+Enable a *service endpoint* for Azure AI services within the virtual network. The service endpoint routes traffic from the virtual network through an optimal path to the Azure AI service. For more information, see [Virtual Network service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md).

+- Secure your Azure AI services resource by configuring the firewall to block all connections on the public endpoint for the Azure AI service.

+A private endpoint is a special network interface for an Azure resource in your [virtual network](../virtual-network/virtual-networks-overview.md). Creating a private endpoint for your Azure AI services resource provides secure connectivity between clients in your virtual network and your resource. The private endpoint is assigned an IP address from the IP address range of your virtual network. The connection between the private endpoint and the Azure AI service uses a secure private link.

+## Grant access to trusted Azure services for Azure OpenAI

+You can grant a subset of trusted Azure services access to Azure OpenAI, while maintaining network rules for other apps. These trusted services will then use managed identity to authenticate your Azure OpenAI service. The following table lists the services that can access Azure OpenAI if the managed identity of those services have the appropriate role assignment.

+|Service |Resource provider name |

+|||

+|Azure AI Services | `Microsoft.CognitiveServices` |

+|Azure Machine Learning |`Microsoft.MachineLearningServices` |

+|Azure Cognitive Search | `Microsoft.Search` |

+You can grant networking access to trusted Azure services by creating a network rule exception using the REST API:

+```bash

+accessToken=$(az account get-access-token --resource https://management.azure.com --query "accessToken" --output tsv)

+rid="/subscriptions/<your subscription id>/resourceGroups/<your resource group>/providers/Microsoft.CognitiveServices/accounts/<your Azure AI resource name>"

+curl -i -X PATCH https://management.azure.com$rid?api-version=2023-10-01-preview \

+-H "Content-Type: application/json" \

+-H "Authorization: Bearer $accessToken" \

+-d \

+'

+{

+ "properties":

+ {

+ "networkAcls": {

+ "bypass": "AzureServices"

+ }

+ }

+}

+'

+```

+To revoke the exception, set `networkAcls.bypass` to `None`.

+### Normalization in model version 2023-04-15

+Model version 2023-04-15, conversational language understanding provides normalization in the inference layer that doesn't affect training.

+The normalization layer normalizes the classification confidence scores to a confined range. The range selected currently is from `[-a,a]` where "a" is the square root of the number of intents. As a result, the normalization depends on the number of intents in the app. If there is a very low number of intents, the normalization layer has a very small range to work with. With a fairly large number of intents, the normalization is more effective.

+If this normalization doesnΓÇÖt seem to help intents that are out of scope to the extent that the confidence threshold can be used to filter out of scope utterances, it might be related to the number of intents in the app. Consider adding more intents to the app, or if you are using an orchestrated architecture, consider merging apps that belong to the same domain together.

+You can modify the following additional settings in the **Data parameters** section in Azure OpenAI Studio and [the API](../reference.md#completions-extensions).

+| `retrieved_documents` | number | Optional | 3 | Specifies the number of top-scoring documents from your data index used to generate responses. You might want to increase the value when you have short documents or want to provide more context. |

+| `strictness` | number | Optional | 3 | Sets the threshold to categorize documents as relevant to your queries. Raising the value means a higher threshold for relevance and filters out more less-relevant documents for responses. Setting this value too high might cause the model to fail to generate responses due to limited available documents. |

+The table in this section summarizes the 24 locales supported for pronunciation assessment, and each language is available on all [Speech to text regions](regions.md#speech-service). Latest update extends support from English to 23 additional languages and quality enhancements to existing features, including accuracy, fluency and miscue assessment. You should specify the language that you're learning or practicing improving pronunciation. The default language is set as `en-US`. If you know your target learning language, [set the locale](how-to-pronunciation-assessment.md#get-pronunciation-assessment-results) accordingly. For example, if you're learning British English, you should specify the language as `en-GB`. If you're teaching a broader language, such as Spanish, and are uncertain about which locale to select, you can run various accent models (`es-ES`, `es-MX`) to determine the one that achieves the highest score to suit your specific scenario.

+ kubectl config view --raw -o jsonpath="{.clusters[?(@.name == '')].cluster.certificate-authority-data}" | base64 -d | openssl x509 -text | grep -A2 Validity

+ kubectl apply -f aks-store-quickstart.yaml

+ kubectl get events --field-selector source=upgrader

+[node-image-upgrade]: ./node-image-upgrade.md

+| **HTTP/2** (Client-to-gateway) | Γ£ö∩╕Å⁴ | Γ¥î | Γ£ö∩╕Å |

+| API threat detection with [Defender for APIs](protect-with-defender-for-apis.md) | ✔️ | ❌ | ❌ |

+³CA root certificates for self-hosted gateway are managed separately per gateway<br/>

+⁴ Client protocol needs to be enabled.

+> * Migrating your API Management instance to new infrastructure is a long-running operation. Depending on your service configuration, you might have temporary downtime during migration, and you might need to update your network dependencies after migration to reach your API Management instance. Plan your migration accordingly.

+## What happens during migration?

+API Management platform migration from `stv1` to `stv2` involves updating the underlying compute alone and has no impact on the service/api configuration persisted in the storage layer.

+* The upgrade process involves creating a new compute in parallel the old compute. Both instances coexist for 48 hours.

+* The API Management status in the Portal will be "Updating".

+* Azure manages the management endpoint DNS, and updates to the new compute immediately on successful migration.

+* The Gateway DNS still points to the old compute if custom domain is in use.

+* If custom DNS isn't in use, the Gateway and Portal DNS points to the new compute immediately.

+* For an instance in internal VNet mode, customer manages the DNS, so the DNS entries continue to point to old compute until updated by the customer.

+* It's the DNS that points to either the new or the old compute and hence no downtime to the APIs.

+* Changes are required to your firewall rules, if any, to allow the new compute subnet reach the backends.

+For an API Management instance that's not deployed in a VNet, migrate your instance using the **Platform migration** blade in the Azure portal, or invoke the Migrate to `stv2` REST API.

+### Verify migration

+To verify that the migration was successful, when the status changes to `Online`, check the [platform version](compute-infrastructure.md#how-do-i-know-which-platform-hosts-my-api-management-instance) of your API Management instance. After successful migration, the value is `stv2`.

+### Update network dependencies

+On successful migration, update any network dependencies including DNS, firewall rules, and VNets to use the new VIP address.

+### Verify migration

+* To verify that the migration was successful, when the status changes to `Online`, check the [platform version](compute-infrastructure.md#how-do-i-know-which-platform-hosts-my-api-management-instance) of your API Management instance. After successful migration, the value is `stv2`.

+* Additionally check the Network status to ensure connectivity of the instance to its dependencies. In the portal, in the left-hand menu, under **Deployment and infrastructure**, select **Network** > **Network status**.

+### Update network dependencies

+On successful migration, update any network dependencies including DNS, firewall rules, and VNets to use the new VIP address/subnet address space.

+## Frequently asked questions

+- **What information do we need to choose a migration path?**

+

+ - What is the Network mode of the API Management instance?

+ - Are custom domains configured?

+ - Is a firewall involved?

+ - Any known dependencies taken by upstream/downstream on the IPs involved?

+ - Is it a multi-geo deployment?

+ - Can we modify the existing instance or is a parallel setup required?

+ - Can there be downtime?

+ - Can the migration be done in nonbusiness hours?

+- **What are the prerequisites for the migration?**

+ ***VNet-injected instances:*** you'll need a new subnet and public IP address to migrate (either External or Internal modes). The subnet must have an NSG attached to it following the rules for `stv2` platform as described [here](./api-management-using-with-vnet.md?tabs=stv2#configure-nsg-rules).

+

+ ***Non-VNet instances:*** no prerequisites are required. If you migrate preserving your public IP address, this will render your API Management instance unresponsive for approximately 15 minutes. If you can't afford any downtime, then choose the *"New IP"* option that makes API Management available on a new IP. Network dependencies need to be updated with the new public virtual IP address.

+- **Will the migration cause a downtime?**

+ ***VNet-injected instances:*** there's no downtime as the old and new managed gateways are available for 48 hours, to facilitate validation and DNS update. However, if the default domain names are in use, traffic is routed to the new managed gateway immediately. It's critical that all network dependencies are taken care of upfront, for the impacted APIs to be functional.

+

+ ***Non-VNet instances:*** there's a downtime of approximately 15 minutes only if you choose to preserve the original IP address. However, there's no downtime if you migrate with a new IP address.

+- **My traffic is force tunneled through a firewall. What changes are required?**

+ - First of all, make sure that the new subnet you created for the migration retains the following configuration (they should be already configured in your current subnet):

+ - Enable service endpoints as described [here](./api-management-using-with-vnet.md?tabs=stv2#force-tunnel-traffic-to-on-premises-firewall-using-expressroute-or-network-virtual-appliance)

+ - The UDR (user-defined route) has the hop from **ApiManagement** service tag set to "Internet" and not only to your firewall address

+ - The [requirements for NSG configuration for stv2](./api-management-using-with-vnet.md?tabs=stv2#configure-nsg-rules) remain the same whether you have firewall or not; make sure your new subnet has it

+ - Firewall rules referring to the current IP address range of the API Management instance should be updated to use the IP address range of your new subnet.

+- **Is it impossible that data or configuration losses can occur by/during the migration?**

+ `stv1` to `stv2` migration involves updating the compute platform alone and the internal storage layer isn't changed. Hence all the configuration is safe during the migration process.

+- **How to confirm that the migration is complete and successful?**

+ The migration is considered complete and successful when the status in the overview page reads *"Online"* along with the platform version being either 2.0 or 2.1. Also verify that the network status in the network blade shows green for all required connectivity.

+- **Can I do the migration using the portal?**

+ - Yes, the [Platform migration](./migrate-stv1-to-stv2.md?tabs=portal#scenario-1-migrate-api-management-instance-not-injected-in-a-vnet) blade in Azure portal guides through the options for non-VNet injected instances.

+ - VNet-injected instances can be migrated by changing the subnet in the **Network** blade.

+- **Can I preserve the IP address of the instance?**

+ **VNet-injected instances:** there's no way currently to preserve the IP address if your instance is injected into a VNet

+

+ **Non-VNet instances:** the IP address can be preserved, but there will be a downtime of approximately 15 minutes.

+- **Is there a migration path without modifying the existing instance?**

+ Yes, you need a side-by-side migration. That means you create a new API Management instance in parallel with your current instance and copy the configuration over to the new instance.

+- **What happens if the migration fails?**

+ If your API Management instance doesn't show the platform version as `stv2` and status as *"Online"* after you initiated the migration, it probably failed. Your service is automatically rolled back to the old instance and no changes are made. If you have problems (such as if status is *"Updating"* for more than 2 hours), contact Azure support.

+- **What functionality is not available during migration?**

+ **VNet injected instances:** API requests remain responsive during migration. Infrastructure configuration (such as custom domains, locations, and CA certificates) is locked for 30 minutes. After migration, you'll need to update any network dependencies including DNS, firewall rules, and VNets to use the new VIP address.

+ **Non-VNet-injected instances:**

+ - If you opted to preserve the original IP address: If you preserve the VIP address, API requests are unresponsive for approximately 15 minutes while the IP address is migrated to the new infrastructure. Infrastructure configuration (such as custom domains, locations, and CA certificates) is locked for 45 minutes.

+ - If you opted to migrate to a new IP address: API requests remain responsive during migration. Infrastructure configuration (such as custom domains, locations, and CA certificates) is locked for 30 minutes. After migration, you'll need to update any network dependencies including DNS, firewall rules, and VNets to use the new VIP address.

+- **How long will the migration take?**

+ The expected duration for the whole migration is approximately 45 minutes. The indicator to check if the migration was already performed is to check if Status of your instance is back to *"Online"* and not *"Updating"*. If it says *"Updating"* for more than 2 hours, contact Azure support.

+- **Is there a way to validate the VNet configuration before attempting migration?**

+ You can optionally deploy a new API Management instance with the new VNet, subnet, and VIP that you use for the actual migration. Navigate to the **Network status** page after the deployment is completed, and verify if every endpoint connectivity status is green. If yes, you can remove this new API Management instance and proceed with the real migration with your original `stv1` service.

+- **Can I roll back the migration if required?**

+ Yes, you can. If there's a failure during the migration process, the instance will automatically roll back to the `stv1` platform. However, if you encounter any other issues post migration, you have 48 hours to request a rollback by contacting Azure support. You should contact support if the instance is stuck in an "Updating" status for more than 2 hours.

+- **Is there any change required in custom domain/private DNS zones?**

+ **VNet-injected instances:** you'll need to update the private DNS zones to the new VNet IP address acquired after the migration. Pay attention to update non-Azure DNS zones too (for example your on-premises DNS servers pointing to API Management private IP address). However, in external mode, the migration process will automatically update the default domains if in use.

+

+ **Non-VNet injected instances:** No changes are required if the IP is preserved. If opted for a new IP, custom domains referring to the IP should be updated.

+- **My stv1 instance is deployed to multiple Azure regions (multi-geo). How do I upgrade to stv2?**

+ Multi-geo deployments include more managed gateways deployed in other locations. Each location should be migrated separately by providing a new subnet and a new public IP. Navigate to the *Locations* blade and perform the changes on each listed location. The instance is considered migrated to the new platform only when all the locations are migrated. Both gateways continue to operate normally throughout the migration process.

+- **Do we need a public IP even if the API Management instance is VNet injected in internal mode only?**

+ API Management `stv1` uses an Azure managed public IP even in an internal mode for management traffic. However `stv2` requires a user managed public IP for the same purpose. This public IP is only used for Azure internal management operations and not to expose your instance to the internet. More details [here](./api-management-howto-ip-addresses.md#ip-addresses-of-api-management-service-in-vnet).

+- **Can I upgrade my stv1 instance to the same subnet?**

+ - You can't migrate the stv1 instance to the same subnet in a single pass without downtime. However, you can optionally move your migrated instance back to the original subnet. More details [here](#optional-migrate-back-to-original-vnet-and-subnet).

+ - The old gateway takes up to 48 hours to vacate the subnet, so that you can initiate the move. However, you can request for a faster release of the subnet by submitting the subscription IDs and the desired release time through a support ticket.

+ - Releasing the old subnet calls for a purge of the old gateway, which forfeits the rollback to the old gateway if desired.

+ - A new public IP is required for each switch

+ - Ensure that the old subnet networking for [NSG](./api-management-using-with-internal-vnet.md?tabs=stv2#configure-nsg-rules) and [firewall](./api-management-using-with-vnet.md?tabs=stv2#force-tunnel-traffic-to-on-premises-firewall-using-expressroute-or-network-virtual-appliance) is updated for `stv2` dependencies.

