screenshot shows the Add role assignments button.":::

+1. For **Role**, select **App Configuration Data Reader**. This role allows the task to read from the App Configuration store.

+1. Select the service principal associated with the service connection that you created in the previous section.

+ :::image type="content" border="true" source="./media/azure-app-configuration-role-assignment/add-role-assignment-data-reader.png" alt-text="Screenshot shows the Add role assignment dialog.":::

+1. Select **Review + assign**.

+1. If the store contains Key Vault references, go to relevant Key Vault and assign **Key Vault Secret User** role to the service principal created in the previous step. From the Key Vault menu, select **Access policies** and ensure [Azure role-based access control](/azure/key-vault/general/rbac-guide) is selected as the permission model.

+## Use in builds

+This section covers how to use the Azure App Configuration Export task in an Azure DevOps build pipeline.

+1. Navigate to the build pipeline page by clicking **Pipelines** > **Pipelines**. For build pipeline documentation, see [Create your first pipeline](/azure/devops/pipelines/create-first-pipeline?tabs=net%2Ctfs-2018-2%2Cbrowser).

+ - If you're creating a new build pipeline, on the last step of the process, on the **Review** tab, select **Show assistant** on the right side of the pipeline.

+ > [!div class="mx-imgBorder"]

+ > 

+ - If you're using an existing build pipeline, click the **Edit** button at the top-right.

+ > [!div class="mx-imgBorder"]

+ > 

+1. Search for the **Azure App Configuration Export** Task.

+ > [!div class="mx-imgBorder"]

+ > 

+1. To export the key-values from the App Configuration store, configure the necessary parameters for the task. Descriptions of the parameters are available in the **Parameters** section and in tooltips next to each parameter.

+ - Set the **Azure subscription** parameter to the name of the service connection you created in a previous step.

+ - Set the **App Configuration Endpoint** to the endpoint of your App Configuration store.

+ - Leave the default values for the remaining parameters.

+ > [!div class="mx-imgBorder"]

+ > 

+1. Save and queue a build. The build log displays any failures that occurred during the execution of the task.

+## Use in releases

+This section covers how to use the Azure App Configuration Export task in an Azure DevOps release pipeline.

+1. Navigate to release pipeline page by selecting **Pipelines** > **Releases**. For release pipeline documentation, see [Release pipelines](/azure/devops/pipelines/release).

+1. Choose an existing release pipeline. If you donΓÇÖt have one, click **New pipeline** to create a new one.

+1. Select the **Edit** button in the top-right corner to edit the release pipeline.

+1. From the **Tasks** dropdown, choose the **Stage** to which you want to add the task. More information about stages can be found in [Add stages, dependencies, & conditions](/azure/devops/pipelines/release/environments).

+ > [!div class="mx-imgBorder"]

+ > 

+1. Click **+** next to the Job to which you want to add a new task.

+ > [!div class="mx-imgBorder"]

+ > 

+1. Search for the **Azure App Configuration Export** Task.

+ > [!div class="mx-imgBorder"]

+ > 

+1. To export your key-values from your App Configuration store, configure the necessary parameters within the task. Descriptions of the parameters are available in the **Parameters** section and in tooltips next to each parameter.

+ - Set the **Azure subscription** parameter to the name of the service connection you created in a previous step.

+ - Set the **App Configuration Endpoint** to the endpoint of your App Configuration store.

+ - Leave the default values for the remaining parameters.

+1. Save and queue a release. The release log displays any failures encountered during the execution of the task.

+## Parameters

+The following parameters are used by the Azure App Configuration Export task:

+- **Azure subscription**: A drop-down containing your available Azure service connections. To update and refresh your list of available Azure service connections, press the **Refresh Azure subscription** button to the right of the textbox.

+- **App Configuration Endpoint**: A drop-down that loads your available configuration stores endpoints under the selected subscription. To update and refresh your list of available configuration stores endpoints, press the **Refresh App Configuration Endpoint** button to the right of the textbox.

+- **Selection Mode**: Specifies how the key-values read from a configuration store are selected. The 'Default' selection mode allows the use of key and label filters. The 'Snapshot' selection mode allows key-values to be selected from a snapshot. Default value is **Default**.

+- **Key Filter**: The filter can be used to select what key-values are requested from Azure App Configuration. A value of * selects all key-values. For more information on, see [Query key-values](concept-key-value.md#query-key-values).

+- **Label**: Specifies which label should be used when selecting key-values from the App Configuration store. If no label is provided, then key-values with the no label are retrieved. The following characters aren't allowed: , *.

+- **Snapshot Name**: Specifies snapshot from which key-values should be retrieved in Azure App Configuration.

+- **Trim Key Prefix**: Specifies one or more prefixes that should be trimmed from App Configuration keys before setting them as variables. A new-line character can be used to separate multiple prefixes.

+- **Suppress Warning For Overridden Keys**: Default value is unchecked. Specifies whether to show warnings when existing keys are overridden. Enable this option when it's expected that the key-values downloaded from App Configuration have overlapping keys with what exists in pipeline variables.

+## Use key-values in subsequent tasks

+The key-values that are fetched from App Configuration are set as pipeline variables, which are accessible as environment variables. The key of the environment variable is the key of the key-value that is retrieved from App Configuration after trimming the prefix, if specified.

+For example, if a subsequent task runs a PowerShell script, it could consume a key-value with the key 'myBuildSetting' like this:

+```powershell

+echo "$env:myBuildSetting"

+```

+And the value is printed to the console.

+> [!NOTE]

+> Azure Key Vault references within App Configuration will be resolved and set as [secret variables](/azure/devops/pipelines/process/variables#secret-variables). In Azure pipelines, secret variables are masked out from log. They aren't passed into tasks as environment variables and must instead be passed as inputs.

+## Troubleshooting

+If an unexpected error occurs, debug logs can be enabled by setting the pipeline variable `system.debug` to `true`.

+## FAQ

+**How do I compose my configuration from multiple keys and labels?**

+There are times when configuration may need to be composed from multiple labels, for example, default and dev. Multiple App Configuration tasks may be used in one pipeline to implement this scenario. The key-values fetched by a task in a later step supersedes any values from previous steps. In the aforementioned example, a task can be used to select key-values with the default label while a second task can select key-values with the dev label. The keys with the dev label override the same keys with the default label.

+## Next step

+For a complete reference of the parameters or to use this pipeline task in YAML pipelines, refer to the following document.

+> [!div class="nextstepaction"]

+> [Azure App Configuration Export Task reference](/azure/devops/pipelines/tasks/reference/azure-app-configuration-export-v10)

+To learn how to import key-values from a configuration file into your App Configuration store, continue to the following document.

+> [!div class="nextstepaction"]

+> [Import settings to App Configuration with Azure pipelines](./azure-pipeline-import-task.md)

+To learn how to create snapshot in an App Configuration store, continue to the following document.

+> [!div class="nextstepaction"]

+> [Create snapshots in App Configuration with Azure Pipelines](./azure-pipeline-snapshot-task.md)

+ Title: Import settings to App Configuration with Azure Pipelines

+description: Learn to use Azure Pipelines to import key-values to an App Configuration Store

+# Import settings to App Configuration with Azure Pipelines

+The Azure App Configuration Import task imports key-values from a configuration file into your App Configuration store. This task enables full circle functionality within the pipeline as you're now able to export settings from the App Configuration store and import settings to the App Configuration store.

+## Prerequisites

+- Azure subscription - [create one for free](https://azure.microsoft.com/free/)

+- App Configuration store - [create one for free](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store)

+- Azure DevOps project - [create one for free](https://go.microsoft.com/fwlink/?LinkId=2014881)

+- [Azure Pipelines agent version 2.144.0](https://github.com/microsoft/azure-pipelines-agent/releases/tag/v2.144.0) or later and [Node version 16](https://nodejs.org/en/blog/release/v16.16.0/) or later for running the task on self-hosted agents.

+## Create a service connection

+## Add role assignment

+Assign the proper App Configuration role assignments to the credentials being used within the task so that the task can access the App Configuration store.

+1. Go to your target App Configuration store.

+1. In the left menu, select **Access control (IAM)**.

+1. In the right pane, select **Add role assignments**.

+ :::image type="content" border="true" source="./media/azure-app-configuration-role-assignment/add-role-assignment-button.png" alt-text="Screenshot shows the Add role assignments button.":::

+1. For **Role**, select **App Configuration Data Owner**. This role allows the task to read from and write to the App Configuration store.

+1. Select the service principal associated with the service connection that you created in the previous section.

+ :::image type="content" border="true" source="./media/azure-app-configuration-role-assignment/add-role-assignment-data-owner.png" alt-text="Screenshot shows the Add role assignment dialog.":::

+1. Select **Review + assign**.

+## Use in builds

+This section covers how to use the Azure App Configuration Import task in an Azure DevOps build pipeline.

+1. Navigate to the build pipeline page by clicking **Pipelines** > **Pipelines**. For more information about build pipelines go to [Create your first pipeline](/azure/devops/pipelines/create-first-pipeline?tabs=tfs-2018-2).

+ - If you're creating a new build pipeline, on the last step of the process, on the **Review** tab, select **Show assistant** on the right side of the pipeline.

+ > [!div class="mx-imgBorder"]

+ > 

+ - If you're using an existing build pipeline, click the **Edit** button at the top-right.

+ > [!div class="mx-imgBorder"]

+ > 

+1. Search for the **Azure App Configuration Import** Task.

+ > [!div class="mx-imgBorder"]

+ > 

+1. Configure the necessary parameters for the task to import key-values from the configuration file to the App Configuration store. Explanations of the parameters are available in the **Parameters** section, and in tooltips next to each parameter.

+ > [!div class="mx-imgBorder"]

+ > 

+1. Save and queue a build. The build log displays any failures that occurred during the execution of the task.

+## Use in releases

+This section covers how to use the Azure App Configuration Import task in an Azure DevOps release pipeline.

+1. Navigate to release pipeline page by selecting **Pipelines** > **Releases**. For more information about release pipelines, go to [Create your first release pipeline](/azure/devops/pipelines/release).

+1. Choose an existing release pipeline. If you donΓÇÖt have one, select **+ New** to create a new one.

+1. Select the **Edit** button in the top-right corner to edit the release pipeline.

+1. From the **Tasks** dropdown, choose the **Stage** to which you want to add the task. More information about stages can be found in [Add stages, dependencies, & conditions](/azure/devops/pipelines/release/environments).

+ > [!div class="mx-imgBorder"]

+ > 

+1. Click **+** next to the Job to which you want to add a new task.

+ > [!div class="mx-imgBorder"]

+ > 

+1. In the **Add tasks** dialog, type **Azure App Configuration Import** into the search box and select it.

+1. Configure the necessary parameters within the task to import your key-values from your configuration file to your App Configuration store. Explanations of the parameters are available in the **Parameters** section, and in tooltips next to each parameter.

+1. Save and queue a release. The release log displays any failures encountered during the execution of the task.

+## Parameters

+The following parameters are used by the App Configuration Import task:

+- **Azure subscription**: A drop-down containing your available Azure service connections. To update and refresh your list of available Azure service connections, press the **Refresh Azure subscription** button to the right of the textbox.

+- **App Configuration Endpoint**: A drop-down that loads your available configuration stores endpoint under the selected subscription. To update and refresh your list of available configuration stores endpoint, press the **Refresh App Configuration Endpoint** button to the right of the textbox.

+- **Configuration File Path**: The path to your configuration file. The **Configuration File Path** parameter begins at the root of the file repository. You can browse through your build artifact to select a configuration file. (`...` button to the right of the textbox). The supported file formats depend on the file content profile. For the default profile the supported file formats are yaml, json and properties. For KvSet profile the supported file format is json.

+- **File Content Profile**: The Configuration File's [content profile](./concept-config-file.md). Default value is **Default**.

+ - **Default**: Refers to the conventional configuration file formats that are directly consumable by applications.

+ - **Kvset**: Refers to a [file schema](https://aka.ms/latest-kvset-schema) that contains all properties of an App Configuration key-value, including key, value, label, content type, and tags. The task parameters 'Separator', 'Label', 'Content type', 'Prefix', 'Tags', and 'Depth' aren't applicable when using the Kvset profile.

+- **Import Mode**: The default value is **All**. Determines the behavior when importing key-values.

+ - **All**: Imports all key-values in the configuration file to App Configuration.

+ - **Ignore-Match**: Imports only settings that have no matching key-value in App Configuration. Matching key-values are considered to be key-values with the same key, label, value, content type, and tags.

+- **Dry Run**: Default value is **Unchecked**.

+ - **Checked**: No updates are performed to App Configuration. Instead any updates that would have been performed in a normal run are printed to the console for review.

+ - **Unchecked**: Performs any updates to App Configuration and doesn't print to the console.

+- **Separator**: The separator that's used to flatten .json and .yml files.

+- **Depth**: The depth that the .json and .yml files are flattened to.

+- **Prefix**: A string appended to the beginning of each key imported to the App Configuration store.

+- **Label**: A string added to each key-value as the label within the App Configuration store.

+- **Content Type**: A string added to each key-value as the content type within the App Configuration store.

+- **Tags**: A JSON object in the format of `{"tag1":"val1", "tag2":"val2"}`, which defines tags that are added to each key-value imported to your App Configuration store.

+- **Delete key-values that are not included in the configuration file**: Default value is **Unchecked**. The behavior of this option depends on the configuration file content profile.

+ - **Checked**:

+ - **Default content profile**: Removes all key-values in the App Configuration store that match both the specified prefix and label before importing new key-values from the configuration file.

+ - **Kvset content profile**: Removes all key-values in the App Configuration store that aren't included in the configuration file before importing new key-values from the configuration file.

+ - **Unchecked**: Imports all key-values from the configuration file into the App Configuration store and leaves everything else in the App Configuration store intact.

+## Troubleshooting

+If an unexpected error occurs, debug logs can be enabled by setting the pipeline variable `system.debug` to `true`.

+## FAQ

+**How can I upload multiple configuration files?**

+To import multiple configuration files to the App Configuration store, create multiple instances of the Azure App Configuration Import task within the same pipeline.

+**How can I create Key Vault references or feature flags using this task?**

+Depending on the file content profile you selected, refer to examples in the [Azure App Configuration support for configuration file](./concept-config-file.md).

+**Why am I receiving a 409 error when attempting to import key-values to my configuration store?**

+A 409 Conflict error message occurs if the task tries to remove or overwrite a key-value that is locked in the App Configuration store.

+## Next step

+For a complete reference of the parameters or to use this pipeline task in YAML pipelines, refer to the following document.

+> [!div class="nextstepaction"]

+> [Azure App Configuration Import Task reference](/azure/devops/pipelines/tasks/reference/azure-app-configuration-import-v10)

+To learn how to export key-values from your App Configuration store and set them as Azure pipeline variables, continue to the following document.

+> [!div class="nextstepaction"]

+> [Export settings from App Configuration with Azure pipelines](./azure-pipeline-export-task.md)

+To learn how to create snapshot in an App Configuration store, continue to the following document.

+> [!div class="nextstepaction"]

+> [Create snapshots in App Configuration with Azure Pipelines](./azure-pipeline-snapshot-task.md)

+ Title: Create snapshots in App Configuration with Azure Pipelines

+description: Learn to use Azure Pipelines to create a snapshot in an App Configuration Store

+# Create snapshots in App Configuration with Azure Pipelines

+The Azure App Configuration snapshot task is designed to create snapshots in Azure App Configuration.

+## Prerequisites

+- Azure subscription - [create one for free](https://azure.microsoft.com/free/)

+- App Configuration store - [create one for free](./quickstart-azure-app-configuration-create.md#create-an-app-configuration-store)

+- Azure DevOps project - [create one for free](https://go.microsoft.com/fwlink/?LinkId=2014881)

+- [Azure Pipelines agent version 2.144.0](https://github.com/microsoft/azure-pipelines-agent/releases/tag/v2.144.0) or later and [Node version 16](https://nodejs.org/en/blog/release/v16.16.0/) or later for running the task on self-hosted agents.

+## Create a service connection

+## Add role assignment

+Assign the proper App Configuration role assignment to the credentials being used within the task so that the task can access the App Configuration store.

+1. Go to your target App Configuration store.

+1. In the left menu, select **Access control (IAM)**.

+1. In the right pane, select **Add role assignment**.

+ :::image type="content" border="true" source="./media/azure-app-configuration-role-assignment/add-role-assignment-button.png" alt-text="Screenshot shows the Add role assignments button.":::

+1. For the **Role**, select **App Configuration Data Owner**. This role allows the task to read from and write to the App Configuration store.

+1. Select the service principal associated with the service connection that you created in the previous section.

+ :::image type="content" border="true" source="./media/azure-app-configuration-role-assignment/add-role-assignment-data-owner.png" alt-text="Screenshot shows the Add role assignment dialog.":::

+1. Select **Review + assign**.

+## Use in builds

+In this section, learn how to use the Azure App Configuration snapshot task in an Azure DevOps build pipeline.

+1. Navigate to the build pipeline page by clicking **Pipelines** > **Pipelines**. For more information about build pipelines got to [Create your first pipeline](/azure/devops/pipelines/create-first-pipeline?tabs=tfs-2018-2).

+ - If you're creating a new build pipeline, on the last step of the process, on the **Review** tab, select **Show assistant** on the right side of the pipeline.

+ > [!div class="mx-imgBorder"]

+ > 

+ - If you're using an existing build pipeline, click the **Edit** button at the top-right.

+ > [!div class="mx-imgBorder"]

+ > 

+1. Search for the **Azure App Configuration snapshot** Task.

+ > [!div class="mx-imgBorder"]

+ > 

+1. Configure the necessary parameters for the task to create a snapshot in an App Configuration store. Explanations of the parameters are available in the **Parameters** section below and in tooltips next to each parameter.

+ > [!div class="mx-imgBorder"]

+ > 

+1. Save and queue a build. The build log displays any failures that occurred during the execution of the task.

+## Use in releases

+In this section, learn how to use the Azure App Configuration snapshot task in an Azure DevOps release pipeline.

+1. Navigate to the release pipeline page by selecting, **Pipelines** > **Releases**. For more information about release pipelines, go to [Create your first pipeline](/azure/devops/pipelines/release).

+1. Choose an existing release pipeline. If you donΓÇÖt have one, select **+ New** to create a new one.

+1. Select the **Edit** button in the top-right corner to edit the release pipeline.

+1. From the **Tasks** dropdown, choose the **Stage** to which you want to add the task. More information about stages can be found in [Add stages, dependencies, & conditions](/azure/devops/pipelines/release/environments).

+ > [!div class="mx-imgBorder"]

+ > 

+1. Click **+** next to the job to which you want to add a new task.

+ > [!div class="mx-imgBorder"]

+ > 

+1. In the **Add tasks** dialog, type **Azure App Configuration snapshot** into the search box and select it.

+1. Configure the necessary parameters within the task to create a snapshot within your App Configuration store. Explanations of the parameters are available in the **Parameters** section below, and in tooltips next to each parameter.

+1. Save and queue a release. The release log displays any failures encountered during the execution of the task.

+## Parameters

+The following parameters are used by the App Configuration snapshot task:

+- **Azure subscription**: A drop-down containing your available Azure service connections. To update and refresh your list of available Azure service connections, press the **Refresh Azure subscription** button to the right of the textbox.

+- **App Configuration Endpoint**: A drop-down that loads your available configuration store endpoints under the selected subscription. To update and refresh your list of available configuration store endpoints, press the **Refresh App Configuration Endpoint** button to the right of the textbox.

+- **Snapshot Name**: Specify the name for the snapshot.

+- **Composition Type**: The default value is **Key**.

+ - **Key**: The filters are applied in order for this composition type. Each key-value in the snapshot is uniquely identified by the key only. If there are multiple key-values with the same key and multiple labels, only one key-value will be retained based on the last applicable filter.

+ - **Key-Label**: Filters will be applied and every key-value in the resulting snapshot will be uniquely identified by the key and label together.

+- **Filters**: Represents key and label filter used to build an App Configuration snapshot. Filters should be of a valid JSON format. Example `[{"key":"abc*", "label":"1.0.0"}]`. At least one filter should be specified and a max of three filters can be specified.

+- **Retention period**: The default value is 30 days. Refers to the number of days the snapshot will be retained after it's archived. Archived snapshots can be recovered during the retention period.

+- **Tags**: A JSON object in the format of `{"tag1":"val1", "tag2":"val2"}`, which defines tags that are added to each snapshot created in your App Configuration store.

+## Troubleshooting

+If an unexpected error occurs, debug logs can be enabled by setting the pipeline variable `system.debug` to `true`.

+## Next step

+For a complete reference of the parameters or to use this pipeline task in YAML pipelines, please refer to the following document.

+> [!div class="nextstepaction"]

+> [Azure App Configuration Snapshot Task reference](/azure/devops/pipelines/tasks/reference/azure-app-configuration-snapshot-v1)

+To learn how to export key-values from your App Configuration store and set them as Azure pipeline variables, continue to the following document.

+> [!div class="nextstepaction"]

+> [Export settings from App Configuration with Azure pipelines](./azure-pipeline-export-task.md)

+To learn how to import key-values from a configuration file into your App Configuration store, continue to the following document.

+> [!div class="nextstepaction"]

+> [Import settings to App Configuration with Azure pipelines](./azure-pipeline-import-task.md)

+- You keep the configuration file in the format you had before. This format is helpful if you want to use the file as the fallback configuration for your application or the local configuration during development. When you import the configuration file, specify how you want the data transformed to App Configuration key-values and feature flags. This option is the [**default file content profile**](#file-content-profile-default) in App Configuration importing tools such as portal, Azure CLI, Azure Pipeline Import task, GitHub Actions, etc.

+- You keep the configuration file in the format that contains all App Configuration key-value properties. When you import the file, you don't need to specify any transformation rules because all properties of a key-value are already in the file. This option is called [**KVSet file content profile**](#file-content-profile-kvset) in App Configuration importing tools. It's helpful if you want to manage all your App Configuration data, including regular key-values, Key Vault references, and feature flags, in one file and import them in one shot.

+The rest of this document discusses both file content profiles in detail and use Azure CLI as an example. The same concept applies to other App Configuration importing tools too.

+| .appconfig.featureflag/Beta | {"id":"Beta","description":"","enabled": false,"conditions":{"client_filters":[]}} | dev | application/vnd.microsoft.appconfig.ff+json;charset=utf-8 |

+> - [Azure App Configuration Import Task](./azure-pipeline-import-task.md) version 10.0.0 or later

+> - Azure portal

+App Configuration offers the option to bulk [import](./howto-import-export-data.md) your configuration settings from your current configuration files using either the Azure portal or CLI. You can also use the same options to export key-values from App Configuration, for example between related stores. If you have adopted Configuration as Code and manage your configurations in GitHub or Azure DevOps, you can set up ongoing configuration file import using [GitHub Actions](./push-kv-github-action.md) or [Azure Pipeline Import Task](./azure-pipeline-import-task.md).

