+1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Microsoft Entra tenant from the **Directories + subscriptions** menu.

+The LUIS container sends billing information to Azure, using an _Azure AI services_ resource on your Azure account.

+| [Speech Service API][sp-containers-lid] | **Speech language identification** ([image](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/language-detection/about)) | Determines the language of spoken audio. | Preview |

+You can configure Azure AI services resources to allow access from specific subnets only. The allowed subnets might belong to a virtual network in the same subscription or in a different subscription. The other subscription can belong to a different Microsoft Entra tenant. When the subnet belongs to a different subscription, the Microsoft.CognitiveServices resource provider needs to be also registered for that subscription.

+The `Billing` setting specifies the endpoint URI of the _Azure AI services_ resource on Azure used to meter billing information for the container. You must specify a value for this configuration setting, and the value must be a valid endpoint URI for an _Azure AI services_ resource on Azure. The container reports usage about every 10 to 15 minutes.

+You need to grant Document Intelligence access to your storage account before it can read blobs. Now that you've enabled Document Intelligence with a system-assigned managed identity, you can use Azure role-based access control (Azure RBAC), to give Document Intelligence access to Azure storage. The **Storage Blob Data Reader** role gives Document Intelligence (represented by the system-assigned managed identity) read and list access to the blob container and data.

+### Additional role assignment for Document Intelligence Studio

+If you are going to use Document Intelligence Studio and your storage account is configured with network restriction such as firewall or virtual network, an additional role, **Storage Blob Data Contributor**, needs to be assigned to your Document Intelligence service. Document Intelligence Studio requires this role to write blobs to your storage account when you perform Auto label, OCR upgrade, Human in the loop, or Project sharing operations.

+#### Azure role assignments

+For document analysis and prebuilt models, following role assignments are required for different scenarios.

+* Basic

+ * **Cognitive Services User**: you need this role to Document Intelligence or Azure AI services resource to enter the analyze page.

+* Advanced

+ * **Contributor**: you need this role to create resource group, Document Intelligence service, or Azure AI services resource.

+### Azure role assignments

+For custom projects, the following role assignments are required for different scenarios.

+* Basic

+ * **Cognitive Services User**: You need this role for Document Intelligence or Azure AI services resource to train the custom model or do analysis with trained models.

+ * **Storage Blob Data Contributor**: You need this role for the Storage Account to create a project and label data.

+* Advanced

+ * **Storage Account Contributor**: You need this role for the Storage Account to set up CORS settings (this is a one-time effort if the same storage account is reused).

+ * **Contributor**: You need this role to create a resource group and resources.

+With the improved quality of content from generative AI models, there is an increased need for more transparency on the origin of AI-generated content. All AI-generated images from the Azure OpenAI service now include Content Credentials, a tamper-evident way to disclose the origin and history of content. Content Credentials are based on an open technical specification from the [Coalition for Content Provenance and Authenticity (C2PA)](https://www.c2pa.org), a Joint Development Foundation project.

+## What are Content Credentials?

+Content Credentials in the Azure OpenAI Service provide customers with information about the origin of an image generated by the DALL-E series models. This information is represented by a manifest attached to the image. The manifest is cryptographically signed by a certificate that traces back to Azure OpenAI Service.

+The manifest contains several key pieces of information:

+|`"when"` |The timestamp of when the Content Credentials were created. |

+Content Credentials in the Azure OpenAI Service can help people understand when visual content is AI-generated. For more information on how to responsibly build solutions with Azure OpenAI service image-generation models, visit the [Azure OpenAI transparency note](/legal/cognitive-services/openai/transparency-note?tabs=text).

+1. **Content Credentials Verify webpage (contentcredentials.org/verify)**: This is a tool that allows users to inspect the Content Credentials of a piece of content. If an image was generated by DALL-E in Azure OpenAI, the tool will display that its Content Credentials were issued by Microsoft Corporation alongside the date and time of issuance.

+ This page shows that an image generated by Azure OpenAI DALL-E has Content Credentials issued by Microsoft.

+2. **Content Authenticity Initiative (CAI) open-source tools**: The CAI provides multiple open-source tools that validate and display C2PA Content Credentials. Find the tool right for your application and [get started here](https://opensource.contentauthenticity.org/).

+

+OpenAI uses the `model` keyword argument to specify what model to use. Azure OpenAI has the concept of unique model [deployments](create-resource.md?pivots=web-portal#deploy-a-model). When using Azure OpenAI `model` should refer to the underling deployment name you chose when you deployed the model.

+* Create a new node pool with Artifact Streaming enabled using the [`az aks nodepool add`][az-aks-nodepool-add] command with the `--enable-artifact-streaming`.

+ --enable-artifact-streaming

+### Azure CNI Cluster Upgrade

+### Kubenet Cluster Upgrade

+Update an existing Kubenet cluster to use Azure CNI Overlay using the [`az aks update`][az-aks-update] command.

+```azurecli-interactive

+clusterName="myOverlayCluster"

+resourceGroup="myResourceGroup"

+location="westcentralus"

+az aks update --name $clusterName \

+--resource-group $resourceGroup \

+--network-plugin azure \

+--network-plugin-mode overlay

+```

+Since the cluster is already using a private CIDR for pods, you don't need to specify the `--pod-cidr` parameter and the Pod CIDR will remain the same.

+> [NOTE!]

+> When upgrading from Kubenet to CNI Overlay, the route table will no longer be required for pod routing. If the cluster is using a customer provided route table, the routes which were being used to direct pod traffic to the correct node will automatically be deleted during the migration operation. If the cluster is using a managed route table (the route table was created by AKS and lives in the node resource group) then that route table will be deleted as part of the migration.

+[aks-view-master-logs]: monitor-aks.md#aks-control-planeresource-logs

+- Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central India, Central US, East Asia, East US, East US 2, East US 2 EAUP, France Central, France South, Germany North, Germany West Central, Japan East, Japan West, Jio India West, Korea Central, Korea South, North Central Us, North Europe, Norway East, Norway West, South Africa North, South Central US, South India, Southeast Asia, Sweden Central, Switzerland North, UAE North, UK South, UK West, West Central US, West Europe, West US, West US 2, West US 3

+AKS implements control plane logs for the cluster as [resource logs in Azure Monitor](../azure-monitor/essentials/resource-logs.md). See [Resource logs](monitor-aks.md#aks-control-planeresource-logs) for details on creating a diagnostic setting to collect these logs and [Sample queries](monitor-aks-reference.md#resource-logs) for query examples.

+When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation. This article describes the monitoring data generated by AKS and analyzed with [Azure Monitor](../azure-monitor/overview.md). If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](../azure-monitor/containers/monitor-kubernetes.md).

+> Kubernetes is a complex distributed system with many moving parts so monitoring at multiple levels is required. Although AKS is a managed Kubernetes service, the same rigor around monitoring at multiple levels is still required. This article provides high level information and best practices for monitoring an AKS cluster. See the following for additional details.

+- For detailed monitoring of the complete Kubernetes stack, see [Monitor Azure Kubernetes Service (AKS) with Azure Monitor](../azure-monitor/containers/monitor-kubernetes.md)

+- For collecting metric data from Kubernetes clusters, see [Azure Monitor managed service for Prometheus](../azure-monitor/essentials/prometheus-metrics-overview.md).

+- For collecting logs in Kubernetes clusters, see [Container insights](../azure-monitor/containers/container-insights-overview.md).

+- For data visualization, see [Azure Workbooks](../azure-monitor/visualize/workbooks-overview.md) and [Azure Managed Grafana](../azure-monitor/visualize/grafana-plugin.md).

+AKS generates the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data-from-azure-resources). See [Monitoring AKS data reference](monitor-aks-reference.md) for detailed information on the metrics and logs created by AKS. [Other Azure services and features](#integrations) collect other data and enable other analysis options as shown in the following diagram and table.

+| Source | Description |

+| Resource logs | Control plane logs for AKS are implemented as resource logs. [Create a diagnostic setting](#aks-control-planeresource-logs) to send them to [Log Analytics workspace](../azure-monitor/logs/log-analytics-workspace-overview.md) where you can analyze and alert on them with log queries in [Log Analytics](../azure-monitor/logs/log-analytics-overview.md). |

+The **Monitoring** tab on the **Overview** page offers a quick way to get started viewing monitoring data in the Azure portal for each AKS cluster. This includes graphs with common metrics for the cluster separated by node pool. Click on any of these graphs to further analyze the data in [metrics explorer](../azure-monitor/essentials/metrics-getting-started.md).

+The **Overview** page also includes links to [Managed Prometheus](#integrations) and [Container insights](#integrations) for the current cluster. If you haven't already enabled these tools, you are prompted to do so. You may also see a banner at the top of the screen recommending that you enable other features to improve monitoring of your cluster.

+## Integrations

+The following Azure services and features of Azure Monitor can be used for extra monitoring of your Kubernetes clusters. You can enable these features during AKS cluster creation from the Integrations tab in the Azure portal, Azure CLI, Terraform, Azure Policy, or onboard your cluster to them later. Each of these features may incur cost, so refer to the pricing information for each before you enabled them.

+| Service / Feature | Description |

+|:|:|

+| [Container insights](../azure-monitor/containers/container-insights-overview.md) | Uses a containerized version of the [Azure Monitor agent](../azure-monitor/agents/agents-overview.md) to collect stdout/stderr logs, and Kubernetes events from each node in your cluster, supporting a [variety of monitoring scenarios for AKS clusters](../azure-monitor/containers/container-insights-overview.md#features-of-container-insights). You can enable monitoring for an AKS cluster when it's created by using [Azure CLI](../aks/learn/quick-kubernetes-deploy-cli.md), [Azure Policy](../azure-monitor/containers/container-insights-enable-aks-policy.md), Azure portal or Terraform. If you don't enable Container insights when you create your cluster, see [Enable Container insights for Azure Kubernetes Service (AKS) cluster](../azure-monitor/containers/container-insights-enable-aks.md) for other options to enable it.<br><br>Container insights store most of its data in a [Log Analytics workspace](../azure-monitor/logs/log-analytics-workspace-overview.md), and you'll typically use the same log analytics workspace as the [resource logs](monitor-aks-reference.md#resource-logs) for your cluster. See [Design a Log Analytics workspace architecture](../azure-monitor/logs/workspace-design.md) for guidance on how many workspaces you should use and where to locate them. |

+| [Azure Monitor managed service for Prometheus](../azure-monitor/essentials/prometheus-metrics-overview.md) | [Prometheus](https://prometheus.io/) is a cloud-native metrics solution from the Cloud Native Compute Foundation and the most common tool used for collecting and analyzing metric data from Kubernetes clusters. Azure Monitor managed service for Prometheus is a fully managed Prometheus-compatible monitoring solution in Azure. If you don't enable managed Prometheus when you create your cluster, see [Collect Prometheus metrics from an AKS cluster](../azure-monitor/essentials/prometheus-metrics-enable.md) for other options to enable it.<br><br>Azure Monitor managed service for Prometheus stores its data in an [Azure Monitor workspace](../azure-monitor/essentials/azure-monitor-workspace-overview.md), which is [linked to a Grafana workspace](../azure-monitor/essentials/azure-monitor-workspace-manage.md#link-a-grafana-workspace) so that you can analyze the data with Azure Managed Grafana. |

+| [Azure Managed Grafana](../managed-grafan#link-a-grafana-workspace) details on linking it to your Azure Monitor workspace so it can access Prometheus metrics for your cluster. |

+## Metrics

+Metrics play an important role in cluster monitoring, identifying issues, and optimizing performance in the AKS clusters. Platform metrics are captured using the out of the box metrics server installed in kube-system namespace, which periodically scrapes metrics from all Kubernetes nodes served by Kubelet. T=You should also enable Azure Managed Prometheus metrics to collect container metrics and Kubernetes object metrics, such as object state of Deployments. See [Collect Prometheus metrics from an AKS cluster](../azure-monitor/containers/prometheus-metrics-enable.md) to send data to Azure Managed service for Prometheus.

+- [List of default platform metrics](/azure/azure-monitor/reference/supported-metrics/microsoft-containerservice-managedclusters-metrics)

+- [List of default Prometheus metrics](../azure-monitor/containers/prometheus-metrics-scrape-default.md)

+## Logs

+### AKS control plane/resource logs

+Control plane logs for AKS clusters are implemented as [resource logs](../azure-monitor/essentials/resource-logs.md) in Azure Monitor. Resource logs aren't collected and stored until you create a diagnostic setting to route them to one or more locations. You'll typically send them to a Log Analytics workspace, which is where most of the data for Container insights is stored.

+See [Create diagnostic settings](../azure-monitor/essentials/diagnostic-settings.md) for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect. The categories for AKS are listed in [AKS monitoring data reference](monitor-aks-reference.md#resource-logs).

+For more information on the difference between collection modes including how to change an existing setting, see [Select the collection mode](../azure-monitor/essentials/resource-logs.md#select-the-collection-mode).

+#### Sample log queries

+If the [diagnostic setting for your cluster](monitor-aks-reference.md#resource-logs) uses Azure diagnostics mode, the resource logs for AKS are stored in the [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) table. You can distinguish different logs with the **Category** column. For a description of each category, see [AKS reference resource logs](monitor-aks-reference.md).

+To access a set of prebuilt queries in the Log Analytics workspace, see the [Log Analytics queries interface](../azure-monitor/logs/queries.md#queries-interface) and select resource type **Kubernetes Services**. For a list of common queries for Container insights, see [Container insights queries](../azure-monitor/containers/container-insights-log-query.md).

+### AKS data plane/Container Insights logs

+Container Insights collect various types of telemetry data from containers and Kubernetes clusters to help you monitor, troubleshoot, and gain insights into your containerized applications running in your AKS clusters. For a list of tables and their detailed descriptions used by Container insights, see the [Azure Monitor table reference](/azure/azure-monitor/reference/tables/tables-resourcetype#kubernetes-services). All these tables are available for [log queries](../azure-monitor/logs/log-query-overview.md).

+[Cost optimization settings](../azure-monitor/containers/container-insights-cost-config.md) allow you to customize and control the metrics data collected through the container insights agent. This feature supports the data collection settings for individual table selection, data collection intervals, and namespaces to exclude the data collection through [Azure Monitor Data Collection Rules (DCR)](../azure-monitor/essentials/data-collection-rule-overview.md). These settings control the volume of ingestion and reduce the monitoring costs of container insights. Container insights Collected Data can be customized through the Azure portal, using the following options. Selecting any options other than **All (Default)** leads to the container insights experience becoming unavailable.

+| Grouping | Tables | Notes |

+| | | |

+| All (Default) | All standard container insights tables | Required for enabling the default container insights visualizations |

+| Performance | Perf, InsightsMetrics | |

+| Logs and events | ContainerLog or ContainerLogV2, KubeEvents, KubePodInventory | Recommended if you enabled managed Prometheus metrics |

+| Workloads, Deployments, and HPAs | InsightsMetrics, KubePodInventory, KubeEvents, ContainerInventory, ContainerNodeInventory, KubeNodeInventory, KubeServices | |

+| Persistent Volumes | InsightsMetrics, KubePVInventory | |

+The **Logs and events** grouping captures the logs from the _ContainerLog_ or _ContainerLogV2_, _KubeEvents_, _KubePodInventory_ tables, but not the metrics. The recommended path to collect metrics is to enable [Azure Monitor managed service Prometheus for Prometheus](../azure-monitor/essentials/prometheus-metrics-overview.md) from your AKS cluster and to use [Azure Managed Grafana](../managed-grafan).

+#### ContainerLogV2 schema

+Azure Monitor Container Insights provides a schema for container logs known as ContainerLogV2, which is the recommended option. This format includes the following fields to facilitate common queries for viewing data related to AKS and Azure Arc-enabled Kubernetes clusters:

+- ContainerName

+- PodName

+- PodNamespace

+In addition, this schema is compatible with [Basic Logs](../azure-monitor/logs/basic-logs-configure.md?tabs=portal-1#set-a-tables-log-data-plan) data plan, which offers a low-cost alternative to standard analytics logs. The Basic log data plan lets you save on the cost of ingesting and storing high-volume verbose logs in your Log Analytics workspace for debugging, troubleshooting, and auditing, but not for analytics and alerts. For more information, see [Manage tables in a Log Analytics workspace](../azure-monitor/logs/manage-logs-tables.md?tabs=azure-portal).

+ContainerLogV2 is the recommended approach and is the default schema for customers onboarding container insights with Managed Identity Auth using ARM, Bicep, Terraform, Policy, and Azure portal. For more information about how to enable ContainerLogV2 through either the cluster's Data Collection Rule (DCR) or ConfigMap, see [Enable the ContainerLogV2 schema](../azure-monitor/containers/container-insights-logging-v2.md?tabs=configure-portal#enable-the-containerlogv2-schema-1).

+## Visualization

+Data visualization is an essential concept that makes it easier for system administrators and operational engineers to consume the collected information. Instead of looking at raw data, they can use visual representations, which quickly display the data and reveal trends that might be hidden when looking at raw data. You can use Grafana Dashboards or native Azure workbooks for data visualization.

+### Azure Managed Grafana

+The most common way to analyze and present Prometheus data is with a Grafana Dashboard. Azure Managed Grafana includes [prebuilt dashboards](../azure-monitor/visualize/grafana-plugin.md#use-out-of-the-box-dashboards) for monitoring Kubernetes clusters including several that present similar information as Container insights views. There are also various community-created dashboards to visualize multiple aspects of a Kubernetes cluster from the metrics collected by Prometheus.

+### Workbooks

+[Azure Monitor Workbooks](../azure-monitor/visualize/workbooks-overview.md) is a feature in Azure Monitor that provides a flexible canvas for data analysis and the creation of rich visual reports. Workbooks help you to create visual reports that help in data analysis. Reports in Container insights are recommended out-of-the-box for Azure workbooks. Azure provides built-in workbooks for each service, including Azure Kubernetes Service (AKS), which you can access from the Azure portal. On the **Azure Monitor** menu in the Azure portal, select **Containers**. In the **Monitoring** section, select **Insights**, choose a particular cluster, and then select the **Reports** tab. You can also view them from the [workbook gallery](../azure-monitor/visualize/workbooks-overview.md#the-gallery) in Azure Monitor.

+For instance, the [Cluster Optimization Workbook](../azure-monitor/containers/container-insights-reports.md#cluster-optimization-workbook) provides multiple analyzers that give you a quick view of the health and performance of your Kubernetes cluster. It has multiple analyzers that each provide different information related to your cluster. The workbook requires no configuration once Container insights is enabled on the cluster. Salient capabilities include the ability to detect liveness probe failures and their frequencies, identify and group event anomalies that indicate recent increases in event volume for more accessible analysis, and identify containers with high or low CPU and memory limits and requests, along with suggested limit and request values for these containers running in your AKS clusters.ΓÇï For more information about these workbooks, see [Reports in Container insights](../azure-monitor/containers/container-insights-reports.md).

+[Azure Monitor alerts](../azure-monitor/alerts/alerts-overview.md) help you detect and address issues before users notice them by proactively notifying you when Azure Monitor collected data indicates there might be a problem with your cloud infrastructure or application. They allow you to identify and address issues in your system before your customers notice them. You can set alerts on [metrics](../azure-monitor/alerts/alerts-metric-overview.md), [logs](../azure-monitor/alerts/alerts-unified-log.md), and the [activity log](../azure-monitor/alerts/activity-log-alerts.md). Different types of alerts have benefits and drawbacks.

+There are two types of metric rules used by Container insights based on either Prometheus metrics or platform metrics.