+- **Can I test the new gateway before switching the live traffic?**

+ - Post successful migration, the old and the new managed gateways are active to receive traffic. The old gateway remains active for 48 hours.

+ - The migration process automatically updates the default domain names, and if being used, the traffic routes to the new gateways immediately.

+ - If custom domain names are in use, the corresponding DNS records might need to be updated with the new IP address if not using CNAME. Customers can update their host file to the new API Management IP and validate the instance before making the switch. During this validation process, the old gateway continues to serve the live traffic.

+- **Are there any considerations when using default domain name?**

+ Instances that are using the default DNS name in external mode have the DNS autoupdated by the migration process. Moreover, the management endpoint, which always uses the default domain name is automatically updated by the migration process. Since the switch happens immediately on a successful migration, the new instance starts receiving traffic immediately, and it's critical that any networking restrictions/dependencies are taken care of upfront to avoid impacted APIs being unavailable.

+- **What should we consider for self hosted gateways?**

+ You don't need to do anything in your self-hosted gateways. You just need to migrate API Management instances running in Azure that are impacted by the `stv1` platform retirement. Note that there could be a new IP for the Configuration endpoint of the API Management instance, and any networking restrictions pinned to the IP should be updated.

+- **How is the developer portal impacted by migration?**

+ There's no impact on developer portal. If custom domains are used, the DNS record should be updated with the effective IP, post migration. However, if the default domains are in use, they're automatically updated on successful migration. There's no downtime for the developer portal during the migration.

+- **Is there any impact on cost once we migrated to stv2?**

+ The billing model remains the same for `stv2` and there won't be any more cost incurred after the migration.

+- **How can we get help during migration?**

+ Check details [here](#help-and-support).

+ Title: Disable basic authentication for deployment

+description: Learn how to secure App Service deployment by disabling basic authentication.

+keywords: azure app service, security, deployment, FTP, MsDeploy

+# Disable basic authentication in App Service deployments

+This article shows you how to disable basic authentication (username and password authentication) when deploying code to App Service apps.

+App Service provides basic authentication for FTP and WebDeploy clients to connect to it by using [deployment credentials](deploy-configure-credentials.md). These APIs are great for browsing your siteΓÇÖs file system, uploading drivers and utilities, and deploying with MsBuild. However, enterprises often require more secure deployment methods than basic authentication, such as [Microsoft Entra ID](/entr)). Entra ID uses OAuth 2.0 token-based authorization and has many benefits and improvements that help mitigate the issues in basic authentication. For example, OAuth access tokens have a limited usable lifetime, and are specific to the applications and resources for which they're issued, so they can't be reused. Entra ID also lets you deploy from other Azure services using managed identities.

+## Disable basic authentication

+### [Azure portal](#tab/portal)

+1. In the [Azure portal], search for and select **App Services**, and then select your app.

+1. In the app's left menu, select **Configuration**.

+1. For **Basic Auth Publishing Credentials**, select **Off**, then select **Save**.

+ :::image type="content" source="media/configure-basic-auth-disable/basic-auth-disable.png" alt-text="A screenshot showing how to disable basic authentication for Azure App Service in the Azure portal.":::

+### [Azure CLI](#tab/cli)

+There are two different settings to configure when you disable basic authentication with Azure CLI, one for FTP and one for WebDeploy and Git.

+#### Disable for FTP

+To disable FTP access using basic authentication, you must have owner-level access to the app. Run the following CLI command by replacing the placeholders with your resource group name and app name:

+```azurecli-interactive

+az resource update --resource-group <group-name> --name ftp --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<app-name> --set properties.allow=false

+```

+#### Disable for WebDeploy and Git

+To disable basic authentication access to the WebDeploy port and the Git deploy URL (https://\<app-name>.scm.azurewebsites.net), run the following CLI command. Replace the placeholders with your resource group name and app name.

+```azurecli-interactive

+az resource update --resource-group <resource-group> --name scm --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<app-name> --set properties.allow=false

+```

+--

+To confirm that FTP access is blocked, try [connecting to your app using FTP/S](deploy-ftp.md). You should get a `401 Unauthenticted` message.

+To confirm that Git access is blocked, try [local Git deployment](deploy-local-git.md). You should get an `Authentication failed` message.

+## Deployment without basic authentication

+When you disable basic authentication, deployment methods based on basic authentication stop working, such as FTP and local Git deployment. For alternate deployment methods, see [Authentication types by deployment methods in Azure App Service](deploy-authentication-types.md).

+<!-- Azure Pipelines with App Service deploy task (manual config) need the newer version hosted agent that supports vs2022.

+OIDC GitHub actions -->

+## Create a custom role with no permissions for basic authentication

+To prevent a lower-priveldged user from enabling basic authentication for any app, you can create a custom role and assign the user to the role.

+### [Azure portal](#tab/portal)

+1. In the Azure portal, in the top menu, search for and select the subscription you want to create the custom role in.

+1. From the left navigation, select **Access Control (IAM)** > **Add** > **Add custom role**.

+1. Set the **Basic** tab as you wish, then select **Next**.

+1. In the **Permissions** tab, and select **Exclude permissions**.

+1. Find and select **Microsoft Web Apps**, then search for the following operations:

+

+ |Operation |Description |

+ |||

+ |`microsoft.web/sites/basicPublishingCredentialsPolicies/ftp` | FTP publishing credentials for App Service apps. |

+ |`microsoft.web/sites/basicPublishingCredentialsPolicies/scm` | SCM publishing credentials for App Service apps. |

+ |`microsoft.web/sites/slots/basicPublishingCredentialsPolicies/ftp` | FTP publishing credentials for App Service slots. |

+ |`microsoft.web/sites/slots/basicPublishingCredentialsPolicies/scm` | SCM publishing credentials for App Service slots. |

+

+1. Under each of these operations, select the box for **Write**, then select **Add**. This step adds the operation as **NotActions** for the role.

+ Your Permissions tab should look like the following screenshot:

+ :::image type="content" source="media/configure-basic-auth-disable/custom-role-no-basic-auth.png" alt-text="A screenshot showing the creation of a custom role with all basic authentication permissions excluded.":::

+1. Select **Review + create**, then select **Create**.

+1. You can now assign this role to your organizationΓÇÖs users.

+For more information, see [Create or update Azure custom roles using the Azure portal](../role-based-access-control/custom-roles-portal.md#step-2-choose-how-to-start)

+### [Azure CLI](#tab/cli)

+In the following command, replace *\<role-name>* and *\<subscription-guid>* (with the GUID of your subscription) and run in the cloud shell:

+```azurecli-interactive

+az role definition create --role-definition '{

+ "Name": "<role-name>",

+ "IsCustom": true,

+ "Description": "Prevents users from enabling basic authentication for all App Service apps or slots.",

+ "NotActions": [

+ "Microsoft.Web/sites/basicPublishingCredentialsPolicies/ftp/Write",

+ "Microsoft.Web/sites/basicPublishingCredentialsPolicies/scm/Write",

+ "Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/ftp/Write",

+ "Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies/scm/Write"

+ ],

+ "AssignableScopes": ["/subscriptions/<subscription-guid>"]

+}'

+```

+You can now assign this role to your organizationΓÇÖs users.

+For more information, see [Create or update Azure custom roles using Azure CLI](../role-based-access-control/custom-roles-cli.md).

+--

+## Monitor for basic authentication attempts

+All successful and attempted logins are logged to the Azure Monitor `AppServiceAuditLogs` log type. To audit the attempted and successful logins on FTP and WebDeploy, follow the steps at [Send logs to Azure Monitor](troubleshoot-diagnostic-logs.md#send-logs-to-azure-monitor) and enable shipping of the `AppServiceAuditLogs` log type.

+To confirm that the logs are shipped to your selected service(s), try logging in via FTP or WebDeploy. The following example shows a Storage Account log.

+<pre>

+{

+ "time": "2020-07-16T17:42:32.9322528Z",

+ "ResourceId": "/SUBSCRIPTIONS/EF90E930-9D7F-4A60-8A99-748E0EEA69DE/RESOURCEGROUPS/FREEBERGDEMO/PROVIDERS/MICROSOFT.WEB/SITES/FREEBERG-WINDOWS",

+ "Category": "AppServiceAuditLogs",

+ "OperationName": "Authorization",

+ "Properties": {

+ "User": "$freeberg-windows",

+ "UserDisplayName": "$freeberg-windows",

+ "UserAddress": "24.19.191.170",

+ "Protocol": "FTP"

+ }

+}

+</pre>

+## Basic authentication related policies

+[Azure Policy](../governance/policy/overview.md) can help you enforce organizational standards and to assess compliance at-scale. You can use Azure Policy to audit for any apps that still use basic authentication, and remediate any noncompliant resources. The following are built-in policies for auditing and remediating basic authentication on App Service:

+- [Audit policy for FTP](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F871b205b-57cf-4e1e-a234-492616998bf7)

+- [Audit policy for SCM](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faede300b-d67f-480a-ae26-4b3dfb1a1fdc)

+- [Remediation policy for FTP](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff493116f-3b7f-4ab3-bf80-0c2af35e46c2)

+- [Remediation policy for SCM](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c034a29-2a5f-4857-b120-f800fe5549ae)

+The following are corresponding policies for slots:

+- [Audit policy for FTP](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fec71c0bc-6a45-4b1f-9587-80dc83e6898c)

+- [Audit policy for SCM](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F847ef871-e2fe-4e6e-907e-4adbf71de5cf)

+- [Remediation policy for FTP](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff493116f-3b7f-4ab3-bf80-0c2af35e46c2)

+- [Remediation policy for SCM](https://ms.portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c034a29-2a5f-4857-b120-f800fe5549ae)

+> To disable basic authentication for your App Service app, see [Disable basic authentication in App Service deployments](configure-basic-auth-disable.md).

+See [Disable basic authentication in App Service deployments](configure-basic-auth-disable.md).

+ while (True):

+Depending on your scenario, you might need connectivity to other URLs, such as those used by the Azure portal, management tools, or other Azure services. In particular, review these lists to ensure that you allow connectivity to any necessary endpoints:

+| **SCVMM** | You need an SCVMM management server running version 2016 or later.<br/><br/> A private cloud with minimum free capacity of 32 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> Only Static IP allocation is supported and VMM Static IP Pool is required. Follow [these steps](https://learn.microsoft.com/system-center/vmm/network-pool?view=sc-vmm-2022) to create a VMM Static IP Pool and ensure that the Static IP Pool has at least four IP addresses. Dynamic IP allocation using DHCP is not supported. |

+ pip install "openai==0.28.1" num2words matplotlib plotly scipy scikit-learn pandas tiktoken redis langchain

+| Logging | [`ILogger<T>`]/[`ILogger`] obtained from [FunctionContext](/dotnet/api/microsoft.azure.functions.worker.functioncontext) or via [dependency injection](dotnet-isolated-process-guide.md#dependency-injection)| [`ILogger`] passed to the function<br/>[`ILogger<T>`] via [dependency injection](functions-dotnet-dependency-injection.md) |

+[`ILogger`]: /dotnet/api/microsoft.extensions.logging.ilogger

+[`ILogger<T>`]: /dotnet/api/microsoft.extensions.logging.logger-1

+```csharp

+using Microsoft.Extensions.Hosting;

+var host = new HostBuilder()

+ .ConfigureFunctionsWebApplication()

+ .ConfigureServices(services => {

+ services.AddApplicationInsightsTelemetryWorkerService();

+ services.ConfigureFunctionsApplicationInsights();

+ })

+ .Build();

+host.Run();

+```

+```csharp

+using Microsoft.Extensions.Hosting;

+var host = new HostBuilder()

+ .ConfigureFunctionsWebApplication()

+ .ConfigureServices(services => {

+ services.AddApplicationInsightsTelemetryWorkerService();

+ services.ConfigureFunctionsApplicationInsights();

+ })

+ .Build();

+host.Run();

+```

+```csharp

+using Microsoft.Extensions.Hosting;

+using Microsoft.Azure.Functions.Worker;

+namespace Company.FunctionApp

+{

+ internal class Program

+ {

+ static void Main(string[] args)

+ {

+ FunctionsDebugger.Enable();

+ var host = new HostBuilder()

+ .ConfigureFunctionsWorkerDefaults()

+ .ConfigureServices(services => {

+ services.AddApplicationInsightsTelemetryWorkerService();

+ services.ConfigureFunctionsApplicationInsights();

+ })

+ .Build();

+ host.Run();

+ }

+ }

+}

+```

+```csharp

+using Microsoft.Extensions.Hosting;

+var host = new HostBuilder()

+ .ConfigureFunctionsWebApplication()

+ .ConfigureServices(services => {

+ services.AddApplicationInsightsTelemetryWorkerService();

+ services.ConfigureFunctionsApplicationInsights();

+ })

+ .Build();

+host.Run();

+```

+```csharp

+using Microsoft.AspNetCore.Http;

+using Microsoft.AspNetCore.Mvc;

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Extensions.Logging;

+namespace Company.Function

+{

+ public class HttpTriggerCSharp

+ {

+ private readonly ILogger<HttpTriggerCSharp> _logger;

+ public HttpTriggerCSharp(ILogger<HttpTriggerCSharp> logger)

+ {

+ _logger = logger;

+ }

+ [Function("HttpTriggerCSharp")]

+ public IActionResult Run(

+ [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequest req)

+ {

+ _logger.LogInformation("C# HTTP trigger function processed a request.");

+ return new OkObjectResult($"Welcome to Azure Functions, {req.Query["name"]}!");

+ }

+ }

+}

+```

+```csharp

+using Microsoft.AspNetCore.Http;

+using Microsoft.AspNetCore.Mvc;

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Extensions.Logging;

+namespace Company.Function

+{

+ public class HttpTriggerCSharp

+ {

+ private readonly ILogger<HttpTriggerCSharp> _logger;

+ public HttpTriggerCSharp(ILogger<HttpTriggerCSharp> logger)

+ {

+ _logger = logger;

+ }

+ [Function("HttpTriggerCSharp")]

+ public IActionResult Run(

+ [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequest req)

+ {

+ _logger.LogInformation("C# HTTP trigger function processed a request.");

+ return new OkObjectResult($"Welcome to Azure Functions, {req.Query["name"]}!");

+ }

+ }

+}

+```

+```csharp

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Azure.Functions.Worker.Http;

+using Microsoft.Extensions.Logging;

+using System.Net;

+namespace Company.Function

+{

+ public class HttpTriggerCSharp

+ {

+ private readonly ILogger<HttpTriggerCSharp> _logger;