+- For Azure DevOps, you can include the [Azure App Configuration Import](azure-pipeline-import-task.md

+), an Azure pipeline task, in your build or release pipelines for data synchronization.

+This article provides a guide for importing and exporting data using either the [Azure portal](https://portal.azure.com) or the [Azure CLI](./scripts/cli-import.md). If you have adopted [Configuration as Code](./howto-best-practices.md#configuration-as-code) and manage your configurations in GitHub or Azure DevOps, you can set up ongoing configuration file import using [GitHub Actions](./push-kv-github-action.md) or use the [Azure Pipeline Import Task](./azure-pipeline-import-task.md).

+If you have an Azure DevOps Pipeline, you can fetch key-values from App Configuration and set them as task variables. The Azure App Configuration DevOps extension is an add-on module that provides this functionality. [Get this module](https://go.microsoft.com/fwlink/?linkid=2091063) and refer to [Export settings from App Configuration with Azure Pipelines](./azure-pipeline-export-task.md) for instructions to use it in your Azure Pipelines.

+Zone redundancy is available only in Azure regions that have Availability Zones. See [Azure regions with Availability Zones](../reliability/availability-zones-region-support.md) for the latest list.

+If you're using `RedisSessionStateProvider`, ensure you set the retry timeout correctly. The `retryTimeoutInMilliseconds` value should be higher than the `operationTimeoutInMilliseconds` value. Otherwise, no retries occur. In the following example, `retryTimeoutInMilliseconds` is set to 3000. For more information, see [ASP.NET Session State Provider for Azure Cache for Redis](cache-aspnet-session-state-provider.md) and [ASP.NET Output Cache Provider for Azure Cache for Redis](cache-aspnet-output-cache-provider.md).

+| [PowerBI/Analytics Acceleration](https://techcommunity.microsoft.com/blog/analyticsonazure/how-to-use-redis-as-a-data-source-for-power-bi-with-redis-sql-odbc/3799471) | You can use the Redis ODBC driver to utilize Redis for BI, reporting, and analytics use-cases. Because Redis is typically much faster than relational databases, using Redis in this way can dramatically increase query responsiveness. |

+ In the [Java functions runtime library](/java/api/overview/azure/functions/runtime), use the `@QueueOutput` annotation on function parameters whose value would be written to a Service Bus queue. The parameter type should be `OutputBinding<T>`, where `T` is any native Java type of a plan old Java object (POJO).

+TypeScript samples aren't documented for model v3.

+|**QueueName**|Name of the queue. Set only if sending queue messages, not for a topic. |

+|**Access**|Access rights for the connection string. Available values are `manage` and `listen`. The default is `manage`, which indicates that the `connection` has the **Manage** permission. If you use a connection string that doesn't have the **Manage** permission, set `accessRights` to "listen". Otherwise, the Functions runtime might fail trying to do operations that require manage rights. In Azure Functions version 2.x and higher, this property isn't available because the latest version of the Service Bus SDK doesn't support manage operations.|

+You can use the `ServiceBusAccount` attribute to specify the Service Bus account to use at class, method, or parameter level. For more information, see [Attributes](functions-bindings-service-bus-trigger.md#attributes) in the trigger reference.

+| `queue_name` | Name of the queue. Set only if sending queue messages, not for a topic. |

+|**type** |Must be set to `serviceBus`. This property is set automatically when you create the trigger in the Azure portal.|

+|**direction** | Must be set to `out`. This property is set automatically when you create the trigger in the Azure portal. |

+|**queueName**|Name of the queue. Set only if sending queue messages, not for a topic.|

+|**type** |Must be set to `serviceBus`. This property is set automatically when you create the trigger in the Azure portal.|

+|**direction** | Must be set to `out`. This property is set automatically when you create the trigger in the Azure portal. |

+|**queueName**|Name of the queue. Set only if sending queue messages, not for a topic.|

+|**accessRights** (v1 only)|Access rights for the connection string. Available values are `manage` and `listen`. The default is `manage`, which indicates that the `connection` has the **Manage** permission. If you use a connection string that doesn't have the **Manage** permission, set `accessRights` to "listen". Otherwise, the Functions runtime might fail trying to do operations that require manage rights. In Azure Functions version 2.x and higher, this property isn't available because the latest version of the Service Bus SDK doesn't support manage operations.|

+All C# modalities and extension versions support the following output parameter types:

+Messaging-specific parameter types contain extra message metadata and aren't compatible with JSON serialization. As a result, it isn't possible to use `ServiceBusMesage` with the output binding in the isolated model. The specific types supported by the output binding depend on the Functions runtime version, the extension package version, and the C# modality used.

+Earlier versions of this extension in the isolated worker process only support binding to messaging-specific types. More options are available to **Extension 5.x and higher**

+| [**Container Apps**](functions-container-apps-hosting.md) | Create and deploy containerized function apps in a fully managed environment hosted by Azure Container Apps, which lets you run your functions alongside other microservices, APIs, websites, and workflows as container-hosted programs. |

+| [az cosmosdb keys list](/cli/azure/cosmosdb/keys#az-cosmosdb-keys-list)| Gets the keys for the database. |

+| Datapoint | Country/region | City | Office name |

+For a list of regions that currently support availability zones, see [Azure regions with availability zone support](../reliability/availability-zones-region-support.md).

+ The cool access feature provides the ability to configure a capacity pool with cool access, which moves cold (infrequently accessed) data transparently to Azure storage account to help you reduce the total cost of storage. There's a difference in data access latency as data blocks might be tiered to Azure storage account. The cool access feature provides options for the "coolness period" to optimize the days in which infrequently accessed data moves to cool tier and network transfer cost, based on your workload and read/write patterns. The "coolness period" feature is provided at the volume level.

+ Cross-zone replication is available in all [regions with availability zones](../reliability/availability-zones-region-support.md) and with [Azure NetApp Files presence](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=netapp&regions=all&rar=true).

+Determines whether a resource type supports zones for a region. This function **only supports zonal resources**. Zone redundant services return an empty array. For more information, see [Azure services that support availability zones](../../reliability/availability-zones-service-support.md).

+There are different categories for Azure Availability Zones - zonal and zone-redundant. The `pickZones` function can be used to return an availability zone for a zonal resource. For zone redundant services (ZRS), the function returns an empty array. Zonal resources typically have a `zones` property at the top level of the resource definition. To determine the category of support for availability zones, see [Azure services that support availability zones](../../reliability/availability-zones-service-support.md).

+output outString string = first(skip(split(inputString, '/'), 1))

+output outString string = first(skip(split(inputString, '/'), 1))!

+Determines whether a resource type supports zones for the specified location or region. This function **only supports zonal resources**. Zone redundant services return an empty array. For more information, see [Azure services that support availability zones](../../reliability/availability-zones-service-support.md).

+There are different categories for Azure Availability Zones - zonal and zone-redundant. The `pickZones` function can be used to return an availability zone for a zonal resource. For zone redundant services (ZRS), the function returns an empty array. Zonal resources typically have a `zones` property at the top level of the resource definition. To determine the category of support for availability zones, see [Azure services that support availability zones](../../reliability/availability-zones-service-support.md).

+Bicep provides the reference function, but in most cases, the reference function isn't required. It's recommended to use the symbolic name for the resource instead. See [reference](../bicep/bicep-functions-resource.md#reference).

+Zone-enabled Azure regions (not all [regions support availability zones](../reliability/availability-zones-region-support.md)) have a minimum of three availability zones. A zone is one or more datacenters, each with its own independent power and network connections. All the zones in a region are connected by a dedicated low-latency regional network. If a zone fails, Azure SignalR Service traffic running on the affected zone is routed to other zones in the region.

+* Learn more about [regions that support availability zones](../reliability/availability-zones-region-support.md).

+| vCenter Server vpxd crashes when using special characters in network names with VMware HCX. For more information, see [vpxd crashes with duplicate key value in "vpx_nw_assignment" when using HCX-IX for migrations (323283)](https://knowledge.broadcom.com/external/article?articleNumber=323283). | November 2024 | Avoid using special characters in your Azure VMware Solution network names. | November 2024 |

+- [Planning Highly Available, Mission Critical SQL Server Deployments with VMware vSphere](https://www.vmware.com/docs/architecting-mssql-server-for-ha-on-vmware-vsphere-platform-final-0)

+- [Planning Highly Available, Mission Critical SQL Server Deployments with VMware vSphere](https://www.vmware.com/docs/architecting-mssql-server-for-ha-on-vmware-vsphere-platform-final-0)

+- [Planning Highly Available, Mission Critical SQL Server Deployments with VMware vSphere](https://www.vmware.com/docs/architecting-mssql-server-for-ha-on-vmware-vsphere-platform-final-0)

+Zone-enabled Azure regions (not all [regions support availability zones](../reliability/availability-zones-region-support.md)) have a minimum of three availability zones. A zone is one or more datacenters, each with its own independent power and network connections. All the zones in a region are connected by a dedicated low-latency regional network. If a zone fails, Azure Web PubSub Service traffic running on the affected zone is routed to other zones in the region.

+* Learn more about [regions that support availability zones](../reliability/availability-zones-region-support.md).

+1. Open this [Event Hubs Consumer Client](https://awpseventlistenerdemo.z13.web.core.windows.net/eventhub-consumer/https://docsupdatetracker.net/index.html) web app, input the Event Hubs connection string to connect to an event hub as a consumer. If you get the Event Hubs connection string from an Event Hubs namespace resource instead of an event hub instance, then you need to specify the event hub name. This event hub consumer client is connected with the mode that only reads new events; the events published before aren't seen here. You can change the consumer client connection mode to read all the available events in the production environment.

+1. Use this [WebSocket Client](https://awpseventlistenerdemo.z13.web.core.windows.net/webpubsub-client/websocket-client.html) web app to generate client events. If you've configured to send system event `connected` to that event hub, you should be able to see a printed `connected` event in the Event Hubs consumer client after connecting to Web PubSub service successfully. You can also generate a user event with the app.

+## How Cross Subscription Backup for Azure File share (preview) works?

+Cross Subscription Backup (CSB) for Azure File share (preview) enables you to back up file shares across subscriptions. This feature is useful when you want to centralize backup management for file shares across different subscriptions. You can back up file shares from a source subscription to a Recovery Services vault in a target subscription.

+Learn about the [additional prerequisites](backup-azure-files.md#prerequisites) and [steps to configure Cross Subscription Backup for Azure File share (preview)](backup-azure-files.md#configure-the-backup). For information on the supported regions for Cross Subscription Backup, see the [Azure File share backup support matrix](azure-file-share-support-matrix.md#supported-regions-for-cross-subscription-backup-preview).

+### Supported regions for Cross Subscription Backup (preview)

+Cross Subscription Backup (CSB) for Azure File share (preview) is currently available in the following regions: East Asia, Southeast Asia, UK South, UK West, Central India.

+* Ensure the file share is present in one of the supported storage account types. Review the [support matrix](azure-file-share-support-matrix.md).

+>[!Important]

+>To perform [Cross Subscription Backup (CSB) for protecting Azure File share (preview)](azure-file-share-backup-overview.md#how-cross-subscription-backup-for-azure-file-share-preview-works) in another subscription, ensure you register `Microsoft.RecoveryServices` in the **subscription of the file share** in addition to the above prerequisites. Learn about the [supported regions for Cross Subscription Backup (preview)](azure-file-share-support-matrix.md#supported-regions-for-cross-subscription-backup-preview).

+You can configure *snapshot backup* and *vaulted backup (preview)* for Azure File share from the *Recovery Services vault* or *File share blade*.

+# [Recovery Services vault](#tab/recovery-services-vault)

+To configure backup for multiple file shares from the Recovery Services vault, follow these steps:

+1. In the [Azure portal](https://portal.azure.com/), go to the **Recovery Services vault** and select **+Backup**.

+ :::image type="content" source="./media/backup-afs/azure-file-configure-backup.png" alt-text="Screenshot showing to configure Backup for Azure File." lightbox="./media/backup-afs/azure-file-configure-backup.png":::

+1. Click **Select** to select the storage account that contains the file shares to be backed up.

+ The **Select storage account** blade opens on the right, which lists a set of discovered supported storage accounts. They're either associated with this vault or present in the same region as the vault, but not yet associated with any Recovery Services vault.

+1. On the **Select storage account** blade, by default it list the storage accounts from the current subscription. Select an account, and select **OK**.

+ If you want to configure the backup operation with a storage account in a different subscription ([Cross Subscription Backup - preview](azure-file-share-backup-overview.md#how-cross-subscription-backup-for-azure-file-share-preview-works)), choose the other subscription from the **Subscription** filter. The storage accounts from the selected subscription appear.

+ 1. Configure the *backup schedule* as per the requirement. You can configure up to *six backups* per day. The snapshots are taken as per the schedule defined in the policy. In case of vaulted backup, the data from the last snapshot of the day is transferred to the vault.

+ 1. Configure the *backup schedule* as per the requirement. You can configure up to *six backups* per day. The snapshots are taken as per the schedule defined in the policy. In case of vaulted backup, the data from the last snapshot of the day is transferred to the vault.

+# [Recovery Services vault](#tab/recovery-services-vault)

+1. Go to the **Recovery Services vault** and select **Backup items** from the menu.

+1. On the **Backup items** blade, select the **Backup Management Type** as **Azure Storage (Azure Files)**.

+1. Monitor the portal notifications to keep track of backup job run completion.

+ To monitor the job progress in the **Recovery Services vault** dashboard, go to **Recovery Services vault** > **Backup Jobs** > **In progress**.

+## Supported scenarios for WORM storage

+- Use of WORM storage for immutable vaults in locked state is currently in GA for Recovery Services Vaults in the following regions: Australia Central 2, Switzerland West, South Africa West, Korea Central, Germany North, Korea South, Spain Central.

+## Before you start

+- The backup operation isn't supported for blobs that are uploaded by using [Data Lake Storage APIs](/rest/api/storageservices/data-lake-storage-gen2).

+>Secure by default and soft delete for vaults is currently in limited preview in the following region: East Asia.

+>

+>Since this is a preview feature, disabling soft delete is allowed from REST API, PS, CLI commands. A complete secure by default experience will be available from the GA of this feature.

+ - [Secure by Default with Vault soft delete (preview)](#secure-by-default-with-vault-soft-delete-preview)

+ - [WORM enabled Immutable Storage for Recovery Services vaults is now generally available](#worm-enabled-immutable-storage-for-recovery-services-vaults-is-now-generally-available)

+ - [Cross Subscription Backup support for Azure File Share (preview)](#cross-subscription-backup-support-for-azure-file-share-preview)

+ - [Back up SAP ASE (Sybase) database (preview)](#back-up-sap-ase-sybase-database-preview)

+ - [Vaulted backup and Cross Region Restore support for AKS is now generally available](#vaulted-backup-and-cross-region-restore-support-for-aks-is-now-generally-available)

+## Secure by Default with Vault soft delete (preview)

+

+Azure Backup now provides the **Secure By default with Vault soft delete (preview)** feature that applies soft delete by default at all granularities - vaults, recovery points, containers and backup items. Azure Backup now ensures that all the backup data is recoverable against ransomware attacks by default and has no cost for *14 days*. You don't need to opt in to get *fair* security level for your backup data. You can update the soft delete retention period as per your preference up to *180 days*.

+Soft delete provides data recoverability from malicious or accidental deletions and is enabled by default for all vaults. To make soft delete irreversible, you can use **always-on** soft delete.

+For more information, see [Secure by Default with Azure Backup (Preview)](secure-by-default.md).

+## WORM enabled Immutable Storage for Recovery Services vaults is now generally available

+Azure Backup now provides immutable WORM storage for your backups when immutability is enabled and locked on a Recovery Services vault. When immutability is enabled, Azure Backup ensures that a Recovery Point, once created, can't be deleted or have its retention period reduced before its intended expiry.

+When immutability is locked, Azure Backup also uses WORM-enabled immutable storage to meet any compliance requirements. This feature is applicable to both existing and new vaults with locked immutability.WORM immutability is available in [these regions](backup-azure-immutable-vault-concept.md#supported-scenarios-for-worm-storage).

+For more information, see [About Immutable vault for Azure Backup](backup-azure-immutable-vault-concept.md).

+## Cross Subscription Backup support for Azure File Share (preview)

+Azure Backup now supports Cross Subscription Backup (CSB) for Azure File Shares (preview), allowing you to back up data across different subscriptions within the same tenant or Microsoft Entra ID. This capability offers greater flexibility and control, essentially for enterprises managing multiple subscriptions with varying purposes and security policies.

+For more information, see [About Azure File share backup](azure-file-share-backup-overview.md#how-cross-subscription-backup-for-azure-file-share-preview-works).

+Batch maintains parity with Azure on supporting Availability Zones. To use the zonal option, your pool must be created in a [supported Azure region](../reliability/availability-zones-region-support.md).

+|Asus|[NUC14RVH-B (u5)](https://www.asus.com/us/displays-desktops/nucs/nuc-mini-pcs/asus-nuc-14-pro/)|Windows 11 IoT Enterprise|2024-11-20|

+|Asus|[NUC14RVH-B (u7)](https://www.asus.com/us/displays-desktops/nucs/nuc-mini-pcs/asus-nuc-14-pro/)|Windows 10 IoT Enterprise|2024-11-20|

+In this article, you learn which Azure logs, Azure metrics & Teams logs are emitted for Teams external users when joining Teams meetings. Azure Communication Services user joining Teams meeting emits the following metrics: [Authentication API](../../metrics.md) and [Chat API](../../metrics.md). Communication Services resource additionally tracks the following logs: [Call Summary](../../analytics/logs/voice-and-video-logs.md) and [Call Diagnostic](../../analytics/logs/voice-and-video-logs.md) Log. Teams administrator can use [Teams Admin Center](https://aka.ms/teamsadmincenter) and [Teams Call Quality Dashboard](https://cqd.teams.microsoft.com) to review logs stored for Teams external users joining Teams meetings organized by the tenant.

+Authentication API metrics emit records for every operation called on the Identity SDK or API (for example, creating a user `CreateIdentity` or issue of a token `CreateToken`). Chat API metrics emit records for every chat API call made via chat SDK or APIs (for example, creating a thread or sending a message).

+- Azure Communication Services users joining the meeting from the same tenant. Users rejected in the lobby and Azure Communication Services users from different resources but in the same tenant are included.

+- Microsoft 365 users, phone users, and bots joining the meeting only if the organizer and current Azure Communication Services resource are in the same tenant.

+If Azure Communication Services resource and Teams meeting organizer tenants are different, then some fields of the logs are redacted. You can find more information in the call summary & diagnostics logs [documentation](../../analytics/logs/voice-and-video-logs.md). Bots indicate service logic provided during the meeting. Here's a list of frequently used bots:

+Teams administrator can see Teams external users in the overview of the meeting (section `Manage users` -> `Select user` -> `Meetings & calls` -> `Select meeting`). The summary logs can be found when selecting individual Teams external users (continue `Participant details` -> `Anonymous user`). For more details about the call logs, proceed with [Teams Call Quality Dashboard](https://cqd.teams.microsoft.com). You can learn more about the call quality dashboard [here](/microsoftteams/cqd-what-is-call-quality-dashboard).

+You can send a limited number of email messages. If you exceed the [email rate limits](#rate-limits-for-email) for your subscription, your requests are rejected. You can attempt these requests again, after the Retry-After time passes. Take action before reaching the limit by requesting to raise your sending volume limits if needed.

+The Azure Communication Services email service is designed to support high throughput. However, the service imposes initial rate limits to help customers onboard smoothly and avoid some of the issues that can occur when switching to a new email service.

+We recommend gradually increasing your email volume using Azure Communication Services Email over a period of two to four weeks, while closely monitoring the delivery status of your emails. This gradual increase enables third-party email service providers to adapt to the change in IP for your domain's email traffic. The gradual change gives you time to protect your sender reputation and maintain the reliability of your email delivery.

+Azure Communication Services email service supports high volume up to 1-2 million messages per hour. High throughput can be enabled based on several factors, including:

+- Customer peak traffic

+- Business needs

+- Ability to manage failure rates

+- Domain reputation

+### Failure Rate Requirements

+To enable a high email quota, your email failure rate must be less than one percent (1%). If your failure rate is high, you must resolve the issues before requesting a quota increase.

+Customers are expected to actively monitor their failure rates.

+If the failure rate increases after a quota increase, Azure Communication Services will contact the customer for immediate action and a resolution timeline. In extreme cases, if the failure rate isn't managed within the specified timeline, Azure Communication Services may reduce or suspend service until the issue is resolved.

+#### Related articles

+Azure Communication Services provides rich logs and analytics to help monitor and manage failure rates. For more information, see the following articles:

+- [Improve sender reputation in Azure Communication Services email](./email/sender-reputation-managed-suppression-list.md)

+- [Email Insights](./analytics/insights/email-insights.md)

+- [Enable logs via Diagnostic Settings in Azure Monitor](./analytics/enable-logging.md)

+- [Quickstart: Handle Email events](../quickstarts/email/handle-email-events.md)

+- [Quickstart: Manage domain suppression lists in Azure Communication Services using the management client libraries](../quickstarts/email/manage-suppression-list-management-sdks.md)

+> [!NOTE]

+> To request higher limits, follow the instructions at [Quota increase for email domains](./email/email-quota-increase.md). Higher quotas are only available for verified custom domains, not Azure-managed domains.

+### Rate Limits for Email

+[Custom Domains](../quickstarts/email/add-custom-verified-domains.md)

+| Operation | Scope | Timeframe (minutes) | Limit (number of emails) | Higher limits available |

+| | | | | |

+| Send Email | Per Subscription | 1 | 30 | Yes |

+| Send Email | Per Subscription | 60 | 100 | Yes |

+| Get Email Status | Per Subscription | 1 | 60 | Yes |

+| Get Email Status | Per Subscription | 60 | 200 | Yes |

+| Operation | Scope | Timeframe (minutes) | Limit (number of emails) | Higher limits available |

+| | | | | |

+| Send Email | Per Subscription | 1 | 5 | No |

+| Send Email | Per Subscription | 60 | 10 | No |

+| Get Email Status | Per Subscription | 1 |10 | No |

+| Get Email Status | Per Subscription | 60 |20 | No |

+- [Help and support options](../support.md)

+This article describes how to provision an Azure Managed Domain for Email Communication Service in Azure Communication Services.