+### Prometheus metrics based alerts

+When you [enable collection of Prometheus metrics](#integrations) for your cluster, then you can download a collection of [recommended Prometheus alert rules](../azure-monitor/containers/container-insights-metric-alerts.md#enable-prometheus-alert-rules). This includes the following rules:

+ Level | Alerts |

+|:|:|

+| Pod level | KubePodCrashLooping<br>Job didn't complete in time<br>Pod container restarted in last 1 hour<br>Ready state of pods is less than 80%<br>Number of pods in failed state are greater than 0<br>KubePodNotReadyByController<br>KubeStatefulSetGenerationMismatch<br>KubeJobNotCompleted<br>KubeJobFailed<br>Average CPU usage per container is greater than 95%<br>Average Memory usage per container is greater than 95%<br>KubeletPodStartUpLatencyHigh |

+| Cluster level | Average PV usage is greater than 80%<br>KubeDeploymentReplicasMismatch<br>KubeStatefulSetReplicasMismatch<br>KubeHpaReplicasMismatch<br>KubeHpaMaxedOut<br>KubeCPUQuotaOvercommit<br>KubeMemoryQuotaOvercommit<br>KubeVersionMismatch<br>KubeClientErrors<br>CPUThrottlingHigh<br>KubePersistentVolumeFillingUp<br>KubePersistentVolumeInodesFillingUp<br>KubePersistentVolumeErrors |

+| Node level | Average node CPU utilization is greater than 80%<br>Working set memory for a node is greater than 80%<br>Number of OOM killed containers is greater than 0<br>KubeNodeUnreachable<br>KubeNodeNotReady<br>KubeNodeReadinessFlapping<br>KubeContainerWaiting<br>KubeDaemonSetNotScheduled<br>KubeDaemonSetMisScheduled<br>KubeletPlegDurationHigh<br>KubeletServerCertificateExpiration<br>KubeletClientCertificateRenewalErrors<br>KubeletServerCertificateRenewalErrors<br>KubeQuotaAlmostFull<br>KubeQuotaFullyUsed<br>KubeQuotaExceeded |

+### Platform metric based alerts

+The following table lists the recommended metric alert rules for AKS clusters. These alerts are based on [platform metrics](#monitoring-data) for the cluster.

+|:|:|

+### Log based alerts

+[Log alerts](../azure-monitor/alerts/alerts-types.md#log-alerts) allow you to alert on your [data plane](#aks-data-planecontainer-insights-logs) and [control plane](#aks-control-planeresource-logs) logs. Run queries at predefined intervals and create an alert based on the results. You may check for the count of certain records or perform calculations based on numeric columns.

+See [How to create log alerts from Container Insights](../azure-monitor/containers/container-insights-log-alerts.md) and [How to query logs from Container Insights](../azure-monitor/containers/container-insights-log-query.md).

+[Log alerts](../azure-monitor/alerts/alerts-unified-log.md) can measure two different things, which can be used to monitor in different scenarios:

+- [Result count](../azure-monitor/alerts/alerts-unified-log.md#result-count): Counts the number of rows returned by the query and can be used to work with events such as Windows event logs, Syslog, and application exceptions.

+- [Calculation of a value](../azure-monitor/alerts/alerts-unified-log.md#calculation-of-a-value): Makes a calculation based on a numeric column and can be used to include any number of resources. An example is CPU percentage.

+Depending on the alerting scenario required, log queries need to be created comparing a DateTime to the present time by using the `now` operator and going back one hour. To learn how to build log-based alerts, see [Create log alerts from Container insights](../azure-monitor/containers/container-insights-log-alerts.md).

+## Network Observability

+[Network observability](./network-observability-overview.md) is an important part of maintaining a healthy and performant Kubernetes cluster. By collecting and analyzing data about network traffic, you can gain insights into how your cluster is operating and identify potential problems before they cause outages or performance degradation.

+When the [Network Observability](/azure/aks/network-observability-overview) add-on is enabled, it collects and converts useful metrics into Prometheus format, which can be visualized in Grafana. When enabled, the collected metrics are automatically ingested into Azure Monitor managed service for Prometheus. A Grafana dashboard is available in the Grafana public dashboard repo to visualize the network observability metrics collected by Prometheus. For more information, see [Network Observability setup](./network-observability-managed-cli.md) for detailed instructions.

+- See [Monitoring AKS data reference](monitor-aks-reference.md) for a reference of the metrics, logs, and other important values created by AKS.

+[view-primary-logs]: monitor-aks.md#aks-control-planeresource-logs

+Congratulations, you have installed ALB Controller, deployed a backend application and modified header values via Gateway API on Application Gateway for Containers.

+The IPv6 Application Gateway preview is available to all public cloud regions where Application Gateway v2 SKU is supported. It's also available in [Microsoft Azure operated by 21Vianet](https://www.azure.cn/) and [Azure Government](https://azure.microsoft.com/overview/clouds/government/)

+The IPv6 Application Gateway preview is available to all public cloud regions where Application Gateway v2 SKU is supported. It's also available in [Microsoft Azure operated by 21Vianet](https://www.azure.cn/) and [Azure Government](https://azure.microsoft.com/overview/clouds/government/)

+You can configure input parameters for PowerShell, PowerShell Workflow, graphical, and Python runbooks. A runbook can have multiple parameters with different data types or no parameters. Input parameters can be mandatory or optional, and you can use default values for optional parameters.

+## Input types

+Azure Automation supports various input parameter values across the different runbook types. Supported input types for each type of runbook are listed in the following table.

+| Runbook type | Supported parameter inputs |

+|||

+| PowerShell | - String <br>- Security.SecureString <br>- INT32 <br>- Boolean <br>- DateTime <br>- Array <br>- Collections.Hashtable <br>- Management.Automation.SwitchParameter |

+| PowerShell Workflow | - String <br>- Security.SecureString <br>- INT32 <br>- Boolean <br>- DateTime <br>- Array <br>- Collections.Hashtable <br>- Management.Automation.SwitchParameter |

+| Graphical PowerShell| - String <br>- INT32 <br>- INT64 <br>- Boolean <br>- Decimal <br>- DateTime <br>- Object |

+| Python | - String | |

+| Type |Required. The data type is expected for the parameter value. Any .NET type is valid. |

+| Mandatory |Optional. The Boolean value specifies whether the parameter requires a value. If you set this to True, a value must be provided when the runbook is started. If you set this to False, a value is optional. If you don't specify a value for the `Mandatory` property, PowerShell considers the input parameter optional by default. |

+ configMap:

+ name: configmap-created-by-appconfig-provider

+ items:

+ - key: mysettings.json

+ path: mysettings.json

+Azure Arc resource bridge is a Kubernetes management cluster installed on the customerΓÇÖs on-premises infrastructure. The resource bridge is provided credentials to the infrastructure control plane that allows it to apply guest management services on the on-premises resources. Arc resource bridge enables projection of on-premises resources as ARM resources and management from ARM as "Arc-enabled" Azure resources.

+You can connect an SCVMM management server to Azure by deploying Azure Arc resource bridge in the VMM environment. Azure Arc resource bridge enables you to represent the SCVMM resources (clouds, VMs, templates etc.) in Azure and perform various operations on them:

+* Enable guest management

+* Install extensions

+* Learn how [Azure Arc-enabled VMware vSphere extends Azure's governance and management capabilities to VMware vSphere infrastructure](../vmware-vsphere/overview.md).

+* Learn how [Azure Arc-enabled SCVMM extends Azure's governance and management capabilities to System Center managed infrastructure(../system-center-virtual-machine-manager/overview.md).

+* Learn about [provisioning and managing on-premises Windows and Linux VMs running on Azure Stack HCI clusters](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines).

+As a Microsoft-managed product, Arc resource bridges on a supported [private cloud provider](#private-cloud-providers) with an appliance version 1.0.15 or higher are automatically opted into cloud-manaaged upgrade. With cloud-managed upgrade, Microsoft manages the upgrade of your Arc resource bridge to be within supported versions, as long as the prerequisites are met. If prerequisites are not met, then cloud managed upgrade will fail.

+While Microsoft manages the upgrade of your Arc resource bridge, it's still important for you to ensure that your resource bridge is healthy, online, in a `Running` status, and on a supported version. To do so, run the `az arcappliance show` command from your management machine, or check the Azure resource of your Arc resource bridge. If your appliance VM isn't in a healthy state, cloud-managed upgrade might fail, and your version may become unsupported.

+To manually upgrade your Arc resource bridge, make sure you're using the latest `az arcappliance` CLI extension by running the extension upgrade command from the management machine:

+For example, to upgrade a resource bridge on VMware, run: `az arcappliance upgrade vmware --config-file c:\contosoARB01-appliance.yaml`

+To upgrade a resource bridge on System Center Virtual Machine Manager (SCVMM), run: `az arcappliance upgrade scvmm --config-file c:\contosoARB01-appliance.yaml`

+For Arc-enabled VMware vSphere, manual upgrade is available, but appliances on version 1.0.15 and higher automatically receive cloud-managed upgrade as the default experience. Appliances that are earlier than version 1.0.15 must be manually upgraded. A manual upgrade only upgrades the appliance to the next version, not the latest version. If you have multiple versions to upgrade, another option is to review the steps for [performing a recovery](/azure/azure-arc/vmware-vsphere/recover-from-resource-bridge-deletion), then delete the appliance VM and perform the recovery steps. This deploys a new Arc resource bridge using the latest version and reconnects pre-existing Azure resources.

+Azure Arc VM management (preview) on Azure Stack HCI supports upgrade of an Arc resource bridge on Azure Stack HCI, version 22H2 up until appliance version 1.0.14 and `az arcappliance` CLI extension version 0.2.33. These upgrades can be done through manual upgrade. However, HCI version 22H2 won't be supported for appliance version 1.0.15 or higher because it's being deprecated. Customers on HCI 22H2 will receive limited support. To use appliance version 1.0.15 or higher, you must transition to Azure Stack HCI, version 23H2 (preview). In version 23H2 (), the LCM tool manages upgrades across all components as a "validated recipe" package. For more information, visit the [Arc VM management FAQ page](/azure-stack/hci/manage/azure-arc-vms-faq).

+For Arc-enabled System Center Virtual Machine Manager (SCVMM), the manual upgrade feature is available for appliance version 1.0.14 and higher. Appliances below version 1.0.14 need to perform the recovery option to get to version 1.0.15 or higher. Review the steps for [performing the recovery operation](/azure/azure-arc/system-center-virtual-machine-manager/disaster-recovery), then delete the appliance VM from SCVMM and perform the recovery steps. This deploys a new resource bridge and reconnects pre-existing Azure resources.

+Arc resource bridge typically releases a new version on a monthly cadence, at the end of the month, although it's possible that delays could push the release date further out. Regardless of when a new release comes out, if you're within n-3 supported versions, then your Arc resource bridge version is supported. To stay updated on releases, visit the [Arc resource bridge release notes](https://github.com/Azure/ArcResourceBridge/releases) on GitHub.

+- Browse your VMM resources (VMs, templates, VM networks, and storage) in Azure, providing you with a single pane view for your infrastructure across both environments.

+- Install the Arc-connected machine agents at scale on SCVMM VMs to [govern, protect, configure, and monitor them](../servers/overview.md#supported-cloud-operations).

+You have the flexibility to start with either option, or incorporate the other one later without any disruption. With both options, you'll enjoy the same consistent experience.

+- Administrators can install Arc agents on SCVMM VMs at-scale and install corresponding extensions to use Azure management services like Microsoft Defender for Cloud, Azure Update Manager, Azure Monitor, etc.

+Azure Arc-enabled SCVMM works with VMM 2019 and 2022 versions and supports SCVMM management servers with a maximum of 15,000 VMs.

+- East US 2

+- West US 2

+- West US 3

+- Central US

+description: In this QuickStart, you learn how to use the helper script to connect your System Center Virtual Machine Manager management server to Azure Arc.

+> - If VMM server is running on Windows Server 2016 machine, ensure that [Open SSH package](https://github.com/PowerShell/Win32-OpenSSH/releases) is installed.

+> - If you deploy an older version of appliance (version lesser than 0.2.25), Arc operation fails with the error *Appliance cluster is not deployed with AAD authentication*. To fix this issue, download the latest version of the onboarding script and deploy the resource bridge again.

+> - Azure Arc Resource Bridge deployment using private link is currently not supported.

+| **SCVMM** | You need an SCVMM management server running version 2019 or later.<br/><br/> A private cloud with minimum free capacity of 32 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> Only Static IP allocation is supported and VMM Static IP Pool is required. Follow [these steps](https://learn.microsoft.com/system-center/vmm/network-pool?view=sc-vmm-2022) to create a VMM Static IP Pool and ensure that the Static IP Pool has at least four IP addresses. Dynamic IP allocation using DHCP isn't supported. |

+| **SCVMM accounts** | An SCVMM admin account that can perform all administrative actions on all objects that VMM manages. <br/><br/> The user should be part of local administrator account in the SCVMM server. If the SCVMM server is installed in a High Availability configuration, the user should be a part of the local administrator accounts in all the SCVMM cluster nodes. <br/><br/>This will be used for the ongoing operation of Azure Arc-enabled SCVMM and the deployment of the Arc Resource bridge VM. |

+| **Azure login** | You would be asked to sign in to Azure by visiting [this site](https://www.microsoft.com/devicelogin) and pasting the prompted code. |

+| **Static IP pool** | Select the VMM static IP pool that will be used to allot the IP address. |

+| **Appliance proxy settings** | Enter *Y* if there's a proxy in your appliance network, else enter *N*.|

+Once the command execution is completed, your setup is complete, and you can try out the capabilities of Azure Arc-enabled SCVMM.

+ ./resource-bridge-onboarding-script.ps1 -Force -Subscription <Subscription> -ResourceGroup <ResourceGroup> -AzLocation <AzLocation> -ApplianceName <ApplianceName> -CustomLocationName <CustomLocationName> -VMMservername <VMMservername>

+> - After successful deployment, save the config YAML files in a secure location. The config files are required to perform management operations on the resource bridge.

+> In consumption plan functions, automatic scaling is not supported for SQL trigger. If the automatic scaling process stops the function, all processing of events will stop and it will need to be manually restarted.

+>

+> Use premium or dedicated plans for [scaling benefits](functions-scale.md) with SQL trigger.

+>

+|Korea South| 40 | 20 |

+| | Azure Storage - for Azure VMs only | Γ£ô (Preview) | | Γ£ô |

+| | Event Hubs - for Azure VMs only | Γ£ô (Preview) | | Γ£ô |

+| | Microsoft Defender for Cloud - Olny uses MDE agent | | | |

+| | Automation Update Management - Moved to Azure Update Manager | Γ£ô | Γ£ô | |

+| | Update Manager - no longer uses agents | | | |

+| | Change Tracking | Γ£ô | Γ£ô | |

+| | SQL Best Practices Assessment | Γ£ô | | |

+| | Azure Storage - for Azrue VMs only | Γ£ô (Preview) | | Γ£ô | |

+| | Event Hubs - for azure VMs only | Γ£ô (Preview) | | Γ£ô | |

+| | Microsoft Defender for Cloud - Only use MDE agent | | | |

+| | Automation Update Management - Moved to Azure Update Manager | Γ£ô | Γ£ô | |

+| | Update Manager - no longer uses agents | | | |

+| | Change Tracking | Γ£ô | Γ£ô | |

+## How to process data for a metric alert rule in a specific region

+## Metric alert rule with dynamic threshold fires too much or is too noisy

+## Metric alert rule with dynamic threshold doesn't fire enough

+## Network error when creating a metric alert rule using dimensions

+If you're creating a metric alert rule that uses dimensions, you might encounter a network error. This can happen if you create a metric alert rule that specifies a lot of dimension values. For example, if you create a metric alert rule that monitors the heartbeat metric for 200 computers, specifying each computer as a unique dimension value. This creates a payload with a large amount of text, that is too large to be sent over the network, and you may receive the following network error: `The network connectivity issue encountered for 'microsoft.insights'; cannot fulfill the request`.

+

+To resolve this, we recommend that you either:

+ΓÇó Define multiple rules (each with a subset of the dimension values).

+ΓÇó Use the **StartsWith** operator if the dimension values have common names.

+ΓÇó If relevant, configure the rule to monitor all dimension values if thereΓÇÖs no need to individually monitor the specific dimension values.

+- [Resource log collection](../../aks/monitor-aks.md#aks-control-planeresource-logs) of Kubernetes main node logs in your Azure Kubernetes Service (AKS) cluster to analyze log data generated by main components, such as `kube-apiserver` and `kube-controller-manager`.

+The logs for AKS control plane components are implemented in Azure as [resource logs](../essentials/resource-logs.md). Container Insights doesn't use these logs, so you need to create your own log queries to view and analyze them. For details on log structure and queries, see [How to query logs from Container Insights](../../aks/monitor-aks.md#aks-control-planeresource-logs).

+[Create a diagnostic setting](../../aks/monitor-aks.md#aks-control-planeresource-logs) for each AKS cluster to send resource logs to a Log Analytics workspace. Use [Azure Policy](../essentials/diagnostic-settings-policy.md) to ensure consistent configuration across multiple clusters.

+> * Entries in the Activity Log are typically a result of changes (create, update or delete operations) or an action having been initiated. Operations focused on reading details of a resource are not typically captured.

+#customer-intent: As an IT manager, I want to understand the data and service resilience benefits Azure Monitor availability zones provide to ensure my data and services are sufficiently protected in the event of datacenter failure.

+[Azure availability zones](../../reliability/availability-zones-overview.md) protect applications and data from datacenter failures and can enhance the resilience of Azure Monitor features that rely on a Log Analytics workspace. This article describes the data and service resilience benefits Azure Monitor availability zones provide by default to [dedicated clusters](logs-dedicated-clusters.md) in supported regions.

+## How availability zones enhance data and service resilience in Azure Monitor Logs

+Each Azure region that supports availability zones is made of one or more datacenters, or zones, equipped with independent power, cooling, and networking infrastructure.

+Azure Monitor Logs availability zones are [zone-redundant](../../reliability/availability-zones-overview.md#zonal-and-zone-redundant-services), which means that Microsoft manages spreading service requests and replicating data across different zones in supported regions. If one zone is affected by an incident, Microsoft manages failover to a different availability zone in the region automatically. You don't need to take any action because switching between zones is seamless.

+A subset of the availability zones that support data resilience currently also support service resilience for Azure Monitor Logs, as listed in the [Service resilience - supported regions](#service-resiliencesupported-regions) section. In regions that support service resilience, Azure Monitor Logs service operations - for example, log ingestion, queries, and alerts - can continue in the event of a zone failure. In regions that only support data resilience, your stored data is protected against zonal failures, but service operations might be impacted by regional incidents.

+## Data resilience - supported regions

+> [!NOTE]

+> Moving to a dedicated cluster in a region that supports availablility zones protects data ingested after the move, not historical data.

+> - When linking storage account for privacy and compliance typically, saved queries and log alerts are deleted from workspace permanently and can't be restored. To prevent lose of existing saved queries and log alerts, copy saved queries and log alerts using a template as described in [Workspace move procedure](./move-workspace-region.md).

+> - A single storage account can be linked for custom log and IIS logs, query, and alert.

+> - When linking storage account for custom log and IIS logs ingestion, you might need to consider linking more storage accounts depending on the ingestion rate. You can link up to five storage accounts to a workspace.

+| [Data retention and archive](#data-retention-and-archive) | You can set different retention settings for each workspace and each table in a workspace. You need a separate workspace if you require different retention settings for different resources that send data to the same tables. |

+|[Resilience](#resilience)| To ensure that data in your workspace is available in the event of a region failure, you can ingest data into multiple workspaces in different regions.|

+### Resilience

+To ensure that critical data in your workspace is available in the event of a region failure, you can ingest some or all of your data into multiple workspaces in different regions.

+This option requires managing integration with other services and products separately for each workspace. Even though the data will be available in the alternate workspace in case of failure, resources that rely on the data, such as alerts and workbooks, won't know to switch over to the alternate workspace. Consider storing ARM templates for critical resources with configuration for the alternate workspace in Azure DevOps, or as disabled policies that can quickly be enabled in a failover scenario.

+* Capacity pools with Basic network features have a minimum size of 4 TiB. For capacity pools with Standard network features, the minimum size is 1 TiB. For more information, see [Resource limits](azure-netapp-files-resource-limits.md)

+| Minimum size of a single capacity pool | 1 TiB* | No |

+\* [!INCLUDE [Limitations for capacity pool minimum of 1 TiB](includes/2-tib-capacity-pool.md)]

+* You must have already [created a NetApp account](azure-netapp-files-create-netapp-account.md).

+* If this is your first time using a 1-TiB capacity pool, you must first register the feature:

+ 1. Register the feature:

+ ```azurepowershell-interactive

+ Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANF1TiBPoolSize

+ ```

+ 2. Check the status of the feature registration:

+ > [!NOTE]

+ > The **RegistrationState** may be in the `Registering` state for up to 60 minutes before changing to `Registered`. Wait until the status is **Registered** before continuing.

+ ```azurepowershell-interactive

+ Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANF1TiBPoolSize

+ ```

+ You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.