+ public HttpTriggerCSharp(ILogger<HttpTriggerCSharp> logger)

+ {

+ _logger = logger;

+ }

+ [Function("HttpTriggerCSharp")]

+ public HttpResponseData Run([HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequestData req)

+ {

+ _logger.LogInformation("C# HTTP trigger function processed a request.");

+ var response = req.CreateResponse(HttpStatusCode.OK);

+ response.Headers.Add("Content-Type", "text/plain; charset=utf-8");

+ response.WriteString($"Welcome to Azure Functions, {req.Query["name"]}!");

+ return response;

+ }

+ }

+}

+```

+```csharp

+using Microsoft.AspNetCore.Http;

+using Microsoft.AspNetCore.Mvc;

+using Microsoft.Azure.Functions.Worker;

+using Microsoft.Extensions.Logging;

+namespace Company.Function

+{

+ public class HttpTriggerCSharp

+ {

+ private readonly ILogger<HttpTriggerCSharp> _logger;

+ public HttpTriggerCSharp(ILogger<HttpTriggerCSharp> logger)

+ {

+ _logger = logger;

+ }

+ [Function("HttpTriggerCSharp")]

+ public IActionResult Run(

+ [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequest req)

+ {

+ _logger.LogInformation("C# HTTP trigger function processed a request.");

+ return new OkObjectResult($"Welcome to Azure Functions, {req.Query["name"]}!");

+ }

+ }

+}

+```

+```csharp

+using Microsoft.Extensions.Hosting;

+var host = new HostBuilder()

+ .ConfigureFunctionsWebApplication()

+ .ConfigureServices(services => {

+ services.AddApplicationInsightsTelemetryWorkerService();

+ services.ConfigureFunctionsApplicationInsights();

+ })

+ .Build();

+host.Run();

+```

+```csharp

+using Microsoft.Extensions.Hosting;

+var host = new HostBuilder()

+ .ConfigureFunctionsWebApplication()

+ .ConfigureServices(services => {

+ services.AddApplicationInsightsTelemetryWorkerService();

+ services.ConfigureFunctionsApplicationInsights();

+ })

+ .Build();

+host.Run();

+```

+```csharp

+using Microsoft.Extensions.Hosting;

+using Microsoft.Azure.Functions.Worker;

+namespace Company.FunctionApp

+{

+ internal class Program

+ {

+ static void Main(string[] args)

+ {

+ FunctionsDebugger.Enable();

+ var host = new HostBuilder()

+ .ConfigureFunctionsWorkerDefaults()

+ .ConfigureServices(services => {

+ services.AddApplicationInsightsTelemetryWorkerService();

+ services.ConfigureFunctionsApplicationInsights();

+ })

+ .Build();

+ host.Run();

+ }

+ }

+}

+```

+```csharp

+using Microsoft.Extensions.Hosting;

+var host = new HostBuilder()

+ .ConfigureFunctionsWebApplication()

+ .ConfigureServices(services => {

+ services.AddApplicationInsightsTelemetryWorkerService();

+ services.ConfigureFunctionsApplicationInsights();

+ })

+ .Build();

+host.Run();

+```

+ :::image type="content" source="./media/tutorial-prioritized-routes/traffic-map.png" lightbox="./media/tutorial-prioritized-routes/traffic-map.png" alt-text="A screenshot that shows a map of Los Angeles, with the streets displaying traffic flow data.":::

+ :::image type="content" source="./media/tutorial-prioritized-routes/pins-map.png" lightbox="./media/tutorial-prioritized-routes/pins-map.png" alt-text="A screenshot that shows a map with a route containing a blue teardrop pin marking the start point and a blue round pin marking the end point.":::

+ :::image type="content" source="./media/tutorial-prioritized-routes/prioritized-routes.png" lightbox="./media/tutorial-prioritized-routes/prioritized-routes.png" alt-text="A screenshot that displays both a private as well as a commercial vehicle route on a map using the Azure Route Service.":::

+| Red Hat Enterprise Linux Server 8.6+ | Γ£ô³ | Γ£ô | Γ£ô² |

+| Red Hat Enterprise Linux Server 8.0-8.5 | Γ£ô | Γ£ô | Γ£ô² |

+| October 2023| **Windows** <ul><li>Minimize CPU spikes when resetting an Event Log subscription</li><li>Enable multiple IIS subscriptions to use same filter</li><li>Cleanup files and folders for inactive tenants in multi-tenant mode</li><li>AMA installer will not install unnecessary certs</li><li>AMA emits Telemetry table locally</li><li>Update Metric Extension to v2.2023.721.1630</li><li>Update AzureSecurityPack to v4.29.0.4</li><li>Update AzureWatson to v1.0.99</li></ul>**Linux**<ul><li> Add support for Process metrics counters for Log Analytics upload and Azure Monitor Metrics</li><li>Use rsyslog omfwd TCP for improved syslog reliability</li><li>Support Palo Alto CEF logs where hostname is followed by 2 spaces</li><li>Bug and reliability improvements</li></ul> |1.21.0|1.28.11|

+1. <a name="custom-props"></a>(Optional) In the **Custom properties**, if you've configured action groups for this alert rule, you can add your own properties to include in the alert notification payload. You can use these properties in the actions called by the action group, such as webhook, Azure function or logic app actions.

+ The custom properties are specified as key:value pairs, using either static text, a dynamic value extracted from the alert payload, or a combination of both.

+ The format for extracting a dynamic value from the alert payload is: `${<path to schema field>}`. For example: ${data.essentials.monitorCondition}.

+ Use the [common alert schema](alerts-common-schema.md) format to specify the field in the payload, whether or not the action groups configured for the alert rule use the common schema.

+ :::image type="content" source="media/alerts-create-new-alert-rule/alerts-rule-actions-tab.png" alt-text="Screenshot that shows the Actions tab when creating a new alert rule.":::

+ In the following examples, values in the **custom properties** are used to utilize data from a payload that uses the common alert schema:

+ **Example 1**

+ This example creates an "Additional Details" tag with data regarding the "window start time" and "window end time".

+ - **Name:** "Additional Details"

+ - **Value:** "Evaluation windowStartTime: \${data.alertContext.condition.windowStartTime}. windowEndTime: \${data.alertContext.condition.windowEndTime}"

+ - **Result:** "AdditionalDetails:Evaluation windowStartTime: 2023-04-04T14:39:24.492Z. windowEndTime: 2023-04-04T14:44:24.492Z"

+ **Example 2**

+ This example adds the data regarding the reason of resolving or firing the alert.

+ - **Name:** "Alert \${data.essentials.monitorCondition} reason"

+ - **Value:** "\${data.alertContext.condition.allOf[0].metricName} \${data.alertContext.condition.allOf[0].operator} \${data.alertContext.condition.allOf[0].threshold} \${data.essentials.monitorCondition}. The value is \${data.alertContext.condition.allOf[0].metricValue}"

+ - **Result:** Example results could be something like:

+ - "Alert Resolved reason: Percentage CPU GreaterThan5 Resolved. The value is 3.585"

+ - ΓÇ£Alert Fired reason": "Percentage CPU GreaterThan5 Fired. The value is 10.585"

+ > [!NOTE]

+ > The [common schema](alerts-common-schema.md) overwrites custom configurations. Therefore, you can't use both custom properties and the common schema for log alerts.

+

+ <!-- convertborder later -->

+ :::image type="content" source="media/alerts-troubleshoot/history-tab-alert-processing-rule-suppression.png" lightbox="media/alerts-troubleshoot/history-tab-alert-processing-rule-suppression.png" alt-text="Screenshot of alert history tab with suppression from alert processing rule." border="false":::

+ This action only looks at Azure Resource Manager role assignments that are at the subscription scope, and of type *User*. Make sure that you assigned the role at the subscription level, and not at the resource level or resource group level.

+ The alert emails provide a link to unsubscribe from the action group. To check if you accidentally unsubscribed from this action group, either:

+ :::image type="content" source="media/alerts-troubleshoot/action-group-status.png" lightbox="media/alerts-troubleshoot/action-group-status.png" alt-text="Screenshot of action group status column.":::

+ :::image type="content" source="media/alerts-troubleshoot/unsubscribe-action-group.png" lightbox="media/alerts-troubleshoot/unsubscribe-action-group.png" alt-text="Screenshot of email about being unsubscribed from alert action group.":::

+ To subscribe again ΓÇô either use the link in the unsubscribe confirmation email you received, or remove the email address from the action group, and then add it back again.

+ Email is [rate limited](alerts-rate-limiting.md) to no more than 100 emails every hour to each email address. If you pass this threshold, additional email notifications are dropped. Check if you received a message indicating that your email address is temporarily rate limited:

+ <!-- convertborder later -->

+ :::image type="content" source="media/alerts-troubleshoot/email-paused.png" lightbox="media/alerts-troubleshoot/email-paused.png" alt-text="Screenshot of an email about being rate limited." border="false":::

+ If you want to receive high-volume of notifications without rate limiting, consider using a different action, such as one of the following actions:

+

+ - Webhook

+ - Logic app

+ - Azure function

+ - Automation runbooks

+

+ None of these actions are rate limited.

+ <!-- convertborder later -->

+ :::image type="content" source="media/alerts-troubleshoot/history-tab-alert-processing-rule-suppression.png" lightbox="media/alerts-troubleshoot/history-tab-alert-processing-rule-suppression.png" alt-text="Screenshot of alert history tab with suppression from alert processing rule." border="false":::

+ SMS and voice calls are rate limited to no more than one notification every five minutes per phone number. If you pass this threshold, the notifications are dropped.

+ - SMS - check your SMS history for a message indicating that your phone number is rate limited.

+ If you want to receive high-volume of notifications without rate limiting, consider using a different action, such as one of the following actions:

+

+ - Webhook

+ - Logic app

+ - Azure function

+ - Automation runbooks

+

+ None of these actions are rate limited.

+ Open your SMS history and check if you opted out of SMS delivery from this specific action group (using the DISABLE action_group_short_name reply) or from all action groups (using the STOP reply). To subscribe again, either send the relevant SMS command (ENABLE action_group_short_name or START), or remove the SMS action from the action group, and then add it back again. For more information, see [SMS alert behavior in action groups](alerts-sms-behavior.md).

+ <!-- convertborder later -->

+ :::image type="content" source="media/alerts-troubleshoot/history-tab-alert-processing-rule-suppression.png" lightbox="media/alerts-troubleshoot/history-tab-alert-processing-rule-suppression.png" alt-text="Screenshot of alert history tab with suppression from alert processing rule." border="false":::

+ Verify the webhook endpoint you configured is correct and the endpoint is working correctly. Check your webhook logs or instrument its code so you could investigate (for example, log the incoming payload).

+If you received a notification for an alert (such as an email or an SMS) more than once, or the alert's action (such as webhook or Azure function) was triggered multiple times, follow these steps:

+ In some cases, multiple similar alerts are fired at around the same time. So, it might just seem like the same alert triggered its actions multiple times. For example, an activity log alert rule might be configured to fire both when an event starts and finishes (succeeded or failed), by not filtering on the event status field.

+ <!-- convertborder later -->

+ :::image type="content" source="media/alerts-troubleshoot/action-repeated-multi-action-groups.png" lightbox="media/alerts-troubleshoot/action-repeated-multi-action-groups.png" alt-text="Screenshot of multiple action groups in an alert." border="false":::

+If your notification does not contain this note and you received the alert, but believe some of its fields are missing or incorrect, follow these steps:

+ <!-- convertborder later -->

+ :::image type="content" source="media/alerts-troubleshoot/webhook.png" lightbox="media/alerts-troubleshoot/webhook.png" alt-text="Screenshot of webhook action schema option." border="false":::

+ Check if the format specified at the action level is what you expect. For example, you might have developed code that responds to alerts (webhook, function, logic app, etc.), expecting one format, but later in the action you or another person specified a different format.

+ [Activity log alerts](./activity-log-alerts.md) are alerts that are based on events written to the Azure Activity Log, such as events about creating, updating, or deleting Azure resources, service health and resource health events, or findings from Azure Advisor and Azure Policy. If you received an alert based on the activity log but some fields that you need are missing or incorrect, first check the events in the activity log itself. If the Azure resource did not write the fields you are looking for in its activity log event, those fields aren't included in the corresponding alert.

+ :::image type="content" source="media/alerts-troubleshoot/alerts-troubleshoot-alert-processing-rules-status.png" lightbox="media/alerts-troubleshoot/alerts-troubleshoot-alert-processing-rules-status.png" alt-text="Screenshot of alert processing rule list highlighting the status field and status filter.":::

+ Check if the alert processing rule processed your alert by clicking on the fired alert in the portal, and look at the history tab.

+ <!-- convertborder later -->

+ :::image type="content" source="media/alerts-troubleshoot/history-tab-alert-processing-rule-suppression.png" lightbox="media/alerts-troubleshoot/history-tab-alert-processing-rule-suppression.png" alt-text="Screenshot of alert history tab with suppression from alert processing rule." border="false":::

+ <!-- convertborder later -->

+ :::image type="content" source="media/alerts-troubleshoot/action-repeated-multi-action-groups.png" lightbox="media/alerts-troubleshoot/action-repeated-multi-action-groups.png" alt-text="Screenshot of action repeated in multiple action groups." border="false":::

+When opening a case about a specific fired alert (such as ΓÇô if you did not receive its email notification), you need to provide the alert ID.

+ <!-- convertborder later -->

+ :::image type="content" source="media/alerts-troubleshoot/get-alert-id.png" lightbox="media/alerts-troubleshoot/get-alert-id.png" alt-text="Screenshot of finding the alert ID field in the alert summary tab." border="false":::

+- Go back to the [Azure portal](https://portal.azure.com) to check if you solved your issue with guidance in this article.