+### Service limits

+Both Azure managed domains and Custom domains are subject to service limits. Service limits include failure, rate, and size limits. For more informations, see [Service limits for Azure Communication Services > Email](../../concepts/service-limits.md#email).

+* Familiarize yourself with the [Email client library](../../concepts/email/sdk-features.md).

+* Review email failure limits, rate limits, and size limits in [Service limits for Azure Communication Services > Email](../../concepts/service-limits.md#email).

+* Learn how to send emails with custom verified domains in [Quickstart: How to add custom verified email domains](../../quickstarts/email/add-custom-verified-domains.md).

+### Service limits

+Both Azure managed domains and Custom domains are subject to service limits. Service limits include failure, rate, and size limits. For more informations, see [Service limits for Azure Communication Services > Email](../../concepts/service-limits.md#email).

+* Review email failure limits, rate limits, and size limits in [Service limits for Azure Communication Services > Email](../../concepts/service-limits.md#email).

+* Learn how to send emails with Azure Managed Domains in [Quickstart: How to add Azure Managed Domains to Email Communication Service](../../quickstarts/email/add-azure-managed-domains.md).

+ Title: Perform secure multiparty data collaboration on Azure

+description: Learn how Azure Confidential Clean Rooms enables multiparty collaborations while keeping your data safe from other collaborators.

+# Azure Confidential Clean Rooms

+> [!NOTE]

+> Azure Confidential Clean Rooms is currently in Gated Preview. Please fill the form at https://aka.ms/ACCRPreview and we will reach out to you with next steps.

+Azure Confidential Clean Rooms, aka ACCR, offers a secure and compliant environment that helps organizations overcome the challenges of using privacy-sensitive data for AI model development, inferencing, and data analytics. Built on top of [Confidential containers or C-ACI](../confidential-computing/confidential-containers.md), this service secures the data and the model from exfiltration outside the clean room boundary.

+Organizations can safely collaborate and analyze sensitive data, within the sandbox, without violating compliance standards or risking data breaches by using advanced privacy-enhancing technologies like secure governance & audit, secure collaboration (TEE), verifiable trust, differential privacy, and controlled access.

+## Who should use Azure Confidential Clean Rooms?

+Azure Confidential Clean Rooms could be a great choice for you if you have these scenarios:

+- Data analytics and inferencing: Organizations looking to build insights on second-party data while ensuring data privacy can use ACCR. ACCR is useful when data providers are concerned about data exfiltration. ACCR ensures that data is only used for agreed purposes and safeguards against unauthorized access or egress (as it's a sandboxed environment).

+- Data privacy ISVs: Independent Software Vendors (ISVs) who provide secure multiparty data collaboration services can use ACCR as an extensible platform. It allows them to add enforceable tamperproof contracts with governance and audit capabilities, and uses [Confidential containers or C-ACI](../confidential-computing/confidential-containers.md) underneath to ensure data is encrypted during processing so that their customers' data remains secure.

+- ML fine tuning: ACCR provides a solution to organizations that require data from various sources to train or fine-tune machine learning models but face data sharing regulations. It allows any party to audit and confirm that data is being used only for the agreed purpose, such as ML modeling.

+- ML inferencing: Organizations can use ACCR in machine learning (ML) inferencing to enable secure, collaborative data analysis without compromising privacy or data ownership. ACCR acts as secure environment where multiple parties can combine sensitive data and apply ML models for inferencing while keeping raw data inaccessible to others.

+### Industries that can successfully utilize ACCR

+- Healthcare- In the healthcare industry, Azure Confidential Clean Rooms enable secure collaboration on sensitive patient data. For example, healthcare providers can use clean rooms to train and fine-tune AI/ML models for predictive diagnostics, personalized medicine, and clinical decision support. By using confidential computing, healthcare organizations can protect patient privacy while collaborating with other institutions to improve healthcare outcomes.

+ACCR can also be used for ML inferencing where partner hospitals can utilize power of these models for early detection.

+- Advertising- In the advertising industry, Azure Confidential Clean Rooms facilitates secure data sharing between advertisers and publishers. ACCR enables targeted advertising and campaign effectiveness measurement without exposing sensitive user data.

+- Banking, Financial Services and Insurance (BFSI) - The BFSI sector can use Azure Confidential Clean Rooms to securely collaborate on financial data, ensuring compliance with regulatory requirements. This enables financial institutions to perform joint data analysis and develop risk models, fraud detection models, lending scenarios among others without exposing sensitive customer information.

+- Retail- In the retail industry, Azure Confidential Clean Rooms enables secure collaboration on customer data to enhance personalized marketing and inventory management. Retailers can use clean rooms to analyze customer behavior and preferences to create personalized marketing campaigns without compromising data privacy.

+## Benefits

+Azure Confidential Clean Rooms (ACCR) provides a secure and compliant environment for multi-party data collaboration. Built on [Confidential containers or C-ACI](../confidential-computing/confidential-containers.md), ACCR ensures that sensitive data remains protected throughout the collaboration process. Here are some key benefits of using Azure Confidential Clean Rooms:

+- Secure collaboration and governance:

+ACCR allows collaborators to create tamper-proof contracts. ACCR also enforces all the constraints which are part of the contract. Governance ensures validity of constraints before allowing data to be released into clean rooms and drives transparency among collaborators by generating tamper-proof audit trails. ACCR uses the open-sourced [confidential consortium framework](https://microsoft.github.io/CCF/main/overview/what_is_ccf.html) to enable these capabilities.

+- Compliance:

+Confidential computing can address some of the regulatory and privacy concerns by providing a secure environment for data collaboration. This capability is beneficial for industries such as financial services, healthcare, and telecom, which deal with highly sensitive data and personally identifiable information (PII).

+- Enhanced data security:

+ACCR is built using confidential computing to provide a hardware-based, trusted execution environment (TEE). This environment is sandboxed and allows only authorized workloads to execute and prevents unauthorized access to data or code during processing, ensuring that sensitive information remains secure.

+- Verifiable trust at each step with the help of cryptographic remote attestation forms the cornerstone of Azure Confidential Clean Rooms.

+- Cost-effective:

+By providing a secure and compliant environment for data collaboration, ACCR reduces the need for costly and complex data protection measures. This makes it a cost-effective solution for organizations looking to use sensitive data for analysis and insights.

+## Onboarding to Azure Confidential Clean Rooms

+ACCR is currently in Gated Preview. To express your interest in joining the gated preview, follow these steps:

+- Fill and submit the form at https://aka.ms/ACCR-Preview-Onboarding.

+- Once you submit, further steps will be shared with you on onboarding.

+- For further questions on onboarding reach out to CleanRoomPMTeam@microsoft.com.

+- After reviewing details, we'll reach out to you with detailed steps for onboarding.

+## Frequently asked questions

+- Question: Where is the location Microsoft published side cars?

+ Answer: The Microsoft published side cars are available at: mcr.microsoft.com/cleanroom. The code repository for the sidecars is present [here](https://github.com/Azure/azure-cleanroom/).

+- Question: Is there a sampleclean room application to try out?

+ Answer: You can find the clean room sample application [here](https://github.com/Azure-Samples/azure-cleanroom-samples). Please feel free to try out the sample after signing up for the Preview and receiving our response.

+- Question: Can more than two collaborators participate in a collaboration?

+ Answer: Yes, more than two collaborators can become part of collaboration. This allows multiple data providers to share data in the clean room.

+If you have questions about Azure Confidential Clean Rooms, reach out to <accrsupport@microsoft.com>.

+## Next steps

+- [Deploy Confidential container group with Azure Container Instances](/azure/container-instances/container-instances-tutorial-deploy-confidential-containers-cce-arm)

+- [Microsoft Azure Attestation](/azure/attestation/overview)

+Or, you can find the actual resiliency policy by enabling debug logs on your container app and querying to see if a resiliency resource is loaded.

+Once debug logs are enabled, use a query similar to the following:

+> [!VIDEO https://www.youtube.com/embed/OxmVds31qL8]

+To [create subscriptions under an enrollment account](programmatically-create-subscription-preview.md), users must have the Azure RBAC [Owner role](../../role-based-access-control/built-in-roles.md#owner) on that account. You can grant a user or a group of users the Azure RBAC Owner role on an enrollment account by following these steps:

+ Connect-AzAccount -EnvironmentName AzASE -TenantId aaaabbbb-0000-cccc-1111-dddd2222eeee -credential $cred

+ Use the tenant ID aaaabbbb-0000-cccc-1111-dddd2222eeee as in this instance it's hard coded.

+ PS C:\windows\system32> Connect-AzAccount -EnvironmentName AzASE -TenantId aaaabbbb-0000-cccc-1111-dddd2222eeee -credential $cred

+ EdgeArmUser@localhost Default Provider Subscription aaaabbbb-0000-cccc-1111-dddd2222eeee AzASE

+ `login-AzAccount -EnvironmentName <Environment Name> -TenantId aaaabbbb-0000-cccc-1111-dddd2222eeee`

+ PS C:\WINDOWS\system32> login-AzAccount -EnvironmentName AzASE -TenantId aaaabbbb-0000-cccc-1111-dddd2222eeee

+ 1. To sign in, type the following command. The tenant ID in this instance is hard coded - aaaabbbb-0000-cccc-1111-dddd2222eeee. Use the following username and password.

+ PS C:\windows\system32> Connect-AzureRmAccount -EnvironmentName AzDBE -TenantId aaaabbbb-0000-cccc-1111-dddd2222eeee -credential $cred

+ EdgeArmUser@localhost Default Provider Subscription aaaabbbb-0000-cccc-1111-dddd2222eeee AzDBE

+ `login-AzureRMAccount -EnvironmentName <Environment Name> -TenantId aaaabbbb-0000-cccc-1111-dddd2222eeee`

+ PS C:\Users\Administrator> login-AzureRMAccount -EnvironmentName AzDBE -TenantId aaaabbbb-0000-cccc-1111-dddd2222eeee

+ EdgeArmUser@localhost Default Provider Subscription aaaabbbb-0000-cccc-1111-dddd2222eeee AzDBE

+Tenant : aaaabbbb-0000-cccc-1111-dddd2222eeeeΓÇï

+Tenants : {aaaabbbb-0000-cccc-1111-dddd2222eeee}ΓÇï

+ExtendedProperties : {[Subscriptions, ...], [Tenants, aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e]}

+EdgeArmUser@localhost Default Provider Subscription aaaabbbb-0000-cccc-1111-dddd2222eeee AzDBE1

+Tenant : aaaabbbb-0000-cccc-1111-dddd2222eeeeΓÇï

+Tenant : aaaabbbb-0000-cccc-1111-dddd2222eeeeΓÇï

+Tenants : {aaaabbbb-0000-cccc-1111-dddd2222eeee}ΓÇï

+ExtendedProperties : {[Subscriptions, ...], [Tenants, aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e]}

+EdgeArmUser@localhost Default Provider Subscription aaaabbbb-0000-cccc-1111-dddd2222eeee AzDBE1

+Tenant : aaaabbbb-0000-cccc-1111-dddd2222eeeeΓÇï

+ "id": "/Subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/Providers/Microsoft.Compute/Locations/eastus/Publishers/MicrosoftWindowsServer/ArtifactTypes/VMImage/Offers/WindowsServer/Skus/2019-Datacenter/Versions/17763.1935.2105080716",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/newrgmd1/providers/Microsoft.Compute/disks/NewManagedDisk1",

+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myaserg1/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000",

+ "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",

+ $ENV:ARM_TENANT_ID = "aaaabbbb-0000-cccc-1111-dddd2222eeee"

+Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myasegpuvm1/providers/Microsoft.Compute/virtualMachines/VM5/extensions/CustomScriptExtension

+Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myasegpuvm1/providers/Microsoft.Compute/virtualMachines/VM5/extensions/CustomScriptExtension

+Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myasegpuvm1/providers/Microsoft.Compute/virtualMachines/VM2/extensions/windowsgpuext

+Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/VM1/extensions/gpuLinux

+Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myasepro2rg/provi

+Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups

+ PS C:\windows\system32> login-AzureRMAccount -EnvironmentName aztest1 -TenantId aaaabbbb-0000-cccc-1111-dddd2222eeee

+ EdgeArmUser@localhost Default Provider Subscription aaaabbbb-0000-cccc-1111-dddd2222eeee aztest1

+ Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/rg201221071831/providers/Microsoft.Compute/disks/ld201221071831

+ Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/rg201221071831/providers/Microsoft.Compute/images/ig201221071831

+ Using Vnet /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ASERG/providers/Microsoft.Network/virtualNetworks/ASEVNET

+ "Id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/rg201221071831/providers/Microsoft.Network/networkInterfaces/nic201221071831/ipConfigurations/ip201221071831",

+ "Id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ASERG/providers/Microsoft.Network/virtualNetworks/ASEVNET/subnets/ASEVNETsubNet",

+ Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/rg201221071831/providers/Microsoft.Network/networkInterfaces/nic201221071831

+ Add-AzureRmVMNetworkInterface -VM Microsoft.Azure.Commands.Compute.Models.PSVirtualMachine -Id /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/rg201221071831/providers/Microsoft.Network/networkInterfaces/nic201221071831.Id

+ Set-AzureRmVMSourceImage -VM Microsoft.Azure.Commands.Compute.Models.PSVirtualMachine -Id /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/rg201221071831/providers/Microsoft.Compute/images/ig201221071831

+ResourceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myaserg1

+ResourceId : /subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myasegpurgvm

+ PS C:\WINDOWS\system32> login-AzureRMAccount -EnvironmentName aztest -TenantId aaaabbbb-0000-cccc-1111-dddd2222eeee

+ EdgeArmUser@localhost Default Provider Subscription aaaabbbb-0000-cccc-1111-dddd2222eeee aztest

+ Id : /subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourceGroups/ASERG/providers/Microsoft

+ "Id": "/subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourceGroups/ASERG/provider

+ Id : /subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourceGroups/ASERG/providers/Microsoft

+ "Id": "/subscriptions/cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a/resourceGroups/ASERG/provider

+ ResourceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myasevm1rg/providers/Microsoft.Compute/disk

+ ResourceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myasevm1rg/providers/Microsoft.Compute/virt

+ ResourceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myasevm1rg/providers/Microsoft.Network/netw

+ ResourceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myasevm1rg/providers/Microsoft.Storage/stor

+ ResourceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ase-image-resourcegroup

+ ResourceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/ASERG

+ ResourceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myaserg

+ "value": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myaserg/providers/microsoft.operationalinsights/workspaces/myaseloganalyticsws"

+ PS /home/myaccount> az account set -s aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myaserg/providers/Microsoft.Resources/deployments/Testdeployment1",

+ "correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myaserg/providers/Microsoft.OperationsManagement/solutions/ContainerInsights(myaseloganalyticsws)",

+ "value": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myaserg/providers/microsoft.operationalinsights/workspaces/myaseloganalyticsws"

+ "ioTHostHubId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/GroupForEdgeAutomation/Microsoft.Devices/IotHubs/testrxiothub",

+ "ioTHostHubId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/GroupForEdgeAutomation/Microsoft.Devices/IotHubs/testrxiothub",

+ "ioTHostHubId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/GroupForEdgeAutomation/Microsoft.Devices/IotHubs/testrxiothub",

+ "ioTHostHubId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/GroupForEdgeAutomation/Microsoft.Devices/IotHubs/testrxiothub",

+ "ioTHostHubId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/GroupForEdgeAutomation/Microsoft.Devices/IotHubs/testrxiothub",

+ "ioTHostHubId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/GroupForEdgeAutomation/Microsoft.Devices/IotHubs/testrxiothub",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/GroupForEdgeAutomation/providers/Microsoft.DataBoxEdge/dataBoxEdgeDevices/testedgedevice/roles/IoTRole1",

+ "ioTHostHubId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/GroupForEdgeAutomation/Microsoft.Devices/IotHubs/testrxiothub",

+ "ioTHostHubId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/GroupForEdgeAutomation/Microsoft.Devices/IotHubs/testrxiothub",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/GroupForEdgeAutomation/providers/Microsoft.DataBoxEdge/dataBoxEdgeDevices/res1/roles/kubernetesRole/addons/iotName",

+var id = $@"/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/resourceGroup/providers/Microsoft.DataBoxEdge/dataBoxEdgeDevices/deviceName/roles/iotrole";

+var k8sId = $@"/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/resourceGroup/providers/Microsoft.DataBoxEdge/dataBoxEdgeDevices/deviceName/roles/KubernetesRole";

+var ioTId = $@"/subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/resourceGroup/providers/Microsoft.DataBoxEdge/dataBoxEdgeDevices/deviceName/roles/KubernetesRole/addons/iotaddon";

+ ResourceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myas

+ SubscriptionId : aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+ ResourceId : /subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myaserg2/providers/Microsoft.Compute/virtua

+ SubscriptionId : bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f

+ Id : /subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myaserg2/providers/Microsoft.Compute/virtua

+ Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/mya

+ ResourceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myas

+ SubscriptionId : aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+ Id : /subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGroups/myaserg1/providers/Microsoft.Compute/virtualMachines/myaselinuxvm1

+ ResourceId : /subscriptions/bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f/resourceGrou

+ SubscriptionId : bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f

+ PS Azure:\> Set-AzContext -SubscriptionId aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+|AADSTS50126: Invalid username or password.<br>Trace ID: 0000aaaa-11bb-cccc-dd22-eeeeee333333<br>Correlation ID: aaaa0000-bb11-2222-33cc-444444dddddd<br>Timestamp: 2019-11-15 09:21:57Z: The remote server returned an error: (400) Bad Request.<br>At line:1 char:1 |This error could be the result of any of these conditions:<li>For an invalid username and password, make sure that you have [reset the Azure Storage Manager password from the Azure portal](./azure-stack-edge-gpu-set-azure-resource-manager-password.md), and then use the correct password.<li>For an invalid tenant ID, make sure the tenant ID is set to `aaaabbbb-0000-cccc-1111-dddd2222eeee`</li>|

+|connect-AzureRmAccount: AADSTS90056: The resource is disabled or does not exist. Check your app's code to ensure that you have specified the exact resource URL for the resource you are trying to access.<br>Trace ID: 3333dddd-44ee-ffff-aa55-bbbbbb666666<br>Correlation ID: cccc2222-dd33-4444-55ee-666666ffffff Timestamp: 2019-11-18 07:00:51Z: The remote server returned an error: (400) Bad |The Azure Resource Manager endpoints used in the `Add-AzureRmEnvironment` command are incorrect.<br>To find the Azure Resource Manager endpoints, check **Device endpoints** on the **Device** page of your device's local web UI.<br>For PowerShell instructions, see [Set Azure Resource Manager environment](azure-stack-edge-gpu-connect-resource-manager.md#step-7-set-azure-resource-manager-environment). |

+- Windows 11

+- Windows Server 2003/2008/2012/2016/2019/2022

+ :::image type="content" source="./media/devtest-lab-create-lab/portal-create-basic-settings-managed-identity.png" alt-text="Screenshot of the Basic Settings tab in the Create DevTest Labs form.":::

+ :::image type="content" source="./media/tutorial-create-custom-lab/portal-create-basic-settings-managed-identity.png" alt-text="Screenshot of the Basic Settings tab of the Create DevTest Labs form.":::

+> Azure Private DNS is a zone-redundant service. For more information, see [Azure services with availability zone support](/azure/reliability/availability-zones-service-support).

+For a list of regions that support availability zones, see [Azure regions with availability zones](../reliability/availability-zones-region-support.md). If your Azure DNS Private Resolver is located in one of the regions listed, you don't need to take any other action beyond provisioning the service.

+This guide shows you how to deploy the Geospatial Consumption Zone (GCZ) service integrated with Azure Data Manager for Energy (ADME).

+To deploy the GCZ, you need to create an App Registration in Microsoft Entra ID. The App Registration is used to authenticate the GCZ APIs with Azure Data Manager for Energy to be able to generate the cache of the geospatial data.

+- **Azure Kubernetes Service (AKS)**: Deploy the GCZ service on an AKS cluster. This deployment option is recommended for production environments. It requires more effort to set up, configure, and maintain.

+- **Windows**: Deploy the GCZ service on a Windows. This deployment option recommended for development and testing environments.

+ - [GCZ Provider](https://github.com/microsoft/adme-samples/blob/main/services/gcz/gcz-openapi-provider.yaml)

+ - [GCZ Transformer](https://github.com/microsoft/adme-samples/blob/main/services/gcz/gcz-openapi-transformer.yaml)

+1. Open each OpenAPI specification file in a text editor and replace the `servers` section with the corresponding IPs of the AKS GCZ Services' Load Balancer.

+ ```yaml

+ servers:

+ - url: "http://<GCZ-Service-LoadBalancer-IP>/ignite-provider"

+ ```

+1. Download the API client collection from the [OSDU GitLab](https://community.opengroup.org/osdu/platform/consumption/geospatial/-/blob/master/docs/test-assets/postman/Geospatial%20Consumption%20Zone%20-%20Provider%20Postman%20Tests.postman_collection.json?ref_type=heads) and import it into your API client of choice (that is, Bruno, Postman).

+1.

+ - `PROVIDER_URL` - The URL to the GCZ Provider API.

+ - `AMBASSADOR_URL` - The URL to the GCZ Transformer API.

+ - `access_token` - A valid ADME access token.

+ Title: Microsoft Security Copilot in Defender EASM

+description: You can use Microsoft Security Copilot to get information about your EASM data.

+# Microsoft Security Copilot in Defender EASM

+Defender EASMΓÇÖs integration with Microsoft Security Copilot enables users to interact with MicrosoftΓÇÖs discovered attack surfaces. These attack surfaces allow users to quickly understand their externally facing infrastructure and relevant, critical risks to their organization. They provide insight into specific areas of risk, including vulnerabilities, compliance, and security hygiene. For more information about Microsoft Security Copilot, go to [What is Microsoft Security Copilot](/security-copilot/microsoft-security-copilot). For more information on the embedded Microsoft Security Copilot experience, refer to [Query your attack surface with Defender EASM using Microsoft Copilot in Azure](/azure/copilot/query-attack-surface).

+## Know before you begin

+If you're new to Microsoft Security Copilot, you should familiarize yourself with it by reading these articles:

+- [What is Microsoft Security Copilot?](/security-copilot/microsoft-security-copilot)

+- [Microsoft Security Copilot experiences](/security-copilot/experiences-security-copilot)

+- [Get started with Microsoft Security Copilot](/security-copilot/get-started-security-copilot)

+- [Understand authentication in Microsoft Security Copilot](/security-copilot/authentication)

+- [Prompting in Microsoft Security Copilot](/security-copilot/prompting-security-copilot)

+## Microsoft Security Copilot integration in Defender EASM

+Microsoft Security Copilot can surface insights from Defender EASM about an organization's attack surface. You can use the system features built into Microsoft Security Copilot, and use prompts to get more information. This information can help you understand your security posture and mitigate vulnerabilities.