+ The minimum capacity pool size is 1 TiB. You can change the size of a capacity pool in 1-TiB increments.

+

+ >[!NOTE]

+ >[!INCLUDE [Limitations for capacity pool minimum of 1 TiB](includes/2-tib-capacity-pool.md)]

+

+* [Capacity pool enhancement:](azure-netapp-files-set-up-capacity-pool.md) New lower limits

+ * 2 TiB capacity pool: The 2 TiB lower limit for capacity pools using Standard network features is now generally available (GA).

+ * 1 TiB capacity pool: Azure NetApp Files now supports a lower limit of 1 TiB for capacity pool sizing with Standard network features. This feature is currently in preview.

+* [Metrics enhancement: Throughput limits](azure-netapp-files-metrics.md#volumes)

+ Azure NetApp Files now supports a "throughput limit reached" metric for volumes. The metric is a Boolean value that denotes the volume is hitting its QoS limit. With this metric, you know whether or not to adjust volumes so they meet the specific needs of your workloads.

+* [Standard network features in US Gov regions](azure-netapp-files-network-topologies.md#supported-regions) is now generally available (GA)

+* [Azure NetApp Files datastores for Azure VMware Solution](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md#supported-regions) in US Gov regions

+ "explicit-values-for-loc-params": {

+ "level": "warning"

+ },

+ },

+ },

+ "azuredatalakestore.net",

+output concatOutput string = concat(prefix, 'And', uniqueString(resourceGroup().id))

+exports.bicep

+> The Bicep parameters file is only supported in [Bicep CLI](./install.md) version 0.18.4 or newer, [Azure CLI](/cli/azure/install-azure-cli) version 2.47.0 or newer, and [Azure PowerShell](/powershell/azure/install-azure-powershell) version 9.7.1 or newer.

+> To use the statement with ARM JSON templates, Bicep modules, and template specs, you need to have [Bicep CLI](./install.md) version 0.22.6 or later, and [Azure CLI](/cli/azure/install-azure-cli) version 2.53.0 or later.

+The deployment script resource is only available in the regions where Azure Container Instance is available. See [Resource availability for Azure Container Instances in Azure regions](../../container-instances/container-instances-region-availability.md).

+- [explicit-values-for-loc-params](./linter-rule-explicit-values-for-loc-params.md)

+> The Bicep parameters file is only supported in [Bicep CLI](./install.md) version 0.18.4 or newer, [Azure CLI](/cli/azure/install-azure-cli) version 2.47.0 or newer, and [Azure PowerShell](/powershell/azure/install-azure-powershell) version 9.7.1 or newer.

+- In-band DTMF is not supported, use RFC 2833 DTMF instead.

+# Monitor Direct Routing

+The process of making and receiving calls through direct routing involves the following components:

+## Monitoring Availability of Session Border Controllers using Session Initiation Protocol (SIP) OPTIONS Messages

+## Monitor with Azure Portal and SBC logs

+During the initial pairing phase, there may be issues related particularly to misconfiguration of the SBCs or the direct routing service.

+The following tools can be used to monitor your configuration:

+If calls can be made, [Azure monitors logs](../../analytics/logs/voice-and-video-logs.md) can help provide descriptive SIP error codes

+ Title: Teams Meeting Audio Conferencing

+description: Use Azure Communication Services SDKs to retrieve Teams Meeting Audio Conferencing Details

+# Microsoft Teams Meeting Audio Conferencing

+In this article, you learn how to use Azure Communication Services Calling SDK to retrieve Microsoft Teams Meeting audio conferencing details. This functionality allows users who are already connected to a Microsoft Teams Meeting to be able to get the conference ID and dial in phone number associated with the meeting. At present, Teams audio conferencing feature returns a conference ID and only one dial-in toll or toll-free phone number depending on the priority assigned. In the future, Teams audio conferencing feature will return a collection of all toll and toll-free numbers, giving users control on what Teams meeting dial-in details to use

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- A deployed Communication Services resource. [Create a Communication Services resource](../../quickstarts/create-communication-resource.md).

+- A user access token to enable the calling client. For more information, see [Create and manage access tokens](../../quickstarts/identity/access-tokens.md).

+- Optional: Complete the quickstart to [add voice calling to your application](../../quickstarts/voice-video-calling/getting-started-with-calling.md)

+## Next steps

+- [Learn how to manage calls](./manage-calls.md)

+- [Learn how to manage video](./manage-video.md)

+- [Learn how to record calls](./record-calls.md)

+- [Learn how to transcribe calls](./call-transcription.md)

+ spec:

+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials

+The Managed Application uses an Azure Service Bus Queue to track and record all **Create Blob** events. You will use the Queue created in the Managed Resource Group by the Managed Application and add it as an Event Subscriber for any storage account that you're creating blobs for.

+### [Azure portal](#tab/azure-portal)

+### [CLI](#tab/cli-or-sdk)

+```azurecli

+```azurecli

+### [Azure portal](#tab/azure-portal)

+### [CLI](#tab/cli-or-sdk)

+```azurecli

+> [!NOTE]

+> Every blob creation event will not result in a digest being created. Digests are created after a certain block size is reached. Currently, a digest will be created for every **4 blob creation events**.

+### [Azure portal](#tab/azure-portal)

+### [Python SDK](#tab/cli-or-sdk)

+ Title: Parameterizing mapping data flows

+description: Learn how to parameterize a mapping data flow from Azure Data Factory and Azure Synapse Analytics pipelines

+# Parameterizing mapping data flows

+Mapping data flows in Azure Data Factory and Synapse pipelines support the use of parameters. Define parameters inside of your data flow definition and use them throughout your expressions. The parameter values are set by the calling pipeline via the Execute Data Flow activity. You have three options for setting the values in the data flow activity expressions:

+* Use the pipeline control flow expression language to set a dynamic value

+* Use the data flow expression language to set a dynamic value

+* Use either expression language to set a static literal value

+Use this capability to make your data flows general-purpose, flexible, and reusable. You can parameterize data flow settings and expressions with these parameters.

+## Create parameters in a mapping data flow

+To add parameters to your data flow, click on the blank portion of the data flow canvas to see the general properties. In the settings pane, you'll see a tab called **Parameter**. Select **New** to generate a new parameter. For each parameter, you must assign a name, select a type, and optionally set a default value.

+## Use parameters in a mapping data flow

+Parameters can be referenced in any data flow expression. Parameters begin with $ and are immutable. you'll find the list of available parameters inside of the Expression Builder under the **Parameters** tab.

+You can quickly add additional parameters by selecting **New parameter** and specifying the name and type.

+## Using parameterized linked services in a mapping data flow

+Parameterized linked services can be used in a mapping data flow (for either dataset or inline source types).

+For the inline source type, the linked service parameters are exposed in the data flow activity settings within the pipeline as shown below.

+For the dataset source type, the linked service parameters are exposed directly in the dataset configuration.

+## Assign parameter values from a pipeline

+Once you've created a data flow with parameters, you can execute it from a pipeline with the Execute Data Flow Activity. After you add the activity to your pipeline canvas, you'll be presented with the available data flow parameters in the activity's **Parameters** tab.

+When assigning parameter values, you can use either the [pipeline expression language](control-flow-expression-language-functions.md) or the [data flow expression language](data-transformation-functions.md) based on spark types. Each mapping data flow can have any combination of pipeline and data flow expression parameters.

+### Pipeline expression parameters

+Pipeline expression parameters allow you to reference system variables, functions, pipeline parameters, and variables similar to other pipeline activities. When you click **Pipeline expression**, a side-nav will open allowing you to enter an expression using the expression builder.

+When referenced, pipeline parameters are evaluated and then their value is used in the data flow expression language. The pipeline expression type doesn't need to match the data flow parameter type.

+#### String literals vs expressions

+When assigning a pipeline expression parameter of type string, by default quotes will be added and the value will be evaluated as a literal. To read the parameter value as a data flow expression, check the expression box next to the parameter.

+If data flow parameter `stringParam` references a pipeline parameter with value `upper(column1)`.

+- If expression is checked, `$stringParam` evaluates to the value of column1 all uppercase.

+- If expression isn't checked (default behavior), `$stringParam` evaluates to `'upper(column1)'`

+#### Passing in timestamps

+In the pipeline expression language, System variables such as `pipeline().TriggerTime` and functions like `utcNow()` return timestamps as strings in format 'yyyy-MM-dd\'T\'HH:mm:ss.SSSSSSZ'. To convert these into data flow parameters of type timestamp, use string interpolation to include the desired timestamp in a `toTimestamp()` function. For example, to convert the pipeline trigger time into a data flow parameter, you can use `toTimestamp(left('@{pipeline().TriggerTime}', 23), 'yyyy-MM-dd\'T\'HH:mm:ss.SSS')`.

+> [!NOTE]

+> Data Flows can only support up to 3 millisecond digits. The `left()` function is used trim off additional digits.

+#### Pipeline parameter example

+Say you have an integer parameter `intParam` that is referencing a pipeline parameter of type String, `@pipeline.parameters.pipelineParam`.

+`@pipeline.parameters.pipelineParam` is assigned a value of `abs(1)` at runtime.

+When `$intParam` is referenced in an expression such as a derived column, it will evaluate `abs(1)` return `1`.

+### Data flow expression parameters

+Select **Data flow expression** will open up the data flow expression builder. You'll be able to reference functions, other parameters and any defined schema column throughout your data flow. This expression will be evaluated as is when referenced.

+> [!NOTE]

+> If you pass in an invalid expression or reference a schema column that doesn't exist in that transformation, the parameter will evaluate to null.

+### Passing in a column name as a parameter

+A common pattern is to pass in a column name as a parameter value. If the column is defined in the data flow schema, you can reference it directly as a string expression. If the column isn't defined in the schema, use the `byName()` function. Remember to cast the column to its appropriate type with a casting function such as `toString()`.

+For example, if you wanted to map a string column based upon a parameter `columnName`, you can add a derived column transformation equal to `toString(byName($columnName))`.

+> [!NOTE]

+> In data flow expressions, string interpolation (substituting variables inside of the string) isn't supported. Instead, concatenate the expression into string values. For example, `'string part 1' + $variable + 'string part 2'`

+## Next steps

+* [Execute data flow activity](control-flow-execute-data-flow-activity.md)

+* [Control flow expressions](control-flow-expression-language-functions.md)

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+| Supported use cases:| :::image type="icon" source="./media/icons/yes-icon.png"::: Vulnerability assessment (powered by Defender Vulnerability Management)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Software inventory (powered by Defender Vulnerability Management)<br />:::image type="icon" source="./media/icons/yes-icon.png":::Secret scanning |

+- **AWS**: AWS accounts get the [AWS Foundational Security Best Practices standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) and [Microsoft Cloud Security Benchmark (MCSB)](concept-regulatory-compliance.md) assigned by default. AWS Foundational Security Best Practices standard contains AWS-specific guidelines for security and compliance best practices based on common compliance frameworks.

+1. Enter a name and description.

+ > [!IMPORTANT]

+ > Make sure the name is unique. If you create a custom standard with the same name as an existing standard, it causes a conflict in the information displayed in the dashboard.

+1. (Optional) Select the three dot button (**...**) > **Manage effect and parameters** to manage the effects and parameters of each recommendation, and save the setting.

+Your new standard takes effect after you create it. You can see the effects of your new standard:

+- On the Regulatory compliance page, you will see the new custom standard alongside existing standards.

+- The [Defender Cloud Security Posture Management (CSPM) plan](concept-cloud-security-posture-management.md) must be enabled.

+- You need **Contributor**, **Security Admin**, or **Owner** permissions on the Azure subscriptions.

+- For AWS accounts and GCP projects, you need **Contributor**, **Security Admin**, or **Owner** permissions on the Defender for Cloud AWS or GCP connectors.

+**You can define a governance rule as follows**:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings** > **Governance rules**.

+ :::image type="content" source="./media/governance-rules/add-rule.png" alt-text="Screenshot of page for adding a governance rule." lightbox="media/governance-rules/add-rule.png":::

+1. Specify a rule name and scope in which to apply the rule.

+1. Set a priority level.

+ Rules are run in priority order from the highest (1) to the lowest (1000).

+1. Specify a description to help you identify the rule.

+1. Select **Next**

+1. Specify how recommendations are impacted by the rule.

+ :::image type="content" source="./media/governance-rules/create-rule-conditions.png" alt-text="Screenshot of page for adding conditions for a governance rule." lightbox="media/governance-rules/create-rule-conditions.png":::

+1. Set the owner to specify who's responsible for fixing recommendations covered by the rule.

+1. Specify remediation time frame to set the time that can elapse between when resources are identified as requiring remediation, and the time that the remediation is due.

+ For recommendations issued by MCSB, if you don't want the resources to affect your secure score until they're overdue, select **Apply grace period**.

+1. (Optional) By default owners and their managers are notified weekly about open and overdue tasks. If you don't want them to receive these weekly emails, clear the notification options.

+1. Select **Create**.

+If there are existing recommendations that match the definition of the governance rule, you can either:

+- Assign an owner and due date to recommendations that don't already have an owner or due date.

+- Overwrite the owner and due date of existing recommendations.

+When you delete or disable a rule, all existing assignments and notifications remain.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings** > **Governance rules**.

+

+

+

+## Review the governance report

+The governance report lets you select subscriptions that have governance rules and, for each rule and owner, shows you how many recommendations are completed, on time, overdue, or unassigned.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Microsoft Defender for Cloud** > **Environment settings** > **Governance rules** >**Governance report**.

+ :::image type="content" source="media/governance-rules/governance-report.png" alt-text="Screenshot of the governance rules page that shows where the governance report button is located." lightbox="media/governance-rules/governance-report.png":::

+1. Select a subscription.

+From the governance report, you can drill down into recommendations by scope, display name, priority, remediation timeframe, owner type, owner details, grace period and cloud.

+> [!IMPORTANT]

+> This page discusses how to use the new recommendations experience where you have the ability to prioritize your recommendations by their effective risk level. To view this experience, you must select **Try it now**.

+>

+> :::image type="content" source="media/review-security-recommendations/try-it-now.png" alt-text="Screenshot that shows where the try it now button is located on the recommendation page." lightbox="media/review-security-recommendations/try-it-now.png":::

+You can now review critical and other recommendations to understand the recommendation and remediation steps. Use the graph to understand the risk to your business, including which resources are exploitable, and the effect that the recommendation has on your business.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**.

+1. Select a recommendation to remediate.

+1. Select **Take action**

+1. Locate the Remediate section and follow the remediation instructions.

+ :::image type="content" source="./media/implement-security-recommendations/security-center-remediate-recommendation.png" alt-text="This screenshot shows manual remediation steps for a recommendation." lightbox="./media/implement-security-recommendations/security-center-remediate-recommendation.png":::

+To simplify remediation and improve your environment's security (and increase your secure score), many recommendations include a **Fix** option to help you quickly remediate a recommendation on multiple resources. If the Fix button is not present in the recommendation, then there is no option to apply a quick fix.

+**To remediate a recommendation with the Fix button**:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Microsoft Defender for Cloud** > **Recommendations**.

+1. Select a recommendation to remediate.

+1. Select **Take action** > **Fix**.

+After remediation completes, it can take several minutes for the change to take place.

+| Environment | - Have an application registry in ServiceNow. <br>- Enable Defender Cloud Security Posture Management (DCSPM) |

+1. Navigate to **System OAuth** > **Application Registry**.

+ :::image type="content" border="true" source="./media/integration-servicenow/new.png" alt-text="Screenshot of where to start a new instance." lightbox="media/integration-servicenow/new.png":::

+ :::image type="content" border="true" source="./media/integration-servicenow/app-details.png" alt-text="Screenshot of application details." lightbox="media/integration-servicenow/app-details.png":::

+ :::image type="content" border="true" source="./media/integration-servicenow/add-servicenow.png" alt-text="Screenshot of how to add ServiceNow." lightbox="media/integration-servicenow/add-servicenow.png":::

+1. Select **Default** or **Customized** based on your requirement.

+

+ > [!NOTE]

+ > Enforce and Deny are applicable to Azure recommendations and are supported on a subset of recommendations.

+> [!NOTE]

+> **Third-party application access via OAuth** must be set to `On` on for each Azure DevOps Organization. [Learn more about OAuth and how to enable it in your organizations](/azure/devops/organizations/accounts/change-application-access-policies).

+11. Select **Next: Review and generate**.

+12. Review the information, and then select **Create**.

+| November 27 | [General availability of agentless secret scanning in Defender for Servers and Defender CSPM](#general-availability-of-agentless-secret-scanning-in-defender-for-servers-and-defender-cspm) |

+### General availability of agentless secret scanning in Defender for Servers and Defender CSPM

+November 27, 2023

+Agentless secret scanning enhances the security cloud based Virtual Machines (VM) by identifying plaintext secrets on VM disks. Agentless secret scanning provides comprehensive information to help prioritize detected findings and mitigate lateral movement risks before they occur. This proactive approach prevents unauthorized access, ensuring your cloud environment remains secure.

+We're announcing the General Availability (GA) of agentless secret scanning, which is included in both the [Defender for Servers P2](tutorial-enable-servers-plan.md) and the [Defender CSPM](tutorial-enable-cspm-plan.md) plans.

+Agentless secret scanning utilizes cloud APIs to capture snapshots of your disks, conducting out-of-band analysis that ensures that there is no effect on your VM's performance. Agentless secret scanning broadens the coverage offered by Defender for Cloud over cloud assets across Azure, AWS, and GCP environments to enhance your cloud security.

+With this release, Defender for Cloud's detection capabilities now support additional database types, data store signed URLs, access tokens, and more.

+Learn how to [manage secrets with agentless secret scanning](secret-scanning.md).

+ Title: Exempt a recommendation in Microsoft Defender for Cloud

+In Microsoft Defender for Cloud, you can [exempt protected resources from Defender for Cloud security recommendations](exempt-resource.md). This article describes how to review and work with exempted resources.

+> [!IMPORTANT]

+> This page discusses how to use the new recommendations experience where you have the ability to prioritize your recommendations by their effective risk level. To view this experience, you must select **Try it now**.

+>

+> :::image type="content" source="media/review-security-recommendations/try-it-now.png" alt-text="Screenshot that shows where the try it now button is located on the recommendation page." lightbox="media/review-security-recommendations/try-it-now.png":::

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Defender for Cloud** > **Recommendations**.

+1. Select **All**, **Yes** or **No**.

+1. Select **Apply**.

+You can also find all resources that have been exempted from one or more recommendations on the Inventory page.

+**To review exempted resources on the Defender for Cloud's Inventory page**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Defender for Cloud** > **Recommendations**.

+1. Select **Add filter**

+ :::image type="content" source="media/review-exemptions/inventory-exemptions.png" alt-text="Defender for Cloud's asset inventory page and the filter to find resources with exemptions." lightbox="media/review-exemptions/inventory-exemptions.png":::

+1. Select **Contains Exemptions**.

+1. Select **Yes**.

+1. Select **OK**.

+In Defender for Cloud, navigate to the **Overview** dashboard to get a holistic look at your environments, including:

+> [!IMPORTANT]

+> This page discusses how to use the new recommendations experience where you have the ability to prioritize your recommendations by their effective risk level. To view this experience, you must select **Try it now**.

+>

+> :::image type="content" source="media/review-security-recommendations/try-it-now.png" alt-text="Screenshot that shows where the try it now button is located on the recommendation page." lightbox="media/review-security-recommendations/try-it-now.png":::

+**To review recommendations**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Defender for Cloud** > **Recommendations**.

+ - **Recommendation status** indicates whether the recommendation is assigned, and the status of the due date for fixing the recommendation.

+It's important to review all of the details related to a recommendation before trying to understand the process needed to resolve the recommendation. We recommend ensuring that all of the recommendation details are correct before resolving the recommendation.

+**To review a recommendation's details**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Defender for Cloud** > **Recommendations**.

+1. Select a recommendation.

+You can perform many actions to interact with recommendations. If an option isn't available, it isn't relevant for the recommendation.