+ :::image type="content" source="media/itsmc-overview/azure-add-new-resource.png" lightbox="media/itsmc-overview/azure-add-new-resource.png" alt-text="Screenshot that shows the menu item for creating a resource.":::

+ :::image type="content" source="media/itsmc-overview/add-itsmc-solution.png" lightbox="media/itsmc-overview/add-itsmc-solution.png" alt-text="Screenshot that shows the Create button in Azure Marketplace.":::

+ :::image type="content" source="media/itsmc-overview/itsmc-solution-workspace.png" lightbox="media/itsmc-overview/itsmc-solution-workspace.png" alt-text="Screenshot that shows the Azure Log Analytics Workspace section.":::

+ :::image type="content" source="media/itsmc-definition/create-new-connection-from-resource.png" lightbox="media/itsmc-definition/create-new-connection-from-resource.png" alt-text="Screenshot that shows recent resources in the Azure portal.":::

+ :::image type="content" source="media/itsmc-overview/add-new-itsm-connection.png" lightbox="media/itsmc-overview/add-new-itsm-connection.png" alt-text="Screenshot that shows the ITSM Connections menu item.":::

+ :::image type="content" source="media/itsmc-overview/itsmc-connections-refresh.png" lightbox="media/itsmc-overview/itsmc-connections-refresh.png" alt-text="Screenshot that shows the Sync button on the connection's pane.":::

+ :::image type="content" source="media/itsmc-overview/action-groups-selection-big.png" lightbox="media/itsmc-overview/action-groups-selection-big.png" alt-text="Screenshot that shows selecting Action groups.":::

+ :::image type="content" source="media/itsmc-overview/action-groups-details.png" lightbox="media/itsmc-overview/action-groups-details.png" alt-text="Screenshot that shows the Create an action group screen.":::

+ :::image type="content" source="media/itsmc-definition/action-group-pen.png" lightbox="media/itsmc-definition/action-group-pen.png" alt-text="Screenshot that shows selections for creating an action group.":::

+

+ :::image type="content" source="media/itsmc-definition/itsm-action-incident.png" lightbox="media/itsmc-definition/itsm-action-incident.png" alt-text="Screenshot that shows the ITSM Ticket area with an incident work item type.":::

+

+ :::image type="content" source="media/itsmc-definition/itsm-action-event.png" lightbox="media/itsmc-definition/itsm-action-event.png" alt-text="Screenshot that shoes the ITSM Ticket section with an even work item type.":::

+

+ :::image type="content" source="media/itsmc-definition/itsm-action-alert.png" lightbox="media/itsmc-definition/itsm-action-alert.png" alt-text="Screenshot that shows the ITSM Ticket area with an alert work item type.":::

+> [!NOTE]

+> This example is designed solely to show you the mechanics of how the `TrackAvailability()` API call works within an Azure function. It doesn't show you how to write the underlying HTTP test code or business logic that's required to turn this example into a fully functional availability test. By default, if you walk through this example, you'll be creating a basic availability HTTP GET test.

+>

+> To follow these instructions, you must use the [dedicated plan](../../azure-functions/dedicated-plan.md) to allow editing code in App Service Editor.

+### Create a timer trigger function

+1. Create an Azure Functions resource.

+ - If you already have an Application Insights resource:

+ - By default, Azure Functions creates an Application Insights resource. But if you want to use a resource you created previously, you must specify that during creation.

+ - Follow the instructions on how to [create an Azure Functions resource](../../azure-functions/functions-create-scheduled-function.md#create-a-function-app) with the following modification:

+ On the **Monitoring** tab, select the **Application Insights** dropdown box and then enter or select the name of your resource.

+ :::image type="content" source="media/availability-azure-functions/app-insights-resource.png" alt-text="Screenshot that shows selecting your existing Application Insights resource on the Monitoring tab.":::

+ - If you don't have an Application Insights resource created yet for your timer-triggered function:

+ - By default, when you're creating your Azure Functions application, it creates an Application Insights resource for you. Follow the instructions on how to [create an Azure Functions resource](../../azure-functions/functions-create-scheduled-function.md#create-a-function-app).

+ > [!NOTE]

+ > You can host your functions on a Consumption, Premium, or App Service plan. If you're testing behind a virtual network or testing nonpublic endpoints, you'll need to use the Premium plan in place of the Consumption plan. Select your plan on the **Hosting** tab. Ensure the latest .NET version is selected when you create the function app.

+1. Create a timer trigger function.

+ 1. In your function app, select the **Functions** tab.

+ 1. Select **Add**. On the **Add function** pane, select the following configurations:

+ 1. **Development environment**: **Develop in portal**

+ 1. **Select a template**: **Timer trigger**

+ 1. Select **Add** to create the timer trigger function.

+ :::image type="content" source="media/availability-azure-functions/add-function.png" alt-text="Screenshot that shows how to add a timer trigger function to your function app." lightbox="media/availability-azure-functions/add-function.png":::

+### Add and edit code in the App Service Editor

+Go to your deployed function app, and under **Development Tools**, select the **App Service Editor** tab.

+To create a new file, right-click under your timer trigger function (for example, **TimerTrigger1**) and select **New File**. Then enter the name of the file and select **Enter**.

+1. Create a new file called **function.proj** and paste the following code:

+ ```xml

+ <Project Sdk="Microsoft.NET.Sdk">

+ <PropertyGroup>

+ <TargetFramework>netstandard2.0</TargetFramework>

+ </PropertyGroup>

+ <ItemGroup>

+ <PackageReference Include="Microsoft.ApplicationInsights" Version="2.15.0" /> <!-- Ensure youΓÇÖre using the latest version -->

+ </ItemGroup>

+ </Project>

+ ```

+ :::image type="content" source="media/availability-azure-functions/function-proj.png" alt-text=" Screenshot that shows function.proj in the App Service Editor." lightbox="media/availability-azure-functions/function-proj.png":::

+1. Create a new file called **runAvailabilityTest.csx** and paste the following code:

+ ```csharp

+ using System.Net.Http;

+ public async static Task RunAvailabilityTestAsync(ILogger log)

+ {

+ using (var httpClient = new HttpClient())

+ {

+ // TODO: Replace with your business logic

+ await httpClient.GetStringAsync("https://www.bing.com/");

+ }

+ }

+ ```

+1. Define the `REGION_NAME` environment variable as a valid Azure availability location.

+ Run the following command in the [Azure CLI](https://learn.microsoft.com/cli/azure/account?view=azure-cli-latest#az-account-list-locations&preserve-view=true) to list available regions.

+ ```azurecli

+ az account list-locations -o table

+ ```

+1. Copy the following code into the **run.csx** file. (You replace the pre-existing code.)

+ ```csharp

+ #load "runAvailabilityTest.csx"

+ using System;

+ using System.Diagnostics;

+ using Microsoft.ApplicationInsights;

+ using Microsoft.ApplicationInsights.Channel;

+ using Microsoft.ApplicationInsights.DataContracts;

+ using Microsoft.ApplicationInsights.Extensibility;

+ private static TelemetryClient telemetryClient;

+ // =============================================================

+ // ****************** DO NOT MODIFY THIS FILE ******************

+ // Business logic must be implemented in RunAvailabilityTestAsync function in runAvailabilityTest.csx

+ // If this file does not exist, please add it first

+ // =============================================================

+ public async static Task Run(TimerInfo myTimer, ILogger log, ExecutionContext executionContext)

+ {

+ if (telemetryClient == null)

+ {

+ // Initializing a telemetry configuration for Application Insights based on connection string

+ var telemetryConfiguration = new TelemetryConfiguration();

+ telemetryConfiguration.ConnectionString = Environment.GetEnvironmentVariable("APPLICATIONINSIGHTS_CONNECTION_STRING");

+ telemetryConfiguration.TelemetryChannel = new InMemoryChannel();

+ telemetryClient = new TelemetryClient(telemetryConfiguration);

+ }

+ string testName = executionContext.FunctionName;

+ string location = Environment.GetEnvironmentVariable("REGION_NAME");

+ var availability = new AvailabilityTelemetry

+ {

+ Name = testName,

+ RunLocation = location,

+ Success = false,

+ };

+ availability.Context.Operation.ParentId = Activity.Current.SpanId.ToString();

+ availability.Context.Operation.Id = Activity.Current.RootId;

+ var stopwatch = new Stopwatch();

+ stopwatch.Start();

+ try

+ {

+ using (var activity = new Activity("AvailabilityContext"))

+ {

+ activity.Start();

+ availability.Id = Activity.Current.SpanId.ToString();

+ // Run business logic

+ await RunAvailabilityTestAsync(log);

+ }

+ availability.Success = true;

+ }

+ catch (Exception ex)

+ {

+ availability.Message = ex.Message;

+ throw;

+ }

+ finally

+ {

+ stopwatch.Stop();

+ availability.Duration = stopwatch.Elapsed;

+ availability.Timestamp = DateTimeOffset.UtcNow;

+ telemetryClient.TrackAvailability(availability);

+ telemetryClient.Flush();

+ }

+ }

+ ```

+To avoid confusion, send the telemetry from different development stages to separate Application Insights resources with separate connection strings.

+If your system is an instance of Azure Cloud Services, there's [another method of setting separate connection strings](../../azure-monitor/app/azure-web-apps-net-core.md).

+### About resources and connection strings

+When you set up Application Insights monitoring for your web app, you create an Application Insights resource in Azure. You open this resource in the Azure portal to see and analyze the telemetry collected from your app. The resource is identified by a connection string. When you install the Application Insights package to monitor your app, you configure it with the connection string so that it knows where to send the telemetry.

+#### Get the connection string

+The connection string identifies the resource that you created.

+You need the connection strings of all the resources to which your app will send data.

+1. Create a new workspace-based Application Insights resource in the new region.

+1. Modify your application to use the new region resource's [connection string](./sdk-connection-string.md).

+This article walks through migrating from instrumentation keys to [connection strings](sdk-connection-string.md#overview).

+ :::image type="content" source="./media/autoscale-overview/Autoscale_Overview_v4.png" lightbox="./media/autoscale-overview/Autoscale_Overview_v4.png" alt-text="Diagram that shows autoscale flow.":::

+<!-- convertborder later -->

+<!-- convertborder later -->

+<!-- convertborder later -->

+<!-- convertborder later -->

+ <!-- convertborder later -->

+ :::image type="content" source="media/autoscale-troubleshoot/autoscale-vmss-metric-chart-ex-2.png" lightbox="media/autoscale-troubleshoot/autoscale-vmss-metric-chart-ex-2.png" alt-text="Screenshot that shows a virtual machine scale set autoscale metrics charts example." border="false":::

+<!-- convertborder later -->

+<!-- convertborder later -->

+[Reliability](/azure/well-architected/resiliency/overview) refers to the ability of a system to recover from failures and continue to function. Instead of trying to prevent failures altogether in the cloud, the goal is to minimize the effects of a single failing component. Use the following information to minimize failure of your Log Analytics workspaces and to protect the data they collect.

+[Security](/azure/well-architected/security/overview) is one of the most important aspects of any architecture. Azure Monitor provides features to employ both the principle of least privilege and defense-in-depth. Use the following information to maximize the security of your Log Analytics workspaces and ensure that only authorized users access collected data.

+[Cost optimization](/azure/well-architected/cost/overview) refers to ways to reduce unnecessary expenses and improve operational efficiencies. You can significantly reduce your cost for Azure Monitor by understanding your different configuration options and opportunities to reduce the amount of data that it collects. See [Azure Monitor cost and usage](usage-estimated-costs.md) to understand the different ways that Azure Monitor charges and how to view your monthly bill.

+[Operational excellence](/azure/well-architected/devops/overview) refers to operations processes required keep a service running reliably in production. Use the following information to minimize the operational requirements for supporting Log Analytics workspaces.

+[Performance efficiency](/azure/well-architected/scalability/overview) is the ability of your workload to scale to meet the demands placed on it by users in an efficient manner. Use the following information to ensure that your Log Analytics workspaces and log queries are configured for maximum performance.

+| :::image type="content" source="./media/container-insights-analyze/containers-ready-icon.png" alt-text="Ready running status icon.":::|

+| :::image type="content" source="./media/container-insights-analyze/containers-waiting-icon.png" alt-text="Waiting or Paused status icon."::: | Waiting or Paused|

+| :::image type="content" source="./media/container-insights-analyze/containers-grey-icon.png" alt-text="Last reported running status icon."::: | Last reported running but hasn't responded for more than 30 minutes|

+| :::image type="content" source="./media/container-insights-analyze/containers-green-icon.png" alt-text="Successful status icon."::: | Successfully stopped or failed to stop|

+| :::image type="content" source="./media/container-insights-analyze/containers-ready-icon.png" alt-text="Ready running status icon.":::|

+| :::image type="content" source="./media/container-insights-analyze/containers-waiting-icon.png" alt-text="Waiting or Paused status icon."::: | Waiting or Paused|

+| :::image type="content" source="./media/container-insights-analyze/containers-grey-icon.png" alt-text="Last reported running status icon."::: | Last reported running but hasn't responded in more than 30 minutes|

+| :::image type="content" source="./media/container-insights-analyze/containers-terminated-icon.png" alt-text="Terminated status icon."::: | Successfully stopped or failed to stop|

+| :::image type="content" source="./media/container-insights-analyze/containers-failed-icon.png" alt-text="Failed status icon."::: | Failed state |

+| ContainerNodeInventory | Yes | No | Data collection setting for namespaces isn't applicable since Kubernetes Node isn't a namespace scoped resource |

+| KubeNodeInventory | Yes | No | Data collection setting for namespaces isn't applicable Kubernetes Node isn't a namespace scoped resource |

+| KubeEvents | No | Yes | Data collection setting for interval isn't applicable for the Kubernetes Events |

+| Perf | Yes | Yes\* | \*Data collection setting for namespaces isn't applicable for the Kubernetes Node related metrics since the Kubernetes Node isn't a namespace scoped object. |

+| Insights.container/nodes| Yes | No | Node isn't a namespace scoped resource |

+If you're currently using the above tables for other custom alerts or charts, then modifying your data collection settings may degrade those experiences. If you're excluding namespaces or reducing data collection frequency, review your existing alerts, dashboards, and workbooks using this data.

+| Logs and events | ContainerLog or ContainerLogV2, KubeEvents, KubePodInventory | Recommended if you enabled managed Prometheus metrics |

+3. If you have not configured Container Insights, select the 'Configure Azure Monitor' button. For clusters already onboarded to Insights, select the "Monitoring Settings" button in the toolbar.

+4. If you're configuring Container Insights for the first time or have not migrated to using [managed identity authentication](../containers/container-insights-onboard.md#authentication), select the "Use managed identity" checkbox.

+3. If you have not configured Container Insights, select the 'Configure Azure Monitor' button. For clusters already onboarded to Insights, select the "Monitoring Settings" button in the toolbar.

+4. Using the dropdown, choose one of the "Cost presets", for more configuration, you may select the "Edit collection settings".

+3. If you have not configured Container Insights, select the 'Configure Azure Monitor' button. For clusters already onboarded to Insights, select the "Monitoring Settings" button in the toolbar.

+4. If you're configuring Container Insights for the first time, select the "Use managed identity" checkbox.

+5. Using the dropdown, choose one of the "Cost presets", for more configuration, you may select the "Edit advanced collection settings".