+This article introduces you to Microsoft Security Copilot and includes sample prompts that can help Defender EASM users.

+## Key features

+The EASM Security Copilot integration can help you with:

+- Providing a snapshot of your external attack surface and generating insights into potential risks

+ This allows users to get a quick view of their external attack surface by analyzing internet-available information combined with Microsoft's proprietary discovery algorithm. It provides an easy-to-understand natural language explanation of the organization's externally facing assets, such as hosts, domains, webpages, and IP addresses, and highlights the critical risks associated with them.

+- Prioritizing remediation efforts based on asset risk and CVEs

+ EASM allows security teams to prioritize their remediation efforts by understanding which assets and Common Vulnerabilities and Exposures (CVEs) pose the greatest risk in their environment. It does this by analyzing vulnerability and infrastructure data to showcase key areas of concern, providing a natural language explanation of the risks and recommended actions.

+- Leveraging Security Copilot to surface insights

+ Users can leverage Security Copilot to ask about insights in natural language to extract insights from Defender EASM about their organization's attack surface. This includes querying details such as the number of insecure SSL certificates, ports detected, and specific vulnerabilities impacting the attack surface.

+- Expediting Attack Surface Curation

+ Utilize Security Copilot to curate your attack surface with labels, external IDs, and state modifications for a set of assets. This process speeds up curation, allowing you to organize your inventory faster and more efficiently.

+## Enable the Microsoft Security Copilot integration in Defender EASM

+* Access to Microsoft Security Copilot, with permissions to activate new connections.

+1. Access [Microsoft Security Copilot](https://securitycopilot.microsoft.com/) and ensure you're authenticated.

+4. If you would like Microsoft Security Copilot to pull data from your Microsoft Defender External Attack Surface Resource, click on the gear to open the plugin settings, and fill out the fields from your resourceΓÇÖs ΓÇ£EssentialsΓÇ¥ section on the Overview blade.

+## Sample Defender EASM prompts

+Microsoft Security Copilot operates primarily with natural language prompts. When querying information from Defender EASM, you submit a prompt that guides Microsoft Security Copilot to select the Defender EASM plugin and invoke the relevant capability.

+- Microsoft Security Copilot saves your prompt sessions. To see the previous sessions, in Microsoft Security Copilot, go to the menu > **My sessions**.

+ For a walkthrough on Microsoft Security Copilot, including the pin and share feature, go to [Navigating Microsoft Security Copilot](/security-copilot/navigating-security-copilot).

+For more information on writing Microsoft Security Copilot prompts, go to [Microsoft Security Copilot prompting tips](/security-copilot/prompting-tips).

+### Plugin capabilities reference

+### Switching between resource and company data

+Even though we have added resource integration for our skills, we still support pulling data from prebuilt attack surfaces for specific companies. To improve Security CopilotΓÇÖs accuracy in determining when a customer wants to pull from their attack surface or a prebuilt, company attack surface, we recommend using ΓÇ£myΓÇ¥, ΓÇ£my attack surfaceΓÇ¥, etc. to convey they want to use their resource and ΓÇ£theirΓÇ¥, ΓÇ£{specific company name}ΓÇ¥, etc. to convey they want a prebuilt attack surface. While this does improve the experience in a single session, we strongly recommend having two separate sessions to avoid any confusion.

+Your feedback on Microsoft Security Copilot generally, and the Defender EASM plugin specifically, is vital to guide current and planned development on the product. The optimal way to provide this feedback is directly in the product, using the feedback buttons at the bottom of each completed prompt. Select "Looks right," "Needs improvement" or "Inappropriate". We recommend ΓÇ£Looks rightΓÇ¥ when the result matches expectations, ΓÇ£Needs improvementΓÇ¥ when it doesn't, and ΓÇ£InappropriateΓÇ¥ when the result is harmful in some way.

+Whenever possible, and especially when the result is ΓÇ£Needs improvement,ΓÇ¥ please write a few words explaining what we can do to improve the outcome. This also applies when you expected Microsoft Security Copilot to invoke the Defender EASM plugin, but another plugin was selected instead.

+## Privacy and data security in Microsoft Security Copilot

+When you interact with Microsoft Security Copilot to get Defender EASM data, Copilot pulls that data from Defender EASM. The prompts, the data that's retrieved, and the output shown in the prompt results is processed and stored within the Microsoft Security Copilot service.

+For more information about data privacy in Microsoft Security Copilot, go to [Privacy and data security in Microsoft Security Copilot](/security-copilot/privacy-data-security).

+- [What is Microsoft Security Copilot?](/security-copilot/microsoft-security-copilot)

+- [Privacy and data security in Microsoft Security Copilot](/security-copilot/privacy-data-security)

+Azure Firewall Availability Zones are available in regions that support availability zones. For more information, see [Regions with availability zone support](../reliability/availability-zones-region-support.md).

+Azure Firewall Availability Zones are available in regions that support Availability Zones. For more information, see [Azure regions with availability zones](../reliability/availability-zones-region-support.md).

+To learn more about secrets, see [Create and manage secrets in Azure IoT Operations](../secure-iot-ops/howto-manage-secrets.md).

+To learn more about secrets, see [Create and manage secrets in Azure IoT Operations](../secure-iot-ops/howto-manage-secrets.md).

+To learn more about secrets, see [Create and manage secrets in Azure IoT Operations](../secure-iot-ops/howto-manage-secrets.md).

+* An Azure IoT Operations instance deployed with test settings. For example, follow the instructions in [Quickstart: Run Azure IoT Operations in GitHub Codespaces](../get-started-end-to-end-sample/quickstart-deploy.md).

+Now that secret synchronization setup is complete, you can refer to [Manage secrets for your Azure IoT Operations deployment](./howto-manage-secrets.md) to learn how to use secrets with Azure IoT Operations.

+ >[!IMPORTANT]

+ >If your environment uses a proxy server or Azure Arc Gateway, modify the `az connectedk8s connect` command with your proxy information:

+ >

+ >1. Follow the instructions in either [Connect using an outbound proxy server](/azure/azure-arc/kubernetes/quickstart-connect-cluster#connect-using-an-outbound-proxy-server) or [Onboard Kubernetes clusters to Azure Arc with Azure Arc Gateway](/azure/azure-arc/kubernetes/arc-gateway-simplify-networking#onboard-kubernetes-clusters-to-azure-arc-with-your-arc-gateway-resource).

+ >1. Add `169.254.169.254` to the `--proxy-skip-range` parameter of the `az connectedk8s connect` command. [Azure Device Registry](../discover-manage-assets/overview-manage-assets.md#store-assets-as-azure-resources-in-a-centralized-registry) uses this local endpoint to get access tokens for authorization.

+ >

+ >Azure IoT Operations doesn't support proxy servers that require a trusted certificate.

+| Hardware memory capacity (RAM) | 16-GB | 32-GB |

+| Available memory for Azure IoT Operations (RAM) | 10-GB | Depends on usage |

+A deployed instance of Azure IoT Operations. If you don't already have an instance, see [Quickstart: Run Azure IoT Operations in GitHub Codespaces with K3s](../get-started-end-to-end-sample/quickstart-deploy.md).

+In Azure IoT Operations, the connector for ONVIF (preview) enables you to control an ONVIF compliant camera that's connected to your Azure IoT Operations cluster. This article explains how to configure and use the connector for ONVIF to perform tasks such as reading and writing properties to control a camera or discovering the media streams a camera supports.

+A deployed instance of Azure IoT Operations. If you don't already have an instance, see [Quickstart: Run Azure IoT Operations in GitHub Codespaces with K3s](../get-started-end-to-end-sample/quickstart-deploy.md).

+## View resources in the Azure portal

+To view the asset endpoint and asset you created in the Azure portal, go to the resource group that contains your Azure IoT Operations instance. You can see the thermostat asset in the **Azure IoT Operations** resource group. If you select **Show hidden types**, you can also see the asset endpoint:

+The portal enables you to view the asset details. Select **JSON View** for more details:

+* Ports that don't link a *BrokerAuthentication* resource have authentication disabled.

+Azure IoT Operations deploys a default *BrokerAuthentication* resource named `default` linked with the *default* listener in the `azure-iot-operations` namespace. It only uses [Kubernetes Service Account Tokens (SATs)](#kubernetes-service-account-tokens) for authentication.

+With X.509 authentication, the MQTT broker uses a **trusted CA certificate** to validate client certificates. This trusted CA can be a root or intermediate CA. The broker checks the client certificate chain against the trusted CA certificate. If the chain is valid, the client is authenticated.

+To use X.509 authentication with a trusted CA certificate, the following requirements must be met:

+- **TLS**: Since X.509 relies on TLS client certificates, [TLS must be enabled for ports using X.509 authentication](./howto-configure-brokerlistener.md).

+- **Key algorithms**: Both EC and RSA keys are supported, but all certificates in the chain must use the same key algorithm.

+- **Format**: The CA certificate must be in PEM format.

+> [!TIP]

+> PEM format is a common format for certificates and keys. PEM files are base64-encoded ASCII files with headers like `--BEGIN CERTIFICATE--` and `--BEGIN EC PRIVATE KEY--`.

+>

+> If you have a certificate in another format, you can convert it to PEM using OpenSSL. For more information, see [How to convert a certificate into the appropriate format](https://knowledge.digicert.com/solution/how-to-convert-a-certificate-into-the-appropriate-format).

+### Get a trusted CA certificate

+In a production setup, the CA certificate is provided by an organization's public key infrastructure (PKI) or a public certificate authority.

+For testing, create a self-signed CA certificate with OpenSSL. For example, run the following command to generate a self-signed CA certificate with an RSA key, a distinguished name `CN=Contoso Root CA Cert`, and a validity of 365 days:

+openssl req -x509 -newkey rsa:4096 -keyout ca-key.pem -out ca.pem -days 365 -nodes -subj "/CN=Contoso Root CA Cert"

+The same command with [Step CLI](https://smallstep.com/docs/step-cli/installation/), which is a convenient tool for managing certificates, is:

+```bash

+step certificate create "Contoso Root CA Cert" ca.pem ca-key.pem --profile root-ca --kty RSA --size 4096 --no-password --insecure

+ --not-after 8760h

+```

+These commands create a CA certificate `ca.pem` and a private key `ca-key.pem` in PEM format. The CA certificate `ca.pem` can be imported into the MQTT broker for X.509 authentication.

+### Import a trusted CA certificate

+To get started with X.509 authentication, import the trusted CA certificate into a ConfigMap in the `azure-iot-operations` namespace. To import a trusted CA certificate `ca.pem` into a ConfigMap named `client-ca`, run:

+```bash

+kubectl create configmap client-ca --from-file=ca.pem -n azure-iot-operations

+```

+In this example, the CA certificate is imported under the key `ca.pem`. MQTT broker trusts all CA certificates in the ConfigMap, so the name of the key can be anything.

+ca.pem:

+MIIFDjCCAvagAwIBAgIRAKQWo1+S13GTwqZSUYLPemswDQYJKoZIhvcNAQELBQAw

+...

+### Configure X.509 authentication method

+Once the trusted CA certificate is imported, enable X.509 client authentication by adding it as an authentication method in a *BrokerAuthentication* resource. Ensure this resource is linked to a TLS-enabled listener port.

+1. In the **X.509 authentication details** pane, specify the trusted CA certificate ConfigMap name using JSON format.

+ ```json

+ {

+ "trustedClientCaCert": "<TRUSTED_CA_CONFIGMAP>"

+ }

+ ```

+

+ Replace `<TRUSTED_CA_CONFIGMAP>` with the name of the ConfigMap that contains the trusted CA certificate. For example, `"trustedClientCaCert": "client-ca"`.

+ :::image type="content" source="media/howto-configure-authentication/x509-method.png" alt-text="Screenshot using Azure portal to set MQTT broker X.509 authentication method." lightbox="media/howto-configure-authentication/x509-method.png":::

+1. Optionally, add authorization attributes for clients using X.509 certificates. To learn more, see [Certificate attributes for authorization](#optional-certificate-attributes-for-authorization).

+1. Select **Apply** to save the changes.

+param trustedCaConfigMap string = '<TRUSTED_CA_CONFIGMAP>'

+ trustedClientCaCert: trustedCaConfigMap

+ // authorizationAttributes: {

+ //// Optional authorization attributes

+ //// See the next section for more information

+ // }

+Replace `<TRUSTED_CA_CONFIGMAP>` with the name of the ConfigMap that contains the trusted CA certificate. For example, `client-ca`.

+ trustedClientCaCert: <TRUSTED_CA_CONFIGMAP>

+ # authorizationAttributes:

+ ## Optional authorization attributes

+ ## See the next section for more information

+```

+Replace `<TRUSTED_CA_CONFIGMAP>` with the name of the ConfigMap that contains the trusted CA certificate. For example, `client-ca`.

+#### Optional: Certificate attributes for authorization

+X.509 attributes can be specified in the *BrokerAuthentication* resource for authorizing clients based on their certificate properties. The attributes are defined in the `authorizationAttributes` field.

+For example:

+# [Portal](#tab/portal)

+In the Azure portal, when configuring the X.509 authentication method, add the authorization attributes in the **X.509 authentication details** pane in JSON format.

+```json

+{

+ "trustedClientCaCert": "<TRUSTED_CA_CONFIGMAP>",

+ "authorizationAttributes": {

+ "root": {

+ "subject": "CN = Contoso Root CA Cert, OU = Engineering, C = US",

+ "attributes": {

+ "organization": "contoso"

+ }

+ },

+ "intermediate": {

+ "subject": "CN = Contoso Intermediate CA",

+ "attributes": {

+ "city": "seattle",

+ "foo": "bar"

+ }

+ },

+ "smartfan": {

+ "subject": "CN = smart-fan",

+ "attributes": {

+ "building": "17"

+ }

+ }

+ }

+}

+```

+

+# [Bicep](#tab/bicep)

+```bicep

+x509Settings: {

+ trustedClientCaCert: '<TRUSTED_CA_CONFIGMAP>'

+ authorizationAttributes: {

+ root: {

+ subject: 'CN = Contoso Root CA Cert, OU = Engineering, C = US'

+ attributes: {

+ organization: 'contoso'

+ }

+ }

+ intermediate: {

+ subject: 'CN = Contoso Intermediate CA'

+ attributes: {

+ city: 'seattle'

+ foo: 'bar'

+ }

+ }

+ smartfan: {

+ subject: 'CN = smart-fan'

+ attributes: {

+ building: '17'

+ }

+ }

+ }

+}

+```

+# [Kubernetes (preview)](#tab/kubernetes)

+```yaml

+x509Settings:

+ trustedClientCaCert: <TRUSTED_CA_CONFIGMAP>

+ authorizationAttributes:

+ root:

+ subject = "CN = Contoso Root CA Cert, OU = Engineering, C = US"

+ attributes:

+ organization = contoso

+ intermediate:

+ subject = "CN = Contoso Intermediate CA"

+ attributes:

+ city = seattle

+ foo = bar

+ smart-fan:

+ subject = "CN = smart-fan"

+ attributes:

+ building = 17

+Authorization rules can be applied to clients using X.509 certificates with these attributes. To learn more, see [Authorize clients that use X.509 authentication](./howto-configure-authorization.md#authorize-clients-that-use-x509-authentication).

+### Enable X.509 authentication for a listener port

+After importing the trusted CA certificate and configuring the *BrokerAuthentication* resource, link it to a TLS-enabled listener port. For more details, see [Enable TLS manual certificate management for a port](./howto-configure-brokerlistener.md#enable-tls-manual-certificate-management-for-a-port) and [Enable TLS automatic certificate management for a port](./howto-configure-brokerlistener.md#enable-tls-automatic-certificate-management-for-a-port).

+1. The frontend collects all credentials the client presented so far, like authentication data from the CONNECT packet, and the client certificate chain presented during the TLS handshake.

+When a client connects to the MQTT broker with custom authentication enabled, the broker sends an HTTPS request to a custom authentication server with the client's credentials. The server then responds with either approval or denial, including the client's [authorization attributes](./howto-configure-authorization.md).

+On disconnect, the client's network connection is closed. The client doesn't receive an MQTT DISCONNECT packet, but the broker logs a message that it disconnected the client.

+To create rules based on properties from a client's certificate, its root CA, or intermediate CA, define the X.509 attributes in the *BrokerAuthorization* resource. For more information, see [Certificate attributes](howto-configure-authentication.md#optional-certificate-attributes-for-authorization).

+resource aioInstance 'Microsoft.IoTOperations/instances@2024-11-01' existing = {

+resource defaultBroker 'Microsoft.IoTOperations/instances/brokers@2024-11-01' existing = {

+resource defaultListener 'Microsoft.IoTOperations/instances/brokers/listeners@2024-11-01' = {

+With automatic certificate management, you use cert-manager to manage the TLS server certificate. By default, cert-manager is installed alongside Azure IoT Operations in the `cert-manager` namespace already. Verify the installation before proceeding.

+Azure IoT Operations features an enterprise-grade, standards-compliant MQTT broker that is scalable, highly available, and Kubernetes-native. It provides the messaging plane for Azure IoT Operations, enables bi-directional edge/cloud communication and powers [event-driven applications](/azure/architecture/guide/architecture-styles/event-driven) at the edge.

+## Operations experience

+To sign in to the [operations experience](https://iotoperations.azure.com) web UI, you need a Microsoft Entra ID account with at least contributor permissions for the resource group that contains your **Kubernetes - Azure Arc** instance.

+If you receive one of the following error messages:

+- A problem occurred getting unassigned instances

+- Message: The request is not authorized

+- Code: PermissionDenied

+Verify your Microsoft Entra ID account meets the requirements in the [prerequisites](../discover-manage-assets/howto-manage-assets-remotely.md#prerequisites) section for operations experience access.

+ > [Azure regions that support availability zones](../reliability/availability-zones-region-support.md).

+* [Azure regions with availability zone support](../reliability/availability-zones-region-support.md)

+Availability zones are supported with Consumption logic app workflows, which run in multitenant Azure Logic Apps. This capability is automatically enabled for new and existing Consumption logic app workflows in [Azure regions that support availability zones](../reliability/availability-zones-region-support.md).

+ > [Azure regions that support availability zones](../reliability/availability-zones-region-support.md).

+ > [Azure regions that support availability zones](../reliability/availability-zones-region-support.md).

+ > [Azure regions that support availability zones](../reliability/availability-zones-region-support.md).

+## Onboard to Azure Local (optional)

+> [!Note]

+> Perform this step only if you are migrating to [Azure Local](/azure-stack/hci/overview).

+Provide the Azure Local instance information and the credentials to connect to the system. For more information, see [Download the Azure Local software](/azure-stack/hci/deploy/download-azure-stack-hci-software).

+- If the source VM supports availability zones, then the target region must also support availability zones. To see which regions support availability zones, see [Azure regions with availability zone support](../reliability/availability-zones-region-support.md).

+The steps to run a cluster runtime upgrade is located [here](./howto-cluster-runtime-upgrade.md).

+The Azure Private 5G Core service is automatically deployed as zone-redundant in Azure regions that support availability zones, as listed in [Azure regions with availability zone support](../reliability/availability-zones-region-support.md). If a region supports availability zones then all Azure Private 5G Core resources created in a region can be managed from any of the availability zones.

+| [Azure Monitor](/azure/azure-monitor/essentials/network-security-perimeter) | Microsoft.Insights/dataCollectionEndpoints</br>Microsoft.Insights/ScheduledQueryRules</br>Microsoft.Insights/actionGroups</br>Microsoft.OperationalInsights/workspaces | Log Analytics Workspace, Application Insights, Alerts, Notification Service |

+| [Azure AI Search](/azure/search/search-security-network-security-perimiter) | Microsoft.Search/searchServices | - |

+| [Cosmos DB](/azure/cosmos-db/how-to-configure-nsp) | Microsoft.DocumentDB/databaseAccounts | - |

+| [Key Vault](/azure/key-vault/general/network-security#network-security-perimeter-preview) | Microsoft.KeyVault/vaults | - |

+| [SQL DB](/azure/azure-sql/database/network-security-perimeter) | Microsoft.Sql/servers | - |

+This article shows you how to assess the availability-zone readiness of your application for the purposes of migrating from non-availability zone to availability zone support. Understand how you can take advantage of availability zone support, and how to meet your application and resiliency requirements. For more detailed information on availability zones and the regions that support them, see [What are Azure regions and availability zones](availability-zones-overview.md).

+In this first step, you'll need to [validate](availability-zones-region-support.md) that your selected Azure region support availability zones as well as the required Azure services for your application.

+For multi-zone high availability of Azure IaaS Virtual Machines, use [Virtual Machine Scale Sets Flex](/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes) to spread VMs across multiple availability zones.

+For a [distributed microservices model](/azure/architecture/guide/architecture-styles/microservices) and depending on your application, there's the possibility of ongoing data exchange between microservices across zones. This continual data exchange through APIs could affect performance. To improve performance and maintain a reliable architecture, you can choose zonal deployment.

+For a 3-tier application it's important to understand the application, business, and data tiers; as well as their state (stateful or stateless) to architect in alignment with the best practices and guidance according to the type of workload.

+> [Azure services with availability zones](availability-zones-service-support.md)

+> [!div class="nextstepaction"]

+> [Azure regions with availability zones](availability-zones-region-support.md)

+To see which regions support availability zones, see [Azure regions with availability zone support](availability-zones-region-support.md).

+Azure services support one or both of these approaches. Platform as a service (PaaS) services typically support zone-redundant deployments. Infrastructure as a service (IaaS) services typically support zonal deployments. For more information about how Azure services work with availability zones, see [Azure regions with availability zone support](availability-zones-region-support.md).

+- [Azure services with availability zones](availability-zones-service-support.md)

+- [Azure regions with availability zones](availability-zones-region-support.md)

+ Title: Azure regions with availability zone support

+description: Learn which Azure regions offer availability zone support

+# Azure regions with availability zone support

+Azure provides the most extensive global footprint of any cloud provider and is rapidly opening new regions and availability zones. Azure supports availability zones in every geographic area that has an Azure datacenter. For more information on availability zones and regions, see [What are Azure regions and availability zones?](availability-zones-overview.md)

+The following regions currently support availability zones:

+| Americas | Europe | Middle East | Africa | Asia Pacific |

+||||||

+| Brazil South | France Central | Qatar Central | South Africa North | Australia East |

+| Canada Central | Italy North | UAE North | | Central India |

+| Central US | Germany West Central | Israel Central | | Japan East |

+| East US | Norway East | | | *Japan West |

+| East US 2 | North Europe | | | Southeast Asia |

+| South Central US | UK South | | | East Asia |

+| US Gov Virginia | West Europe | | | China North 3 |

+| West US 2 | Sweden Central | | |Korea Central |

+| West US 3 | Switzerland North | | | *New Zealand North |

+| Mexico Central | Poland Central ||||

+||Spain Central ||||

+\* To learn more about availability zones and available services support in these regions, contact your Microsoft sales or customer representative. For upcoming regions that support availability zones, see [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/).