+**To explore a recommendation**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Defender for Cloud** > **Recommendations**.

+1. Select a recommendation.

+1. In the recommendation, you can perform the following actions:

+ - Select **Open query** to view detailed information about the affected resources using an Azure Resource Graph Explorer query.

+ - Select **View policy definition** to view the Azure Policy entry for the underlying recommendation (if relevant).

+1. In **Findings**, you can review affiliated findings by severity.

+

+

+

+

+ :::image type="content" source="media/review-security-recommendations/recommendation-take-action.png" alt-text="Screenshot that shows what you can see in the recommendation when you select the take action tab." lightbox="media/review-security-recommendations/recommendation-take-action.png":::

+

+1. In **Graph**, you can view and investigate all context that is used for risk prioritization, including [attack paths](how-to-manage-attack-path.md). You can select a node in an attack path to view the details of the selected node.

+**To manage recommendations assigned to you**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Defender for Cloud** > **Recommendations**.

+1. Select **Add filter** > **Owner**.

+1. Select **Apply**.

+1. In **Take action** > **Change owner & due date**, select **Edit assignment** to change the recommendation owner and due date if needed.

+You can use [Azure Resource Graph](../governance/resource-graph/index.yml) to write a [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/) to query Defender for Cloud security posture data across multiple subscriptions. Azure Resource Graph provides an efficient way to query at scale across cloud environments by viewing, filtering, grouping, and sorting data.

+**To review recommendations in Azure Resource Graph**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Defender for Cloud** > **Recommendations**.

+1. Select a recommendation.

+1. Select **Open query**.

+1. Select **run query**.

+ :::image type="content" source="./media/review-security-recommendations/run-query.png" alt-text="Screenshot of Azure Resource Graph Explorer showing the results for the recommendation shown in the previous screenshot." lightbox="media/review-security-recommendations/run-query.png":::

+1. Review the results.

+### Example

+In this example, this recommendation details page shows 15 affected resources:

+When you open the underlying query, and run it, Azure Resource Graph Explorer returns the same affected resources for this recommendation.

+ Title: Manage secrets with agentless secret scanning

+# Manage secrets with agentless secret scanning

+By using agentless secret scanning, you can proactively discover the following types of secrets across your environments (in Azure, AWS and GCP cloud providers):

+- Insecure SSH private keys:

+ - Supports RSA algorithm for PuTTy files.

+ - PKCS#8 and PKCS#1 standards.

+ - OpenSSH standard.

+- Plaintext Azure SQL connection strings, supports SQL PAAS.

+- Plaintext Azure database for PostgreSQL.

+- Plaintext Azure database for MySQL.

+- Plaintext Azure database for MariaDB.

+- Plaintext Azure Cosmos DB, including PostgreSQL, MySQL and MariaDB.

+- Plaintext AWS RDS connection string, supports SQL PAAS:

+ - Plaintext Amazon Aurora with Postgres and MySQL flavors.

+ - Plaintext Amazon custom RDS with Oracle and SQL Server flavors.

+- Plaintext Azure storage account connection strings.

+- Plaintext Azure storage account SAS tokens.

+- Plaintext AWS access keys.

+- Plaintext AWS S3 pre-signed URL.

+- Plaintext Google storage signed URL.

+- Plaintext Azure AD Client Secret.

+- Plaintext Azure DevOps Personal Access Token.

+- Plaintext GitHub Personal Access Token.

+- Plaintext Azure App Configuration Access Key.

+- Plaintext Azure Cognitive Service Key.

+- Plaintext Azure AD User Credentials.

+- Plaintext Azure Container Registry Access Key.

+- Plaintext Azure App Service Deployment Password.

+- Plaintext Azure Databricks Personal Access Token.

+- Plaintext Azure SignalR Access Key.

+- Plaintext Azure API Management Subscription Key.

+- Plaintext Azure Bot Framework Secret Key.

+- Plaintext Azure Machine Learning Web Service API Key.

+- Plaintext Azure Communication Services Access Key.

+- Plaintext Azure EventGrid Access Key.

+- Plaintext Amazon Marketplace Web Service (MWS) Access Key.

+- Plaintext Azure Maps Subscription Key.

+- Plaintext Azure Web PubSub Access Key.

+- Plaintext OpenAI API Key.

+- Plaintext Azure Batch Shared Access Key.

+- Plaintext NPM Author Token.

+- Plaintext Azure Subscription Management Certificate.

+Secret findings can be found using the [Cloud Security Explorer](#remediate-secrets-with-cloud-security-explorer) and the [Secrets tab](#remediate-secrets-from-your-asset-inventory) with their metadata like secret type, file name, file path, last access time, and more.

+The following secrets can also be accessed from the `Security Recommendations` and `Attack Path`, across Azure, AWS and GCP cloud providers:

+- Insecure SSH private keys:

+ - Supporting RSA algorithm for PuTTy files.

+ - PKCS#8 and PKCS#1 standards.

+ - OpenSSH standard.

+- Plaintext Azure database connection string:

+ - Plaintext Azure SQL connection strings, supports SQL PAAS.

+ - Plaintext Azure database for PostgreSQL.

+ - Plaintext Azure database for MySQL.

+ - Plaintext Azure database for MariaDB.

+ - Plaintext Azure Cosmos DB, including PostgreSQL, MySQL and MariaDB.

+- Plaintext AWS RDS connection string, supports SQL PAAS:

+ - Plaintext Amazon Aurora with Postgres and MySQL flavors.

+ - Plaintext Amazon custom RDS with Oracle and SQL Server flavors.

+- Plaintext Azure storage account connection strings.

+- Plaintext Azure storage account SAS tokens.

+- Plaintext AWS access keys.

+- Plaintext AWS S3 pre-signed URL.

+- Plaintext Google storage signed URL.

+The agentless scanner verifies whether SSH private keys can be used to move laterally in your network. Keys that aren't successfully verified are categorized as `unverified` on the Recommendation page.

+Security standards in Defender for Cloud are based on [Azure Policy](../governance/policy/overview.md) [initiatives](../governance/policy/concepts/initiative-definition-structure.md) or on the Defender for Cloud native platform. At the time of writing (November 2023) AWS and GCP standards are Defender for Cloud platform-based, and Azure standards are currently based on Azure Policy.

+[Agentless secret scanning](secret-scanning.md) | GA | NA | NA

+| [Agentless secret scanning](secret-scanning.md) | Γ£ö | Γ£ö |

+Defender for Cloud's regulatory standards and benchmarks are represented as [security standards](security-policy-concept.md). Each standard is an initiative defined in Azure Policy.

+In Defender for Cloud, you assign security standards to specific scopes such as Azure subscriptions, AWS accounts, and GCP projects that have Defender for Cloud enabled.

+Defender for Cloud continually assesses the environment-in-scope against standards. Based on assessments, it shows in-scope resources as being compliant or noncompliant with the standard, and provides remediation recommendations.

+- You need `Owner` or `Policy Contributor` permissions to add a standard.

+**To assign regulatory compliance standards on Azure**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Regulatory compliance**. For each standard, you can see the applied subscription.

+1. Select **Manage compliance policies**.

+ :::image type="content" source="media/update-regulatory-compliance-packages/manage-compliance.png" alt-text="Screenshot of the regulatory compliance page that shows you where to select the manage compliance policy button." lightbox="media/update-regulatory-compliance-packages/manage-compliance.png":::

+1. Select the subscription or management group on which you want to assign the security standard.

+ > [!NOTE]

+ > We recommend selecting the highest scope for which the standard is applicable so that compliance data is aggregated and tracked for all nested resources.

+1. Select **Security policies**.

+1. Locate the standard you want to enable and toggle the status to **On**.

+ If any information is needed in order to enable the standard, the **Set parameters** page appears for you to type in the information.

+The selected standard appears in **Regulatory compliance** dashboard as enabled for the subscription it was enabled on.

+## Assign a standard (AWS)

+**To assign regulatory compliance standards on AWS accounts**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Regulatory compliance**. For each standard, you can see the applied subscription.

+1. Select **Manage compliance policies**.

+**To assign regulatory compliance standards on GCP projects**:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to **Microsoft Defender for Cloud** > **Regulatory compliance**. For each standard, you can see the applied subscription.

+1. Select **Manage compliance policies**.

+ :::image type="content" source="media/update-regulatory-compliance-packages/assign-standard-gcp-from-list.png" alt-text="Screenshot that shows how to assign a standard to your GCP project." lightbox="media/update-regulatory-compliance-packages/assign-standard-gcp-from-list.png":::

+ Title: environment.yaml schema

+description: Learn how to use environment.yaml to define parameters in your environment definition.

+#customer intent: As a developer, I want to know which parameters I can assign for parameters in environment.yaml.

+# Parameters and data types in environment.yaml

+ADE environment definitions are infrastructure as code (IaC), written in Bicep or Terraform, stored in repositories. Environment definitions can be modified and adapted for your specific requirements and then used to create a deployment environment on Azure. The environment.yaml schema defines and describes the types of Azure resources included in environment definitions.

+## What is environment.yaml?

+The environment.yaml file acts as a manifest, describing the resources used and the template location for the environment definition.

+### Sample environment.yaml

+The following script is a generic example of an environment.yaml required for your environment definition.

+```yml

+name: WebApp

+version: 1.0.0

+summary: Azure Web App Environment

+description: Deploys a web app in Azure without a datastore

+runner: ARM

+templatePath: azuredeploy.json

+```

+### Definitions

+The following table describes the properties that you can use in environment.yaml.

+| **Property** | **Type** | **Description** | **Required** | **Examples** |

+| | -- | -- | | -- |

+| name | string | The display name of the catalog item. | Yes | |

+| version | string | The version of the catalog item. | | 1.0.0 |

+| summary | string | A short summary string about the catalog item. | | |

+| description | string | A description of the catalog item. | | |

+| runner | string | The container image to use when executing actions. | | ARM template </br> Terraform |

+| templatePath | string | The relative path of the entry template file. | Yes | main.tf </br> main.bicep </br> azuredeploy.json |

+| parameters | array | Input parameters to use when creating the environment and executing actions. | | #/definitions/Parameter |

+## Parameters in environment.yaml

+Parameters enable you to reuse an environment definition in different scenarios. For example, you might want developers in different regions to deploy the same environment. You can define a location parameter to prompt the developer to enter the desired location as they create their environment.

+### Sample environment.yaml with parameters

+The following script is an example of a environment.yaml file that includes two parameters; `location` and `name`:

+```yml

+name: WebApp

+summary: Azure Web App Environment

+description: Deploys a web app in Azure without a datastore

+runner: ARM

+templatePath: azuredeploy.json

+parameters:

+- id: "location"

+ name: "location"

+ description: "Location to deploy the environment resources"

+ default: "[resourceGroup().location]"

+ type: "string"

+ required: false

+- id: "name"

+ name: "name"

+ description: "Name of the Web App "

+ default: ""

+ type: "string"

+ required: false

+```

+### Parameter definitions

+The following table describes the data types that you can use in environment.yaml. The data type names used in the environment.yaml manifest file differ from the ones used in ARM templates.

+Each parameter can use any of the following properties:

+| **Properties** | **Type** | **Description** | **Further Settings** |

+| -- | -- | | |

+| ID | string | Unique ID of the parameter. | |

+| name | string | Display name of the parameter. | |

+| description | string | Description of the parameter. | |

+| default | array </br> boolean </br> integer </br> number </br> object </br> string | The default value of the parameter. | |

+| type | array </br> boolean </br> integer </br> number </br> object </br> string | The data type of the parameter. This data type must match the parameter data type in the ARM template, BICEP file, or Terraform file with the corresponding parameter name. | **Default type:** string |

+| readOnly | boolean | Whether or not this parameter is read-only. | |

+| required | boolean | Whether or not this parameter is required. | |

+| allowed | array | An array of allowed values. | "items": { </br> "type": "string" </br> }, </br> "minItems": 1, </br> "uniqueItems": true, |

+## YAML schema

+There's a defined schema for Azure Deployment Environments environment.yaml files, which can make editing these files a little easier. You can add the schema definition to the beginning of your environment.yaml file:

+```yml

+# yaml-language-server: $schema=https://github.com/Azure/deployment-environments/releases/download/2022-11-11-preview/manifest.schema.json

+```

+

+Here's an example environment definition that uses the schema:

+```yml

+# yaml-language-server: $schema=https://github.com/Azure/deployment-environments/releases/download/2022-11-11-preview/manifest.schema.json

+name: FunctionApp

+version: 1.0.0

+summary: Azure Function App Environment

+description: Deploys an Azure Function App, Storage Account, and Application Insights

+runner: ARM

+templatePath: azuredeploy.json

+parameters:

+ - id: name

+ name: Name

+ description: 'Name of the Function App.'

+ type: string

+ required: true

+ - id: supportsHttpsTrafficOnly

+ name: 'Supports Https Traffic Only'

+ description: 'Allows https traffic only to Storage Account and Functions App if set to true.'

+ type: boolean

+ - id: runtime

+ name: Runtime

+ description: 'The language worker runtime to load in the function app.'

+ type: string

+ allowed:

+ - 'dotnet'

+ - 'dotnet-isolated'

+ - 'java'

+ - 'node'

+ - 'powershell'

+ - 'python'

+ default: 'dotnet-isolated'

+```

+## Related content

+- [Add and configure an environment definition in Azure Deployment Environments](configure-environment-definition.md)

+- [Parameters in ARM templates](../azure-resource-manager/templates/parameters.md)

+- [Data types in ARM templates](../azure-resource-manager/templates/data-types.md)

+The IaC template contains the environment definition (template), and the environment file, which provides metadata about the template. Your development teams use the environment definitions that you provide in the catalog to deploy environments in Azure.

+ - An environment as a YAML file.

+ To learn more about the options and data types you can use in environment.yaml, see [Parameters and data types in environment.yaml](concept-environment-yaml.md#what-is-environmentyaml).

+Parameters are defined in the environment.yaml file.

+To learn more about the parameters and their data types you can use in environment.yaml, see [Parameters and data types in environment.yaml](concept-environment-yaml.md#parameters-in-environmentyaml).

+A catalog is a repository hosted in [GitHub](https://github.com) or [Azure DevOps](https://dev.azure.com/).

+1. Ensure that the [identity](./how-to-configure-managed-identity.md) attached to the dev center has [access to the key vault secret](./how-to-configure-managed-identity.md#grant-the-managed-identity-access-to-the-key-vault-secret) where your personal access token is stored.

+Azure Deployment Environments supports authenticating to GitHub repositories by using either classic tokens or fine-grained tokens. In this example, you create a fine-grained token.

+ |**Resource owner**|Select the owner of the repository.|

+ |**Repository access**|Select **Only select repositories**.|

+ |**Select repositories**|Select the repository that contains the environment definitions.|

+ |**Repository permissions**|Expand **Repository permissions**, and for **Contents**, from the **Access** list, select **Code read**.|

+ :::image type="content" source="media/how-to-configure-catalog/github-repository-permissions.png" alt-text="Screenshot of the GitHub New fine-grained personal access token page, showing the Repository permissions with Contents highlighted." lightbox="media/how-to-configure-catalog/github-repository-permissions.png":::

+> [!IMPORTANT]

+> When working with a private repository stored within a GitHub organization, you must ensure that the GitHub PAT is configured to give access to the correct organization and the repositories within it.

+> - Classic tokens within the organization must be SSO authorized to the specific organization after they are created.

+> - Fine grained tokens must have the owner of the token set as the organization itself to be authorized.

+>

+> Incorrectly configured PATs can result in a *Repository not found* error.

+1. Ensure that the [identity](./how-to-configure-managed-identity.md) attached to the dev center has [access to the key vault secret](./how-to-configure-managed-identity.md#grant-the-managed-identity-access-to-the-key-vault-secret) where your personal access token is stored.

+The entitlements service of Azure Data Manager for Energy allows you to create groups and manage memberships of the groups. An entitlement group defines permissions on services/data sources for a given data partition in your Azure Data Manager for Energy instance. Users added to a given group obtain the associated permissions. Please note that different groups and associated user entitlements need to be set for a new data partition even in the same Azure Data Manager for Energy instance.

+Some user, data, and service groups are created by default when a data partition is provisioned. Details of these groups and their hierarchy scope is in [Bootstrapped OSDU Entitlements Groups](https://community.opengroup.org/osdu/platform/deployment-and-operations/infra-azure-provisioning/-/blob/master/docs/osdu-entitlement-roles.md).

+If you haven't yet created entitlements groups, follow the directions as outlined in [How to manage users](how-to-manage-users.md). If you would like to see what groups you have, use [Get entitlements groups for a given user](how-to-manage-users.md#get-entitlements-groups-for-a-given-user-in-a-data-partition). Data access isolation is achieved with this dedicated ACL (access control list) per object within a given data partition.

+> [How to convert a segy to zgy file](./how-to-convert-segy-to-zgy.md)

+If you haven't yet created entitlements groups, follow the directions as outlined in [How to manage users](how-to-manage-users.md). If you would like to see what groups you have, use [Get entitlements groups for a given user](how-to-manage-users.md#get-entitlements-groups-for-a-given-user-in-a-data-partition). Data access isolation is achieved with this dedicated ACL (access control list) per object within a given data partition.

+> [How to convert SEGY to OVDS](./how-to-convert-segy-to-ovds.md)

+In this article, you learn how to manage users and their memberships in OSDU groups in Azure Data Manager for Energy. [Entitlements APIs](https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/tree/master/) are used to add or remove users to OSDU groups and to check the entitlements when the user tries to access the OSDU services or data. For more information about OSDU groups, see [entitlement services](concepts-entitlements.md).

+4. Keep all these parameter values handy as they are needed for executing different user management requests via the Entitlements API.

+It's the same value that you use to register your application during the provisioning of your [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md). It is often referred to as `app-id`.

+2. Copy the `access_token` value from the response. You need it to pass as one of the headers in all calls to the Entitlements APIs.

+2. Input the `object-id` (OID) of the users (or the application or client ID if managing access for an application) as parameters in the calls to the Entitlements API of your Azure Data Manager for Energy instance.

+## First time addition of users in a new data partition

+In order to add entitlements to a new data partition of Azure Data Manager for Energy instance, use the SPN token of the app that was used to provision the instance. If you try to directly use user tokens for adding entitlements, it results in 401 error. The SPN token must be used to add initial users in the system and those users (with admin access) can then manage additional users.

+The SPN is generated using client_credentials flow

+```bash

+curl --location --request POST 'https://login.microsoftonline.com/<tenant-id>/oauth2/token' \

+--header 'Content-Type: application/x-www-form-urlencoded' \

+--data-urlencode 'grant_type=client_credentials' \

+--data-urlencode 'scope=<client-id>.default' \

+--data-urlencode 'client_id=<client-id>' \

+--data-urlencode 'client_secret=<client-secret>' \

+--data-urlencode 'resource=<client-id>'

+```

+## Get the list of all available groups in a data partition

+## Add user(s) to an OSDU group in a data partition

+## Add user(s) to an entitlements group in a data partition

+## Get entitlements groups for a given user in a data partition

+## Delete entitlement groups of a given user in a data partition

+1. The deployment takes a few minutes to complete. On the **Deployment** page, select **Go to resource**.

+Before subscribing to the events for the Blob storage, let's create the endpoint for the event message. Typically, the endpoint takes actions based on the event data. To simplify this quickstart, you deploy a [prebuilt web app](https://github.com/Azure-Samples/azure-event-grid-viewer) that displays the event messages. The deployed solution includes an App Service plan, an App Service web app, and source code from GitHub.

+1. The deployment takes a few minutes to complete. On the **Deployment** page, select **Go to resource group**.

+4. For **Endpoint**, choose **Select an endpoint**, and enter the URL of your web app and add `api/updates` to the home page URL (for example: `https://spegridsite.azurewebsites.net/api/updates`), and then select **Confirm Selection**.

+You trigger an event for the Blob storage by uploading a file. The file doesn't need any specific content.

+ :::image type="content" source="./media/blob-event-quickstart-portal/upload-file.png" alt-text="Screenshot showing Upload blob page." lightbox="./media/blob-event-quickstart-portal/upload-file.png":::

+The **Event Grid Subscription Reader** and **Event Grid Subscription Contributor** roles are for managing event subscriptions. They're important when implementing [event domains](event-domains.md) because they give users the permissions they need to subscribe to topics in your event domain. These roles are focused on event subscriptions and don't grant access for actions such as creating topics.