+- Recommended alerts don't work as intended if the Data collection interval is configured more than 1-minute interval. To continue using Recommended alerts, migrate to the [Prometheus metrics addon](../essentials/prometheus-metrics-overview.md)

+<!-- convertborder later -->

+<!-- convertborder later -->

+<!-- convertborder later -->

+<!-- convertborder later -->

+<!-- convertborder later -->

+<!-- convertborder later -->

+<!-- convertborder later -->

+<!-- convertborder later -->

+<!-- convertborder later -->

+<!-- convertborder later -->

+ <!-- convertborder later -->

+ :::image type="content" source="media/container-insights-optout/container-properties-page.png" lightbox="media/container-insights-optout/container-properties-page.png" alt-text="Screenshot that shows the Container properties page." border="false":::

+<!-- convertborder later -->

+<!-- convertborder later -->

+## Frequently asked questions

+This section provides answers to common questions.

+### Is there a maximum amount of data that I can collect in Azure Monitor?

+There's no limit to the amount of metric data you can collect, but this data is stored for a maximum of 93 days. See [Retention of metrics](./data-platform-metrics.md#retention-of-metrics). There's no limit on the amount of log data that you can collect, but the pricing tier you choose for the Log Analytics workspace might affect the limit. See [Pricing details](https://azure.microsoft.com/pricing/details/monitor/).

+### How do I access data collected by Azure Monitor?

+Insights and solutions provide a custom experience for working with data stored in Azure Monitor. You can work directly with log data by using a log query written in Kusto Query Language (KQL). In the Azure portal, you can write and run queries and interactively analyze data by using Log Analytics. Analyze metrics in the Azure portal with the metrics explorer. See [Analyze log data in Azure Monitor](../logs/log-query-overview.md) and [Analyze metrics with Azure Monitor metrics explorer](./analyze-metrics.md).

+* **Archive**: Lets you keep older, less used data in your workspace at a reduced cost. You can access data in the archived state by using [search jobs](../logs/search-jobs.md) and [restore](../logs/restore.md). You can keep data in archived state for up to 12 years.

+The Analytics log data plan includes 30 days of interactive retention. You can increase the interactive retention period to up to 730 days at an [additional cost](https://azure.microsoft.com/pricing/details/monitor/). If needed, you can reduce the interactive retention period to as little as four days using the API or CLI. However, since 30 days are included in the ingestion price, lowering the retention period below 30 days doesn't reduce costs. You can set the archive period to a total retention time of up to 4,383 days (12 years).

+> Currently, you can set total retention to up to 12 years through the Azure portal and API. CLI and PowerShell are limited to seven years; support for 12 years will follow.

+PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/tables/{tableName}?api-version=2022-10-01

+|properties.totalRetentionInDays | integer | The table's total data retention including archive period. This value can be between 4 and 730; or 1095, 1460, 1826, 2191, 2556, 2922, 3288, 3653, 4018, or 4383. Set this property to null if you don't want to archive data. |

+PATCH https://management.azure.com/subscriptions/00000000-0000-0000-0000-00000000000/resourcegroups/testRG/providers/Microsoft.OperationalInsights/workspaces/testWS/tables/CustomLog_CL?api-version=2022-10-01

+GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables/SecurityEvent?api-version=2022-10-01

+GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables?api-version=2022-10-01

+## Frequently asked questions

+This section provides answers to common questions.

+### Why am I seeing duplicate records in Azure Monitor Logs?

+Occasionally, you might notice duplicate records in Azure Monitor Logs. This duplication is typically from one of the following two conditions:

+

+- Components in the pipeline have retries to ensure reliable delivery at the destination. Occasionally, this capability might result in duplicates for a small percentage of telemetry items.

+- If the duplicate records come from a virtual machine, you might have both the Log Analytics agent and Azure Monitor Agent installed. If you still need the Log Analytics agent installed, configure the Log Analytics workspace to no longer collect data that's also being collected by the data collection rule used by Azure Monitor Agent.

+Archiving is a low-cost solution for keeping data that you no longer use regularly in your workspace for compliance or occasional investigation. [Set table-level retention](../logs/data-retention-archive.md) to override the default workspace retention and to archive data within your workspace.

+|properties.retentionInDays | integer | The table's data retention in days. In `Basic Logs`, the value is eight days, fixed. In `Analytics Logs`, the value is between four and 730 days.|

+- [Set retention and archive](../logs/data-retention-archive.md)

+The map feature of VM insights visualizes virtual machine dependencies by discovering running processes that have active network connection between servers, inbound and outbound connection latency, or ports across any TCP-connected architecture over a specified time range.

+By default, the charts show performance counters for the last hour. By using the **TimeRange** selector, you can query for historical time ranges of up to 30 days to show how performance looked in the past.

+* US Gov Arizona

+Assume that you created a 4 TiB Standard capacity pool. The billing structure is at the Standard capacity tier rate for the entire 4 TiB.

+ * 3 TiB of allocated capacity at the hot tier rate

+ * 1 TiB of unallocated capacity at the hot tier rate

+ * 1 TiB capacity at the hot tier rate

+ * 3 TiB capacity at the cool tier rate

+ * 0.5 TiB capacity at the hot tier rate

+ * 2 TiB of unallocated capacity at the hot tier rate

+ * 1.5 TiB capacity at the cool tier rate

+ * 0.25 TiB capacity at the hot tier rate

+ * 0.75 TiB capacity at the cool tier rate

+* Southeast Asia

+## November 2023

+* [Azure NetApp Files datastores for Azure VMware Solution](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md#supported-regions) in select US Gov regions

+

+ Azure NetApp Files now supports [Azure NetApp Files datastores for Azure VMware Solution](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md?tabs=azure-portal) in US Gov Arizona and US Gov Virginia regions. Azure NetApp Files datastores for Azure VMware Solution provide the ability to scale storage independently of compute and can go beyond the limits of the local instance storage provided by vSAN reducing total cost of ownership.

+ Title: Azure mobile app alerts and notifications

+description: Use Azure mobile app notifications to get up-to-date alerts and information on your resources and services.

+# Azure mobile app alerts and notifications

+Use Azure mobile app notifications to get up-to-date alerts and information on your resources and services.

+Azure mobile app notifications offer users flexibility in how they receive push notifications.

+Azure mobile app notifications are a way to monitor and manage your Azure resources from your mobile device. You can use the Azure mobile app to view the status of your resources, get alerts on issues, and take corrective actions.

+This article describes different options for configuring your notifications in the Azure mobile app.

+## Enable push notifications for Service Health alerts

+To enable push notifications for Service Health on specific subscriptions:

+1. Open the Azure mobile app and sign in with your Azure account.

+1. Select the menu icon on the top left corner, then select **Settings**.

+1. Select **Service Health issue alerts**.

+ :::image type="content" source="media/alerts-notifications/service-health.png" alt-text="Screenshot showing the Service Health issue alerts section of the Settings page in the Azure mobile app.":::

+1. Use the toggle switches to select subscriptions for which you want to receive push notifications.

+1. Select **Save** to confirm your changes.

+## Enable push notifications for custom alerts

+You can enable push notifications in the Azure mobile app for custom alerts that you define. To do so, you first [create a new alert rule](/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=metric) in the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the same Azure account information that you're using in the Azure mobile app.

+1. In the Azure portal, open **Azure Monitor**.

+1. Select **Alerts**.

+1. Select **Create alert rule** and select the target resource that you want to monitor.

+1. Configure the condition, severity, and action group for your alert rule. You can use an existing [action group](/azure/azure-monitor/alerts/action-groups), or create a new one.

+1. In the action group, make sure to add a notification type of **Push Notification** and select the Azure mobile app as the destination. This enables notifications in your Azure mobile app.

+1. Select **Create alert rule** to save your changes.

+## View alerts

+There are several ways to view current alerts on the Azure mobile app.

+### Notifications list view

+Select the **Notifications** icon on the bottom toolbar to see a list view of all current alerts.

+In the list view you have the option to search for specific alerts or utilize the filter option in the top right of the screen to filter by specific subscriptions.

+When you select a specific alert, you'll see an alert details page that will provide more information, including:

+- Severity

+- Fired time

+- App Service plan

+- Alert condition

+- User response

+- Why the alert fired

+- Additional details

+ - Description

+ - Monitor service

+ - AlertID

+ - Suppression status

+ - Target resource type

+ - Signal type

+You can change the user response by selecting the edit option (pencil icon) next to the current response. Select either **New**, **Acknowledged**, or **Closed**, and then select **Done** in the top right corner. You can also select **History** near the top of the screen to view the timeline of events for the alert.

+### Alerts card on Home view

+You can also view alerts on the **Alerts** tile on your [Azure mobile app **Home**](home.md).

+The **Alerts** tile includes two viewing options: **List** or **Chart**.

+The **List** view will show your latest alerts along with top level information including:

+- Title

+- Alert state

+- Severity

+- Time

+You can select **See All** to display the notifications list view showing all of your alerts.

+Alternately, you can select the **Chart** view to see the severity of the latest alerts on a bar chart.

+## Next steps

+- Learn more about the [Azure mobile app](overview.md).

+- Download the Azure mobile app for free from the [Apple App Store](https://aka.ms/azureapp/ios/doc), [Google Play](https://aka.ms/azureapp/android/doc) or [Amazon App Store](https://aka.ms/azureapp/amazon/doc).

+- Learn about [alerts and notifications](alerts-notifications.md) in the Azure mobile app.

+Currently, Azure CLI doesn't support deploying remote Bicep files. You can use [Bicep CLI](./install.md#visual-studio-code-and-bicep-extension) to [build](/cli/azure/bicep) the Bicep file to a JSON template, and then load the JSON file to the remote location. For more information, see [Deploy remote ARM JSON templates](../templates/deploy-cli.md#deploy-remote-template).

+To pass parameter values, you can use either inline parameters or a parameters file. The parameters file can be either a [Bicep parameters file](#bicep-parameter-files) or a [JSON parameters file](#json-parameter-files).

+ "value1",

+ "value2"

+"resourceTags": {

+ "type": "object",

+ "defaultValue": {

+ "Cost Center": "IT Department"

+ }

+}

+The evaluation of parameters follows a sequential order, meaning that if a value is assigned multiple times, only the last assigned value is used. To ensure proper parameter assignment, it's advised to provide your parameters file initially and selectively override specific parameters using the _KEY=VALUE_ syntax. It's important to mention that if you're supplying a `bicepparam` parameters file, you can use this argument only once.

+### Bicep parameter files

+Rather than passing parameters as inline values in your script, you might find it easier to use a parameters file, either a [Bicep parameters file](#bicep-parameter-files) or a [JSON parameters file](#json-parameter-files) that contains the parameter values. The parameters file must be a local file. External parameters files aren't supported with Azure CLI. For more information about the parameters file, see [Create Resource Manager parameters file](./parameter-files.md).

+With Azure CLI version 2.53.0 or later, and Bicep CLI version 0.22.6 or later, you can deploy a Bicep file by utilizing a Bicep parameter file. With the `using` statement within the Bicep parameters file, there's no need to provide the `--template-file` switch when specifying a Bicep parameter file for the `--parameters` switch. Including the `--template-file` switch will result in an "Only a .bicep template is allowed with a .bicepparam file" error.

+The following example shows a parameters file named _storage.bicepparam_. The file is in the same directory where the command is run.

+ --parameters storage.bicepparam

+### JSON parameter files

+The following example shows a parameters file named _storage.parameters.json_. The file is in the same directory where the command is run.

+ --template-file storage.bicep \

+ --parameters '@storage.parameters.json'

+For more information about the parameters file, see [Create Resource Manager parameters file](./parameter-files.md).

+To pass parameter values, you can use either inline parameters or a parameters file. The parameters file can be either a [Bicep parameters file](#bicep-parameter-files) or a [JSON parameters file](#json-parameters-files).

+### Bicep parameter files

+Rather than passing parameters as inline values in your script, you might find it easier to use a parameters file, either a `.bicepparam` file or a JSON parameters file, that contains the parameter values. The Bicep parameters file must be a local file.

+With Azure PowerShell version 10.4.0 or later, and Bicep CLI version 0.22.6 or later, you can deploy a Bicep file by utilizing a Bicep parameter file. With the `using` statement within the Bicep parameters file, there is no need to provide the `-TemplateFile` switch when specifying a Bicep parameter file for the `-TemplateParameterFile` switch.

+The following example shows a parameters file named _storage.bicepparam_. The file is in the same directory where the command is run.

+New-AzResourceGroupDeployment `

+ -Name ExampleDeployment `

+ -ResourceGroupName ExampleResourceGroup `

+ -TemplateParameterFile storage.bicepparam

+For more information about the parameters file, see [Create Resource Manager parameters file](./parameter-files.md).

+### JSON parameters files

+The JSON parameters file can be a local file or an external file with an accessible URI. For more information about the parameters file, see [Create Resource Manager parameters file](./parameter-files.md).

+To pass a local parameters file, use the `TemplateParameterFile` switch with a JSON parameters file:

+New-AzResourceGroupDeployment `

+ -Name ExampleDeployment `

+ -ResourceGroupName ExampleResourceGroup `

+New-AzResourceGroupDeployment `

+ -Name ExampleDeployment `

+ -ResourceGroupName ExampleResourceGroup `

+ Title: Configure development environment for deployment scripts in Bicep | Microsoft Docs

+description: Configure development environment for deployment scripts in Bicep.

+ms.devlang: azurecli

+# Configure development environment for deployment scripts in Bicep files

+Learn how to create a development environment for developing and testing deployment scripts with a deployment script image. You can either create an [Azure container instance](../../container-instances/container-instances-overview.md) or use [Docker](https://docs.docker.com/get-docker/). Both options are covered in this article.

+## Prerequisites

+### Azure PowerShell container

+If you don't have an Azure PowerShell deployment script, you can create a *hello.ps1* file by using the following content:

+```powershell

+param([string] $name)

+$output = 'Hello {0}' -f $name

+Write-Output $output

+$DeploymentScriptOutputs = @{}

+$DeploymentScriptOutputs['text'] = $output

+```

+```powershell

+param([string] $name, [string] $subscription)

+$output = 'Hello {0}' -f $name

+#Write-Output $output

+Connect-AzAccount -UseDeviceAuthentication

+Set-AzContext -subscription $subscription

+$kv = Get-AzKeyVault

+#Write-Output $kv

+$DeploymentScriptOutputs = @{}

+$DeploymentScriptOutputs['greeting'] = $output

+$DeploymentScriptOutputs['kv'] = $kv.resourceId

+Write-Output $DeploymentScriptOutputs

+```

+In an Azure PowerShell deployment script, the variable `$DeploymentScriptOutputs` is used to store the output values. For more information about working with Azure PowerShell outputs, see [Work with outputs from PowerShell scripts](./deployment-script-bicep.md#work-with-outputs-from-powershell-scripts).