+## Next steps

+> [!div class="nextstepaction"]

+> [Azure services with availability zones](availability-zones-service-support.md)

+> [!div class="nextstepaction"]

+> [Microsoft commitment to expand Azure availability zones to more regions](https://azure.microsoft.com/blog/our-commitment-to-expand-azure-availability-zones-to-more-regions/)

+ Title: Azure services with availability zone support

+description: Learn which Azure services offer availability zone support.

+# Azure services with availability zone support

+Azure availability zones are physically separate locations within each Azure region. This article shows you which services support availability zones.

+Azure is continually expanding the number of services that support availability zones, including zonal and zone-redundant offerings.

+## Types of availability zone support

+Azure services can provide two types of availability zone support: *zonal* and *zone-redundant*. Each service supports either one or both types. When designing your reliability strategy, make sure that you understand which availability zone types are supported in each service of your workload.

+- **Zonal services**: A resource can be deployed to a specific, self-selected availability zone to achieve more stringent latency or performance requirements. Resiliency is self-architected by replicating applications and data to one or more zones within the region. Resources are aligned to a selected zone. For example, virtual machines, managed disks, or standard IP addresses can be aligned to a same zone, which allows for increased resiliency by having multiple instances of resources deployed to different zones.

+- **Zone-redundant services**: Resources are replicated or distributed across zones automatically. For example, zone-redundant services replicate the data across multiple zones so that a failure in one zone doesn't affect the high availability of the data.ΓÇ»

+>[!IMPORTANT]

+>Some services may have limited support for availability zones. For example, some may only support availability zones for certain tiers, regions, or SKUs. To get more information on service limitations for availability zone support, select that service in the table.

+## Always-available services

+Some Azure services don't support availability zones because they are:

+- Available across multiple Azure regions within a geographic area, or even across all Azure regions globally.

+- Resilient to zone-wide outages.

+- Resilient to region-wide outages.

+For a complete list of always-available services, also called non-regional services, in Azure, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/).

+## Azure services with availability zone support

+| [Azure Bastion](../bastion/bastion-overview.md) |   |

+- [Azure regions with availability zones](availability-zones-region-support.md)

+- [Availability zone migration guidance overview](availability-zones-migration-overview.md)

+- [Availability of service by category](availability-service-by-category.md)

+- [Well-architected Framework: Overview of the reliability pillar](/azure/architecture/framework/resiliency/overview)

+- [Azure services with availability zones](availability-zones-service-support.md)

+- [Azure regions with availability zones](availability-zones-region-support.md)

+Shared responsibility becomes the crux of your strategic decision-making when it comes to disaster recovery. Azure doesn't require you to use cross-region replication, and you can use services to build resiliency without cross-replicating to another enabled region. But we strongly recommend that you configure your essential services across regions to benefit from [isolation](../security/fundamentals/isolation-choices.md) and improve [availability](availability-zones-overview.md).

+Non-paired regions follow [data residency](https://azure.microsoft.com/global-infrastructure/data-residency/#overview) guidelines to allow for the option to keep data resident within the same region. Customers are responsible for data resiliency based on their Recovery Point Objective or Recovery Time Objective (RTO/RPO) needs and may move, copy, or access their data from any location globally. In the rare event that an entire Azure region is unavailable, customers will need to plan for their Cross Region Disaster Recovery per guidance from [Azure services that support high availability](../reliability/availability-zones-service-support.md) and [Azure Resiliency ΓÇô Business Continuity and Disaster Recovery](https://azure.microsoft.com/mediahandler/files/resourcefiles/resilience-in-azure-whitepaper/resiliency-whitepaper-2022.pdf).

+- [Azure services with availability zones](availability-zones-service-support.md)

+- [Azure regions with availability zones](availability-zones-region-support.md)

+* To configure availability zones for API Management, your instance must be in one of the [Azure regions that support availability zones](availability-zones-region-support.md).

+- [Azure services with availability zones](availability-zones-service-support.md)

+- [Azure regions with availability zones](availability-zones-region-support.md)

+> [Azure services that support availability zones](availability-zones-service-support.md)

+> [!div class="nextstepaction"]

+> [Azure regions that support availability zones](availability-zones-region-support.md)

+[Application Gateway Standard v2](../application-gateway/overview-v2.md) and Application Gateway with [WAF v2](../web-application-firewall/ag/ag-overview.md) supports zonal and zone redundant deployments. For more information about zone redundancy, see [What are availability zones?](availability-zones-overview.md).

+> [Azure services that support availability zones](availability-zones-service-support.md)

+> [!div class="nextstepaction"]

+> [Azure regions that support availability zones](availability-zones-region-support.md)

+> [Azure services that support availability zones](availability-zones-service-support.md)

+> [!div class="nextstepaction"]

+> [Azure regions that support availability zones](availability-zones-region-support.md)

+> [Azure services that support availability zones](availability-zones-service-support.md)

+> [!div class="nextstepaction"]

+> [Azure regions that support availability zones](availability-zones-region-support.md)

+- Understand that enabling availability zones is not an account-wide choice. A single Cosmos DB account can span an arbitrary number of Azure regions, each of which can independently be configured to leverage availability zones and some regional pairs may not have availability zone support. This is important, as some regions do not yet support availability zones, but adding them to a Cosmos DB account will not prevent enabling availability zones in other regions configured for that account. The billing model also reflects this possibility. For more information on SLA for Cosmos DB, see [Reliability in Cosmos DB for NoSQL](./reliability-cosmos-db-nosql.md#sla-improvements). To see which regions support availability zones, see [Azure regions with availability zone support](./availability-zones-region-support.md).

+- [Azure services with availability zones](availability-zones-service-support.md)

+- [Azure regions with availability zones](availability-zones-region-support.md)

+- [Azure services with availability zones](availability-zones-service-support.md)

+- [Azure regions with availability zones](availability-zones-region-support.md)

+- [Reliability for Azure Backup](./reliability-backup.md)

+- [Azure services with availability zones](availability-zones-service-support.md)

+- [Azure regions with availability zones](availability-zones-region-support.md)

+* Three [availability zones in the region](availability-zones-region-support.md).

+Before you migrate to availability zone support, refer to the following table to ensure that your Azure SQL Database is in a supported service tier and deployment model. Make sure that your tier and model is offered in a [region that supports availability zones](availability-zones-region-support.md).

+| Premium | Single database or Elastic Pool | [All regions that support availability zones](availability-zones-region-support.md)|

+| Business Critical | Single database or Elastic Pool | [All regions that support availability zones](availability-zones-region-support.md) |

+| Hyperscale | Single database | [All regions that support availability zones](availability-zones-region-support.md) |

+> [Azure services that support availability zones](availability-zones-service-support.md)

+> [!div class="nextstepaction"]

+> [Azure regions that support availability zones](availability-zones-region-support.md)

+>Zone redundancy for SQL Managed Instance is currently in Preview. To learn which regions support SQL Instance zone redundancy, see [Services support by region](availability-zones-region-support.md).

+> [Azure services that support availability zones](availability-zones-service-support.md)

+> [!div class="nextstepaction"]

+> [Azure regions that support availability zones](availability-zones-region-support.md)

+| Supported regions | Supported | Only availability zone supported regions are supported. Learn [more](availability-zones-region-support.md) to learn about the region details. |

+- [Azure services with availability zones](availability-zones-service-support.md)

+- [Azure regions with availability zones](availability-zones-region-support.md)

+There are two approaches types of availability zone supported

+> [!div class="nextstepaction"]

+> [Azure services that support availability zones](availability-zones-service-support.md)

+> [Azure regions that support availability zones](availability-zones-region-support.md)

+- [Azure services with availability zones](availability-zones-service-support.md)

+- [Azure regions with availability zones](availability-zones-region-support.md)

+To deploy with availability zone support, you must choose a region that supports availability zones. To see which regions support availability zones, see the [list of supported regions](availability-zones-region-support.md).

+Zone-redundant App Service plans can be deployed in [any region that supports availability zones](./availability-zones-region-support.md).

+Azure Container Apps uses [availability zones](availability-zones-overview.md#zonal-and-zone-redundant-services) in regions where they're available. For a list of regions that support availability zones, see [Azure regions with availability zones](availability-zones-region-support.md).

+- To deploy with availability zone support, you must choose a region that supports availability zones. To see which regions supports availability zones, see the [list of supported regions](availability-zones-region-support.md).

+Azure Bastion supports availability zones in both zonal and zone-redundant configurations:

+- *Zonal:* You can select a single availability zone for an Azure Bastion resource.

+ > [!NOTE]

+ > Pinning to a single zone doesnΓÇÖt increase resiliency. To improve resiliency, you need to either use a zone-redundant configuration or explicitly deploy resources into multiple zones.

+- *Zone-redundant:* Enabling zone redundancy for an Azure Bastion resource spreads your instances across multiple [availability zones](../reliability/availability-zones-overview.md). When you spread resources across availability zones, you can achieve resiliency and reliability for your production workloads.

+The following diagram shows a zone-redundant Azure Bastion resource, with its instances spread across three zones:

+Zonal and zone-redundant Azure Bastion resources can be deployed into the following regions:

+- To configure Azure Bastion resources to be zonal or zone redundant, you must deploy with the Basic, Standard, or Premium SKUs.

+- Azure Bastion requires a Standard SKU zone-redundant Public IP address.

+**Migration:** It's not possible to change the availability zone configuration of an existing Azure Bastion resource. Instead, you need to create an Azure Bastion resource with the new configuration and delete the old one.

+If you configure zone redundancy on Azure Bastion, a session might be sent to an Azure Bastion instance in an availability zone that's different from the virtual machine you're connecting to. In the following diagram, a request from the user is sent to an Azure Bastion instance in zone 2, although the virtual machine is in zone 1:

+**Detection and response:** When you use zone redundancy, Azure Bastion detects and responds to failures in an availability zone. You don't need to do anything to initiate an availability zone failover.

+**Traffic rerouting:** When you use zone redundancy, new connections use Azure Bastion instances in the surviving availability zones. Overall, Azure Bastion remains operational.

+- Batch maintains parity with Azure on supporting availability zones. To use the zonal option, your pool must be created in an [Azure region with availability zone support](availability-zones-region-support.md).

+- Your replicas must be deployed in an Azure region that supports availability zones. To see if your region supports availability zones, see the [list of supported regions](availability-zones-region-support.md).

+For availability zone support, your Event Grid resources must be in a region that supports availability zones. To review which regions support availability zones, see the [list of supported regions](availability-zones-region-support.md).

+Availability zone support is only available in [Azure regions with availability zones](./availability-zones-region-support.md).

+Azure Functions supports a [zone-redundant deployment](availability-zones-service-support.md).

+Azure HDInsight supports a [zonal deployment configuration](availability-zones-service-support.md). Azure HDInsight cluster nodes are placed in a single zone that you select in the selected region. A zonal HDInsight cluster is isolated from any outages that occur in other zones. However, if an outage impacts the specific zone chosen for the HDInsight cluster, the cluster won't be available. This deployment model provides inexpensive, low latency network connectivity within the cluster. Replicating this deployment model into multiple availability zones can provide a higher level of availability to protect against hardware failure.

+- To use availability zones with Load Balancer, you need to create your load balancer in a region that supports availability zones. To see which regions support availability zones, see the [list of supported regions](availability-zones-region-support.md).

+- Azure Notification Hubs uses [availability zones](availability-zones-overview.md#zonal-and-zone-redundant-services) in regions where they're available. For a list of regions that support availability zones, see [Azure regions with availability zones](availability-zones-region-support.md).

+Azure Database for PostgreSQL - Flexible Server supports both [zone-redundant and zonal models](availability-zones-service-support.md) for high availability configurations. Both high availability configurations enable automatic failover capability with zero data loss during both planned and unplanned events.

+1. To use availability zones, your scale set must be created in a [supported Azure region](./availability-zones-region-support.md).

+Virtual machines support availability zones with three availability zones per supported Azure region and are also zone-redundant and zonal. For more information, see [Azure services with availability zones](availability-zones-service-support.md). The customer is responsible for configuring and migrating their virtual machines for availability.

+- Review [availability zone service support](./availability-zones-service-support.md) and [region support](availability-zones-region-support.md)

+- Your virtual machine SKUs must be available across the zones in for your region. To review which regions support availability zones, see the [list of supported regions](availability-zones-region-support.md).

+[Azure availability zones](../availability-zones/az-overview.md#availability-zones) help protect your Azure deployment from datacenter failures. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, thereΓÇÖs a minimum of three separate zones in all [enabled regions](../reliability/availability-zones-region-support.md). Using Resource Mover, you can move:

+[Azure Resource Mover](overview.md) is constantly improving and releasing new features that simplify moving workloads in Azure. These new features expand the current capability of region-to-region migration by supporting more resource types or adding in new move capabilities.

+You can learn more about the new releases by bookmarking this page or by subscribing to updates [here](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR85jvyZFzJ9Fij7HO6nPfn5UNFc3QTJXNFMwNFhKMDUwOEhOTzdFQzFEMi4u).

+## Updates (March 2024)

+### Capability to move Azure VMs to another subscription and region

+Azure Resource Mover now supports moving resources from one subscription to another, in addition to moving Azure VMs across regions. This feature helps consolidate, organize, manage, and bill resources more effectively. The **Edit target subscription** option is available on the move resources blade, along with options to add or remove resources, prepare, initiate, discard, and commit the move. After adding resources, you can select **Edit target subscription** to move resources to a different subscription than the source.

+For more information, see [Move Azure VMs to another subscription and region](./move-region-within-resource-group.md).

+### Updates (September 2020)

+### Why does connectivity not work when I advertise routes with an ASN of 0 in the AS-Path?

+Azure Route Server drops routes with an ASN of 0 in the AS-Path. To ensure these routes are successfully advertised into Azure, the AS-Path should not include 0.

+ Route Server exposes two BGP peer IPs, which share the responsibility of sending the routes to all other VMs running in your virtual network. Each NVA must set up two identical BGP sessions (for example, use the same AS number, the same AS path and advertise the same set of routes) to the two BGP peer IPs so that your VMs in the virtual network can get consistent routing info from Azure Route Server.

+Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. In case of a local zone failure, availability zones are designed such that, if one zone is affected, the remaining two zones can support: regional services, capacity and high availability. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [What are availability zones?](../../reliability/availability-zones-overview.md).

+There are three types of Azure services that support availability zones: zonal, zone-redundant, and always-available services. You can learn more about these types of services and how they promote resiliency in the [Azure services with availability zone support](../../reliability/availability-zones-service-support.md).

+- A decision about which Azure regions to deploy to. See the [list of Azure regions](https://azure.microsoft.com/global-infrastructure/regions/), and list of [regions with availability zone support](../../reliability/availability-zones-region-support.md). To learn which services are available in each region, see [products available by region](https://azure.microsoft.com/global-infrastructure/services/).

+- November 19, 2024: Update parameter `enque/encni/set_so_keepalive` to uppercase, as the parameter is case sensitive. Updated in [SAP workloads on Azure: planning and deployment checklist](deployment-checklist.md),[HA for SAP NW on Azure VMs on RHEL multi-SID guide](./high-availability-guide-rhel-multi-sid.md), [Azure VMs high availability for SAP NW on RHEL with Azure NetApp Files](./high-availability-guide-rhel-netapp-files.md),[Azure VMs high availability for SAP NW on RHEL with NFS on Azure Files](./high-availability-guide-rhel-nfs-azure-files.md),[HA for SAP NW on Azure VMs on RHEL for SAP applications](./high-availability-guide-rhel.md),[Azure VMs high availability for SAP NetWeaver on SLES multi-SID guide](./high-availability-guide-suse-multi-sid.md), [Azure VMs high availability for SAP NW on SLES with NFS on Azure Files](./high-availability-guide-suse-netapp-files.md),[Azure VMs high availability for SAP NW on SLES with NFS on Azure Files](./high-availability-guide-suse-nfs-azure-files.md), [Azure VMs high availability for SAP NetWeaver on SLES for SAP Applications with simple mount and NFS](./high-availability-guide-suse-nfs-simple-mount.md),[Azure VMs high availability for SAP NetWeaver on SLES](./high-availability-guide-suse.md),[HA for SAP NetWeaver on Azure VMs on Windows with Azure NetApp Files(SMB)](./high-availability-guide-windows-netapp-files-smb.md),[SAP ASCS/SCS instance multi-SID high availability with Windows server failover clustering and Azure shared disk](./sap-ascs-ha-multi-sid-wsfc-azure-shared-disk.md),[SAP ASCS/SCS installation on Windows with file share](sap-high-availability-installation-wsfc-file-share.md),[SAP ASCS/ERS installation on Windows with shared disk](sap-high-availability-installation-wsfc-shared-disk.md).

+ Based on the RHEL version, perform the configuration mentioned in SAP Note [2002167](https://launchpad.support.sap.com/#/notes/2002167), SAP Note [2772999](https://launchpad.support.sap.com/#/notes/2772999), or SAP Note [3108316](https://launchpad.support.sap.com/#/notes/3108316).

+ enque/encni/set_so_keepalive = TRUE

+ enque/encni/set_so_keepalive = TRUE

+ enque/encni/set_so_keepalive = TRUE

+ enque/encni/set_so_keepalive = TRUE

+| enque/encni/set_so_keepalive | **TRUE** |

+ enque/encni/set_so_keepalive = TRUE

+| enque/encni/set_so_keepalive | **TRUE** |

+We don't describe the DBMS setup in this article because setups vary depending on the DBMS system you use. We assume that high-availability concerns with the DBMS are addressed with the functionalities that different DBMS vendors support for Azure. Examples are Always On or database mirroring for SQL Server and Oracle Data Guard for Oracle databases. The high availability scenarios for the DBMS aren't covered in this article.

+2. If using the new SAP Enqueue Replication Server 2, which is also clustered instance, then you need to reserve in DNS a virtual host name for ERS2 as well.

+If you have Enqueue Replication Server 1, add SAP profile parameter `enque/encni/set_so_keepalive` as described below. The profile parameter prevents connections between SAP work processes and the enqueue server from closing when they're idle for too long. The SAP parameter isn't required for ERS2.

+ enque/encni/set_so_keepalive = TRUE

+- For the SAP ASC/SCS Instance

+- If using ERS2, which is clustered. There's no need to configure probe port for ERS1, as it isn't clustered.

+If using ERS2, you'll also need to open the firewall port for the ERS2 probe port.

+1. Verify that the SAP system can successfully fail over from node A to node B

+ - You can run the rule query across multiple workspaces.

+ In addition, due to the size limits of the alerts, your query should make use of `project` statements to include only the necessary fields from your table. Otherwise, the information you want to surface could end up being truncated.

+ - Queries can now run across multiple workspaces.

+We recommend that you configure auditing for *all* messages from the audit log, instead of only specific logs. Ingestion cost differences are generally minimal and the data is useful for Microsoft Sentinel detections and in post-compromise investigations and hunting.

+We recommend that you configure auditing for *all* messages from the audit log, instead of only specific logs. Ingestion cost differences are generally minimal and the data is useful for Microsoft Sentinel detections and in post-compromise investigations and hunting. For more information, see [Configure SAP auditing](preparing-sap.md#configure-sap-auditing).

+- If your Microsoft Entra data is in a different Log Analytics workspace, make sure you select the relevant subscriptions and workspaces at the top of the workbook, under **Azure audit and activities**.

+We recommend that you configure auditing for *all* messages from the audit log, instead of only specific logs. Ingestion cost differences are generally minimal and the data is useful for Microsoft Sentinel detections and in post-compromise investigations and hunting. For more information, see [Configure SAP auditing](preparing-sap.md#configure-sap-auditing).

+We recommend that you configure auditing for *all* messages from the audit log, instead of only specific logs. Ingestion cost differences are generally minimal and the data is useful for Microsoft Sentinel detections and in post-compromise investigations and hunting. For more information, see [Configure SAP auditing](preparing-sap.md#configure-sap-auditing).

+We recommend that you configure auditing for *all* messages from the audit log, instead of only specific logs. Ingestion cost differences are generally minimal and the data is useful for Microsoft Sentinel detections and in post-compromise investigations and hunting. For more information, see [Configure SAP auditing](preparing-sap.md#configure-sap-auditing).

+> The availability zones support is only available in [Azure regions](../reliability/availability-zones-region-support.md) where availability zones are present.

+> - The [region supports availability zones](../reliability/availability-zones-region-support.md).

+Learn more about [Azure regions with availability zones](../reliability/availability-zones-region-support.md).

+Availability Zones in Azure help protect your applications and data from datacenter failures. Each Availability Zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, thereΓÇÖs a minimum of three separate zones in all enabled regions. The physical separation of Availability Zones within a region helps protect applications and data from datacenter failures. With Availability Zones, Azure offers a service-level agreement (SLA) of 99.99% for uptime of virtual machines (VMs). Availability Zones are supported in select regions, as mentioned in [Regions with availability zones](../reliability/availability-zones-region-support.md).

+- Check whether the target region has [support for availability zones](../reliability/availability-zones-region-support.md). Check that your choice of [source region/target region combination is supported](./azure-to-azure-support-matrix.md#region-support). Make an informed decision on the target region.

+3. In **Configure disaster recovery** > **Target region**, select the target region to which you'll replicate. Ensure this region [supports](../reliability/availability-zones-region-support.md) availability zones.

+For a list of regions that support availability zones, see [Azure regions with availability zones](../../reliability/availability-zones-region-support.md#azure-regions-with-availability-zone-support). If your Azure Spatial Anchors account is located in one of the regions listed, you don't need to take any other action beyond provisioning the service.

+Data plane operations are captured in [Azure resource logs for Storage](monitor-blob-storage.md#azure-monitor-resource-logs). You can [configure Diagnostic settings](/azure/azure-monitor/platform/diagnostic-settings) to export logs to Log Analytics workspace for a native query experience.

+A user delegation SAS is secured with Microsoft Entra credentials and also by the permissions specified for the SAS. A user delegation SAS is supported for Azure Blob Storage and Azure Data Lake Storage. It's not currently supported for Azure Files, Azure Queue Storage, or Azure Table Storage.