+The **Event Grid Contributor** role allows you to create and manage Event Grid resources.

+If you need to specify permissions that are different than the built-in roles, create custom roles.

+To complete this quickstart, make sure that you have an Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/) before you begin.

+1. In the Azure portal, select **All services** in the left menu, and select **star (`*`)** next to **Event Hubs** in the **Analytics** category. Confirm that **Event Hubs** is added to **FAVORITES** in the left navigational menu.

+There are two factors that influence scaling with Event Hubs.

+- Throughput units (standard tier) or processing units (premium tier)

+- Partitions

+The throughput capacity of event hubs is controlled by **throughput units**. Throughput units are prepurchased units of capacity. A single throughput unit lets you:

+* Ingress: Up to 1 MB per second or 1,000 events per second (whichever comes first).

+* Egress: Up to 2 MB per second or 4,096 events per second.

+Beyond the capacity of the purchased throughput units, ingress is throttled and Event Hubs throws a [ServerBusyException](/dotnet/api/microsoft.azure.eventhubs.serverbusyexception). Egress doesn't produce throttling exceptions, but is still limited to the capacity of the purchased throughput units. If you receive publishing rate exceptions or are expecting to see higher egress, be sure to check how many throughput units you have purchased for the namespace. You can manage throughput units on the **Scale** page of the namespaces in the [Azure portal](https://portal.azure.com). You can also manage throughput units programmatically using the [Event Hubs APIs](./event-hubs-samples.md).

+Throughput units are prepurchased and are billed per hour. Once purchased, throughput units are billed for a minimum of one hour. Up to 40 throughput units can be purchased for an Event Hubs namespace and are shared across all event hubs in that namespace.

+For more information about the autoinflate feature, see [Automatically scale throughput units](event-hubs-auto-inflate.md).

+ [Event Hubs Premium](./event-hubs-premium-overview.md) provides superior performance and better isolation within a managed multitenant PaaS environment. The resources in a Premium tier are isolated at the CPU and memory level so that each tenant workload runs in isolation. This resource container is called a **Processing Unit** (PU). You can purchase 1, 2, 4, 8 or 16 processing Units for each Event Hubs Premium namespace.

+For example, Event Hubs Premium namespace with one PU and one event hub (100 partitions) can approximately offer core capacity of ~5-10 MB/s ingress and 10-20 MB/s egress for both AMQP or Kafka workloads.

+* For more information on how to deploy ErGwScale, see [Configure a virtual network gateway for ExpressRoute using the Azure portal](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-portal-resource-manager).

+> [!NOTE]

+> Office 365 service tags and FQDN tags are supported in Azure Firewall policy only. They aren't supported in classic rules.

+* An Azure Managed Prometheus workspace. You can think of this workspace as a unique Azure Monitor logs environment with its own data repository, data sources, and solutions. For the instructions, see [Create an Azure Managed Prometheus workspace](../azure-monitor/essentials/azure-monitor-workspace-manage.md).

+* Azure Managed Grafana workspace. For the instructions, see [Create an Azure Managed Grafana workspace](../managed-grafan).

+> [!IMPORTANT]

+> If you delete and IoT Central application, it's not possible to recover it. It is possible to create a new application with the same name, but it will be a new application with no data. You need to wait for several minutes before you can create a new application with the same name.

+1. In an elevated PowerShell session, run the following commands to download IoT Edge for Linux on Windows.

+ :::image type="content" source="media/howto-connect-rigado-cascade-500/primary-key-sas.png" alt-text="Screenshot that shows the primary SAS key for your device connection group." lightbox="media/howto-connect-rigado-cascade-500/primary-key-sas.png":::

+This how-to guide shows you how to extend your IoT Central application with custom rules and notifications. The example shows sending a notification to an operator when a device stops sending telemetry. The solution uses an [Azure Stream Analytics](../../stream-analytics/index.yml) query to detect when a device stops sending telemetry. The Stream Analytics job uses [Azure Functions](../../azure-functions/index.yml) to send notification emails using [SendGrid](https://sendgrid.com/docs/for-developers/partners/microsoft-azure/).

+* Create a Stream Analytics query that detects when a device stops sending data.

+* Create a Stream Analytics query that detects when a device stops sending data.

+In this example, the downstream device doesn't need a device template. The downstream device is registered in IoT Central so you can generate the credentials it needs to connect the IoT Edge device. Because the IoT Edge module transforms the data, all the downstream device telemetry arrives in IoT Central as if the IoT Edge device has sent it.

+1. Select the **Modules** tab and check the status of the three modules. It takes a few minutes for the IoT Edge runtime to start up in the virtual machine. When the virtual machine is running, the status of the three modules is **Running**. If the IoT Edge runtime doesn't start, see [Troubleshoot your IoT Edge device](../../iot-edge/troubleshoot.md).

+The sample device you use to test the scenario is written in Node.js. Make sure you have Node.js and npm installed on your local machine. If you don't want to install these prerequisites, use the [Azure Cloud Shell](https://shell.azure.com/) where they are preinstalled.

+Go to [Azure IoT explorer releases](https://github.com/Azure/azure-iot-explorer/releases) and expand the list of assets for the most recent release. Download and install the most recent version of the application. The installation package configures a way for you to launch the application on your platform. For example, in Windows you can launch the application from the Start menu.

+| 256KB max message size. | 512KB max message size. |

+ 1. In Edge, select __...__ and then select __Settings__.

+ 1. From settings, search for `DNS` and then disable __Use secure DNS to specify how to look up the network address for websites__.

+

+ :::image type="content" source="./media/how-to-troubleshoot-secure-connection-workspace/disable-dns-over-http.png" alt-text="Screenshot of the use secure DNS setting in Microsoft Edge.":::

+To make a REST call, you need an OAuth 2.0 bearer-type authentication header. For information about setting up authentication to your workspace and making a parameterized REST call, see [Use REST to manage resources](../how-to-manage-rest.md).

+For how to publish and submit a job to pipeline endpoint using the SDK v1, see [Publish pipelines](how-to-deploy-pipelines.md).

+**Q. How do I manage my reserved instances for MariaDB?**

+A. You will not be able to purchase or renew MariaDB reserved instances starting **December 1 2023**. You can renew the reserved instances before December first using Azure portal. For any reserved instances expiring after *December 1 2023*, will be converted to Pay As You Go billing model. After migrating your workload to Azure Database for MySQL Flexible server, you can [purchase reserved instances](../mysql/single-server/concept-reserved-pricing.md) for MySQL Flexible Server.

+- To find answers to some of the most frequently asked questions about NSG flow logs, see [Flow logs FAQ](frequently-asked-questions.yml#flow-logs).

+> | Microsoft.OperationalInsights/workspaces/read | Get an existing workspace |

+> | Microsoft.OperationalInsights/workspaces/sharedkeys/action | Retrieve the shared keys for the workspace |

+ - `Microsoft.OperationalInsights/workspaces/read` ¹

+ - `Microsoft.OperationalInsights/workspaces/sharedkeys/action` ¹

+1. [Create a Language resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextAnalytics) in the Azure portal to get your key and endpoint.

+1. After it deploys, select **Go to resource**.

+In the Language resource, under **Resource Management** > **Keys and Endpoints** you can find the endpoint and keys for your language resource. Use the endpoint and key to enable `azure_ai` extension to invoke the model deployment.

+select azure_ai.set_setting('azure_cognitive.endpoint','https://<endpoint>.cognitiveservices.azure.com');

+##### `timeout_ms`

+##### `throw_on_error`

+##### `disable_service_logs`

+`boolean DEFAULT false` the Language service logs your input text for 48 hours solely to allow for troubleshooting issues. Setting this property to `true` disables input logging and might limit our ability to investigate issues that occur.

+##### `timeout_ms`

+##### `throw_on_error`

+##### `disable_service_logs`

+`boolean DEFAULT false` the Language service logs your input text for 48 hours solely to allow for troubleshooting issues. Setting this property to `true` disables input logging and might limit our ability to investigate issues that occur.

+`azure_cognitive.language_detection_result`, a result containing the detected language name, its two-letter ISO 639-1 representation and the confidence score for the detection. For example in `(Portuguese,pt,0.97)`, the language is `Portuguese`, and detection confidence is `0.97`.

+##### `timeout_ms`

+##### `throw_on_error`

+##### `disable_service_logs`

+`boolean DEFAULT false` the Language service logs your input text for 48 hours solely to allow for troubleshooting issues. Setting this property to `true` disables input logging and might limit our ability to investigate issues that occur.

+`text[]`, a collection of key phrases identified in the text. For example, if invoked with a `text` set to `'For more information, see Cognitive Services Compliance and Privacy notes.'`, and `language` set to `'en'`, it could return `{"Cognitive Services Compliance","Privacy notes",information}`.

+##### `timeout_ms`

+##### `throw_on_error`

+##### `disable_service_logs`

+`boolean DEFAULT false` the Language service logs your input text for 48 hours solely to allow for troubleshooting issues. Setting this property to `true` disables input logging and might limit our ability to investigate issues that occur.

+`azure_cognitive.linked_entity[]`, a collection of linked entities, where each defines the name, data source entity identifier, language, data source, URL, collection of `azure_cognitive.linked_entity_match` (defining the text and confidence score) and finally a Bing entity search API identifier. For example, if invoked with a `text` set to `'For more information, see Cognitive Services Compliance and Privacy notes.'`, and `language` set to `'en'`, it could return `{"(\"Cognitive computing\",\"Cognitive computing\",en,Wikipedia,https://en.wikipedia.org/wiki/Cognitive_computing,\"{\"\"(\\\\\"\"Cognitive Services\\\\\"\",0.78)\

+"\"}\",d73f7d5f-fddb-0908-27b0-74c7db81cd8d)","(\"Regulatory compliance\",\"Regulatory compliance\",en,Wikipedia,https://en.wikipedia.org/wiki/Regulatory_compliance

+,\"{\"\"(Compliance,0.28)\"\"}\",89fefaf8-e730-23c4-b519-048f3c73cdbd)","(\"Information privacy\",\"Information privacy\",en,Wikipedia,https://en.wikipedia.org/wiki

+/Information_privacy,\"{\"\"(Privacy,0)\"\"}\",3d0f2e25-5829-4b93-4057-4a805f0b1043)"}`.

+##### `timeout_ms`

+##### `throw_on_error`

+##### `disable_service_logs`

+`boolean DEFAULT false` the Language service logs your input text for 48 hours solely to allow for troubleshooting issues. Setting this property to `true` disables input logging and might limit our ability to investigate issues that occur.

+`azure_cognitive.entity[]`, a collection of entities, where each defines the text identifying the entity, category of the entity and confidence score of the match. For example, if invoked with a `text` set to `'For more information, see Cognitive Services Compliance and Privacy notes.'`, and `language` set to `'en'`, it could return `{"(\"Cognitive Services\",Skill,\"\",0.94)"}`.

+##### `timeout_ms`

+##### `throw_on_error`

+##### `domain`

+##### `disable_service_logs`

+`boolean DEFAULT true` the Language service logs your input text for 48 hours solely to allow for troubleshooting issues. Setting this property to `true` disables input logging and might limit our ability to investigate issues that occur.

+`azure_cognitive.pii_entity_recognition_result`, a result containing the redacted text and entities as `azure_cognitive.entity[]`. Each entity contains the nonredacted text, personal data category, subcategory and a score indicating the confidence that the entity correctly matches the identified substring. For example, if invoked with a `text` set to `'My phone number is +1555555555, and the address of my office is 16255 NE 36th Way, Redmond, WA 98052.'`, and `language` set to `'en'`, it could return `("My phone number is ***********, and the address of my office is ************************************.","{""(+1555555555,PhoneNumber,\\""\\"",0.8)"",""(\\""16255 NE 36th Way, Redmond, WA 98052\\"",Address,\\""\\"",1)""}")`.

+##### `timeout_ms`

+##### `throw_on_error`

+##### `sentence_count`

+##### `disable_service_logs`

+`boolean DEFAULT false` the Language service logs your input text for 48 hours solely to allow for troubleshooting issues. Setting this property to `true` disables input logging and might limit our ability to investigate issues that occur.

+`text[]`, a collection of summaries with each one not exceeding the defined `sentence_count`. For example, if invoked with a `text` set to `'PostgreSQL features transactions with atomicity, consistency, isolation, durability (ACID) properties, automatically updatable views, materialized views, triggers, foreign keys, and stored procedures. It is designed to handle a range of workloads, from single machines to data warehouses or web services with many concurrent users. It was the default database for macOS Server and is also available for Linux, FreeBSD, OpenBSD, and Windows.'`, and `language` set to `'en'`, it could return `{"PostgreSQL is a database system with advanced features such as atomicity, consistency, isolation, and durability (ACID) properties. It is designed to handle a range of workloads, from single machines to data warehouses or web services with many concurrent users. PostgreSQL was the default database for macOS Server and is available for Linux, BSD, OpenBSD, and Windows."}`.

+##### `timeout_ms`

+##### `throw_on_error`

+##### `sentence_count`

+##### `sort_by`

+##### `disable_service_logs`

+`boolean DEFAULT false` the Language service logs your input text for 48 hours solely to allow for troubleshooting issues. Setting this property to `true` disables input logging and might limit our ability to investigate issues that occur.

+`azure_cognitive.sentence[]`, a collection of extracted sentences along with their rank score. For example, if invoked with a `text` set to `'PostgreSQL features transactions with atomicity, consistency, isolation, durability (ACID) properties, automatically updatable views, materialized views, triggers, foreign keys, and stored procedures. It is designed to handle a range of workloads, from single machines to data warehouses or web services with many concurrent users. It was the default database for macOS Server and is also available for Linux, FreeBSD, OpenBSD, and Windows.'`, and `language` set to `'en'`, it could return `{"(\"PostgreSQL features transactions with atomicity, consistency, isolation, durability (ACID) properties, automatically updatable views, materialized views, triggers, foreign keys, and stored procedures.\",0.16)","(\"It is designed to handle a range of workloads, from single machines to data warehouses or web services with many concurrent users.\",0)","(\"It was the default database for macOS Server and is also available for Linux, FreeBSD, OpenBSD, and Windows.\",1)"}`.

+Invoke [Azure OpenAI embeddings](../../ai-services/openai/reference.md#embeddings) easily to get a vector representation of the input, which can be used then in [vector similarity](./how-to-use-pgvector.md#vector-similarity) searches and consumed by machine learning models.

+1. Grant Access to Azure OpenAI in the desired subscription.

+1. Grant permissions toΓÇ»[create Azure OpenAI resources and to deploy models](../../ai-services/openai/how-to/role-based-access-control.md).

+In the Azure OpenAI resource, under **Resource Management** > **Keys and Endpoints** you can find the endpoint and the keys for your Azure OpenAI resource. Use the endpoint and one of the keys to enable `azure_ai` extension to invoke the model deployment.

+> To remove the extension from the currently connected database use `DROP EXTENSION azure_ai;`.

+az postgres flexible-server stop --resource-group resourcegroupname --name myservername

+Point cloud asset conversion has a hard limit of 12.5 billion points per converted asset. If larger data sets need to be rendered, the source file needs to be split into multiple assets that obey the 12.5 billion points constraint each. The renderer doesn't limit you on the number of unique assets being loaded, and the [streaming data technique](#point-cloud-data-streaming) ensures that prioritization works seamlessly across all loaded instances.

+## Point cloud data streaming

+Point cloud asset files are automatically configured for dynamic data streaming during conversion. That means that unlike triangular mesh assets, point cloud assets of significant size aren't fully downloaded to the rendering VM, but rather partially loaded from storage as needed.

+Regardless of the point cloud file size, the great benefit of the data streaming approach is that the renderer can start early with presenting the data. The decision of the renderer which data to prioritize, is based on camera view and proximity across all loaded point cloud models. No custom interaction through the API is necessary. Furthermore, data streaming automatically manages the budget and priorities based on how much particular data is relevant for the current view.

+In case multiple point cloud assets are instantiated on the scene, the streaming system makes sure to prioritize data seamlessly across all point clouds, just as it would be a single asset. Accordingly, splitting the source file is a convenient way to work around the size limitation per file.

+* **Maximum number of distinct materials** in a singular triangular mesh asset: 65,535. For more information about automatic material count reduction, see the [material deduplication](../how-tos/conversion/configure-model-conversion.md#material-deduplication) chapter.

+* **Maximum dimension of a single texture**: 16,384 x 16,384. Larger textures can't be used by the renderer. The conversion process can sometimes reduce larger textures in size, but in general it fails to process textures larger than this limit.

+* **Maximum number of points in a single point cloud asset**: 12.5 billion.

+### Standard size

+Remote Rendering with `Standard` size server has a maximum scene size of 20 million primitives. When the renderer on a 'Standard' server size hits this limitation, it switches rendering to a checkerboard background:

+### Premium size

+Remote Rendering with `Premium` size doesn't enforce a hard maximum, but performance may be degraded if your content exceeds the rendering capabilities of the service. Furthermore, for triangular meshes (and unlike point clouds), the available amount of graphics memory is a hard limit. It's not possible to map the amount of graphics memory to a specific number of triangles, because there are many contributing factors that depend on the source mesh and settings:

+* number and resolution of textures,

+* amount of unique geometry versus sub-mesh instantiation inside the mesh (see also [instancing objects](../how-tos/conversion/configure-model-conversion.md#instancing)),

+* [vertex streams](../how-tos/conversion/configure-model-conversion.md#vertex-format) being used,

+* the [rendering composition mode](../concepts/rendering-modes.md) used with the `Premium` size.

+For [point clouds](../overview/features/point-cloud-rendering.md) there's no real limit since point cloud assets use the [data streaming approach](../overview/features/point-cloud-rendering.md#point-cloud-data-streaming). With data streaming, the renderer automatically manages the memory budget on the graphics card, based on the actual visible geometry.

+* If your application is dealing with dynamic content, the number of rendered primitives can be queried dynamically during runtime. Use a [performance assessment query](../overview/features/performance-queries.md#performance-assessment-queries) and check for the sum of the values in the two members `PolygonsRendered` and `PointsRendered` in the `PerformanceAssessment` struct. The `PolygonsRendered` / `PointsRendered` field is set to `bad` when the renderer hits the primitive limitation. The checkerboard background is always faded in with some delay to ensure user action can be taken after this asynchronous query. User action can, for instance, be hiding or deleting model instances.

+Custom skills can be more challenging to debug because the code runs externally, so the debug session can't be used to debug them. This section describes how to locally debug your Custom Web API skill, debug session, Visual Studio Code and [ngrok](https://ngrok.com/docs) or [Tunnelmole](https://github.com/robbie-cahill/tunnelmole-client). This technique works with custom skills that execute in [Azure Functions](../azure-functions/functions-overview.md) or any other Web Framework that runs locally (for example, [FastAPI](https://fastapi.tiangolo.com/)).

+### Get a public URL

+#### Using Tunnelmole

+Tunnelmole is an open source tunneling tool that can create a public URL that forwards requests to your local machine through a tunnel.

+1. Install Tunnelmole:

+ - npm: `npm install -g tunnelmole`

+ - Linux: `curl -s https://tunnelmole.com/sh/install-linux.sh | sudo bash`

+ - Mac: `curl -s https://tunnelmole.com/sh/install-mac.sh --output install-mac.sh && sudo bash install-mac.sh`

+ - Windows: Install by using npm. Or if you don't have NodeJS installed, download the [precompiled .exe file for Windows](https://tunnelmole.com/downloads/tmole.exe) and put it somewhere in your PATH.

+2. Run this command to create a new tunnel:

+ ```console

+ Γ₧£ ~ tmole 7071

+ http://m5hdpb-ip-49-183-170-144.tunnelmole.net is forwarding to localhost:7071

+ https://m5hdpb-ip-49-183-170-144.tunnelmole.net is forwarding to localhost:7071

+ ```

+In the preceding example, `https://m5hdpb-ip-49-183-170-144.tunnelmole.net` forwards to port `7071` on your local machine, which is the default port where Azure functions are exposed.