+### Azure CLI container

+For an Azure CLI container image, you can create a *hello.sh* file by using the following content:

+```bash

+FIRSTNAME=$1

+LASTNAME=$2

+OUTPUT="{\"name\":{\"displayName\":\"$FIRSTNAME $LASTNAME\",\"firstName\":\"$FIRSTNAME\",\"lastName\":\"$LASTNAME\"}}"

+echo -n "Hello "

+echo $OUTPUT | jq -r '.name.displayName'

+```

+In an Azure CLI deployment script, an environment variable called `AZ_SCRIPTS_OUTPUT_PATH` stores the location of the script output file. The environment variable isn't available in the development environment container. For more information about working with Azure CLI outputs, see [Work with outputs from CLI scripts](deployment-script-bicep.md#work-with-outputs-from-cli-scripts).

+## Use Azure PowerShell container instance

+To author Azure PowerShell scripts on your computer, you need to create a storage account and mount the storage account to the container instance. So that you can upload your script to the storage account and run the script on the container instance. The storage account that you create to test your script is not the same storage account that the deployment script service uses to execute the script. Deployment script service creates a unique name as a file share on every execution.

+### Create an Azure PowerShell container instance

+The following Bicep file creates a container instance and a file share, and then mounts the file share to the container image.

+```bicep

+@description('Specify a project name that is used for generating resource names.')

+param projectName string

+@description('Specify the resource location.')

+param location string = resourceGroup().location

+@description('Specify the container image.')

+param containerImage string = 'mcr.microsoft.com/azuredeploymentscripts-powershell:az9.7'

+@description('Specify the mount path.')

+param mountPath string = '/mnt/azscripts/azscriptinput'

+var storageAccountName = toLower('${projectName}store')

+var fileShareName = '${projectName}share'

+var containerGroupName = '${projectName}cg'

+var containerName = '${projectName}container'

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {

+ name: storageAccountName

+ location: location

+ sku: {

+ name: 'Standard_LRS'

+ }

+ kind: 'StorageV2'

+ properties: {

+ accessTier: 'Hot'

+ }

+}

+resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-01-01' = {

+ name: '${storageAccountName}/default/${fileShareName}'

+ dependsOn: [

+ storageAccount

+ ]

+}

+resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2023-05-01' = {

+ name: containerGroupName

+ location: location

+ properties: {

+ containers: [

+ {

+ name: containerName

+ properties: {

+ image: containerImage

+ resources: {

+ requests: {

+ cpu: 1

+ memoryInGB: json('1.5')

+ }

+ }

+ ports: [

+ {

+ protocol: 'TCP'

+ port: 80

+ }

+ ]

+ volumeMounts: [

+ {

+ name: 'filesharevolume'

+ mountPath: mountPath

+ }

+ ]

+ command: [

+ '/bin/sh'

+ '-c'

+ 'pwsh -c \'Start-Sleep -Seconds 1800\''

+ ]

+ }

+ }

+ ]

+ osType: 'Linux'

+ volumes: [

+ {

+ name: 'filesharevolume'

+ azureFile: {

+ readOnly: false

+ shareName: fileShareName

+ storageAccountName: storageAccountName

+ storageAccountKey: storageAccount.listKeys().keys[0].value

+ }

+ }

+ ]

+ }

+}

+```

+The default value for the mount path is `/mnt/azscripts/azscriptinput`. This is the path in the container instance where it's mounted to the file share.

+The default container image specified in the Bicep file is **mcr.microsoft.com/azuredeploymentscripts-powershell:az9.7**. See a list of all [supported Azure PowerShell versions](https://mcr.microsoft.com/v2/azuredeploymentscripts-powershell/tags/list).

+The Bicep file suspends the container instance after 1,800 seconds. You have 30 minutes before the container instance goes into a terminated state and the session ends.

+Use the following script to deploy the Bicep file:

+```azurepowershell

+$projectName = Read-Host -Prompt "Enter a project name that is used to generate resource names"

+$location = Read-Host -Prompt "Enter the location (i.e. centralus)"

+$templateFile = Read-Host -Prompt "Enter the Bicep file path and file name"

+$resourceGroupName = "${projectName}rg"

+New-AzResourceGroup -Location $location -name $resourceGroupName

+New-AzResourceGroupDeployment -resourceGroupName $resourceGroupName -TemplateFile $templatefile -projectName $projectName

+```

+### Upload the deployment script

+Upload your deployment script to the storage account. Here's an example of a PowerShell script:

+```azurepowershell

+$projectName = Read-Host -Prompt "Enter the same project name that you used earlier"

+$fileName = Read-Host -Prompt "Enter the deployment script file name with the path"

+$resourceGroupName = "${projectName}rg"

+$storageAccountName = "${projectName}store"

+$fileShareName = "${projectName}share"

+$context = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).Context

+Set-AzStorageFileContent -Context $context -ShareName $fileShareName -Source $fileName -Force

+```

+You can also upload the file by using the Azure portal or the Azure CLI.

+### Test the deployment script

+1. In the Azure portal, open the resource group where you deployed the container instance and the storage account.

+2. Open the container group. The default container group name is the project name appended with *cg*. The container instance is in the **Running** state.

+3. In the resource menu, select **Containers**. The container instance name is the project name appended with *container*.

+ :::image type="content" source="./media/deployment-script-bicep-configure-dev/deployment-script-container-instance-connect.png" alt-text="Screenshot of the deployment script connect container instance option in the Azure portal.":::

+4. Select **Connect**, and then select **Connect**. If you can't connect to the container instance, restart the container group and try again.

+5. In the console pane, run the following commands:

+ ```console

+ cd /mnt/azscripts/azscriptinput

+ ls

+ pwsh ./hello.ps1 "John Dole"

+ ```

+ The output is **Hello John Dole**.

+ :::image type="content" source="./media/deployment-script-bicep-configure-dev/deployment-script-container-instance-test.png" alt-text="Screenshot of the deployment script connect container instance test output displayed in the console.":::

+## Use an Azure CLI container instance

+To author Azure CLI scripts on your computer, create a storage account and mount the storage account to the container instance. Then, you can upload your script to the storage account and run the script on the container instance. The storage account that you create to test your script isn't the same storage account that the deployment script service uses to execute the script. The deployment script service creates a unique name as a file share on every execution.

+### Create an Azure CLI container instance

+The following Bicep file creates a container instance and a file share, and then mounts the file share to the container image:

+```bicep

+@description('Specify a project name that is used for generating resource names.')

+param projectName string

+@description('Specify the resource location.')

+param location string = resourceGroup().location

+@description('Specify the container image.')

+param containerImage string = 'mcr.microsoft.com/azure-cli:2.9.1'

+@description('Specify the mount path.')

+param mountPath string = '/mnt/azscripts/azscriptinput'

+var storageAccountName = toLower('${projectName}store')

+var fileShareName = '${projectName}share'

+var containerGroupName = '${projectName}cg'

+var containerName = '${projectName}container'

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {

+ name: storageAccountName

+ location: location

+ sku: {

+ name: 'Standard_LRS'

+ }

+ kind: 'StorageV2'

+ properties: {

+ accessTier: 'Hot'

+ }

+}

+resource fileshare 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-01-01' = {

+ name: '${storageAccountName}/default/${fileShareName}'

+ dependsOn: [

+ storageAccount

+ ]

+}

+resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2023-05-01' = {

+ name: containerGroupName

+ location: location

+ properties: {

+ containers: [

+ {

+ name: containerName

+ properties: {

+ image: containerImage

+ resources: {

+ requests: {

+ cpu: 1

+ memoryInGB: json('1.5')

+ }

+ }

+ ports: [

+ {

+ protocol: 'TCP'

+ port: 80

+ }

+ ]

+ volumeMounts: [

+ {

+ name: 'filesharevolume'

+ mountPath: mountPath

+ }

+ ]

+ command: [

+ '/bin/bash'

+ '-c'

+ 'echo hello; sleep 1800'

+ ]

+ }

+ }

+ ]

+ osType: 'Linux'

+ volumes: [

+ {

+ name: 'filesharevolume'

+ azureFile: {

+ readOnly: false

+ shareName: fileShareName

+ storageAccountName: storageAccountName

+ storageAccountKey: storageAccount.listKeys().keys[0].value

+ }

+ }

+ ]

+ }

+}

+```

+The default value for the mount path is `/mnt/azscripts/azscriptinput`. This is the path in the container instance where it's mounted to the file share.

+The default container image specified in the Bicep file is **mcr.microsoft.com/azure-cli:2.9.1**. See a list of [supported Azure CLI versions](https://mcr.microsoft.com/v2/azure-cli/tags/list). The deployment script uses the available CLI images from Microsoft Container Registry (MCR). It takes about one month to certify a CLI image for a deployment script. Don't use the CLI versions that were released within 30 days. To find the release dates for the images, see [Azure CLI release notes](/cli/azure/release-notes-azure-cli). If you use an unsupported version, the error message lists the supported versions.

+The Bicep file suspends the container instance after 1,800 seconds. You have 30 minutes before the container instance goes into a terminal state and the session ends.

+To deploy the Bicep file:

+```azurepowershell

+$projectName = Read-Host -Prompt "Enter a project name that is used to generate resource names"

+$location = Read-Host -Prompt "Enter the location (i.e. centralus)"

+$templateFile = Read-Host -Prompt "Enter the Bicep file path and file name"

+$resourceGroupName = "${projectName}rg"

+New-AzResourceGroup -Location $location -name $resourceGroupName

+New-AzResourceGroupDeployment -resourceGroupName $resourceGroupName -TemplateFile $templatefile -projectName $projectName

+```

+### Upload the deployment script

+Upload your deployment script to the storage account. The following is a PowerShell example:

+```azurepowershell

+$projectName = Read-Host -Prompt "Enter the same project name that you used earlier"

+$fileName = Read-Host -Prompt "Enter the deployment script file name with the path"

+$resourceGroupName = "${projectName}rg"

+$storageAccountName = "${projectName}store"

+$fileShareName = "${projectName}share"

+$context = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).Context

+Set-AzStorageFileContent -Context $context -ShareName $fileShareName -Source $fileName -Force

+```

+You also can upload the file by using the Azure portal or the Azure CLI.

+### Test the deployment script

+1. In the Azure portal, open the resource group where you deployed the container instance and the storage account.

+1. Open the container group. The default container group name is the project name appended with *cg*. The container instance is shown in the **Running** state.

+1. In the resource menu, select **Containers**. The container instance name is the project name appended with *container*.

+ :::image type="content" source="./media/deployment-script-bicep-configure-dev/deployment-script-container-instance-connect.png" alt-text="Screenshot of the deployment script connect container instance option in the Azure portal.":::

+1. Select **Connect**, and then select **Connect**. If you can't connect to the container instance, restart the container group and try again.

+1. In the console pane, run the following commands:

+ ```console

+ cd /mnt/azscripts/azscriptinput

+ ls

+ ./hello.sh John Dole

+ ```

+ The output is **Hello John Dole**.

+ :::image type="content" source="./media/deployment-script-bicep-configure-dev/deployment-script-container-instance-test-cli.png" alt-text="Screenshot of the deployment script container instance test output displayed in the console.":::

+## Use Docker

+You can use a pre-configured Docker container image as your deployment script development environment. To install Docker, see [Get Docker](https://docs.docker.com/get-docker/).

+You also need to configure file sharing to mount the directory, which contains the deployment scripts into Docker container.

+1. Pull the deployment script container image to the local computer:

+ ```command

+ docker pull mcr.microsoft.com/azuredeploymentscripts-powershell:az4.3

+ ```

+ The example uses version PowerShell 4.3.0.

+ To pull a CLI image from an MCR:

+ ```command

+ docker pull mcr.microsoft.com/azure-cli:2.0.80

+ ```

+ This example uses version CLI 2.0.80. Deployment script uses the default CLI containers images found [here](https://hub.docker.com/_/microsoft-azure-cli).

+1. Run the Docker image locally.

+ ```command

+ docker run -v <host drive letter>:/<host directory name>:/data -it mcr.microsoft.com/azuredeploymentscripts-powershell:az4.3

+ ```

+ Replace **&lt;host driver letter>** and **&lt;host directory name>** with an existing folder on the shared drive. It maps the folder to the _/data_ folder in the container. For example, to map _D:\docker_:

+ ```command

+ docker run -v d:/docker:/data -it mcr.microsoft.com/azuredeploymentscripts-powershell:az4.3

+ ```

+ **-it** means keeping the container image alive.

+ A CLI example:

+ ```command

+ docker run -v d:/docker:/data -it mcr.microsoft.com/azure-cli:2.0.80

+ ```

+1. The following screenshot shows how to run a PowerShell script, given that you have a *helloworld.ps1* file in the shared drive.

+ :::image type="content" source="./medi.png" alt-text="Screenshot of the Resource Manager template deployment script using Docker command.":::

+After the script is tested successfully, you can use it as a deployment script in your Bicep files.

+## Next steps

+In this article, you learned how to use deployment scripts. To walk through a deployment script tutorial:

+> [!div class="nextstepaction"]

+> [Use deployment scripts in Bicep](./deployment-script-bicep.md)

+ - Specify a [user-assigned managed identity]() in the `identity` property (see [Sample Bicep files](#sample-bicep-files)). When specified, the script service calls `Connect-AzAccount -Identity` before invoking the deployment script. The managed identity must have the required access to complete the operation in the script. Currently, only user-assigned managed identity is supported for the `identity` property. To log in with a different identity, use the second method in this list.

+ If a managed identity is used, the deployment principle needs the **Managed Identity Operator** role (a built-in role) assigned to the managed identity resource.

+- <a id='identity'></a>`identity`: For deployment script API version 2020-10-01 or later, a user-assigned managed identity is optional unless you need to perform any Azure-specific actions in the script or running deployment script in private network. For more information, see [Access private virtual network](#access-private-virtual-network). For the API version 2019-10-01-preview, a managed identity is required as the deployment script service uses it to execute the scripts. When the identity property is specified, the script service calls `Connect-AzAccount -Identity` before invoking the user script. Currently, only user-assigned managed identity is supported. To log in with a different identity, you can call [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) in the script.