+> Azure File Sync is zone-redundant in all regions that [support availability zones](../../reliability/availability-zones-region-support.md) except US Gov Virginia. In most cases, we recommend that Azure File Sync users configure storage accounts to use ZRS or GZRS.

+For more information about which regions support ZRS, see [Azure regions with availability zones](../../reliability/availability-zones-region-support.md).

+> [!NOTE]

+> Azure File Sync is zone-redundant in all regions that [support availability zones](../../reliability/availability-zones-region-support.md) except US Gov Virginia.

+description: Learn how to configure source control in Azure Synapse Studio. This guide includes best practices and troubleshooting steps.

+By default, Synapse Studio authors directly against the Synapse service. If you have a need for collaboration using Git for source control, Synapse Studio allows you to associate your workspace with a Git repository, Azure DevOps, or GitHub.

+- Users must have the Azure Contributor (Azure RBAC) or higher role on the Synapse workspace to configure, edit settings, and disconnect a Git repository with Synapse.

+## Configure Git repository in Synapse Studio

+After launching your Synapse Studio, you can configure a git repository in your workspace. A Synapse Studio workspace can be associated with only one git repository at a time.

+In the Synapse Studio global bar at the top of the data, develop, integrate, and manage hubs, select the **Synapse Live** drop-down menu, and then select **Set up code repository**.

+Go to the Manage hub of Synapse Studio. Select **Git configuration** in the **Source control** section. If you have no repository connected, select **Configure**.

+## Connect with Azure DevOps Git

+When connecting to your git repository, first select your repository type as Azure DevOps git, and then select one Microsoft Entra tenant from the dropdown list, and select **Continue**.

+| **Import resource into this branch** | Select which branch the resources (sql script, notebook, spark job definition, dataset, dataflow etc.) are imported to.

+You can also use repository link to quickly point to the git repository you want to connect with.

+> Azure Synapse doesn't support connection to an on-premises Azure DevOps repository.

+The Azure Repos Git repo can be in a different Microsoft Entra tenant. To specify a different Microsoft Entra tenant, you have to have administrator permissions for the Azure subscription that you're using. For more info, see [change subscription administrator](../../cost-management-billing/manage/add-change-subscription-administrator.md#assign-a-subscription-administrator).

+> To connect to another Microsoft Entra ID, the user logged in must be a part of that active directory.

+2. Sign in to the Azure portal with your personal Microsoft account. Then switch to your organization's Active Directory.

+### Use a cross tenant Azure DevOps organization

+When your Azure DevOps isn't in the same tenant as the Synapse workspace, you can configure the workspace with cross tenant Azure DevOps organization.

+1. Select the **Cross tenant sign in** option and select **Continue**

+1. Select **Use another account** and sign in with your Azure DevOps account.

+## Connect with GitHub

+> If you're using GitHub Enterprise Cloud, leave the **Use GitHub Enterprise Server** checkbox cleared.

+| **GitHub Enterprise URL** | The GitHub Enterprise root URL (must be HTTPS for local GitHub Enterprise server). For example: `https://github.mydomain.com`. Required only if **Use GitHub Enterprise** is selected | `<your GitHub enterprise url>` |

+| **Import resource into this branch** | Select which branch the resources (sql script, notebook, spark job definition, dataset, dataflow etc.) is imported.

+1. In the Git configuration pane, enter the organization name in the *GitHub Account* field. A prompt to sign in into GitHub appears.

+1. Login using your user credentials.

+1. You're asked to authorize Synapse as an application called *Azure Synapse*. On this screen, you see an option to grant permission for Synapse to access the organization. If you don't see the option to grant permission, ask an admin to manually grant the permission through GitHub.

+Each Git repository that's associated with a Synapse Studio has a collaboration branch. (`main` or `master` is the default collaboration branch). Users can also create feature branches by clicking **+ New Branch** in the branch dropdown.

+When you're ready to merge the changes from your feature branch to your collaboration branch, select the branch dropdown and select **Create pull request**. This action takes you to Git provider where you can raise pull requests, do code reviews, and merge changes to your collaboration branch. You're only allowed to publish to the Synapse service from your collaboration branch.

+Synapse Studio can only have one publish branch at a time. When you specify a new publish branch, the original publish branch won't be deleted. If you want to remove the previous publish branch, delete it manually.

+After merging changes to the collaboration branch, select **Publish** to manually publish your code changes in the collaboration branch to the Synapse service.

+A side pane opens where you confirm that the publish branch and pending changes are correct. Once you verify your changes, select **OK** to confirm the publish.

+To switch to a different Git repository, go to Git configuration page in the management hub under **Source control**. Select **Disconnect**.

+Enter your workspace name and select **Disconnect** to remove the Git repository associated with your workspace.

+- **Permissions**. After you have a git repository connected to your workspace, anyone who can access to your git repo with any role in your workspace is able to update artifacts, like sql script, notebook, spark job definition, dataset, dataflow, and pipeline in git mode. Typically you don't want every team member to have permissions to update workspace.

+Only grant git repository permission to Synapse workspace artifact authors.

+- **Synapse live mode**. After publishing in git mode, all changes are reflected in Synapse live mode. In Synapse live mode, publishing is disabled. And you can view, run artifacts in live mode if you have been granted the right permission.

+- **Edit artifacts in Studio**. Synapse studio is the only place you can enable workspace source control and sync changes to git automatically. Any change via SDK, PowerShell, isn't synced to git. We recommend you always edit artifact in Studio when git is enabled.

+### Access to git mode

+If you have been granted the permission to the GitHub git repository linked with your workspace, but you can't access to Git mode:

+1. Clear your cache and refresh the page.

+1. Sign in your GitHub account.

+1. Create a pull request to merge the changes to the collaboration branch

+- Synapse Studio doesn't allow cherry-picking of commits or selective publishing of resources.

+## Next step

+> [!div class="nextstepaction"]

+> [Implement continuous integration and deployment](continuous-integration-delivery.md)

+ Title: Use C\# ingestion to ingest data from Event Hubs into Azure Synapse Data Explorer (Preview)

+description: Learn how to use C\# to ingest (load) data into Azure Synapse Data Explorer from Event Hubs.

+# Create an Event Hubs data connection for Azure Synapse Data Explorer by using C# (Preview)

+In this article, you create an Event Hubs data connection for Azure Synapse Data Explorer by using C\#.

+- [Event hub with data for ingestion](data-explorer-ingest-event-hub-portal.md#create-an-event-hub).

+## Add an Event Hubs data connection

+The following example shows you how to add an Event Hubs data connection programmatically. See [connect to the Event Hubs](data-explorer-ingest-event-hub-portal.md#connect-to-the-event-hubs) for information about adding an Event Hubs data connection using the Azure portal.

+| eventHubResourceId | *Resource ID* | The resource ID of your event hub that holds the data for ingestion. |

+| consumerGroup | *$Default* | The consumer group of your event hub.|

+See the [sample app](https://github.com/Azure-Samples/event-hubs-dotnet-ingest) that generates data and sends it to an event hub.

+ Title: Use one-select ingestion to ingest data from Event Hubs into Azure Synapse Data Explorer (Preview)

+description: Learn how to use one-select to ingest (load) data into Azure Synapse Data Explorer from Event Hubs.

+# Use one-select ingestion to create an Event Hubs data connection for Azure Synapse Data Explorer (Preview)

+Azure Synapse Data Explorer offers ingestion (data loading) from Event Hubs, a big data streaming platform and event ingestion service. [Event Hubs](../../../event-hubs/event-hubs-about.md) can process millions of events per second in near real-time. In this article, you connect an Event Hubs to a table in Azure Synapse Data Explorer using the [one-select ingestion](data-explorer-ingest-data-one-click.md) experience.

+- [Event Hubs with data for ingestion](data-explorer-ingest-event-hub-portal.md#create-an-event-hub).

+ :::image type="content" source="../media/ingest-data-event-hub/one-click-ingestion-event-hub.png" alt-text="Screenshot showing the Azure Data Explorer Data menu with ingest from event hub highlighted.":::

+ :::image type="content" source="../media/ingest-data-one-click/select-azure-data-explorer-ingest-event-hub-details.png" alt-text="Screenshot of source tab with project details fields to be filled in - ingest new data to Azure Synapse Data Explorer with Event Hubs in the one select experience.":::

+ | Subscription | | The subscription ID where the Event Hubs resource is located. |

+ | Event Hubs namespace | | The name that identifies your namespace. |

+ | Event Hubs | | The Event Hubs you wish to use. |

+ | Consumer group | | The consumer group defined in your Event Hubs. |

+ | Event system properties | Select relevant properties | The [Event Hubs system properties](../../../service-bus-messaging/service-bus-amqp-protocol-guide.md#message-annotations). If there are multiple records per event message, the system properties will be added to the first one. When adding system properties, [create](/azure/data-explorer/kusto/management/create-table-command?context=/azure/synapse-analytics/context/context) or [update](/azure/data-explorer/kusto/management/alter-table-command?context=/azure/synapse-analytics/context/context) table schema and [mapping](/azure/data-explorer/kusto/management/mappings?context=/azure/synapse-analytics/context/context) to include the selected properties. |

+Data is read from the Event Hubs in form of [EventData](/dotnet/api/microsoft.servicebus.messaging.eventdata) objects. Supported formats are CSV, JSON, PSV, SCsv, SOHsv TSV, TXT, and TSVE.

+1. If the data you see in the preview window isn't complete, you may need more data to create a table with all necessary data fields. Use the following commands to fetch new data from your Event Hubs:

+## Continuous ingestion from Event Hubs

+In the **Continuous ingestion from Event Hub established** window, all steps will be marked with green check marks when establishment finishes successfully. The cards below these steps give you options to explore your data with **Quick queries**, undo changes made using **Tools**, or **Monitor** the Event Hubs connections and data.

+ Title: Event Hubs data connection for Azure Synapse Data Explorer (Preview)

+description: This article provides an overview of how to ingest (load) data into Azure Synapse Data Explorer from Event Hubs.

+# Event Hubs data connection (Preview)

+The Event Hubs ingestion pipeline transfers events to Azure Synapse Data Explorer in several steps. You first create an Event Hubs in the Azure portal. You then create a target table in Azure Synapse Data Explorer into which the [data in a particular format](#data-format), will be ingested using the given [ingestion properties](#ingestion-properties). The Event Hubs connection needs to know [events routing](#events-routing). Data is embedded with selected properties according to the [event system properties mapping](#event-system-properties-mapping). [Create a connection](#event-hubs-connection) to Event Hubs to [create an Event Hubs](#create-an-event-hubs) and [send events](#send-events). This process can be managed through the [Azure portal](data-explorer-ingest-event-hub-portal.md), programmatically with [C#](data-explorer-ingest-event-hub-csharp.md) or [Python](data-explorer-ingest-event-hub-python.md), or with the [Azure Resource Manager template](data-explorer-ingest-event-hub-resource-manager.md).

+* Data is read from the Event Hubs in form of [EventData](/dotnet/api/microsoft.servicebus.messaging.eventdata) objects.

+When you set up an Event Hubs connection to Azure Synapse Data Explorer cluster, you specify target table properties (table name, data format, compression, and mapping). The default routing for your data is also referred to as `static routing`.

+In the following example, set Event Hubs details and send weather metric data to table `WeatherMetrics`.

+>[!WARNING]

+>This example uses connection string authentication to connect to Event Hubs for simplicity of the example. However, hard-coding a connection string into your script requires a very high degree of trust in the application, and carries security risks.

+>

+>For long-term, secure solutions, use one of these options:

+>

+>* [Passwordless authentication](../../../event-hubs/event-hubs-dotnet-standard-getstarted-send.md?tabs=passwordless)

+>* [Store your connection string in an Azure Key Vault](/azure/key-vault/secrets/quick-create-portal) and use [this method](/azure/key-vault/secrets/quick-create-net#retrieve-a-secret) to retrieve it in your code.

+System properties store properties that are set by the Event Hubs service, at the time, the event is enqueued. The Azure Synapse Data Explorer Event Hubs connection will embed the selected properties into the data landing in your table.

+Event Hubs exposes the following system properties:

+| x-opt-sequence-number |long | The logical sequence number of the event within the partition stream of the Event Hubs

+| x-opt-offset |string | The offset of the event from the Event Hubs partition stream. The offset identifier is unique within a partition of the Event Hubs stream |

+## Event Hubs connection

+### Create an Event Hubs

+If you don't already have one, [Create an Event Hubs](../../../event-hubs/event-hubs-create.md). Connecting to Event Hubs can be managed through the [Azure portal](data-explorer-ingest-event-hub-portal.md), programmatically with [C#](data-explorer-ingest-event-hub-csharp.md) or [Python](data-explorer-ingest-event-hub-python.md), or with the [Azure Resource Manager template](data-explorer-ingest-event-hub-resource-manager.md).

+See the [sample app](https://github.com/Azure-Samples/event-hubs-dotnet-ingest) that generates data and sends it to an Event Hubs.

+For an example of how to generate sample data, see [Ingest data from Event Hubs into Azure Synapse Data Explorer](data-explorer-ingest-event-hub-portal.md#generate-sample-data)

+Event Hubs offers a [Geo-disaster recovery](../../../event-hubs/event-hubs-geo-dr.md) solution.

+Azure Synapse Data Explorer doesn't support `Alias` Event Hubs namespaces. To implement the Geo-disaster recovery in your solution, create two Event Hubs data connections: one for the primary namespace and one for the secondary namespace. Azure Synapse Data Explorer will listen to both Event Hubs connections.

+- [Ingest data from Event Hubs into Azure Synapse Data Explorer](data-explorer-ingest-event-hub-portal.md)

+- [Create an Event Hubs data connection for Azure Synapse Data Explorer using C#](data-explorer-ingest-event-hub-csharp.md)

+- [Create an Event Hubs data connection for Azure Synapse Data Explorer using Python](data-explorer-ingest-event-hub-python.md)

+- [Create an Event Hubs data connection for Azure Synapse Data Explorer using Azure Resource Manager template](data-explorer-ingest-event-hub-resource-manager.md)

+ Title: Ingest data from Event Hubs into Azure Synapse Data Explorer (Preview)

+description: Learn how to ingest (load) data into Azure Synapse Data Explorer from Event Hubs.

+# Ingest data from Event Hubs into Azure Synapse Data Explorer

+Azure Synapse Data Explorer offers ingestion (data loading) from Event Hubs, a big data streaming platform and event ingestion service. [Event Hubs](../../../event-hubs/event-hubs-about.md) can process millions of events per second in near real time. In this article, you create an Event Hubs, connect to it from Azure Synapse Data Explorer and see data flow through the system.

+- [A sample app](https://github.com/Azure-Samples/event-hubs-dotnet-ingest) that generates data and sends it to an event hub. Download the sample app to your system.

+## Create an event hub

+Create an event hub by using an Azure Resource Manager template in the Azure portal.

+1. To create an event hub, use the following button to start the deployment. Right-click and select **Open in new window**, so you can follow the rest of the steps in this article.

+1. Select the subscription where you want to create the event hub, and create a resource group named *test-hub-rg*.

+ | Subscription | Your subscription | Select the Azure subscription that you want to use for your Event Hubs.|

+ | Location | *West US* | Select *West US* for this article. For a production system, select the region that best meets your needs. Create the Event Hubs namespace in the same Location as the Azure Synapse Data Explorer cluster for best performance (most important for Event Hubs namespaces with high throughput).

+ | Event Hubs name | *test-hub* | The Event Hubs sits under the namespace, which provides a unique scoping container. The Event Hubs name must be unique within the namespace. |

+ :::image type="content" source="../media/ingest-data-event-hub/review-create.png" alt-text="Screen shot of Azure portal for reviewing and creating Event Hubs namespace, Event Hubs, and consumer group.":::

+Depending on the type of identity, you're using to authenticate with the Event Hubs, you might need some other configurations.

+- If you're authenticating with Event Hubs using a user assigned managed identity, go to your Event Hubs > **Networking**, and then under **Allow access from**, select **All networks** and save the changes.

+ :::image type="content" source="../media/ingest-data-event-hub/configure-event-hub-all-networks.png" alt-text="Screenshot of the Event Hubs networking page, showing the selection of allowing access to all networks.":::

+- If you're authenticating with the Event Hubs using a system assigned managed identity, go to your Event Hubs > **Networking**, and then either allow access from all networks or under **Allow access from**, select **Selected networks**, select **Allow trusted Microsoft services to bypass this firewall** and save the changes.

+ :::image type="content" source="../media/ingest-data-event-hub/configure-event-hub-trusted-services.png" alt-text="Screenshot of the Event Hubs networking page, showing the selection of allowing access to trusted services.":::

+## Connect to the Event Hubs

+Now you connect to the Event Hubs from Data Explorer pool. When this connection is in place, data that flows into the Event Hubs streams to the test table you created earlier in this article.

+1. Select **Notifications** on the toolbar to verify that the Event Hubs deployment was successful.

+ :::image type="content" source="../media/ingest-data-event-hub/select-test-database.png" alt-text="Screenshot of the test database pool, showing select test database.":::

+| Subscription | | The subscription ID where the Event Hubs resource is located. This field is autopopulated. |

+| Event Hubs namespace | A unique namespace name | The name you chose earlier that identifies your namespace. |

+| Event Hubs | *test-hub* | The Event Hubs you created. |

+| Consumer group | *test-group* | The consumer group defined in the Event Hubs you created. |

+| Event system properties | Select relevant properties | The [Event Hubs system properties](../../../service-bus-messaging/service-bus-amqp-protocol-guide.md#message-annotations). If there are multiple records per event message, the system properties will be added to the first record. When adding system properties, [create](/azure/data-explorer/kusto/management/create-table-command?context=/azure/synapse-analytics/context/context) or [update](/azure/data-explorer/kusto/management/alter-table-command?context=/azure/synapse-analytics/context/context) table schema and [mapping](/azure/data-explorer/kusto/management/mappings?context=/azure/synapse-analytics/context/context) to include the selected properties. |

+| Compression | *None* | The compression type of the Event Hubs messages payload. Supported compression types: *None, Gzip*.|

+| Managed Identity | System-assigned | The managed identity used by the Data Explorer cluster for access to read from the Event Hubs.<br /><br />**Note**:<br />When the data connection is created:<br/>\- *System-assigned* identities are automatically created if they don't exist<br />\- The managed identity is automatically assigned the *Azure Event Hubs Data Receiver* role and is added to your Data Explorer cluster. We recommend verifying that the role was assigned and that the identity was added to the cluster. |

+For this article, you use static routing, where you specify the table name, data format, and mapping as default values. If the Event Hubs message includes data routing information, this routing information will override the default settings.

+ :::image type="content" source="../media/ingest-data-event-hub/default-routing-settings.png" alt-text="Default routing settings for ingesting data to Event Hubs - Azure Synapse Data Explorer.":::

+When you run the [sample app](https://github.com/Azure-Samples/event-hubs-dotnet-ingest) listed in Prerequisites, you need the connection string for the Event Hubs namespace.

+1. Under the Event Hubs namespace you created, select **Shared access policies**, then **RootManageSharedAccessKey**.

+>[!WARNING]

+>This sample uses connection string authentication to connect to Event Hubs for simplicity of the example. However, hard-coding a connection string into your script requires a very high degree of trust in the application, and carries security risks.

+>

+>For long-term, secure solutions, use one of these options:

+>

+>* [Passwordless authentication](../../../event-hubs/event-hubs-dotnet-standard-getstarted-send.md?tabs=passwordless)

+>* [Store your connection string in an Azure Key Vault](/azure/key-vault/secrets/quick-create-portal) and use [this method](/azure/key-vault/secrets/quick-create-net#retrieve-a-secret) to retrieve it in your code.

+1. In the *program.cs* file, update the `eventHubName` constant to the name of your Event Hubs and update the `connectionString` constant to the connection string you copied from the Event Hubs namespace.

+1. Build and run the app. The app sends messages to the Event Hubs, and prints its status every 10 seconds.

+1. After the app has sent a few messages, move on to the next step: reviewing the flow of data into your Event Hubs and test table.

+With the app generating data, you can now see the flow of that data from the Event Hubs to the table in your cluster.

+1. In the Azure portal, under your Event Hubs, you see the spike in activity while the app is running.

+If you don't plan to use your Event Hubs again, clean up **test-hub-rg**, to avoid incurring costs.

+The following example shows you how to add an Event Hub data connection programmatically. See [connect to the event hub](data-explorer-ingest-event-hub-portal.md#connect-to-the-event-hubs) for adding an Event Hub data connection using the Azure portal.

+ Title: Create an Event Hubs data connection for Azure Synapse Data Explorer by using Azure Resource Manager template (Preview)

+description: In this article, you learn how to create an Event Hubs data connection for Azure Synapse Data Explorer by using Azure Resource Manager template.

+# Create an Event Hubs data connection for Azure Synapse Data Explorer by using Azure Resource Manager template (Preview)

+In this article, you create an Event Hubs data connection for Azure Synapse Data Explorer by using Azure Resource Manager template.

+- [Event Hubs with data for ingestion](data-explorer-ingest-event-hub-portal.md#create-an-event-hub).

+## Azure Resource Manager template for adding an Event Hubs data connection

+The following example shows an Azure Resource Manager template for adding an Event Hubs data connection. You can [edit and deploy the template in the Azure portal](/azure/azure-resource-manager/resource-manager-quickstart-create-templates-use-the-portal#edit-and-deploy-the-template) by using the form.

+description: In this tutorial, you'll learn to analyze some sample data with Apache Spark in Azure Synapse Analytics.

+# Quickstart: Analyze with Apache Spark

+## Prerequisites

+Make sure you have [placed the sample data in the primary storage account](get-started-create-workspace.md#place-sample-data-into-the-primary-storage-account).

+1. Select **New**

+## Understand serverless Apache Spark pools

+## Next step

+# Tutorial: Integrate with pipelines

+1. Select **+** > **Pipeline** to create a new pipeline. Select the new pipeline object to open the Pipeline designer.

+1. Select **OK**.

+1. Select **Publish All**.

+Once the pipeline is published, you might want to run it immediately without waiting for an hour to pass.

+1. Select **Add trigger** > **Trigger now**.

+1. Select **OK**.

+1. In this view you can switch between tabular **List** display a graphical **Gantt** chart.

+1. Select a pipeline name to see the status of activities in that pipeline.

+## Next step

+ - **(Recommended) Through linked service:** You can use linked service to authenticate to AML workspace. Linked service can use "service principal" or Synapse workspace's "Managed Service Identity (MSI)" for authentication. "Service principal" or "Managed Service Identity (MSI)" must have "Contributor" access to the AML workspace.

+ ```python

+ #AML workspace authentication using linked service

+ from notebookutils.mssparkutils import azureML

+ ws = azureML.getWorkspace("<linked_service_name>") # "<linked_service_name>" is the linked service name, not AML workspace name. Also, linked service supports MSI and service principal both

+ ```

+ - **Through service principal:** Though not recommended, you can use service principal client ID and secret directly to authenticate to AML workspace. Providing the service principal password directly poses some security risk, so we suggest using a linked service where possible. Service principal must have "Contributor" access to the AML workspace.