+#### Using ngrok

+[**ngrok**](https://ngrok.com/docs) is a popular, closed source, cross-platform application that can create a tunneling or forwarding URL, so that internet requests reach your local machine. Use ngrok to forward requests from an enrichment pipeline in your search service to your machine to allow local debugging.

+2. Open a terminal and go to the folder with the ngrok executable.

+3. Run ngrok with the following command to create a new tunnel:

+4. When ngrok starts, copy and save the public forwarding URL for the next step. The forwarding URL is randomly generated.

+Within the debug session, modify your Custom Web API Skill URI to call the Tunnelmole or ngrok forwarding URL. Ensure that you append "/api/FunctionName" when using Azure Function for executing the skillset code.

+description: Review differences in API versions and learn the steps for migrating code to the newest Azure AI Search service REST API version.

+Use this article to migrate data plane REST API calls to newer *stable* versions of the [**Search REST API**](/rest/api/searchservice/).

+> New filter controls on the table of contents provide version-specific API reference pages. To get the right information, open a reference page and then apply the filter.

+Azure AI Search strives for backward compatibility. To upgrade and continue with existing functionality, you can usually just change the API version number. Conversely, situations calling for change codes include:

+If any of these situations apply to you, change your code to maintain existing functionality. Otherwise, no changes should be necessary, although you might want to start using features added in the new version.

+## Upgrade to 2023-11-01

+This version has breaking changes and behavioral differences for semantic ranking and vector search support.

+[Semantic ranking](semantic-search-overview.md) no longer uses `queryLanguage`. It also requires a `semanticConfiguration` definition. If you're migrating from 2020-06-30-preview, a semantic configuration replaces `searchFields`. See [Migrate from preview version](semantic-how-to-query-request.md#migrate-from-preview-versions) for steps.

+[Vector search](vector-search-overview.md) support was introduced in [Create or Update Index (2023-07-01-preview)](/rest/api/searchservice/preview-api/create-or-update-index). If you're migrating from that version, there are new options and several breaking changes. New options include vector filter mode, vector profiles, and an exhaustive K-nearest neighbors algorithm and query-time exhaustive k-NN flag. Breaking changes include renaming and restructuring the vector configuration in the index, and vector query syntax.

+If you added vector support using 2023-10-01-preview, there are no breaking changes. There's one behavior difference: the `vectorFilterMode` default changed from postfilter to prefilter. Change the API version and test your code to confirm the migration from the previous preview version (2023-07-01-preview).

+> [!TIP]

+> You can upgrade a 2023-07-01-preview index in the Azure portal. The portal detects the previous version and provides a **Migrate** button. Select **Edit JSON** to review the updated schema before selecting **Migrate**. The new and changed schema conforms to the steps described in this section. Portal migration only handles indexes with one vector field. Indexes with more than one vector field require manual migration.

+Here are the steps for migrating from 2023-07-01-preview:

+1. Call [Get Index](/rest/api/searchservice/indexes/get?view=rest-searchservice-2023-11-01&tabs=HTTP&preserve-view=true) to retrieve the existing definition.

+1. Modify the vector search configuration. This API introduces the concept of "vector profiles" which bundles together vector-related configurations under one name. It also renames `algorithmConfigurations` to `algorithms`.

+ + Rename `algorithmConfigurations` to `algorithms`. This is only a renaming of the array. The contents are backwards compatible. This means your existing HNSW configuration parameters can be used.

+ + Add `profiles`, giving a name and an algorithm configuration for each one.

+ **Before migration (2023-07-01-preview)**:

+ ```http

+ "vectorSearch": {

+ "algorithmConfigurations": [

+ {

+ "name": "myHnswConfig",

+ "kind": "hnsw",

+ "hnswParameters": {

+ "m": 4,

+ "efConstruction": 400,

+ "efSearch": 500,

+ "metric": "cosine"

+ }

+ }

+ ]}

+ ```

+ **After migration (2023-11-01)**:

+ ```http

+ "vectorSearch": {

+ "profiles": [

+ {

+ "name": "myHnswProfile",

+ "algorithm": "myHnswConfig"

+ }

+ ],

+ "algorithms": [

+ {

+ "name": "myHnswConfig",

+ "kind": "hnsw",

+ "hnswParameters": {

+ "m": 4,

+ "efConstruction": 400,

+ "efSearch": 500,

+ "metric": "cosine"

+ }

+ }

+ ]

+ }

+ ```

+1. Modify vector field definitions, replacing `vectorSearchConfiguration` with `vectorSearchProfile`. Other vector field properties remain unchanged. For example, they can't be filterable, sortable, or facetable, nor use analyzers or normalizers or synonym maps.

+ **Before (2023-07-01-preview)**:

+ ```http

+ {

+ "name": "contentVector",

+ "type": "Collection(Edm.Single)",

+ "key": false,

+ "searchable": true,

+ "retrievable": true,

+ "filterable": false,

+ "sortable": false,

+ "facetable": false,

+ "analyzer": "",

+ "searchAnalyzer": "",

+ "indexAnalyzer": "",

+ "normalizer": "",

+ "synonymMaps": "",

+ "dimensions": 1536,

+ "vectorSearchConfiguration": "myHnswConfig"

+ }

+ ```

+ **After (2023-11-01)**:

+ ```http

+ {

+ "name": "contentVector",

+ "type": "Collection(Edm.Single)",

+ "searchable": true,

+ "retrievable": true,

+ "filterable": false,

+ "sortable": false,

+ "facetable": false,

+ "analyzer": "",

+ "searchAnalyzer": "",

+ "indexAnalyzer": "",

+ "normalizer": "",

+ "synonymMaps": "",

+ "dimensions": 1536,

+ "vectorSearchProfile": "myHnswProfile"

+ }

+ ```

+1. Call [Create or Update Index](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2023-11-01&tabs=HTTP&preserve-view=true) to post the changes.

+1. Modify [Search POST](/rest/api/searchservice/documents/search-post?view=rest-searchservice-2023-11-01&tabs=HTTP&preserve-view=true) to change the query syntax. This API change enables support for polymorphic vector query types.

+ + Rename `vectors` to `vectorQueries`.

+ + For each vector query, add `kind`, setting it to "vector".

+ + For each vector query, rename `value` to `vector`.

+ + Optionally, add `vectorFilterMode` if you're using [filter expressions](vector-search-filters.md). The default is prefilter for indexes created after 2023-10-01. Indexes created before that date only support postfilter, regardless of how you set the filter mode.

+ **Before (2023-07-01-preview)**:

+ ```http

+ {

+ "search": (this parameter is ignored in vector search),

+ "vectors": [{

+ "value": [

+ 0.103,

+ 0.0712,

+ 0.0852,

+ 0.1547,

+ 0.1183

+ ],

+ "fields": "contentVector",

+ "k": 5

+ }],

+ "select": "title, content, category"

+ }

+ ```

+ **After (2023-11-01)**:

+ ```http

+ {

+ "search": "(this parameter is ignored in vector search)",

+ "vectorQueries": [

+ {

+ "kind": "vector",

+ "vector": [

+ 0.103,

+ 0.0712,

+ 0.0852,

+ 0.1547,

+ 0.1183

+ ],

+ "fields": "contentVector",

+ "k": 5

+ }

+ ],

+ "vectorFilterMode": "preFilter",

+ "select": "title, content, category"

+ }

+ ```

+These steps complete the migration to 2023-11-01 API version.

+In this version, there's one breaking change and several behavioral differences. Generally available features include:

+* [BM25 ranking algorithm](index-ranking-similarity.md) replaces the previous ranking algorithm with newer technology. New services use this algorithm automatically. For existing services, you must set parameters to use the new algorithm.

+If you called the [Name Entity Recognition](cognitive-search-skill-named-entity-recognition.md) skill in your code, the call fails. Replacement functionality is [Entity Recognition Skill (V3)](cognitive-search-skill-entity-recognition-v3.md). Follow the recommendations in [Deprecated skills](cognitive-search-skill-deprecated.md) to migrate to a supported skill.

+If your code is using complex types with one of the older preview API versions, you might be using an index definition format that looks like this:

+2. Translate the index from the ΓÇ£flatΓÇ¥ format to the new format. You have to write code for this task since there's no sample code available at the time of this writing.

+A [fixed-sized chunking and embedding generation sample](https://github.com/Azure-Samples/azure-search-power-skills/blob/main/Vector/EmbeddingGenerator/README.md) demonstrates both chunking and vector embedding generation using [Azure OpenAI](/azure/ai-services/openai/) embedding models. This sample uses an [Azure AI Search custom skill](cognitive-search-custom-skill-web-api.md) in the [Power Skills repo](https://github.com/Azure-Samples/azure-search-power-skills/tree/main#readme) to wrap the chunking step.

+> Looking for migration guidance from 2023-07-01-preview? See [Upgrade REST APIs](search-api-migration.md).

+Looking for preview-to-stable version migration guidance? See [Upgrade REST APIs](search-api-migration.md) for steps.

+Code samples in the [azure-search-vector](https://github.com/Azure/cognitive-search-vector-pr) repository demonstrate end-to-end workflows that include schema definition, vectorization, indexing, and queries.

+There's demo code for [Python](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-python), [C#](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-dotnet) [Java](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-java), and [JavaScript](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-javascript).

+| [**2023-11-01 Search REST API**](/rest/api/searchservice/search-service-api-versions#2023-11-01) | API | New stable version of the Search REST APIs for [vector fields](vector-search-how-to-create-index.md), [vector queries](vector-search-how-to-query.md), and [semantic ranking](semantic-how-to-query-request.md). See [Upgrade REST APIs](search-api-migration.md) for migration steps to generally available features.|

+| [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt) | 0x1ed397095fd8b4b347701eaabe7f45b3<br>73a5e64a3bff8316ff0edccc618a906e4eae4d74 |

+| [**Baltimore CyberTrust Root**](https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt) | 020000b9<br>d4de20d05e66fc53fe1a50882c78db2852cae474 |

+| [**DigiCert Global Root CA**](https://cacerts.digicert.com/DigiCertGlobalRootCA.crt) | 0x083be056904246b1a1756ac95991c74a<br>A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 |

+| [**DigiCert Global Root G2**](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt) | 0x033af1e6a711a9a0bb2864b11d09fae5<br>DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 |

+| [**DigiCert Global Root G3**](https://cacerts.digicert.com/DigiCertGlobalRootG3.crt) | 0x055556bcf25ea43535c3a40fd5ab4572<br>7E04DE896A3E666D00E687D33FFAD93BE83D349E |

+| [**Microsoft ECC Root Certificate Authority 2017**](https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt) | 0x66f23daf87de8bb14aea0c573101c2ec<br>999A64C37FF47D9FAB95F14769891460EEC4C3C5 |

+| [**Microsoft RSA Root Certificate Authority 2017**](https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt) | 0x1ed397095fd8b4b347701eaabe7f45b3<br>73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74 |

+#### Notes on execution order and priority

+- Setting the **order** number in automation rules determines their order of execution.

+- Each trigger type maintains its own queue.

+- For rules created in the Azure portal, the **order** field will be automatically populated with the number following the highest number used by existing rules of the same trigger type.

+- However, for rules created in other ways (command line, API, etc.), the **order** number must be assigned manually.

+- There is no validation mechanism preventing multiple rules from having the same order number, even within the same trigger type.

+- You can allow two or more rules of the same trigger type to have the same order number, if you don't care which order they run in.

+- For rules of the same trigger type with the same order number, the execution engine randomly selects which rules will run in which order.

+- For rules of different *incident trigger* types, all applicable rules with the *incident creation* trigger type will run first (according to their order numbers), and only then the rules with the *incident update* trigger type (according to *their* order numbers).

+- Rules always run sequentially, never in parallel.

+Automation rules fully support cross-workspace and [multitenant deployments](extend-sentinel-across-workspaces-tenants.md#manage-workspaces-across-tenants-using-azure-lighthouse) (in the case of multitenant, using [Azure Lighthouse](../lighthouse/index.yml)).

+Therefore, if your Microsoft Sentinel deployment uses a multitenant architecture, you can have an automation rule in one tenant run a playbook that lives in a different tenant, but permissions for Sentinel to run the playbooks must be defined in the tenant where the playbooks reside, not in the tenant where the automation rules are defined.

+The first step in designing and defining your automation rule is figuring out which incidents or alerts you want it to apply to. This determination will directly impact how you create the rule.

+Do you want this automation to be activated when new incidents or alerts are created? Or anytime an incident gets updated?

+1. Under **Rule expiration**, if you want your automation rule to expire, set an expiration date (and optionally, a time). Otherwise, leave it as *Indefinite*.

+1. The **Order** field is pre-populated with the next available number for your rule's trigger type. This number determines where in the sequence of automation rules (of the same trigger type) this rule will run. You can change the number if you want this rule to run before an existing rule.

+ See [Notes on execution order and priority](automate-incident-handling-with-automation-rules.md#notes-on-execution-order-and-priority) for more information.

+Automation rules are run sequentially, according to the order you determine. Each automation rule is executed after the previous one has finished its run. Within an automation rule, all actions are run sequentially in the order in which they are defined. See [Notes on execution order and priority](automate-incident-handling-with-automation-rules.md#notes-on-execution-order-and-priority) for more information.

+**Storage queues** are part of the [Azure Storage](https://azure.microsoft.com/services/storage/) infrastructure. They allow you to store large numbers of messages. You access messages from anywhere in the world via authenticated calls using HTTP or HTTPS. A queue message can be up to 64 KB in size. A queue might contain millions of messages, up to the total capacity limit of a storage account. Queues are commonly used to create a backlog of work to process asynchronously. For more information, see [What are Azure Storage queues](../storage/queues/storage-queues-introduction.md).

+**Service Bus queues** are part of a broader [Azure messaging](https://azure.microsoft.com/services/service-bus/) infrastructure that supports queuing, publish/subscribe, and more advanced integration patterns. They're designed to integrate applications or application components that might span multiple communication protocols, data contracts, trust domains, or network environments. For more information about Service Bus queues/topics/subscriptions, see the [Service Bus queues, topics, and subscriptions](service-bus-queues-topics-subscriptions.md).

+This section compares Storage queues and Service Bus queues from the perspective of [capacity and quotas](service-bus-quotas.md) that might apply.

+| Maximum message size |64 KB<br/><br/>(48 KB when using Base 64 encoding)<br/><br/>Azure supports large messages by combining queues and blobs ΓÇô at which point you can enqueue up to 200 GB for a single item. |256 KB or 100 MB<br/><br/>(including both header and body, maximum header size: 64 KB).<br/><br/>Depends on the [service tier](service-bus-premium-messaging.md). |

+* Both queues support authorizing access using Microsoft Entra ID. Authorizing users or applications using OAuth 2.0 token returned by Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there's no need to store the tokens in your code and risk potential security vulnerabilities. For more information, see [Azure Storage - Microsoft Entra authentication](../storage/queues/assign-azure-role-data-access.md) and [Azure Service Bus - Microsoft Entra authentication](service-bus-authentication-and-authorization.md#azure-active-directory).

+By gaining a deeper understanding of the two technologies, you can make a more informed decision on which queue technology to use, and when. The decision on when to use Storage queues or Service Bus queues clearly depends on many factors. These factors depend heavily on the individual needs of your application and its architecture.

+You might prefer to choose Storage queues for reasons such as the following ones:

+Service Bus queues provide many advanced features such as the following ones. So, they might be a preferred choice if you're building a hybrid application or if your application otherwise requires these features.

+#### [Other](#tab/none)

+| Default environment variable name | Description | Example value |

+| | -- | -- |

+| AZURE_REDIS_HOST | Redis host | `<redis-server-name>.redis.cache.windows.net` |

+| AZURE_REDIS_PORT | Redis port | `6380` |

+| AZURE_REDIS_DATABASE | Redis database | `0` |

+| AZURE_REDIS_PASSWORD | Redis key | `<redis-key>` |

+| AZURE_REDIS_SSL | SSL setting | `true` |

+| spring.cloud.azure.storage.blob.account-name | Your Blob storage-account-name for Spring Cloud Azure version 4.0 or above | `<storage-account-name>` |

+| spring.cloud.azure.storage.blob.account-key | Your Blob Storage account key for Spring Cloud Azure version 4.0 or above | `<account-key>` |

+| spring.cloud.azure.storage.blob.endpoint | Your Blob Storage endpoint for Spring Cloud Azure version 4.0 or above | `https://<storage-account-name>.blob.core.windows.net/` |

+Guest/server - NVMe interface | Yes, for Windows machines. Not supported for Linux machines.

+- Jammy Tiny: Suitable for building a minimal image for the smallest possible size and security footprint. Like building a Java Native Image, it can make the final container image smaller. The integrated libraries are limited. For example, you can't [connect to an app instance for troubleshooting](how-to-connect-to-app-instance-for-troubleshooting.md) because there's no `shell` library.

+ - Most Go apps.

+ - Java apps. Some Apache Tomcat configuration options, such as setting *bin/setenv.sh*, aren't available because Tiny has no shell.

+- Jammy Base: Suitable for most apps without native extensions.

+ - Java apps and .NET Core apps.

+ - Go apps that require some C libraries.

+ - Node.js, Python, or Web Servers apps without native extensions.

+- Jammy Full: Includes most libraries, and is suitable for apps with native extensions. For example, it includes a more complete library of fonts. If your app relies on the native extension, then use the `Full` stack.

+ - Node.js or Python apps with native extensions.

+ :::image type="content" source="media/how-to-enterprise-deploy-polyglot-apps/add-container-registry.png" alt-text="Screenshot of Azure portal that shows the Container registry page with Add container registry button." lightbox="media/how-to-enterprise-deploy-polyglot-apps/add-container-registry.png":::

+ :::image type="content" source="media/how-to-enterprise-deploy-polyglot-apps/show-container-registry.png" alt-text="Screenshot of the Azure portal that shows the Container registry page." lightbox="media/how-to-enterprise-deploy-polyglot-apps/show-container-registry.png":::

+ :::image type="content" source="media/how-to-enterprise-deploy-polyglot-apps/edit-container-registry.png" alt-text="Screenshot of the Azure portal that shows the Container registry page with Edit container registry pane open for the current container registry in the list." lightbox="media/how-to-enterprise-deploy-polyglot-apps/edit-container-registry.png":::

+ :::image type="content" source="media/how-to-enterprise-deploy-polyglot-apps/delete-container-registry.png" alt-text="Screenshot of Azure portal that shows the Container registry page with Delete container registry pane open for the current container registry in the list." lightbox="media/how-to-enterprise-deploy-polyglot-apps/delete-container-registry.png":::

+The build service can use a container registry, and can also change the associated container registry. This process is time consuming. When the change happens, all the builder and build resources under the build service rebuild, and then the final container images get pushed to the new container registry.

+ :::image type="content" source="media/how-to-enterprise-deploy-polyglot-apps/switch-build-service-container-registry.png" alt-text="Screenshot of the Azure portal that shows the Build Service page with referenced container registry highlighted." lightbox="media/how-to-enterprise-deploy-polyglot-apps/switch-build-service-container-registry.png":::

+The following features aren't supported in Azure Spring Apps due to the limitation of Java Native Image. Azure Spring Apps will support them when the Java Native Image and the community overcomes the limitation.

+| | Indicates whether to autoconfigure Spring Boot environment properties from bindings at runtime. This feature requires Spring Cloud Bindings to have already been installed at build time or it does nothing. The default value is *false*. | `BPL_SPRING_CLOUD_BINDINGS_DISABLED` | `--env BPL_SPRING_CLOUD_BINDINGS_DISABLED=false` |

+| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> see more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` |

+| Integrate JProfiler agent. | Indicates whether to integrate JProfiler support. The default value is *false*. | `BP_JPROFILER_ENABLED` | build phase: <br>`--build-env BP_JPROFILER_ENABLED=true` <br> runtime phase: <br> `--env BPL_JPROFILER_ENABLED=true` <br> `BPL_JPROFILER_PORT=<port>` (optional, defaults to *8849*) <br> `BPL_JPROFILER_NOWAIT=true` (optional. Indicates whether the JVM executes before JProfiler gets attached. The default value is *true*.) |

+| | Indicates whether the JVM executes before JProfiler gets attached. The default value is *true*. | `BPL_JPROFILER_NOWAIT` | `--env BPL_JPROFILER_NOWAIT=true` |

+| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` |

+| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` |

+| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` |

+| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` |

+| Enable configuration of labels on the created image | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` |

+| 3.2.x | 2022.0.3+ also known as Kilburn | 2026-02-23 |

+| 3.2.x | 2022.0.3+ also known as Kilburn | 2024-11-23 |

+## Zero downtime migration

+You may want to migrate a custom domain currently serving a production website to your static web app with zero downtime. DNS providers do not accept multiple records for the same name/host, so you can separately validate your ownership of the domain and route traffic to your web app.