+## Work with outputs from PowerShell scripts

+## Work with outputs from CLI scripts

+In contrast to the Azure PowerShell deployment scripts, CLI/bash doesn't expose a common variable for storing script outputs. Instead, it utilizes an environment variable named `AZ_SCRIPTS_OUTPUT_PATH` to indicate the location of the script outputs file. When executing a deployment script within a Bicep file, the Bash shell automatically configures this environment variable for you. Its predefined value is set as */mnt/azscripts/azscriptoutput/scriptoutputs.json*. The outputs are required to conform to a valid JSON string object structure. The file's contents should be formatted as a key-value pair. For instance, an array of strings should be saved as { "MyResult": [ "foo", "bar"] }. Storing only the array results, such as [ "foo", "bar" ], is considered invalid.

+In the preceding Bicep sample, a storage account is created and configured to be used by the deployment script. This is necessary for storing the script output. An alternative solution, without specifying your own storage account, involves setting `cleanupPreference` to `OnExpiration`and configuring `retentionInterval` for a duration that allows ample time for reviewing the outputs before the storage account is removed.

+For more information about using `AZ_SCRIPTS_OUTPUT_PATH`, see [Work with outputs from CLI script](#work-with-outputs-from-cli-scripts).

+ "arguments": "'foo' 'bar'",

+ "azCliVersion": "2.40.0",

+ "cleanupPreference": "OnExpiration",

+ "forceUpdateTag": "20231101T163748Z",

+ "id": "/subscriptions/01234567-89AB-CDEF-0123-456789ABCDEF/resourceGroups/myds0624rg/providers/Microsoft.Resources/deploymentScripts/runBashWithOutputs",

+ "/subscriptions/01234567-89AB-CDEF-0123-456789ABCDEF/resourcegroups/myidentity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuami": {

+ "kind": "AzureCLI",

+ "name": "runBashWithOutputs",

+ "Result": [

+ {

+ "id": "/subscriptions/01234567-89AB-CDEF-0123-456789ABCDEF/resourceGroups/mytest/providers/Microsoft.KeyVault/vaults/mykv1027",

+ "resourceGroup": "mytest"

+ }

+ ]

+ "resourceGroup": "mytest",

+ "scriptContent": "result=$(az keyvault list); echo \"arg1 is: $1\"; echo $result | jq -c '{Result: map({id: .id})}' > $AZ_SCRIPTS_OUTPUT_PATH",

+ "containerInstanceId": "/subscriptions/01234567-89AB-CDEF-0123-456789ABCDEF/resourceGroups/mytest/providers/Microsoft.ContainerInstance/containerGroups/eg6n7wvuyxn7iazscripts",

+ "endTime": "2023-11-01T16:39:12.080950+00:00",

+ "expirationTime": "2023-11-02T16:39:12.080950+00:00",

+ "startTime": "2023-11-01T16:37:53.139700+00:00",

+ "storageAccountId": null

+ },

+ "storageAccountSettings": {

+ "storageAccountKey": null,

+ "storageAccountName": "dsfruro267qwb4i"

+ "createdAt": "2023-10-31T19:06:57.060909+00:00",

+ "lastModifiedAt": "2023-11-01T16:37:51.859570+00:00",

+ "timeout": "0:30:00",

+ - **Always**: Delete the two supporting resources once script execution gets in a terminal state. If an existing storage account is used, the script service deletes the file share created by the service. Because the `deploymentScripts` resource might still be present after the supporting resources are cleaned up, the script service persists the script execution results, for example, stdout, outputs, and return value before the resources are deleted.

+## Limitations

+When defining a user function, there are some restrictions:

+* The function can't access variables.

+* The function can only use parameters that are defined in the function.

+* The function can't use the [reference](bicep-functions-resource.md#reference) function or any of the [list](bicep-functions-resource.md#list) functions.

+* Parameters for the function can't have default values.

+With [Bicep version 0.23 or newer](./install.md), you have the flexibility to invoke another user-defined function within a user-defined function. In the preceding example, with the function definition of `sayHelloString`, you can redefine the `sayHelloObject` function as:

+```bicep

+func sayHelloObject(name string) object => {

+ hello: sayHelloString(name)

+}

+```

+Before deploying your ARM template, you can preview the changes the template makes to your environment. Use the [what-if operation](./deploy-what-if.md) to verify that the template makes the changes that you expect. What-if also validates the template for errors.

+ "value1",

+ "value2"

+"resourceTags": {

+ "type": "object",

+ "defaultValue": {

+ "Cost Center": "IT Department"

+ }

+}

+ --parameters 'storage.parameters.json'

+With Azure CLI version 2.53.0 or later, and Bicep CLI version 0.22.6 or later, you can deploy a Bicep file by utilizing a Bicep parameter file. With the `using` statement within the Bicep parameters file, there is no need to provide the `--template-file` switch when specifying a Bicep parameter file for the `--parameters` switch. Including the `--template-file` switch results in an "Only a .bicep template is allowed with a .bicepparam file" error.

+For more details about comments and metadata, see [Understand the structure and syntax of ARM templates](./syntax.md#comments-and-metadata).

+To pass parameter values, you can use either inline parameters or a parameters file. The parameter file can be either a [Bicep parameters file](#bicep-parameter-files) or a [JSON parameters file](#json-parameter-files).

+### JSON parameter files

+New-AzResourceGroupDeployment `

+ -Name ExampleDeployment `

+ -ResourceGroupName ExampleResourceGroup `

+New-AzResourceGroupDeployment `

+ -Name ExampleDeployment `

+ -ResourceGroupName ExampleResourceGroup `

+For more information about parameters file, see [Create Resource Manager parameters file](./parameter-files.md).

+### Bicep parameter files

+With Azure PowerShell version 10.4.0 or later, and Bicep CLI version 0.22.6 or later, you can deploy an ARM template file by utilizing a [Bicep parameter file](../bicep/parameter-files.md). With the `using` statement within the Bicep parameters file, there is no need to provide the `-TemplateFile` switch when specifying a Bicep parameter file for the `-TemplateParameterFile` switch.

+The following example shows a parameters file named _storage.bicepparam_. The file is in the same directory where the command is run.

+```powershell

+New-AzResourceGroupDeployment `

+ -Name ExampleDeployment `

+ -ResourceGroupName ExampleResourceGroup `

+ -TemplateParameterFile storage.bicepparam

+```

+For more information about Bicep parameters file, see [Bicep parameters file](../bicep/parameter-files.md).

+> When you run an Azure CLI deployment script, an environment variable called `AZ_SCRIPTS_OUTPUT_PATH` stores the location of the script output file. The environment variable isn't available in the development environment container. For more information about working with Azure CLI outputs, see [Work with outputs from CLI script](deployment-script-template.md#work-with-outputs-from-cli-scripts).

+ "apiVersion": "2023-01-01",

+ "apiVersion": "2023-01-01",

+ "storageAccountKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').keys[0].value]"

+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"

+## Work with outputs from PowerShell scripts

+## Work with outputs from CLI scripts

+In contrast to the Azure PowerShell deployment scripts, CLI/bash doesn't expose a common variable for storing script outputs. Instead, it utilizes an environment variable named `AZ_SCRIPTS_OUTPUT_PATH` to indicate the location of the script outputs file. When executing a deployment script within a Bicep file, the Bash shell automatically configures this environment variable for you. Its predefined value is set as */mnt/azscripts/azscriptoutput/scriptoutputs.json*. The outputs are required to conform to a valid JSON string object structure. The file's contents should be formatted as a key-value pair. For instance, an array of strings should be saved as { "MyResult": [ "foo", "bar"] }. Storing only the array results, such as [ "foo", "bar" ], is considered invalid.

+For more information about using `AZ_SCRIPTS_OUTPUT_PATH`, see [Work with outputs from CLI script](#work-with-outputs-from-cli-scripts).

+ "arguments": "'foo' 'bar'",

+ "azCliVersion": "2.40.0",

+ "cleanupPreference": "OnExpiration",

+ "forceUpdateTag": "20231101T163748Z",

+ "id": "/subscriptions/01234567-89AB-CDEF-0123-456789ABCDEF/resourceGroups/myds0624rg/providers/Microsoft.Resources/deploymentScripts/runBashWithOutputs",

+ "/subscriptions/01234567-89AB-CDEF-0123-456789ABCDEF/resourcegroups/myidentity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuami": {

+ "kind": "AzureCLI",

+ "name": "runBashWithOutputs",

+ "Result": [

+ {

+ "id": "/subscriptions/01234567-89AB-CDEF-0123-456789ABCDEF/resourceGroups/mytest/providers/Microsoft.KeyVault/vaults/mykv1027",

+ "resourceGroup": "mytest"

+ }

+ ]

+ "resourceGroup": "mytest",

+ "scriptContent": "result=$(az keyvault list); echo \"arg1 is: $1\"; echo $result | jq -c '{Result: map({id: .id})}' > $AZ_SCRIPTS_OUTPUT_PATH",

+ "containerInstanceId": "/subscriptions/01234567-89AB-CDEF-0123-456789ABCDEF/resourceGroups/mytest/providers/Microsoft.ContainerInstance/containerGroups/eg6n7wvuyxn7iazscripts",

+ "endTime": "2023-11-01T16:39:12.080950+00:00",

+ "expirationTime": "2023-11-02T16:39:12.080950+00:00",

+ "startTime": "2023-11-01T16:37:53.139700+00:00",

+ "storageAccountId": null

+ },

+ "storageAccountSettings": {

+ "storageAccountKey": null,

+ "storageAccountName": "dsfruro267qwb4i"

+ "createdAt": "2023-10-31T19:06:57.060909+00:00",

+ "lastModifiedAt": "2023-11-01T16:37:51.859570+00:00",

+ "timeout": "0:30:00",

+ - **Always**: Delete the two supporting resources once script execution gets in a terminal state. If an existing storage account is used, the script service deletes the file share created by the service. Because the `deploymentScripts` resource might still be present after the supporting resources are cleaned up, the script service persists the script execution results, for example, stdout, outputs, and return value before the resources are deleted.

+ Declaring `$DeploymentScriptOutputs` is only required when testing the script on a local machine. Declaring the variable allows the script to be run on a local machine and in a `deploymentScript` resource without having to make changes. The value assigned to `$DeploymentScriptOutputs` is available as outputs in the deployments. For more information, see [Work with outputs from PowerShell deployment scripts](./deployment-script-template.md#work-with-outputs-from-powershell-scripts) or [Work with outputs from CLI deployment scripts](./deployment-script-template.md#work-with-outputs-from-cli-scripts).

+ `$DeploymentScriptOutputs` is used to store output value. To learn more, see [Work with outputs from PowerShell deployment scripts](./deployment-script-template.md#work-with-outputs-from-powershell-scripts) or [Work with outputs from CLI deployment scripts](./deployment-script-template.md#work-with-outputs-from-cli-scripts).

+* US Gov Arizona

+* US Gov Virginia

+### UserErrorSnasphotRestoreContextMissingForDBRecovery

+

+**Error message**: Snapshot based point in time restore operation could not be started because one of the previous restore steps is not complete

+**Cause**: Snapshot attach and mount or SystemDB recovery isn't done on the target VM.

+**Recommended action**: Retry the operation after completing a snapshot attach and mount operation on the target machine.

+### UserErrorInvalidScenarioForSnapshotPointInTimeRecovery

+**Cause**: The snapshot point-in-time restore operation failed as the underlying database on the target machine is protected with Azure Backup.

+**Recommended action**: Retry the restore operation after you stop protection of the databases on the target machine and ensure that the *Backint path is empty*. [Learn more about Backint path](https://aka.ms/HANABackupConfigurations).

+>[!Note]

+>- Currently, the snapshots are stored on your storage account/operational tier, and isn't stored in Recovery Services vault. Thus, the vault features, such as Cross-region restore,Cross-subscription restore, and security capabilities, aren't supported.

+>- Original Location Restore (OLR) isn't supported.

+>- HANA System Replication (HSR)) isn't supported.

+>- For pricing, as per SAP advisory, you must do a weekly full backup + logs streaming/Backint based backup so that the existing protected instance fee and storage cost are applied. For snapshot backup, the snapshot data created by Azure Backup is saved in your storage account and incurs snapshot storage charges. Thus, in addition to streaming/Backint backup charges, you're charged for per GB data stored in your snapshots, which is charged separately. Learn more about [Snapshot pricing](https://azure.microsoft.com/pricing/details/managed-disks/) and [Streaming/Backint based backup pricing](https://azure.microsoft.com/pricing/details/backup/?ef_id=_k_CjwKCAjwp8OpBhAFEiwAG7NaEsaFZUxIBD-FH1IUIfF-7yZRWAYJSMHP67InGf0drY0X2Km71KOKDBoCktgQAvD_BwE_k_&OCID=AIDcmmf1elj9v5_SEM__k_CjwKCAjwp8OpBhAFEiwAG7NaEsaFZUxIBD-FH1IUIfF-7yZRWAYJSMHP67InGf0drY0X2Km71KOKDBoCktgQAvD_BwE_k_&gclid=CjwKCAjwp8OpBhAFEiwAG7NaEsaFZUxIBD-FH1IUIfF-7yZRWAYJSMHP67InGf0drY0X2Km71KOKDBoCktgQAvD_BwE).

+### Start tasks: lifetime and idempotency

+As with other tasks, the node [start task](jobs-and-tasks.md#start-task) should be idempotent. Start tasks are rerun when the compute node

+restarts or when the Batch agent restarts. An idempotent task is simply one that produces a consistent result when run multiple times.

+Start tasks shouldn't be long-running or be coupled to the lifetime of the compute node. If you need to start programs that are services or

+service-like in nature, construct a start task that enables these programs to be started and managed by operating system facilities such as

+`systemd` on Linux or Windows Services. The start task should still be constructed as idempotent such that subsequent execution of the

+start task is handled properly if these programs were previously installed as services.

+> [!TIP]

+> When Batch reruns your start task, it will attempt to delete the start task directory and create it again. If Batch fails to

+> recreate the start task directory, then the compute node will fail to launch the start task.

+These services must not take file locks on any files in Batch-managed directories on the node, because otherwise Batch is unable to delete

+those directories due to the file locks. For example, instead of configuring launch of the service directly from the start task working

+directory, copy the files elsewhere in an idempotent fashion. Then install the service from that location using the operating system

+facilities.

+### Isolated nodes

+Consider using isolated VM sizes for workloads with compliance or regulatory requirements. Supported isolated sizes in virtual machine configuration mode include `Standard_E80ids_v4`, `Standard_M128ms`, `Standard_F72s_v2`, `Standard_G5`, `Standard_GS5`, and `Standard_E64i_v3`. For more information about isolated VM sizes, see [Virtual machine isolation in Azure](../virtual-machines/isolation.md).