+ from notebookutils.mssparkutils import azureML

+ #AML workspace authentication using linked service

+ ws = azureML.getWorkspace("<linked_service_name>") # "<linked_service_name>" is the linked service name, not AML workspace name. Also, linked service supports MSI and service principal both

+# customer intent: As a Synapse Analytics user, I want to be able to analyze my text using Azure AI services.

+In this tutorial, you learn how to use [Text Analytics](/azure/ai-services/language-service/) to analyze unstructured text on Azure Synapse Analytics. [Text Analytics](/azure/ai-services/language-service/) is an [Azure AI services](/azure/ai-services/) that enables you to perform text mining and text analysis with Natural Language Processing (NLP) features.

+- Preconfiguration steps described in the tutorial [Configure Azure AI services in Azure Synapse](tutorial-configure-cognitive-services-synapse.md).

+Open Synapse Studio and create a new notebook. To get started, import [SynapseML](https://github.com/microsoft/SynapseML).

+from synapse.ml.services import *

+Use the linked text analytics you configured in the [preconfiguration steps](tutorial-configure-cognitive-services-synapse.md).

+linked_service_name = "<Your linked service for text analytics>"

+The Text Sentiment Analysis provides a way for detecting the sentiment labels (such as "negative", "neutral", and "positive") and confidence scores at the sentence and document-level. See the [Supported languages in Text Analytics API](/azure/ai-services/language-service/language-detection/overview?tabs=sentiment-analysis) for the list of enabled languages.

+ ("I am so happy today, it's sunny!", "en-US"),

+|I'm so happy today, it's sunny!|positive|

+|I'm frustrated by this rush hour traffic|negative|

+|The Azure AI services on spark aint bad|neutral|

+## Related content

+# Azure Synapse Analytics managed private endpoints

+Dedicated SQL pool and serverless SQL pool are analytic capabilities in your Azure Synapse workspace. These capabilities use multitenant infrastructure that isn't deployed into the [Managed workspace Virtual Network](./synapse-workspace-managed-vnet.md).

+When a workspace is created, Azure Synapse creates two Managed private endpoints in the workspace, one for dedicated SQL pool and one for serverless SQL pool.

+## Get started

+To learn more, advance to the [create managed private endpoints to your data sources](./how-to-create-managed-private-endpoints.md) article.

+In this article, you learn how to create an Apache Spark configuration for your synapse studio. The created Apache Spark configuration can be managed in a standardized manner and when you create Notebook or Apache spark job definition can select the Apache Spark configuration that you want to use with your Apache Spark pool. When you select it, the details of the configuration are displayed.

+## Create an Apache Spark Configuration

+1. Select **Manage** > **Apache Spark configurations**.

+1. Select **New** button to create a new Apache Spark configuration, or select **Import** a local .json file to your workspace.

+1. **New Apache Spark configuration** page will be opened after you select **New** button.

+1. For **Name**, you can enter your preferred and valid name.

+1. For **Description**, you can input some description in it.

+1. For **Annotations**, you can add annotations by clicking the **New** button, and also you can delete existing annotations by selecting and clicking **Delete** button.

+1. For **Configuration properties**, customize the configuration by clicking **Add** button to add properties. If you don't add a property, Azure Synapse will use the default value when applicable.

+ 

+1. Select **Continue** button.

+1. Select **Create** button when the validation succeeded.

+1. Publish all.

+> [!NOTE]

+> **Upload Apache Spark configuration** feature has been removed.

+> Pools using an uploaded configuration need to be updated. [Update your pool's configuration](#create-an-apache-spark-configuration-in-already-existing-apache-spark-pool) by selecting an existing configuration or creating a new configuration in the **Apache Spark configuration** menu for the pool. If no new configuration is selected, jobs for these pools will be run using the default configuration in the Spark system settings.

+1. Select an existing Apache Spark pool, and select action "..." button.

+1. Select the **Apache Spark configuration** in the content list.

+ 

+1. For Apache Spark configuration, you can select an already created configuration from the drop-down list, or select **+New** to create a new configuration.

+ * If you select **+New**, the Apache Spark Configuration page will open, and you can create a new configuration by following the steps in [Create custom configurations in Apache Spark configurations](#create-custom-configurations-in-apache-spark-configurations).

+ * If you select an existing configuration, the configuration details will be displayed at the bottom of the page, you can also select the **Edit** button to edit the existing configuration.

+ 

+1. Select **View Configurations** to open the **Select a Configuration** page. All configurations will be displayed on this page. You can select a configuration that you want to use on this Apache Spark pool.

+

+ 

+1. Select **Apply** button to save your action.

+1. Create a new/Open an existing Notebook.

+1. Open the **Properties** of this notebook.

+1. Select **Configure session** to open the Configure session page.

+1. Scroll down the configure session page, for Apache Spark configuration, expand the drop-down menu, you can select New button to [create a new configuration](#create-custom-configurations-in-apache-spark-configurations). Or select an existing configuration, if you select an existing configuration, select the **Edit** icon to go to the Edit Apache Spark configuration page to edit the configuration.

+1. Select **View Configurations** to open the **Select a Configuration** page. All configurations will be displayed on this page. You can select a configuration that you want to use.

+ 

+When you're creating a spark job definition, you need to use Apache Spark configuration, which can be created by following the steps below:

+1. Create a new/Open an existing Apache Spark job definition.

+1. For **Apache Spark configuration**, you can select the **New** button to [create a new configuration](#create-custom-configurations-in-apache-spark-configurations). Or select an existing configuration in the drop-down menu, if you select an existing configuration, select the **Edit** icon to go to the Edit Apache Spark configuration page to edit the configuration.

+1. Select **View Configurations** to open the **Select a Configuration** page. All configurations will be displayed on this page. You can select a configuration that you want to use.

+ 

+> [!NOTE]

+* Import .txt/.conf/.json configuration from local.

+* Export .txt/.conf/.json configuration to local.

+```txt

+spark.synapse.key1 sample

+spark.synapse.key2 true

+# spark.synapse.key3 sample2

+```

+```json

+{

+"configs": {

+ "spark.synapse.key1": "hello world",

+"spark.synapse.key2": "true"

+},

+"annotations": [

+ "Sample"

+]

+}

+```

+> [!NOTE]

+## Related content

+* [Use serverless Apache Spark pool in Synapse Studio](../quickstart-create-apache-spark-pool-studio.md).

+* [Run a Spark application in notebook](./apache-spark-development-using-notebooks.md).

+* [Collect Apache Spark applications logs and metrics with Azure Storage account](./azure-synapse-diagnostic-emitters-azure-storage.md).

+## Related content

+1. Open Synapse Studio, go to **Manage > Linked services** at left, select **New** to create a new linked service.

+2. Choose **Azure SQL Database** or **Azure Database for MySQL** based on your database type, select **Continue**.

+7. Select **Create** to create the linked service.

+Some network security rule settings could block access from Spark pool to the external Hive Metastore DB. Before you configure the Spark pool, run below code in any Spark pool notebook to test connection to the external Hive Metastore DB.

+>[!WARNING]

+>Don't publish the test scripts in your notebook with your password hardcoded as this could cause a potential security risk for your Hive Metastore.

+After creating the linked service to the external Hive Metastore successfully, you need to set up a few Spark configurations to use the external Hive Metastore. You can both set up the configuration at Spark pool level, or at Spark session level.

+|`spark.sql.hive.metastore.version`|Supported versions: <ul><li>`2.3`</li><li>`3.1`</li></ul> Make sure you use the first two parts without the third part|

+Here's an example for metastore version 2.3 with linked service named as HiveCatalog21:

+For notebook session, you can also configure the Spark session in notebook using `%%configure` magic command. Here's the code.

+2. Choose **Azure Blob Storage** and select **Continue**.

+5. **Test connection** and select **Create**.

+- Apache Ranger integration isn't supported.

+Synapse aims to work smoothly with computes from HDI. However HMS 3.1 in HDI 4.0 isn't fully compatible with the OSS HMS 3.1. Apply the following manually to your HMS 3.1 if itΓÇÖs not provisioned by HDI.

+### When sharing the metastore with HDInsight 4.0 Spark cluster, I can't see the tables

+If you want to share the Hive catalog with a spark cluster in HDInsight 4.0, ensure your property `spark.hadoop.metastore.catalog.default` in Synapse spark aligns with the value in HDInsight spark. The default value for HDI spark is `spark` and the default value for Synapse spark is `hive`.

+description: Overview of Delta Lake's key features and how it brings atomicity, consistency, isolation, and durability to Azure Synapse Analytics.

+| **Unified Batch and Streaming Source and Sink** | A table in Delta Lake is both a batch table, and a streaming source and sink. Streaming data ingest, batch historic backfill, and interactive queries all just work out of the box. |

+## Related content

+After selecting your operational database and tables, updates made to the operational data in Azure SQL Database or SQL Server 2022 are visible in the Azure Synapse Analytics dedicated SQL pool. They're available in near real-time with no ETL or data integration logic. You can focus on analytical and reporting logic against operational data via all the capabilities within Azure Synapse Analytics.

+You can now get rich insights by analyzing operational data in Azure SQL Database or SQL Server 2022 in near real-time to enable new business scenarios including operational BI reporting, real time scoring and personalization, or supply chain forecasting etc. via Azure Synapse Link for SQL.

+## Related content

+* [Azure Synapse Link for Azure SQL Database](sql-database-synapse-link.md) and how to [configure Azure Synapse Link for Azure SQL Database](connect-synapse-link-sql-database.md).

+* [Azure Synapse Link for SQL Server 2022](sql-server-2022-synapse-link.md) and how to [configure Azure Synapse Link for SQL Server 2022](connect-synapse-link-sql-server-2022.md).

+Open the link and save the opened script file. Don't save the address of the link, as it could change in the future.

+- Dynamic autoscaling currently requires access to the public Azure Storage endpoint `wvdhpustgr0prod.blob.core.windows.net` to deploy the RDAgent when creating session hosts. Until this is migrated to a [required endpoint for Azure Virtual Desktop](required-fqdn-endpoint.md), session hosts that can't access wvdhpustgr0prod.blob.core.windows.net will fail with a "CustomerVmNoAccessToDeploymentPackageException" error.

+Azure Virtual Desktop doesn't have any native features for managing disaster recovery scenarios, but you can use many other Azure services for each scenario depending on your requirements, such as [Availability sets](/azure/virtual-machines/availability-set-overview), [availability zones](../reliability/availability-zones-overview.md), Azure Site Recovery, and [Azure Files data redundancy](../storage/files/files-redundancy.md) options for user profiles and data.

+## Version 1.0.10292.500 (validation)

+| [Availability zones](../../availability-zones/az-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json) | Supported. Standard IPs can be nonzonal, zonal, or zone-redundant. **Zone redundant IPs can only be created in [regions where 3 availability zones](../../reliability/availability-zones-region-support.md) are live.** IPs created before availability zones aren't zone redundant. | Not supported. |

+Standard SKU Public IPs can be created as non-zonal, zonal, or zone-redundant in [regions that support availability zones](../../reliability/availability-zones-region-support.md). Basic SKU Public IPs do not have any zones and are created as non-zonal.

+| **[Availability zones](../../reliability/availability-zones-overview.md)** | Supported. Standard IPs can be nonzonal, zonal, or zone-redundant. Zone redundant IPs can only be created in [regions where three availability zones](../../reliability/availability-zones-region-support.md) are live. IPs created before availability zones aren't zone redundant. | Not supported |

+ Title: 'Tutorial: Connect virtual networks with peering'

+description: In this tutorial, you learn how to connect virtual networks with virtual network peering.

+ - template-tutorial

+ - devx-track-azurecli

+ - devx-track-azurepowershell

+ - linux-related-content

+content_well_notification:

+ - AI-contribution

+ai-usage: ai-assisted

+# Customer intent: I want to connect two virtual networks so that virtual machines in one virtual network can communicate with virtual machines in the other virtual network.

+# Tutorial: Connect virtual networks with virtual network peering

+You can connect virtual networks to each other with virtual network peering. These virtual networks can be in the same region or different regions (also known as global virtual network peering). Once virtual networks are peered, resources in both virtual networks can communicate with each other over a low-latency, high-bandwidth connection using Microsoft backbone network.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create virtual networks

+> * Connect two virtual networks with a virtual network peering

+> * Deploy a virtual machine (VM) into each virtual network

+> * Communicate between VMs

+## Prerequisites

+### [Portal](#tab/portal)

+- An Azure account with an active subscription. You can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+### [PowerShell](#tab/powershell)

+- An Azure account with an active subscription. You can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.

+### [CLI](#tab/cli)

+- This article requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+### [Portal](#tab/portal)

+

+Repeat the previous steps to create a second virtual network with the following values:

+>[!NOTE]

+>The second virtual network can be in the same region as the first virtual network or in a different region. You can skip the **Security** tab and the Bastion deployment for the second virtual network. After the network peer, you can connect to both virtual machines with the same Bastion deployment.

+| Setting | Value |

+| | |

+| Name | **vnet-2** |

+| Address space | **10.1.0.0/16** |

+| Resource group | **test-rg** |

+| Subnet name | **subnet-1** |

+| Subnet address range | **10.1.0.0/24** |

+### [PowerShell](#tab/powershell)

+Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup). The following example creates a resource group named **test-rg** in the **eastus** location.

+```azurepowershell-interactive

+$resourceGroup = @{

+ Name = "test-rg"

+ Location = "EastUS2"

+}

+New-AzResourceGroup @resourceGroup

+```

+Create a virtual network with [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork). The following example creates a virtual network named **vnet-1** with the address prefix **10.0.0.0/16**.

+```azurepowershell-interactive

+$vnet1 = @{

+ ResourceGroupName = "test-rg"

+ Location = "EastUS2"

+ Name = "vnet-1"

+ AddressPrefix = "10.0.0.0/16"

+}

+$virtualNetwork1 = New-AzVirtualNetwork @vnet1

+```

+Create a subnet configuration with [Add-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/add-azvirtualnetworksubnetconfig). The following example creates a subnet configuration with a **10.0.0.0/24** address prefix:

+```azurepowershell-interactive

+$subConfig = @{

+ Name = "subnet-1"

+ AddressPrefix = "10.0.0.0/24"

+ VirtualNetwork = $virtualNetwork1

+}

+$subnetConfig1 = Add-AzVirtualNetworkSubnetConfig @subConfig

+```

+Create a subnet configuration for Azure Bastion with [Add-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/add-azvirtualnetworksubnetconfig). The following example creates a subnet configuration with a **10.0.1.0/24** address prefix:

+```azurepowershell-interactive

+$subBConfig = @{

+ Name = "AzureBastionSubnet"

+ AddressPrefix = "10.0.1.0/24"

+ VirtualNetwork = $virtualNetwork1

+}

+$subnetConfig2 = Add-AzVirtualNetworkSubnetConfig @subBConfig

+```

+Write the subnet configuration to the virtual network with [Set-AzVirtualNetwork](/powershell/module/az.network/Set-azVirtualNetwork), which creates the subnet:

+```azurepowershell-interactive

+$virtualNetwork1 | Set-AzVirtualNetwork

+```

+### Create Azure Bastion

+Create a public IP address for the Azure Bastion host with [New-AzPublicIpAddress](/powershell/module/az.network/new-azpublicipaddress). The following example creates a public IP address named *public-ip-bastion* in the *vnet-1* virtual network.

+```azurepowershell-interactive

+$publicIpParams = @{

+ ResourceGroupName = "test-rg"

+ Name = "public-ip-bastion"

+ Location = "EastUS2"

+ AllocationMethod = "Static"

+ Sku = "Standard"

+}

+New-AzPublicIpAddress @publicIpParams

+```

+Create an Azure Bastion host with [New-AzBastion](/powershell/module/az.network/new-azbastion). The following example creates an Azure Bastion host named *bastion* in the *AzureBastionSubnet* subnet of the *vnet-1* virtual network. Azure Bastion is used to securely connect Azure virtual machines without exposing them to the public internet.

+```azurepowershell-interactive

+$bastionParams = @{

+ ResourceGroupName = "test-rg"

+ Name = "bastion"

+ VirtualNetworkName = "vnet-1"

+ PublicIpAddressName = "public-ip-bastion"

+ PublicIpAddressRgName = "test-rg"

+ VirtualNetworkRgName = "test-rg"

+}

+New-AzBastion @bastionParams -AsJob

+```

+### Create a second virtual network

+Create a second virtual network with [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork). The following example creates a virtual network named **vnet-2** with the address prefix **10.1.0.0/16**.

+>[!NOTE]

+>The second virtual network can be in the same region as the first virtual network or in a different region. You don't need a Bastion deployment for the second virtual network. After the network peer, you can connect to both virtual machines with the same Bastion deployment.

+```azurepowershell-interactive

+$vnet2 = @{

+ ResourceGroupName = "test-rg"

+ Location = "EastUS2"

+ Name = "vnet-2"

+ AddressPrefix = "10.1.0.0/16"

+}

+$virtualNetwork2 = New-AzVirtualNetwork @vnet2

+```

+Create a subnet configuration with [Add-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/add-azvirtualnetworksubnetconfig). The following example creates a subnet configuration with a **10.1.0.0/24** address prefix:

+```azurepowershell-interactive

+$subConfig = @{

+ Name = "subnet-1"

+ AddressPrefix = "10.1.0.0/24"

+ VirtualNetwork = $virtualNetwork2

+}

+$subnetConfig = Add-AzVirtualNetworkSubnetConfig @subConfig

+```

+Write the subnet configuration to the virtual network with [Set-AzVirtualNetwork](/powershell/module/az.network/Set-azVirtualNetwork), which creates the subnet:

+```azurepowershell-interactive

+$virtualNetwork2 | Set-AzVirtualNetwork

+```

+### [CLI](#tab/cli)

+Before creating a virtual network, you have to create a resource group for the virtual network, and all other resources created in this article. Create a resource group with [az group create](/cli/azure/group). The following example creates a resource group named **test-rg** in the **eastus** location.

+```azurecli-interactive

+az group create \

+ --name test-rg \

+ --location eastus2

+```

+Create a virtual network with [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create). The following example creates a virtual network named **vnet-1** with the address prefix **10.0.0.0/16**.

+```azurecli-interactive

+az network vnet create \

+ --name vnet-1 \

+ --resource-group test-rg \

+ --address-prefixes 10.0.0.0/16 \

+ --subnet-name subnet-1 \

+ --subnet-prefix 10.0.0.0/24

+```

+Create the Bastion subnet with [az network vnet subnet create](/cli/azure/network/vnet/subnet).

+```azurecli-interactive

+# Create a bastion subnet.

+az network vnet subnet create \

+ --vnet-name vnet-1 \

+ --resource-group test-rg \

+ --name AzureBastionSubnet \

+ --address-prefix 10.0.1.0/24

+```

+### Create Azure Bastion

+Create a public IP address for the Azure Bastion host with [az network public-ip create](/cli/azure/network/public-ip). The following example creates a public IP address named *public-ip-bastion* in the *vnet-1* virtual network.

+```azurecli-interactive

+az network public-ip create \

+ --resource-group test-rg \

+ --name public-ip-bastion \

+ --location eastus2 \

+ --allocation-method Static \

+ --sku Standard

+```

+Create an Azure Bastion host with [az network bastion create](/cli/azure/network/bastion). The following example creates an Azure Bastion host named *bastion* in the *AzureBastionSubnet* subnet of the *vnet-1* virtual network. Azure Bastion is used to securely connect Azure virtual machines without exposing them to the public internet.

+```azurecli-interactive

+az network bastion create \

+ --resource-group test-rg \

+ --name bastion \

+ --vnet-name vnet-1 \

+ --public-ip-address public-ip-bastion \

+ --location eastus2 \

+ --no-wait

+```

+### Create a second virtual network

+Create a second virtual network with [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create). The following example creates a virtual network named **vnet-2** with the address prefix **10.1.0.0/16**.

+>[!NOTE]

+>The second virtual network can be in the same region as the first virtual network or in a different region. You don't need a Bastion deployment for the second virtual network. After the network peer, you can connect to both virtual machines with the same Bastion deployment.

+```azurecli-interactive

+az network vnet create \

+ --name vnet-2 \

+ --resource-group test-rg \

+ --address-prefixes 10.1.0.0/16 \

+ --subnet-name subnet-1 \

+ --subnet-prefix 10.1.0.0/24

+```

+### [Portal](#tab/portal)

+<a name="peer-virtual-networks"></a>

+### [PowerShell](#tab/powershell)

+## Peer virtual networks

+Create a peering with [Add-AzVirtualNetworkPeering](/powershell/module/az.network/add-azvirtualnetworkpeering). The following example peers **vnet-1** to **vnet-2**.

+```azurepowershell-interactive

+$peerConfig1 = @{

+ Name = "vnet-1-to-vnet-2"

+ VirtualNetwork = $virtualNetwork1

+ RemoteVirtualNetworkId = $virtualNetwork2.Id

+}

+Add-AzVirtualNetworkPeering @peerConfig1

+```

+In the output returned after the previous command executes, you see that the **PeeringState** is **Initiated**. The peering remains in the **Initiated** state until you create the peering from **vnet-2** to **vnet-1**. Create a peering from **vnet-2** to **vnet-1**.

+```azurepowershell-interactive

+$peerConfig2 = @{

+ Name = "vnet-2-to-vnet-1"

+ VirtualNetwork = $virtualNetwork2

+ RemoteVirtualNetworkId = $virtualNetwork1.Id

+}

+Add-AzVirtualNetworkPeering @peerConfig2

+```

+In the output returned after the previous command executes, you see that the **PeeringState** is **Connected**. Azure also changed the peering state of the **vnet-1-to-vnet-2** peering to **Connected**. Confirm that the peering state for the **vnet-1-to-vnet-2** peering changed to **Connected** with [Get-AzVirtualNetworkPeering](/powershell/module/az.network/get-azvirtualnetworkpeering).

+```azurepowershell-interactive

+$peeringState = @{

+ ResourceGroupName = "test-rg"

+ VirtualNetworkName = "vnet-1"

+}

+Get-AzVirtualNetworkPeering @peeringState | Select PeeringState

+```

+Resources in one virtual network can't communicate with resources in the other virtual network until the **PeeringState** for the peerings in both virtual networks is **Connected**.