+1. Open your static web app in the Azure portal.

+1. Add a **TXT record** for your custom domain (APEX or subdomain). Instead of entering the *Host* value as displayed, enter the *Host* in your DNS provider as follows:

+ * For APEX domains, enter `_dnsauth.www.<YOUR-DOMAIN.COM>`.

+ * For subdomains, enter `_dnsauth.<SUBDOMAIN>.<YOUR-DOMAIN.COM>`.

+1. Once your domain is validated, you can migrate your traffic to your static web app by updating your `CNAME`, `ALIAS`, or `A` record to point to your [default host name](./apex-domain-external.md)

+ Title: 'Estimate costs: AzCopy with Azure Blob Storage'

+description: Learn how to estimate the cost to transfer data to, from, or between containers in Azure Blob Storage.

+# Estimate the cost of using AzCopy to transfer blobs

+This article helps you estimate the cost to transfer blobs by using AzCopy.

+All calculations are based on a fictitious price. You can find each price in the [sample prices](#sample-prices) section at the end of this article.

+> [!IMPORTANT]

+> These prices are meant only as examples, and shouldn't be used to calculate your costs. For official prices, see the [Azure Blob Storage pricing](https://azure.microsoft.com/pricing/details/storage/blobs/) or [Azure Data Lake Storage pricing](https://azure.microsoft.com/pricing/details/storage/data-lake/) pricing pages. For more information about how to choose the correct pricing page, see [Understand the full billing model for Azure Blob Storage](../common/storage-plan-manage-costs.md).

+## The cost to upload

+When you run the [azcopy copy](../common/storage-use-azcopy-blobs-upload.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) command, you'll specify a destination endpoint. That endpoint can be either a Blob Service endpoint (`blob.core.windows.net`) or a Data Lake Storage endpoint (`dfs.core.windows.net`) endpoint. This section calculates the cost of using each endpoint to upload **1,000** blobs that are **5 GiB** each in size.

+### Cost of uploading to the Blob Service endpoint

+If you upload data to the Blob Service endpoint, then by default, AzCopy uploads each blob in 8-MiB blocks. This size is configurable.

+AzCopy uses the [Put Block](/rest/api/storageservices/put-block) operation to upload each block. After the final block is uploaded, AzCopy commits those blocks by using the [Put Block List](/rest/api/storageservices/put-block-list) operation. Both operations are billed as _write_ operations.

+The following table calculates the number of write operations required to upload these blobs.

+| Calculation | Value |

+|--|-|

+| Number of MiB in 5 GiB | 5,120 |

+| PutBlock operations per blob (5,120 MiB / 8-MiB block) | 640 |

+| PutBlockList operations per blob | 1 |

+| **Total write operations (1,000 * 641)** | **641,000** |

+> [!TIP]

+> You can reduce the number of operations by configuring AzCopy to use a larger block size.

+After each blob is uploaded, AzCopy uses the [Get Blob Properties](/rest/api/storageservices/get-blob-properties) operation as part of validating the upload. The [Get Blob Properties](/rest/api/storageservices/get-blob-properties) operation is billed as an _All other operations_ operation.

+Using the [Sample prices](#sample-prices) that appear in this article, the following table calculates the cost to upload these blobs.

+| Price factor | Hot | Cool | Cold | Archive |

+||-|-|--|-|

+| Price of a single write operation (price / 10,000) | $0.0000055 | $0.00001 | $0.000018 | $0.00001 |

+| **Cost of write operations (641,000 * operation price)** | **$3.5255** | **$6.4100** | **$11.5380** | **$3.5255** |

+| Price of a single _other_ operation (price / 10,000) | $0.00000044 | $0.00000044 | $0.00000052 | $0.00000044 |

+| **Cost to get blob properties (1000 * _other_ operation price)** | **$0.0004** | **$0.0004** | **$0.0005** | **$0.0004** |

+| **Total cost (write + properties)** | **$3.53** | **$6.41** | **$11.54** | **$3.53** |

+> [!NOTE]

+> If you upload to the archive tier, each [Put Block](/rest/api/storageservices/put-block) operation is charged at the price of a **hot** write operation. Each [Put Block List](/rest/api/storageservices/put-block-list) operation is charged the price of an **archive** write operation.

+### Cost of uploading to the Data Lake Storage endpoint

+If you upload data to the Data Lake Storage endpoint, then AzCopy uploads each blob in 4-MiB blocks. This value is not configurable.

+AzCopy uploads each block by using the [Path - Update](/rest/api/storageservices/datalakestoragegen2/path/update) operation with the action parameter set to `append`. After the final block is uploaded, AzCopy commits those blocks by using the [Path - Update](/rest/api/storageservices/datalakestoragegen2/path/update) operation with the action parameter set to `flush`. Both operations are billed as _write_ operations.

+The following table calculates the number of write operations required to upload these blobs.

+| Calculation | Value

+|||

+| Number of MiB in 5 GiB | 5,120 |

+| Path - Update (append) operations per blob (5,120 MiB / 4-MiB block) | 1,280 |

+| Path - Update (flush) operations per blob | 1 |

+| **Total write operations (1,000 * 1,281)** | **1,281,00** |

+After each blob is uploaded, AzCopy uses the [Get Blob Properties](/rest/api/storageservices/get-blob-properties) operation as part of validating the upload. The [Get Blob Properties](/rest/api/storageservices/get-blob-properties) operation is billed as an _All other operations_ operation.

+Using the [Sample prices](#sample-prices) that appear in this article, the following table calculates the cost to upload these blobs

+| Price factor | Hot | Cool | Cold | Archive |

+||-|--|--|--|

+| Price of a single write operation (price / 10,000) | $0.00000715 | $0.000013 | $0.0000234 | $0.0000143 |

+| **Cost of write operations (1,281,000 * operation price)** | **$9.1592** | **$16.6530** | **$29.9754** | **$18.3183** |

+| Price of a single _other_ operation (price / 10,000) | $0.00000044 | $0.00000044 | $0.00000052 | $0.00000044 |

+| **Cost to get blob properties (1000 * operation price)** | **$0.0004** | **$0.0004** | **$0.0005** | **$0.0004** |

+| **Total cost (write + properties)** | **$9.16** | **$16.65** | **$29.98** | **$18.32** |

+## The cost to download

+When you run the [azcopy copy](../common/storage-use-azcopy-blobs-download.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) command, you'll specify a source endpoint. That endpoint can be either a Blob Service endpoint (`blob.core.windows.net`) or a Data Lake Storage endpoint (`dfs.core.windows.net`) endpoint. This section calculates the cost of using each endpoint to download **1,000** blobs that are **5 GiB** each in size.

+### Cost of downloading from the Blob Service endpoint

+If you download blobs from the Blob Service endpoint, AzCopy uses the [List Blobs](/rest/api/storageservices/list-blobs) to enumerate blobs. A [List Blobs](/rest/api/storageservices/list-blobs) is billed as a _List and create container_ operation. One [List Blobs](/rest/api/storageservices/list-blobs) operation returns up to 5,000 blobs. Therefore, in this example, only one [List Blobs](/rest/api/storageservices/list-blobs) operation is required.

+For each blob, AzCopy uses the [Get Blob Properties](/rest/api/storageservices/get-blob-properties) operation, and the [Get Blob](/rest/api/storageservices/get-blob) operation. The [Get Blob Properties](/rest/api/storageservices/get-blob-properties) operation is billed as an _All other operations_ operation and the [Get Blob](/rest/api/storageservices/get-blob) operation is billed as a _read_ operation.

+If you download blobs from the cool or cold tier, you're also charged a data retrieval per GiB downloaded.

+Using the [Sample prices](#sample-prices) that appear in this article, the following table calculates the cost to download these blobs.

+> [!NOTE]

+> This table excludes the archive tier because you can't download directly from that tier. See [Blob rehydration from the archive tier](archive-rehydrate-overview.md).

+| Price factor | Hot | Cool | Cold |

+|-|-|-|-|

+| Price of a single list operation (price/ 10,000) | $0.0000055 | $0.0000055 | $0.0000065 |

+| **Cost of listing operations (1 * operation price)** | **$0.0000055** | **$0.0000055** | **$0.0000065** |

+| Price of a single _other_ operation (price / 10,000) | $0.00000044 | $0.00000044 | $0.00000052 |

+| **Cost to get blob properties (1000 * operation price)** | **$0.00044** | **$0.00044** | **$0.00052** |

+| Price of a single read operation (price / 10,000) | $0.00000044 | $0.000001 | $0.00001 |

+| **Cost of read operations (1000 * operation price)** | **$0.00044** | **$0.001** | **$0.01** |

+| Price of data retrieval (per GiB) | $0.00 | $0.01 | $0.03 |

+| **Cost of data retrieval (5 * operation price)** | **$0.00** | **$0.05** | **$0.15** |

+| **Total cost (list + properties + read + retrieval)** | **$0.001** | **$0.051** | **$0.161** |

+### Cost of downloading from the Data Lake Storage endpoint

+If you download blobs from the Data Lake Storage endpoint, AzCopy uses the [List Blobs](/rest/api/storageservices/list-blobs) to enumerate blobs. A [List Blobs](/rest/api/storageservices/list-blobs) is billed as a _List and create container_ operation. One [List Blobs](/rest/api/storageservices/list-blobs) operation returns up to 5,000 blobs. Therefore, in this example, only one [List Blobs](/rest/api/storageservices/list-blobs) operation is required.

+For each blob, AzCopy uses the [Get Blob Properties](/rest/api/storageservices/get-blob-properties) operation which is billed as an _All other operations_ operation. AzCopy downloads each block (4 MiB in size) by using the [Path - Read](/rest/api/storageservices/datalakestoragegen2/path/read) operation. Each [Path - Read](/rest/api/storageservices/datalakestoragegen2/path/read) call is billed as a _read_ operation.

+If you download blobs from the cool or cold tier, you're also charged a data retrieval per GiB downloaded.

+The following table calculates the number of write operations required to upload the blobs.

+| Calculation | Value |

+|-||

+| Number of MiB in 5 GiB | 5,120 |

+| Path - Update operations per blob (5,120 MiB / 4-MiB block) | 1,280 |

+| Total read operations (1000* 1,280) | **1,280,000** |

+Using the [Sample prices](#sample-prices) that appear in this article, the following table calculates the cost to download these blobs.

+> [!NOTE]

+> This table excludes the archive tier because you can't download directly from that tier. See [Blob rehydration from the archive tier](archive-rehydrate-overview.md).

+| Price factor | Hot | Cool | Cold |

+|--|-|-|-|

+| Price of a single list operation (price/ 10,000) | $0.0000055 | $0.0000055 | $0.0000065 |

+| **Cost of listing operations (1 * operation price)** | **$0.0000055** | **$0.0000055** | **$0.0000065** |

+| Price of a single _other_ operation (price / 10,000) | $0.00000044 | $0.00000044 | $0.00000052 |

+| **Cost to get blob properties (1000 * operation price)** | **$0.00044** | **$0.00044** | **$0.00052** |

+| Price of a single read operation (price / 10,000) | $0.00000057 | $0.00000130 | $0.00001300 |

+| **Cost of read operations (1,281,000 * operation price)** | **$0.73017** | **$1.6653** | **$16.653** |

+| Price of data retrieval (per GiB) | $0.00000000 | $0.01000000 | $0.03000000 |

+| **Cost of data retrieval (5 * operation price)** | **$0.00** | **$0.05** | **$0.15** |

+| **Total cost (list + properties + read + retrieval)** | **$0.731** | **$1.716** | **$16.804** |

+## The cost to copy between containers

+When you run the [azcopy copy](../common/storage-use-azcopy-blobs-copy.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) command, you'll specify a source and destination endpoint. These endpoints can be either a Blob Service endpoint (`blob.core.windows.net`) or a Data Lake Storage endpoint (`dfs.core.windows.net`) endpoint. This section calculates the cost to copy **1,000** blobs that are **5 GiB** each in size.

+> [!NOTE]

+> Blobs in the archive tier can be copied only to an online tier. Because all of these examples assume the same tier for source and destination, the archive tier is excluded from these tables.

+### Cost of copying blobs within the same account

+Regardless of which endpoint you specify (Blob Service or Data Lake Storage), AzCopy uses the [List Blobs](/rest/api/storageservices/list-blobs) to enumerate blobs at the source location. A [List Blobs](/rest/api/storageservices/list-blobs) is billed as a _List and create container_ operation. One [List Blobs](/rest/api/storageservices/list-blobs) operation returns up to 5,000 blobs. Therefore, in this example, only one [List Blobs](/rest/api/storageservices/list-blobs) operation is required.

+For each blob, AzCopy uses the [Get Blob Properties](/rest/api/storageservices/get-blob-properties) operation for both the source blob and the blob that is copied to the destination. The [Get Blob Properties](/rest/api/storageservices/get-blob-properties) operation is billed as an _All other operations_ operation. AzCopy uses the [Copy Blob](/rest/api/storageservices/copy-blob) operation to copy blobs to another container which is billed as a _write_ operation that is based on the destination tier.

+| Price factor | Hot | Cool | Cold |

+|-|-|-|-|

+| Price of a single list operation (price/ 10,000) | $0.0000055 | $0.0000055 | $0.0000065 |

+| **Cost of listing operations (1 * operation price)** | **$0.0000055** | **$0.0000055** | **$0.0000065** |

+| Price of a single other operations (price / 10,000) | $0.00000044 | $0.00000044 | $0.00000052 |

+| **Cost to get blob properties (2000 * operation price)** | **$0.00088** | **$0.00088** | **$0.00104** |

+| Price of a single write operation (price / 10,000) | $0.0000055 | $0.00001 | $0.000018 |

+| **Cost to write (1000 * operation price)** | **$3.53** | **$0.0055** | **$0.01** |

+| **Total cost (listing + properties + write)** | **$3.5309** | **$0.0064** | **$0.0110** |

+### Cost of copying blobs to another account in the same region

+This scenario is identical to the previous one except that you're also billed for data retrieval and for read operation that is based on the source tier.

+| Price factor | Hot | Cool | Cold |

+|-|--|-|-|

+| **Total from previous section** | **$3.5309** | **$0.0064** | **$0.0110** |

+| Price of a single read operation (price / 10,000) | $0.00000044 | $0.000001 | $0.00001 |

+| **Cost of read operations (1,000 * operation price)** | **$0.00044** | **$0.001** | **$0.01** |

+| Price of data retrieval (per GiB) | Free | $0.01 | $0.03 |

+| **Cost of data retrieval (5 * operation price)** | **$0.00** | **$.05** | **$.15** |

+| **Total cost (previous section + retrieval + read)** | **$3.53134** | **$0.0574** | **$0.171** |

+### Cost of copying blobs to an account located in another region

+This scenario is identical to the previous one except you are billed for network egress charges.

+| Price factor | Hot | Cool | Cold |

+|--|--|-|-|

+| **Total cost from previous section** | **$3.53134** | **$0.0574** | **$0.171** |

+| Price of network egress (per GiB) | $0.02 | $0.02 | $0.02 |

+| **Total cost of network egress (5 * price of egress)** | **$.10** | **$.10** | **$.10** |

+| **Total cost (previous section + egress)** | **$3.5513** | **$0.0774** | **$0.191** |

+## The cost to synchronize changes

+When you run the [azcopy sync](../common/storage-use-azcopy-blobs-synchronize.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) command, you'll specify a source and destination endpoint. These endpoints can be either a Blob Service endpoint (`blob.core.windows.net`) or a Data Lake Storage endpoint (`dfs.core.windows.net`) endpoint.

+> [!NOTE]

+> Blobs in the archive tier can be copied only to an online tier. Because all of these examples assume the same tier for source and destination, the archive tier is excluded from these tables.

+### Cost to synchronize a container with a local file system

+If you want to keep a container updated with changes to a local file system, then AzCopy performs the exact same tasks as described in the [Cost of uploading to the Blob Service endpoint](#cost-of-uploading-to-the-blob-service-endpoint) section in this article. Blobs are uploaded only if the last modified time of a local file is different than the last modified time of the blob in the container. Therefore, you are billed _write_ transactions only for blobs that are uploaded.

+If you want to keep a local file system updated with changes to a container, then AzCopy performs the exact same tasks as described in the [Cost of downloading from the Blob Service endpoint](#cost-of-downloading-from-the-blob-service-endpoint) section of this article. Blobs are downloaded only If the last modified time of a local blob is different than the last modified time of the blob in the container. Therefore, you are billed _read_ transactions only for blobs that are downloaded.

+### Cost to synchronize containers

+If you want to keep two containers synchronized, then AzCopy performs the exact same tasks as described in the [The cost to copy between containers](#the-cost-to-copy-between-containers) section in this article. A blob is copied only if the last modified time of a blob in the source container is different than the last modified time of a blob in the destination container. Therefore, you are billed _write_ and _read_ transactions only for blobs that are copied.

+The [azcopy sync](../common/storage-use-azcopy-blobs-synchronize.md?toc=/azure/storage/blobs/toc.json&bc=/azure/storage/blobs/breadcrumb/toc.json) command uses the [List Blobs](/rest/api/storageservices/list-blobs) operation on both source and destination accounts when synchronizing containers that exist in separate accounts.

+## Summary of calculations

+The following table contains all of the estimates presented in this article. All estimates are based on transferring **1000** blobs that are each **5 GiB** in size and use the sample prices listed in the next section.

+| Scenario | Hot | Cool | Cold | Archive |

+||-||||

+| Upload blobs (Blob Service endpoint) | $3.53 | $6.41 | $11.54 | $3.53 |

+| Upload blobs (Data Lake Storage endpoint) | $9.16 | $16.65 | $29.98 | $18.32 |

+| Download blobs (Blob Service endpoint) | $0.001 | $0.051 | $0.161 | N/A |

+| Download blobs (Data Lake Storage endpoint) | $0.731 | $1.716 | $16.804 | N/A |

+| Copy blobs | $3.5309 | $0.0064 | $0.0110 | N/A |

+| Copy blobs to another account | $3.53134 | $0.0574 | $0.171 | N/A |

+| Copy blobs to an account in another region | $3.5513 | $0.0774 | $0.191 | N/A |

+## Sample prices

+The following table includes sample (fictitious) prices for each request to the Blob Service endpoint (`blob.core.windows.net`). For official prices, see [Azure Blob Storage pricing](https://azure.microsoft.com/pricing/details/storage/blobs/).

+| Price factor | Hot | Cool | Cold | Archive |

+|--|||||

+| Price of write transactions (per 10,000) | $0.055 | $0.10 | $0.18 | $0.10 |

+| Price of read transactions (per 10,000) | $0.0044 | $0.01 | $0.10 | $5.00 |

+| Price of data retrieval (per GiB) | Free | $0.01 | $0.03 | $0.02 |

+| List and container operations (per 10,000) | $0.055 | $0.055 | $0.065 | $0.055 |

+| All other operations (per 10,000) | $0.0044 | $0.0044 | $0.0052 | $0.0044 |

+The following table includes sample prices (fictitious) prices for each request to the Data Lake Storage endpoint (`dfs.core.windows.net`). For official prices, see [Azure Data Lake Storage pricing](https://azure.microsoft.com/pricing/details/storage/data-lake/).

+| Price factor | Hot | Cool | Cold | Archive |

+|--|-|-|-||

+| Price of write transactions (every 4MiB, per 10,000) | $0.0715 | $0.13 | $0.234 | $0.143 |

+| Price of read transactions (every 4MiB, per 10,000) | $0.0057 | $0.013 | $0.13 | $7.15 |

+| Price of data retrieval (per GiB) | Free | $0.01 | $0.03 | $0.022 |

+| Iterative Read operations (per 10,000) | $0.0715 | $0.0715 | $0.0845 | $0.0715 |

+## Operations used by AzCopy commands

+The following table shows the operations that are used by each AzCopy command. To map each operation to a price, see [Map each REST operation to a price](map-rest-apis-transaction-categories.md).

+### Commands that target the Blob Service Endpoint

+| Command | Scenario | Operations |

+||-|--|

+| [azcopy bench](../common/storage-ref-azcopy-bench.md?toc=/azure/storage/blobs/toc.json) | Upload | [Put Block](/rest/api/storageservices/put-block-list) and [Put Block List](/rest/api/storageservices/put-block-list) |

+| [azcopy bench](../common/storage-ref-azcopy-bench.md?toc=/azure/storage/blobs/toc.json) | Download | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Get Blob](/rest/api/storageservices/get-blob) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Upload | [Put Block](/rest/api/storageservices/put-block-list) and [Put Block List](/rest/api/storageservices/put-block-list), [Get Blob Properties](/rest/api/storageservices/get-blob-properties) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Download | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Get Blob](/rest/api/storageservices/get-blob) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Perform a dry run | [List Blobs](/rest/api/storageservices/list-blobs) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Copy from Amazon S3| [Put Blob from URL](/rest/api/storageservices/put-blob-from-url) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Copy from Google Cloud Storage | [Put Blob from URL](/rest/api/storageservices/put-blob-from-url) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Copy to another container | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Copy Blob](/rest/api/storageservices/copy-blob) |

+| [azcopy sync](../common/storage-ref-azcopy-sync.md?toc=/azure/storage/blobs/toc.json) | Update local with changes to container | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Get Blob](/rest/api/storageservices/get-blob) |

+| [azcopy sync](../common/storage-ref-azcopy-sync.md?toc=/azure/storage/blobs/toc.json) | Update container with changes to local file system | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), [Put Block](/rest/api/storageservices/put-block-list), and [Put Block List](/rest/api/storageservices/put-block-list) |

+| [azcopy sync](../common/storage-ref-azcopy-sync.md?toc=/azure/storage/blobs/toc.json) | Synchronize containers | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Copy Blob](/rest/api/storageservices/copy-blob) |

+| [azcopy set-properties](../common/storage-ref-azcopy-set-properties.md?toc=/azure/storage/blobs/toc.json) | Set blob tier | [Set Blob Tier](/rest/api/storageservices/set-blob-tier) |

+| [azcopy set-properties](../common/storage-ref-azcopy-set-properties.md?toc=/azure/storage/blobs/toc.json) | Set metadata | [Set Blob Metadata](/rest/api/storageservices/set-blob-metadata) |

+| [azcopy set-properties](../common/storage-ref-azcopy-set-properties.md?toc=/azure/storage/blobs/toc.json) | Set blob tags | [Set Blob Tags](/rest/api/storageservices/set-blob-tags) |

+| [azcopy list](../common/storage-ref-azcopy-list.md?toc=/azure/storage/blobs/toc.json) | List blobs in a container| [List Blobs](/rest/api/storageservices/list-blobs) |

+| [azcopy make](../common/storage-ref-azcopy-make.md?toc=/azure/storage/blobs/toc.json) | Create a container | [Create Container](/rest/api/storageservices/create-container) |

+| [azcopy remove](../common/storage-ref-azcopy-remove.md?toc=/azure/storage/blobs/toc.json) | Delete a container | [Delete Container](/rest/api/storageservices/delete-container) |

+| [azcopy remove](../common/storage-ref-azcopy-remove.md?toc=/azure/storage/blobs/toc.json) | Delete a blob | [Delete Blob](/rest/api/storageservices/delete-blob) |

+### Commands that target the Data Lake Storage endpoint

+| Command | Scenario | Operations |

+||-|--|

+| [azcopy bench](../common/storage-ref-azcopy-bench.md?toc=/azure/storage/blobs/toc.json) | Upload | [Path - Update](/rest/api/storageservices/datalakestoragegen2/path/update) (Append), and [Path - Update](/rest/api/storageservices/datalakestoragegen2/path/update) (Flush) |

+| [azcopy bench](../common/storage-ref-azcopy-bench.md?toc=/azure/storage/blobs/toc.json) | Download | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Path - Read](/rest/api/storageservices/datalakestoragegen2/path/read)|

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Upload | [Path - Update](/rest/api/storageservices/datalakestoragegen2/path/update), and [Get Blob Properties](/rest/api/storageservices/get-blob-properties) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Download |[List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Path - Read](/rest/api/storageservices/datalakestoragegen2/path/read) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Perform a dry run | [List Blobs](/rest/api/storageservices/list-blobs) |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Copy from Amazon S3| Not supported |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Copy from Google Cloud Storage | Not supported |

+| [azcopy copy](../common/storage-ref-azcopy-copy.md?toc=/azure/storage/blobs/toc.json) | Copy to another container | [List Blobs](/rest/api/storageservices/list-blobs), and [Copy Blob](/rest/api/storageservices/copy-blob). if --preserve-permissions-true, then [Path - Get Properties](/rest/api/storageservices/datalakestoragegen2/path/get-properties) (Get Access Control List) and [Path - Update](/rest/api/storageservices/datalakestoragegen2/path/update) (Set access control) otherwise, [Get Blob Properties](/rest/api/storageservices/get-blob-properties). |

+| [azcopy sync](../common/storage-ref-azcopy-sync.md?toc=/azure/storage/blobs/toc.json) | Update local with changes to container | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Get Blob](/rest/api/storageservices/get-blob) |

+| [azcopy sync](../common/storage-ref-azcopy-sync.md?toc=/azure/storage/blobs/toc.json) | Update container with changes to local file system | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), [Path - Update](/rest/api/storageservices/datalakestoragegen2/path/update) (Append), and [Path - Update](/rest/api/storageservices/datalakestoragegen2/path/update) (Flush)|

+| [azcopy sync](../common/storage-ref-azcopy-sync.md?toc=/azure/storage/blobs/toc.json) | Synchronize containers | [List Blobs](/rest/api/storageservices/list-blobs), [Get Blob Properties](/rest/api/storageservices/get-blob-properties), and [Copy Blob](/rest/api/storageservices/copy-blob) |

+| [azcopy set-properties](../common/storage-ref-azcopy-set-properties.md?toc=/azure/storage/blobs/toc.json) | Set blob tier | Not supported |

+| [azcopy set-properties](../common/storage-ref-azcopy-set-properties.md?toc=/azure/storage/blobs/toc.json) | Set metadata | Not supported |

+| [azcopy set-properties](../common/storage-ref-azcopy-set-properties.md?toc=/azure/storage/blobs/toc.json) | Set blob tags | Not supported |

+| [azcopy list](../common/storage-ref-azcopy-list.md?toc=/azure/storage/blobs/toc.json) | List blobs in a container| [List Blobs](/rest/api/storageservices/list-blobs)|

+| [azcopy make](../common/storage-ref-azcopy-make.md?toc=/azure/storage/blobs/toc.json) | Create a container | [Filesystem - Create](/rest/api/storageservices/datalakestoragegen2/filesystem/create) |

+| [azcopy remove](../common/storage-ref-azcopy-remove.md?toc=/azure/storage/blobs/toc.json) | Delete a container | [Filesystem - Delete](/rest/api/storageservices/datalakestoragegen2/filesystem/delete) |

+| [azcopy remove](../common/storage-ref-azcopy-remove.md?toc=/azure/storage/blobs/toc.json) | Delete a blob | [Filesystem - Delete](/rest/api/storageservices/datalakestoragegen2/filesystem/delete) |

+## See also

+- [Plan and manage costs for Azure Blob Storage](../common/storage-plan-manage-costs.md)

+- [Map each REST operation to a price](map-rest-apis-transaction-categories.md)

+- [Get started with AzCopy](../common/storage-use-azcopy-v10.md)

+| [Copy Blob](/rest/api/storageservices/copy-blob) | Write² | Write² | Write² |

+| [Set Blob Expiry](/rest/api/storageservices/set-blob-expiry) | Other | Other | Write |

+² When the source object is in a different account, the source account incurs one transaction for each read request to the source object.

+- **Anonymous read access** for blob data is supported, but not recommended. When anonymous access is configured, clients can read blob data without authorization. We recommend that you disable anonymous access for all of your storage accounts. For more information, see [Overview: Remediating anonymous read access for blob data](../blobs/anonymous-read-access-overview.md).

+Storage Explorer supports Azure RBAC access to Storage Accounts, Blobs, Queues, and Tables. If you need access to File Shares, you'll need to assign Azure roles that grant permission to list storage account keys.

+| v1.32.1 | November 15, 2023 | November 1, 2024 |

+| v1.32.0 | November 1, 2023 | November 1, 2024 |

+### Supportive tools and guides

+The following resources can also help you forecast the cost of using Azure Blob Storage:

+- [Estimating Pricing for Azure Block Blob Deployments](https://azure.github.io/Storage/docs/application-and-user-data/code-samples/estimate-block-blob/)

+- [Estimate the cost of archiving data](../blobs/archive-cost-estimation.md)

+- [Estimate the cost of using AzCopy to transfer blobs](../blobs/azcopy-cost-estimation.md)

+- [Map each REST operation to a price](../blobs/map-rest-apis-transaction-categories.md)

+> Cost analysis supports different kinds of Azure account types. To view the full list of supported account types, see [Understand Cost Management data](../../cost-management-billing/costs/understand-cost-mgt-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). To view cost data, you need at least read access for your Azure account. For information about assigning access to Microsoft Cost Management data, see [Assign access to data](../../cost-management-billing/costs/assign-access-acm-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).

+ Title: Calculate the size of blob containers with PowerShell

+description: Calculate the size of all Azure Blob Storage containers in a storage account.

+# Calculate the size of blob containers with PowerShell

+This script calculates the size of all Azure Blob Storage containers in a storage account.

+> This PowerShell script provides an estimated size for the containers in an account and should not be used for billing calculations. For a script that calculates container size for billing purposes, see [Calculate the size of a Blob storage container for billing purposes](../scripts/storage-blobs-container-calculate-billing-size-powershell.md).

+```powershell

+# This script will show how to get the total size of the blobs in all containers in a storage account.

+# Before running this, you need to create a storage account, at least one container,

+# and upload some blobs into that container.

+# note: this retrieves all of the blobs in each container in one command.

+# Run the Connect-AzAccount cmdlet to connect to Azure.

+# Requests that are sent as part of this tool will incur transactional costs.

+#

+$containerstats = @()

+# Provide the name of your storage account and resource group

+$storage_account_name = "<name-of-your-storage-account>"

+$resource_group = "<name-of-your-resource-group"

+# Get a reference to the storage account and the context.

+$storageAccount = Get-AzStorageAccount `

+ -ResourceGroupName $resource_group `

+ -Name $storage_account_name

+$Ctx = $storageAccount.Context

+$container_continuation_token = $null

+do {

+ $containers = Get-AzStorageContainer -Context $Ctx -MaxCount 5000 -ContinuationToken $container_continuation_token

+ $container_continuation_token = $null;

+ if ($containers -ne $null)

+ {

+ $container_continuation_token = $containers[$containers.Count - 1].ContinuationToken

+

+ for ([int] $c = 0; $c -lt $containers.Count; $c++)

+ {

+ $container = $containers[$c].Name

+ Write-Verbose "Processing container : $container"

+ $total_usage = 0

+ $total_blob_count = 0

+ $soft_delete_usage = 0

+ $soft_delete_count = 0

+ $version_usage = 0

+ $version_count =

+ $snapshot_count = 0

+ $snapshot_usage = 0

+ $blob_continuation_token = $null

+

+ do {

+ $blobs = Get-AzStorageBlob -Context $Ctx -IncludeDeleted -IncludeVersion -Container $container -ConcurrentTaskCount 100 -MaxCount 5000 -ContinuationToken $blob_continuation_token

+ $blob_continuation_token = $null;

+

+ if ($blobs -ne $null)

+ {

+ $blob_continuation_token = $blobs[$blobs.Count - 1].ContinuationToken

+

+ for ([int] $b = 0; $b -lt $blobs.Count; $b++)

+ {

+ $total_blob_count++

+ $total_usage += $blobs[$b].Length

+

+ if ($blobs[$b].IsDeleted)

+ {

+ $soft_delete_count++

+ $soft_delete_usage += $blobs[$b].Length

+ }

+

+ if ($blobs[$b].SnapshotTime -ne $null)

+ {

+ $snapshot_count++

+ $snapshot_usage+= $blobs[$b].Length

+ }

+

+ if ($blobs[$b].VersionId -ne $null)

+ {

+ $version_count++

+ $version_usage += $blobs[$b].Length

+ }

+ }

+

+ If ($blob_continuation_token -ne $null)

+ {

+ Write-Verbose "Blob listing continuation token = {0}".Replace("{0}",$blob_continuation_token.NextMarker)

+ }

+ }

+ } while ($blob_continuation_token -ne $null)

+

+ Write-Verbose "Calculated size of $container = $total_usage with soft_delete usage of $soft_delete_usage"

+ $containerstats += [PSCustomObject] @{

+ Name = $container

+ TotalBlobCount = $total_blob_count

+ TotalBlobUsageinGB = $total_usage/1GB

+ SoftDeletedBlobCount = $soft_delete_count

+ SoftDeletedBlobUsageinGB = $soft_delete_usage/1GB

+ SnapshotCount = $snapshot_count

+ SnapshotUsageinGB = $snapshot_usage/1GB

+ VersionCount = $version_count

+ VersionUsageinGB = $version_usage/1GB

+ }

+ }

+ }

+

+ If ($container_continuation_token -ne $null)

+ {

+ Write-Verbose "Container listing continuation token = {0}".Replace("{0}",$container_continuation_token.NextMarker)

+ }

+} while ($container_continuation_token -ne $null)

+Write-Host "Total container stats"

+$containerstats | Format-Table -AutoSize

+```

+| [Get-AzStorageContainer](/powershell/module/az.storage/get-azstoragecontainer) | Lists the storage containers. |

+> To get the non-operating system Microsoft patches or to install only the OS patches, we recommend you to change the patch repository as this is an operating system setting and not an option that you can configure within Azure Update Manager.

+If scheduled patching is configured on your machine using the Azure Update Manager, the Auto update on the client is disabled. To edit the registry and configure the setting, see [First party updates on Windows](support-matrix.md#first-party-updates-on-windows).

+1. On the **Select resources** pane, select the machine and select **Add**. Follow the procedure from step 5 listed in **From Overview blade** of [Configure settings on a single VM](#configure-settings-on-a-single-vm).

+### Alerting (preview)

+### Azure Stack HCI patching (preview)

+| AlmaLinux | 9.2 |

+| Azure Linux | 2.0 |

+| CentOS | 6.10 and 7 |

+| Oracle Linux | 6.10, 7 and 8+ |

+| Red Hat Enterprise Linux (RHEL) | 6.10, 7, 8 and 9.2 |

+| Rocky Linux | 9.1 |

+| SUSE Linux Enterprise Server (SLES) | 12 and 15 (SP2, SP3 and SP4) |

+| Ubuntu | 16+ |

+> - Red Hat Enterprise Linux 6.X and Oracle Linux 6.x have reached their end-of-life (EOL). RHEL 6.10 has available [extended life cycle (ELS) support](https://www.redhat.com/en/resources/els-datasheet) through [June 30, 2024]( https://access.redhat.com/product-life-cycles/?product=Red%20Hat%20Enterprise%20Linux,OpenShift%20Container%20Platform%204).

+An in-place upgrade allows you to go from an older operating system to a newer one while keeping your settings, server roles, and data intact. This article teaches you how to move your Azure VMs to a later version of Windows Server using an in-place upgrade. Currently, upgrading to Windows Server 2012, Windows Server 2016, Windows Server 2019 and Windows Server 2022 are supported.

+ - Upgrade options for Windows Server 2012 from Windows Server 2008 (64-bit) or Windows Server 2008 R2

+- Verify the operating system disk has enough [free space to perform the in-place upgrade](/windows-server/get-started/hardware-requirements#storage-controller-and-disk-space-requirements). If more space is needed [follow these steps](./windows/expand-os-disk.md) to expand the operating system disk attached to the VM.

+## Upgrade VM to volume license (KMS server activation)

+The upgrade media provided by Azure requires the VM to be configured for Windows Server volume licensing. This is the default behavior for any Windows Server VM that was installed from a generalized image in Azure. If the VM was imported into Azure, then it might need to be converted to volume licensing to use the upgrade media provided by Azure. To confirm the VM is configured for volume license activation follow these steps to [configure the appropriate KMS client setup key](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems#step-1-configure-the-appropriate-kms-client-setup-key). If the activation configuration was changed, then follow these steps to [verify connectivity to Azure KMS service](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems#step-2-verify-the-connectivity-between-the-vm-and-azure-kms-service).

+## Upgrade to Managed Disks

+ ## Create snapshot of the operating system disk

+| sku | Windows Server upgrade media version. This must be either: `server2016Upgrade` or `server2019Upgrade` or `server2022Upgrade` or `server2012Upgrade` |

+If you have more than one subscription, you should run `Set-AzsSubscription -SubscriptionId <String>` to specify which subscription to use.

+# Customer specific parameters

+# Target version for the upgrade - must be either server2022Upgrade, server2019Upgrade, server2016Upgrade or server2012Upgrade

+## Perform in-place upgrade to Windows Server 2016, 2019, or 2022

+## Perform in-place upgrade to Windows Server 2012 only

+To initiate the in-place upgrade the VM must be in the `Running` state. Once the VM is in a running state use the following steps to perform the upgrade.

+1. Connect to the VM using [RDP](./windows/connect-rdp.md#connect-to-the-virtual-machine) or [RDP-Bastion](../bastion/bastion-connect-vm-rdp-windows.md#rdp).

+1. Determine the drive letter for the upgrade disk (typically E: or F: if there are no other data disks).

+1. Start Windows PowerShell.

+1. Change directory to the only directory on the upgrade disk.

+1. Execute the following command to start the upgrade:

+

+ ```powershell

+ .\setup.exe

+ ```

+1. When Windows Setup launches, select **Install now**.

+1. For **Get important updates for Windows Setup**, select **No thanks**.

+1. Select the correct Windows Server 2012 "Upgrade to" image based on the current version and configuration of the VM using the [Windows Server upgrade matrix](/windows-server/get-started/upgrade-overview).

+1. On the **License terms** page, select **I accept the license terms** and then select **Next**.

+1. For **What type of installation do you want?" select **Upgrade: Install Windows and keep files, settings, and applications**.

+1. Setup will product a **Compatibility report**, you can ignore any warnings and select **Next**.

+1. When complete, the machine will reboot and you will automatically be disconnected from the RDP session. After the VM is disconnected from the RDP session the progress of the upgrade can be monitored through the [screenshot functionality available in the Azure portal](/troubleshoot/azure/virtual-machines/boot-diagnostics#enable-boot-diagnostics-on-existing-virtual-machine).

+## Post upgrade steps

+Once the upgrade process has completed successfully the following steps should be taken to clean up any artifacts which were created during the upgrade process:

+- Delete the snapshots of the OS disk and data disk(s) if they were created.

+- Delete the upgrade media Managed Disk.

+- Enable any antivirus, anti-spyware or firewall software that may have been disabled at the start of the upgrade process.

+- For more information, see [Perform an in-place upgrade of Windows Server](/windows-server/get-started/perform-in-place-upgrade)

+- For information about using Azure Migrate to upgrade, see [Azure Migrate Windows Server upgrade](/azure/migrate/how-to-upgrade-windows)

+* The current preview of connected group has a limitation where traffic from a connected group can't communicate with a private endpoint in this connected group. However, this limitation will be removed once the feature is generally available.

+ * Customers don't own the default outbound access IP. This IP might change, and any dependency on it could cause issues in the future.

+- [cPacket Cloud Visbility](https://www.cpacket.com/solutions/cloud-visibility/)

+VPN Gateway provides an easy way to view and disconnect current point-to-site VPN sessions. This article helps you view and disconnect current sessions. The session status is updated every 5 minutes. It isn't updated immediately.

+Because this feature allows the disconnection of VPN clients, Reader permissions on the VPN gateway resource aren't sufficient. The Contributor role is needed to visualize point-to-site VPN sessions correctly.

+> [!NOTE]

+>

+For more information about point-to-site connections, see [About Point-to-site VPN](point-to-site-about.md).