+### [CLI](#tab/cli)

+## Peer virtual networks

+Peerings are established between virtual network IDs. Obtain the ID of each virtual network with [az network vnet show](/cli/azure/network/vnet#az-network-vnet-show) and store the ID in a variable.

+```azurecli-interactive

+# Get the id for vnet-1.

+vNet1Id=$(az network vnet show \

+ --resource-group test-rg \

+ --name vnet-1 \

+ --query id --out tsv)

+# Get the id for vnet-2.

+vNet2Id=$(az network vnet show \

+ --resource-group test-rg \

+ --name vnet-2 \

+ --query id \

+ --out tsv)

+```

+Create a peering from **vnet-1** to **vnet-2** with [az network vnet peering create](/cli/azure/network/vnet/peering#az-network-vnet-peering-create). If the `--allow-vnet-access` parameter isn't specified, a peering is established, but no communication can flow through it.

+```azurecli-interactive

+az network vnet peering create \

+ --name vnet-1-to-vnet-2 \

+ --resource-group test-rg \

+ --vnet-name vnet-1 \

+ --remote-vnet $vNet2Id \

+ --allow-vnet-access

+```

+In the output returned after the previous command executes, you see that the **peeringState** is **Initiated**. The peering remains in the **Initiated** state until you create the peering from **vnet-2** to **vnet-1**. Create a peering from **vnet-2** to **vnet-1**.

+```azurecli-interactive

+az network vnet peering create \

+ --name vnet-2-to-vnet-1 \

+ --resource-group test-rg \

+ --vnet-name vnet-2 \

+ --remote-vnet $vNet1Id \

+ --allow-vnet-access

+```

+In the output returned after the previous command executes, you see that the **peeringState** is **Connected**. Azure also changed the peering state of the **vnet-1-to-vnet-2** peering to **Connected**. Confirm that the peering state for the **vnet-1-to-vnet-2** peering changed to **Connected** with [az network vnet peering show](/cli/azure/network/vnet/peering#az-network-vnet-show).

+```azurecli-interactive

+az network vnet peering show \

+ --name vnet-1-to-vnet-2 \

+ --resource-group test-rg \

+ --vnet-name vnet-1 \

+ --query peeringState

+```

+Resources in one virtual network can't communicate with resources in the other virtual network until the **peeringState** for the peerings in both virtual networks is **Connected**.

+## Create virtual machines

+Test the communication between the virtual machines by creating a virtual machine in each virtual network. The virtual machines can communicate with each other over the virtual network peering.

+### [Portal](#tab/portal)

+Repeat the previous steps to create a second virtual machine in the second virtual network with the following values:

+| Setting | Value |

+| | |

+| Virtual machine name | **vm-2** |

+| Region | **East US 2** or same region as **vnet-2**. |

+| Virtual network | Select **vnet-2**. |

+| Subnet | Select **subnet-1 (10.1.0.0/24)**. |

+| Public IP | **None** |

+| Network security group name | **nsg-2** |

+### [PowerShell](#tab/powershell)

+### Create the first virtual machine

+Create a VM with [New-AzVM](/powershell/module/az.compute/new-azvm). The following example creates a VM named **vm-1** in the **vnet-1** virtual network. When prompted, enter the username and password for the virtual machine.

+```azurepowershell-interactive

+# Create a credential object

+$cred = Get-Credential

+# Define the VM parameters

+$vmParams = @{

+ ResourceGroupName = "test-rg"

+ Location = "EastUS2"

+ Name = "vm-1"

+ ImageName = "Canonical:ubuntu-24_04-lts:server-gen1:latest"

+ Size = "Standard_DS1_v2"

+ Credential = $cred

+ VirtualNetworkName = "vnet-1"

+ SubnetName = "subnet-1"

+ PublicIpAddressName = $null # No public IP address

+}

+# Create the VM

+New-AzVM @vmParams

+```

+### Create the second VM

+```azurepowershell-interactive

+# Create a credential object

+$cred = Get-Credential

+# Define the VM parameters

+$vmParams = @{

+ ResourceGroupName = "test-rg"

+ Location = "EastUS2"

+ Name = "vm-2"

+ ImageName = "Canonical:ubuntu-24_04-lts:server-gen1:latest"

+ Size = "Standard_DS1_v2"

+ Credential = $cred

+ VirtualNetworkName = "vnet-2"

+ SubnetName = "subnet-1"

+ PublicIpAddressName = $null # No public IP address

+}

+# Create the VM

+New-AzVM @vmParams

+```

+### [CLI](#tab/cli)

+### Create the first VM

+Create a VM with [az vm create](/cli/azure/vm#az-vm-create). The following example creates a VM named **vm-1** in the **vnet-1** virtual network. If SSH keys don't already exist in a default key location, the command creates them. The `--no-wait` option creates the VM in the background, so you can continue to the next step.

+```azurecli-interactive

+az vm create \

+ --resource-group test-rg \

+ --name vm-1 \

+ --image Ubuntu2204 \

+ --vnet-name vnet-1 \

+ --subnet subnet-1 \

+ --admin-username azureuser \

+ --authentication-type password \

+ --no-wait

+```

+### Create the second VM

+Create a VM in the **vnet-2** virtual network.

+```azurecli-interactive

+az vm create \

+ --resource-group test-rg \

+ --name vm-2 \

+ --image Ubuntu2204 \

+ --vnet-name vnet-2 \

+ --subnet subnet-1 \

+ --admin-username azureuser \

+ --authentication-type password

+```

+The VM takes a few minutes to create.

+Wait for the virtual machines to be created before continuing with the next steps.

+## Connect to a virtual machine

+Use `ping` to test the communication between the virtual machines. Sign-in to the Azure portal to complete the following steps.

+1. In the portal, search for and select **Virtual machines**.

+1. On the **Virtual machines** page, select **vm-1**.

+1. In the **Overview** of **vm-1**, select **Connect**.

+1. In the **Connect to virtual machine** page, select the **Bastion** tab.

+1. Select **Use Bastion**.

+1. Enter the username and password you created when you created the VM, and then select **Connect**.

+## Communicate between VMs

+1. At the bash prompt for **vm-1**, enter `ping -c 4 10.1.0.4`.

+ You get a reply similar to the following message:

+ ```output

+ azureuser@vm-1:~$ ping -c 4 10.1.0.4

+ PING 10.1.0.4 (10.1.0.4) 56(84) bytes of data.

+ 64 bytes from 10.1.0.4: icmp_seq=1 ttl=64 time=2.29 ms

+ 64 bytes from 10.1.0.4: icmp_seq=2 ttl=64 time=1.06 ms

+ 64 bytes from 10.1.0.4: icmp_seq=3 ttl=64 time=1.30 ms

+ 64 bytes from 10.1.0.4: icmp_seq=4 ttl=64 time=0.998 ms

+ 10.1.0.4 ping statistics

+ 4 packets transmitted, 4 received, 0% packet loss, time 3004ms

+ rtt min/avg/max/mdev = 0.998/1.411/2.292/0.520 ms

+ ```

+1. Close the Bastion connection to **vm-1**.

+1. Repeat the steps in [Connect to a virtual machine](#connect-to-a-virtual-machine) to connect to **vm-2**.

+1. At the bash prompt for **vm-2**, enter `ping -c 4 10.0.0.4`.

+ You get a reply similar to the following message:

+ ```output

+ azureuser@vm-2:~$ ping -c 4 10.0.0.4

+ PING 10.0.0.4 (10.0.0.4) 56(84) bytes of data.

+ 64 bytes from 10.0.0.4: icmp_seq=1 ttl=64 time=1.81 ms

+ 64 bytes from 10.0.0.4: icmp_seq=2 ttl=64 time=3.35 ms

+ 64 bytes from 10.0.0.4: icmp_seq=3 ttl=64 time=0.811 ms

+ 64 bytes from 10.0.0.4: icmp_seq=4 ttl=64 time=1.28 ms

+ ```

+1. Close the Bastion connection to **vm-2**.

+### [Portal](#tab/portal)

+### [PowerShell](#tab/powershell)

+When no longer needed, use [Remove-AzResourcegroup](/powershell/module/az.resources/remove-azresourcegroup) to remove the resource group and all of the resources it contains.

+```azurepowershell-interactive

+$rgParams = @{

+ Name = "test-rg"

+}

+Remove-AzResourceGroup @rgParams -Force

+```

+### [CLI](#tab/cli)

+When no longer needed, use [az group delete](/cli/azure/group) to remove the resource group and all of the resources it contains.

+```azurecli-interactive

+az group delete \

+ --name test-rg \

+ --yes \

+ --no-wait

+```

+## Next steps

+In this tutorial, you:

+* Created virtual network peering between two virtual networks.

+* Tested the communication between two virtual machines over the virtual network peering with `ping`.

+To learn more about a virtual network peering:

+> [!div class="nextstepaction"]

+> [Virtual network peering](virtual-network-peering-overview.md)

+### Why does connectivity not work when I advertise routes with an ASN of 0 in the AS-Path?

+The Virtual WAN hub drops routes with an ASN of 0 in the AS-Path. To ensure these routes are successfully advertised into Azure, the AS-Path should not include 0.

+These SKUs are available in Azure regions that have Azure availability zones. For more information, see [Azure regions with availability zones](../reliability/availability-zones-region-support.md).

+ Title: Create a virtual network gateway - PowerShell

+description: Learn how to create a virtual network gateway for VPN Gateway connections using PowerShell.

+This article helps you create an Azure VPN gateway using PowerShell. A VPN gateway is used when creating a VPN connection to your on-premises network. You can also use a VPN gateway to connect virtual networks. For more comprehensive information about some of the settings in this article, see [Create a VPN gateway - portal](tutorial-create-gateway-portal.md).

+The steps in this article create a virtual network, a subnet, a gateway subnet, and a route-based, zone-redundant active-active mode VPN gateway (virtual network gateway) using the Generation 2 VpnGw2AZ SKU. Once the gateway is created, you can configure connections.

+* If you want to create a VPN gateway using the **Basic** SKU instead, see [Create a Basic SKU VPN gateway](create-gateway-basic-sku-powershell.md).

+* We recommend that you create an active-active mode VPN gateway when possible. Active-active mode VPN gateways provide better availability and performance than standard mode VPN gateways. For more information about active-active gateways, see [About active-active mode gateways](about-active-active-gateways.md).

+* For information about availability zones and zone redundant gateways, see [What are availability zones](/azure/reliability/availability-zones-overview?toc=%2Fazure%2Fvpn-gateway%2Ftoc.json&tabs=azure-cli#availability-zones)?

+> [!NOTE]

+> [!INCLUDE [AZ SKU region support note](../../includes/vpn-gateway-az-regions-support-include.md)]

+Create an Azure resource group using the [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) command. A resource group is a logical container into which Azure resources are deployed and managed. If you're running PowerShell locally, open your PowerShell console with elevated privileges and connect to Azure using the `Connect-AzAccount` command.

+If you don't already have a virtual network, create one with [New-AzVirtualNetwork](/powershell/module/az.network/new-azvirtualnetwork). When you create a virtual network, make sure that the address spaces you specify don't overlap any of the address spaces that you have on your on-premises network. If a duplicate address range exists on both sides of the VPN connection, traffic doesn't route the way you might expect it to. Additionally, if you want to connect this virtual network to another virtual network, the address space can't overlap with other virtual network. Take care to plan your network configuration accordingly.

+The following example creates a virtual network named **VNet1** in the **EastUS** location:

+Create a subnet configuration using the [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig) cmdlet. The FrontEnd subnet isn't used in this exercise. You can substitute your own subnet name.

+ -Name FrontEnd `

+## <a name="PublicIP"></a>Request public IP addresses

+A VPN gateway must have a public IP address. When you create a connection to a VPN gateway, this is the IP address that you specify. For active-active mode gateways, each gateway instance has its own public IP address resource. You first request the IP address resource, and then refer to it when creating your virtual network gateway. Additionally, for any gateway SKU ending in *AZ*, you must also specify the Zone setting. This example specifies a zone-redundant configuration because it specifies all three regional zones.

+The IP address is assigned to the resource when the VPN gateway is created. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

+Use the following examples to request a static public IP address for each gateway instance.

+```

+To create an active-active gateway (recommended), request a second public IP address:

+Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. Once the gateway is created, you can create connection between your virtual network and your on-premises location. Or, create a connection between your virtual network and another virtual network.

+Create a VPN gateway using the [New-AzVirtualNetworkGateway](/powershell/module/az.network/New-azVirtualNetworkGateway) cmdlet. Notice in the examples that both public IP addresses are referenced and the gateway is configured as active-active using the `EnableActiveActiveFeature` switch. In the example, we add the optional `-Debug` switch. If you want to create a gateway using a different SKU, see [About Gateway SKUs](about-gateway-skus.md) to determine the SKU that best fits your configuration requirements.

+## <a name="viewgwpip"></a>View gateway IP addresses

+Each VPN gateway instance is assigned a public IP address resource. To view the IP address associated with the resource, use the [Get-AzPublicIpAddress](/powershell/module/az.network/Get-azPublicIpAddress) cmdlet. Repeat for each gateway instance. Active-active gateways have a different public IP address assigned to each instance.

+Once the gateway is created, you can configure connections.

+* [Create a site-to-site connection](vpn-gateway-create-site-to-site-rm-powershell.md)

+* [Create a point-to-site connection](vpn-gateway-howto-point-to-site-rm-ps.md)

+* [Create a connection to another virtual network](vpn-gateway-vnet-vnet-rm-ps.md)

+ Title: Create a virtual network gateway - CLI

+description: Learn how to create a virtual network gateway for VPN Gateway connections using CLI.

+# Create a VPN gateway using CLI

+This article helps you create an Azure VPN gateway using Azure CLI. A VPN gateway is used when creating a VPN connection to your on-premises network. You can also use a VPN gateway to connect virtual networks. For more comprehensive information about some of the settings in this article, see [Create a VPN gateway - portal](tutorial-create-gateway-portal.md).

+The steps in this article create a virtual network, a subnet, a gateway subnet, and a route-based, zone-redundant active-active mode VPN gateway (virtual network gateway) using the Generation 2 VpnGw2AZ SKU. The steps in this article create a virtual network, a subnet, a gateway subnet, and a route-based, zone-redundant active-active mode VPN gateway (virtual network gateway) using the Generation 2 VpnGw2AZ SKU. Once the gateway is created, you can configure connections.

+* If you want to create a VPN gateway using the **Basic** SKU instead, see [Create a Basic SKU VPN gateway](create-gateway-basic-sku-powershell.md).

+* We recommend that you create an active-active mode VPN gateway when possible. Active-active mode VPN gateways provide better availability and performance than standard mode VPN gateways. For more information about active-active gateways, see [About active-active mode gateways](about-active-active-gateways.md).

+* For information about availability zones and zone redundant gateways, see [What are availability zones](/azure/reliability/availability-zones-overview?toc=%2Fazure%2Fvpn-gateway%2Ftoc.json&tabs=azure-cli#availability-zones)?

+> [!NOTE]

+> [!INCLUDE [AZ SKU region support note](../../includes/vpn-gateway-az-regions-support-include.md)]

+## Before you begin

+These steps require an Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* This article requires version 2.0.4 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+If you don't already have a virtual network, create one using the [az network vnet create](/cli/azure/network/vnet) command. When you create a virtual network, make sure that the address spaces you specify don't overlap any of the address spaces that you have on your on-premises network. If a duplicate address range exists on both sides of the VPN connection, traffic doesn't route the way you might expect it to. Additionally, if you want to connect this virtual network to another virtual network, the address space can't overlap with other virtual network. Take care to plan your network configuration accordingly.

+The following example creates a virtual network named 'VNet1' and a subnet, 'FrontEnd'. The FrontEnd subnet isn't used in this exercise. You can substitute your own subnet name.

+ --subnet-name FrontEnd \

+Use the following example to add a gateway subnet:

+## <a name="PublicIP"></a>Request public IP addresses

+A VPN gateway must have a public IP address. When you create a connection to a VPN gateway, this is the IP address that you specify. For active-active mode gateways, each gateway instance has its own public IP address resource. You first request the IP address resource, and then refer to it when creating your virtual network gateway. Additionally, for any gateway SKU ending in *AZ*, you must also specify the Zone setting. This example specifies a zone-redundant configuration because it specifies all three regional zones.

+The IP address is assigned to the resource when the VPN gateway is created. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

+Use the [az network public-ip create](/cli/azure/network/public-ip) command to request a public IP address:

+az network public-ip create --name VNet1GWpip1 --resource-group TestRG1 --allocation-method Static --sku Standard --version IPv4 --zone 1 2 3

+```

+To create an active-active gateway (recommended), request a second public IP address:

+```azurecli-interactive

+az network public-ip create --name VNet1GWpip2 --resource-group TestRG1 --allocation-method Static --sku Standard --version IPv4 --zone 1 2 3

+Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. Once the gateway is created, you can create connection between your virtual network and your on-premises location. Or, create a connection between your virtual network and another virtual network.

+Create the VPN gateway using the [az network vnet-gateway create](/cli/azure/network/vnet-gateway) command. If you run this command by using the `--no-wait` parameter, you don't see any feedback or output. The `--no-wait` parameter allows the gateway to be created in the background. It doesn't mean that the VPN gateway is created immediately. If you want to create a gateway using a different SKU, see [About Gateway SKUs](about-gateway-skus.md) to determine the SKU that best fits your configuration requirements.

+**Active-active mode gateway**

+az network vnet-gateway create --name VNet1GW --public-ip-addresses VNet1GWpip1 VNet1GWpip2 --resource-group TestRG1 --vnet VNet1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2AZ --vpn-gateway-generation Generation2 --no-wait

+```

+**Active-standby mode gateway**

+```azurecli-interactive

+az network vnet-gateway create --name VNet1GW --public-ip-addresses VNet1GWpip1 --resource-group TestRG1 --vnet VNet1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2AZ --vpn-gateway-generation Generation2 --no-wait

+## View gateway IP addresses

+Each VPN gateway instance is assigned a public IP address resource. To view the IP address associated with the resource, use the following command. Repeat for each gateway instance.

+az network public-ip show -g TestRG1 -n VNet1GWpip1

+```azurecli-interactive

+Once the gateway is created, you can configure connections.

+* [Create a site-to-site connection](vpn-gateway-howto-site-to-site-resource-manager-cli.md)

+* [Create a connection to another virtual network](vpn-gateway-howto-vnet-vnet-cli.md)

+* [Create a point-to-site connection](point-to-site-about.md)

+You can deploy VPN and ExpressRoute gateways in Azure availability zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in availability zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. For more information, see [About zone-redundant virtual network gateways](about-zone-redundant-vnet-gateways.md), [What are availability zones?](../reliability/availability-zones-overview.md), and [Azure regions with availability zones](../reliability/availability-zones-region-support.md).

+Declare the variables that you want to use. Use the following sample, substituting the values for your own when necessary. If you close your PowerShell/Cloud Shell session at any point during the exercise, just copy and paste the values again to redeclare the variables. When specifying location, verify that the region you specify is supported. For more information, see [Azure regions with availability zones](../reliability/availability-zones-region-support.md).

+Yes. AZ SKUs get the benefits of Zone redundancy for VPN gateways in [Azure regions with availability zones](../reliability/availability-zones-region-support.md). If the region doesn't support zone redundancy, the gateway is regional until the region it's deployed to supports zone redundancy.

+> * Create an active-active mode zone-redundant VPN gateway.

+* If you want to learn more about the configuration settings used in this tutorial, see [About VPN Gateway configuration settings](vpn-gateway-about-vpn-gateway-settings.md).

+* For more information about Azure VPN Gateway, see [What is Azure VPN Gateway](vpn-gateway-about-vpngateways.md).

+* If you want to create a gateway using the Basic SKU (instead of VpnGw2AZ), see [Create a Basic SKU VPN gateway](create-gateway-basic-sku-powershell.md).

+* For more information about active-active mode gateways, see [About active-active mode](about-active-active-gateways.md).

+* For more information about zone-redundant gateways, see [About zone-redundant gateways](about-zone-redundant-vnet-gateways.md).

+> [!NOTE]

+> [!INCLUDE [AZ SKU region support note](../../includes/vpn-gateway-az-regions-support-include.md)]

+ Title: 'Connect your on-premises network to an Azure virtual network: site-to-site VPN: PowerShell'

+description: Learn how to create a site-to-site VPN Gateway connection between your on-premises network and an Azure virtual network using PowerShell.

+# Create a site-to-site VPN connection using PowerShell

+This article shows you how to use PowerShell to create a site-to-site VPN gateway connection from your on-premises network to a virtual network (VNet). The steps in this article apply to the [Resource Manager deployment model](../azure-resource-manager/management/deployment-models.md).

+## Prerequisites

+Verify that your environment meets the following criteria before beginning your configuration:

+* Verify that you have a functioning route-based VPN gateway. To create a VPN gateway, see [Create a VPN gateway](create-gateway-powershell.md).

+* If you're unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure routes to your on-premises location. None of the subnets of your on-premises network can over lap with the virtual network subnets that you want to connect to.

+## <a name="localnet"></a>Create a local network gateway

+The local network gateway (LNG) typically refers to your on-premises location. It isn't the same as a virtual network gateway. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you'll create a connection. You also specify the IP address prefixes that are routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes, you can easily update the prefixes.

+* The *GatewayIPAddress* is the IP address of your on-premises VPN device, not your Azure VPN gateway.

+ -Location 'East US' -GatewayIpAddress '[IP address of your on-premises VPN device]' -AddressPrefix '10.0.0.0/24'

+ -Location 'East US' -GatewayIpAddress '[IP address of your on-premises VPN device]' -AddressPrefix @('192.168.0.0/24','10.0.0.0/24')

+## <a name="ConfigureVPNDevice"></a>Configure your VPN device

+* A shared key. You'll use this shared key both when you configure your VPN device, and when you create your site-to-site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use. The important thing is that the key is the same on both sides of the connection.

+* The public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the public IP address of your virtual network gateway using PowerShell, use the following example. In this example, VNet1GWpip1 is the name of the public IP address resource that you created in an earlier step.

+ Get-AzPublicIpAddress -Name VNet1GWpip1 -ResourceGroupName TestRG1

+## <a name="CreateConnection"></a>Create the VPN connection

+Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device. If you're using an active-active mode gateway (recommended), each gateway VM instance has a separate IP address. To properly configure [highly available connectivity](vpn-gateway-highlyavailable.md), you must establish a tunnel between each VM instance and your VPN device. Both tunnels are part of the same connection.

+Be sure to replace the values in the examples with your own. The shared key must match the value you used for your VPN device configuration. Notice that the '-ConnectionType' for site-to-site is **IPsec**.

+## <a name="toverify"></a>Verify the VPN connection