+Each individual compute node has the exact same data disk specification attached if specified as part of the Batch pool instance. Only

+must be crafted to be idempotent. Re-execution of the start tasks on compute nodes is possible. If the start

+Azure data disks attached to Batch Windows compute nodes are presented unpartitioned and unformatted. You need to enumerate disks

+## Batch API

+### Timeout Failures

+Timeout failures don't necessarily indicate that the service failed to process the request. When a timeout failure occurs,

+you should either retry the operation or retrieve the state of the resource, as appropriate for the situation, to verify the

+status of whether the operation succeeded or failed.

+> [!TIP]

+> Naming of these users or groups are implementation artifacts and are subject to change at any time.

+description: Understand two different ways to select experiment targets and target scoping in Azure Chaos Studio.

+Every chaos experiment is made up of a different combination of faults and targets, building up to a unique outage scenario to test your system's resilience against. You can select a fixed set of targets for your chaos experiment, or provide a rule in which all matching fault-onboarded resources are included as targets in your experiment. Chaos Studio enables you to do both by providing both manual and query-based target selection.

+List-based manual target selection allows you to select a fixed set of onboarded targets for a particular fault in your chaos experiment. Depending on the selected fault, you can select one or more onboarded resources to target. The aforementioned resources are added to the experiment upon creation time. In order to modify the list, you must navigate to the experiment's page and add or remove fault targets manually. An example of manual target selection is shown below.

+Query-based dynamic target selection allows you to input a KQL query that selects all onboarded targets that match the query result set. Using your query, you can filter targets based on common Azure resource parameters including type, region, name, and more. Upon experiment creation time, only the query itself is added to your chaos experiment.

+The inputted query runs and adds onboarded targets to your experiment that match its result set upon experiment execution time. Thus, any resources onboarded to Chaos Studio after experiment creation time that match the query result set upon experiment execution time are targeted by your experiment. You can preview your query's result set when adding it to your experiment, but it may not match the result set at experiment execution time. An example of a possible dynamic target query is shown below.

+## Target scoping

+Certain faults in Chaos Studio allow you to further target specific functionality within your Azure resources. If scope selection is available for a target and not configured, the resource will be targeted fully by the selected fault. An example of scope selection on a Virtual Machine Scale Sets instance being targeted by the **VMSS Shutdown (version 2.0)** fault is shown below.

+[  ](images/tutorial-dynamic-targets-fault-zones.png#lightbox)

+- [Learn about target selection and scoping](chaos-studio-target-selection.md)

+> The following refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/overview.md#frequently-asked-questions)). To enable these logs for your Communications Services, see: [Enable logging in Diagnostic Settings](../enable-logging.md)

+> The following refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/overview.md#frequently-asked-questions)). To enable these logs for your Communications Services, see: [Enable logging in Diagnostic Settings](../enable-logging.md)

+The content in this article refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/overview.md#frequently-asked-questions)). To enable these logs for Communication Services, see [Enable logging in diagnostic settings](../enable-logging.md).

+> The following refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/overview.md#frequently-asked-questions)). To enable these logs for your Communications Services, see: [Enable logging in Diagnostic Settings](../enable-logging.md)

+ (See also [FAQ](../../../../azure-monitor/overview.md#frequently-asked-questions)).

+The content in this article refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/overview.md#frequently-asked-questions)). To enable these logs for Communication Services, see [Enable logging in diagnostic settings](../enable-logging.md).

+> The following refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/overview.md#frequently-asked-questions)). To enable these logs for your Communications Services, see: [Enable logging in Diagnostic Settings](../enable-logging.md)

+ (see also [FAQ](../../../../azure-monitor/overview.md#frequently-asked-questions)).

+The content in this article refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/overview.md#frequently-asked-questions)). To enable these logs for Communication Services, see [Enable logging in diagnostic settings](../enable-logging.md).

+|Operation|Number Type |Scope|Timeframe (s)| Limit (request #) | Message units per minute|

+|||--|-|-|-|

+|Send Message|Toll-Free|Per Number|60|200|200|

+|Send Message|Short Code |Per Number|60|6000|6000|

+|Send Message|Alphanumeric Sender ID |Per resource|60|600|600|

+If you have requirements that exceed the rate-limits, submit [a request to Azure Support](../../azure-portal/supportability/how-to-create-azure-support-request.md) to enable higher throughput.

+| 4009 | Message is rejected by Microsoft Entitlement System| Most often this happens if fraudulent activity is detected. Please contact support for more details |

+| 5002 | Carrier does not support delivery report | Most often this happens if a carrier does not support delivery reports. No action required as message may have been delivered already. |

+ Title: Connect to 3270 apps on IBM mainframes

+description: Integrate 3270 screen-driven apps with workflows in Azure Logic Apps using the IBM 3270 connector.

+ms.suite: integration

+tags: connectors

+# Integrate 3270 screen-driven apps on IBM mainframes with Azure using Azure Logic Apps and IBM 3270 connector

+To access and run IBM mainframe apps, which you usually execute by navigating through 3270 emulator screens, from Consumption and Standard workflows in Azure Logic Apps, you can use the **IBM 3270** connector. That way, you can integrate your IBM mainframe apps with Azure, Microsoft, and other apps, services, and systems by creating automated workflows with Azure Logic Apps. The connector communicates with IBM mainframes by using the TN3270 protocol. The **IBM 3270** connector is available in all Azure Logic Apps regions except for Azure Government and Microsoft Azure operated by 21Vianet.

+This how-to guide describes the following aspects about the **IBM 3270** connector:

+- Why use the IBM 3270 connector in Azure Logic Apps

+- How does the IBM 3270 connector run 3270 screen-driven apps

+- Prerequisites and setup for using the IBM 3270 connector

+- Steps for adding IBM 3270 connector actions to your workflow

+## Why use this connector?

+To access apps on IBM mainframes, you typically use a 3270 terminal emulator, often called a "green screen". This method is a time-tested way but has limitations. Although Host Integration Server (HIS) helps you work

+directly with these apps, sometimes, separating the screen and business logic might not be possible. Or, maybe you no longer have information for how the host applications work.

+To extend these scenarios, the **IBM 3270** connector in Azure Logic Apps works with the [3270 Design Tool](/host-integration-server/core/application-integration-3270designer-1), which you use to record, or "capture", the host screens used for a specific task, define the navigation flow for that task through your mainframe app, and define the methods with input and output parameters for that task. The design tool converts that information into metadata that the 3270 connector uses when running an action in your workflow.

+After you generate the metadata file from the 3270 Design Tool, you add that file as a map artifact either to your Standard logic app resource or to your linked integration account for a Consumption logic app in Azure Logic Apps. That way, your workflow can access your app's metadata when you add an **IBM 3270** connector action. The connector reads the metadata file from your logic app resource (Standard) or your integration account (Consumption), handles navigation through the 3270 screens, and dynamically presents the parameters to use with the 3270 connector in your workflow. You can then provide data to the host application, and the connector returns the results to your workflow. As a result, you can integrate your legacy apps with Azure, Microsoft, and other apps, services, and systems that Azure Logic Apps supports.

+## Connector technical reference

+The IBM 3270 connector has different versions, based on [logic app type and host environment](../logic-apps/logic-apps-overview.md#resource-environment-differences).

+| Logic app | Environment | Connection version |

+|--|-|--|

+| **Consumption** | Multi-tenant Azure Logic Apps | Managed connector, which appears in the designer under the **Enterprise** label. This connector provides only single action and no triggers. For more information, see [IBM 3270 managed connector reference](/connectors/si3270). |

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (ASE v3 with Windows plans only) | Managed connector, which appears in the connector gallery under **Runtime** > **Shared**, and the built-in, [service provider-based](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation) connector, which appears in the connector gallery under **Runtime** > **In-App**. The built-in version differs in the following ways: -<br><br>- The built-in connector requires that you upload your HIDX file to your Standard logic app resource, not an integration account. <br><br>- The built-in connector can directly connect to a 3270 server and access Azure virtual networks using a connection string. <br><br>- The built-in version supports server authentication with TLS (SSL) encryption for data in transit, message encoding for its operation, and Azure virtual network integration. <br><br>For more information, see the following documentation: <br><br>- [IBM 3270 managed connector reference](/connectors/si3270) <br>- [IBM 3270 built-in connector reference](#built-in-reference) |

+<a name="built-in-reference"></a>

+### Built-in connector reference

+The following section describes the operations for the IBM 3270 connector, which currently includes only the following action:

+### Execute a navigation plan

+| Parameter | Required | Type | Description |

+|--|-|-|-|

+| **HIDX Name** | Yes | String | Select the 3270 HIDX file that you want to use. |

+| **Method Name** | Yes | String | Select the method in the HIDX file that you want to use. |

+| **Advanced parameters** | No | Varies | This list appears after you select a method so that you can add other parameters to use with the selected method. The available parameters vary based on your HIDX file and the method that you select. |

+This operation also includes advanced parameters, which appear after you select a method, for you to select and use with the selected method. These parameters vary based on your HIDX file and the method that you select.

+## Prerequisites

+- An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Access to the TN3270 server that hosts your 3270 screen-driven app

+- The Host Integration Designer XML (HIDX) file that provides the necessary metadata for the **IBM 3270** connector to run your 3270 screen-driven app.

+ To create this HIDX file, [download and install the 3270 Design Tool](https://aka.ms/3270-design-tool-download). The only prerequisite is [Microsoft .NET Framework 4.8](https://aka.ms/net-framework-download).

+ This tool helps you record the screens, navigation paths, methods, and parameters for the tasks in your app that you add and run as 3270 connector actions. The tool generates a Host Integration Designer XML (HIDX) file that provides the necessary metadata for the connector to run your 3270 screen-driven app.

+ After you download and install this tool, [follow these steps to connect with your TN3270 host server, design the required metadata artifact, and generate the HIDX file](/host-integration-server/core/application-integration-la3270apps).

+- The Standard or Consumption logic app resource and workflow where you want to run your 3270 screen-driven app

+ The IBM 3270 connector doesn't have triggers, so use any trigger to start your workflow, such as the **Recurrence** trigger or **Request** trigger. You can then add the 3270 connector actions.

+- An [integration account](../logic-apps/logic-apps-enterprise-integration-create-integration-account.md), which is required based on the 3270 connector version that you use and is an Azure resource where you can centrally store B2B artifacts such as trading partners, agreements, maps, schemas, and certificates to use with specific workflow actions.

+ | Workflow | Description |

+ |-|-|

+ | Standard | - 3270 built-in connector: Upload HIDX file to Standard logic app resource. <br><br>- 3270 managed connector: Upload HIDX file to your Standard logic app resource or your [linked integration account](../logic-apps/enterprise-integration/create-integration-account.md?tabs=standard#link-to-logic-app). |

+ | Consumption | 3270 managed connector: Upload HIDX file to your [linked integration account](../logic-apps/enterprise-integration/create-integration-account.md?tabs=consumption#link-to-logic-app). |

+ For more information, see [Upload the HIDX file](#upload-hidx-file).

+<a name="upload-hidx-file"></a>

+## Upload the HIDX file

+For your workflow to use the HIDX file, follow these steps:

+### [Standard](#tab/standard)

+1. Go to the folder where you saved your HIDX file, and copy the file.

+1. In the [Azure portal](https://portal.azure.com), choose the following steps, based on the connector version:

+ - 3270 built-in connector: [Upload your HIDX file to your Standard logic app resource](../logic-apps/logic-apps-enterprise-integration-maps.md?tabs=standard#add-map-to-standard-logic-app-resource).

+ - 3279 managed connector:

+ - [Upload your HIDX file to a linked integration account](../logic-apps/logic-apps-enterprise-integration-maps.md?tabs=standard#add-map-to-integration-account). Make sure that you select **HIDX** as the **Map type**.

+ - [Upload your HIDX file to your Standard logic app resource](../logic-apps/logic-apps-enterprise-integration-maps.md?tabs=standard#add-map-to-standard-logic-app-resource).

+1. Now, [add an IBM 3270 action to your workflow](#add-ibm-3270-action).

+### [Consumption](#tab/consumption)

+1. Go to the folder where you saved your HIDX file, and copy the file.

+1. In the [Azure portal](https://portal.azure.com), [upload the HIDX file as a map artifact to your linked integration account](../logic-apps/logic-apps-enterprise-integration-maps.md?tabs=consumption#add-map-to-integration-account). Make sure that you select **HIDX** as the **Map type**.

+1. Now, [add an IBM 3270 action to your workflow](#add-ibm-3270-action).

+Later in this guide, when you add an **IBM 3270** connector action to your workflow for the first time, you're prompted to create a connection between your workflow and the mainframe system. After you create the connection, you can select your previously added HIDX file, the method to run, and the parameters to use.

+<a name="add-ibm-3270-action"></a>

+## Add an IBM 3270 action

+A Standard logic app workflow can use the IBM 3270 managed connector and the IBM 3270 built-in connector. However, a Consumption logic app workflow can use only the IBM 3270 managed connector. Each version has different actions. Based on whether you have a Consumption or Standard logic app workflow, follow the corresponding steps:

+### [Standard](#tab/standard)

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource and workflow where you've already add a trigger.

+1. If you haven't already added a trigger, [follow these general steps to add the trigger that you want to your workflow](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+ This example continues with the **Request** trigger named **When a HTTP request is received**.

+1. [Follow these general steps to add the **IBM 3270** built-in connector action named **Execute a navigation plan**](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. When the connection information box appears, provide the following necessary parameter values:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **Connection Name** | Yes | <*connection-name*> | A name for your connection |

+ | **Code Page** | No | <*code-page*> | The code page number for the host to use for converting text. If left blank, the connector uses `37` as the default value. |

+ | **Device Type** | No | <*IBM-terminal-model*> | The model name or number for the IBM terminal to emulate. If left blank, the connector uses default values. |

+ | **Log Exception Screens** | No | True or false | Log the host screen if an error occurs during screen navigation. |

+ | **Logical Unit Name** | No | <*logical-unit-name*> | The specific logical unit name to request from the host |

+ | **Port Number** | No | <*TN3270-server-port*> | The port used by your TN3270 server. If left blank, the connector uses `23` as the default value. |

+ | **Server** | Yes | <*TN3270-server-name*> | The server name for your TN3270 service |

+ | **Timeout** | No | <*timeout-seconds*> | The timeout duration in seconds while waiting for screens |

+ | **Use TLS** | No | On or off | Turn on or turn off TLS encryption. |

+ | **Validate TN3270 Server Certificate** | No | On or off | Turn on or turn off validation for the server's certificate. |

+ For example:

+ :::image type="content" source="./media/integrate-3270-apps-ibm-mainframe/connection-properties-standard.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and IBM 3270 connection properties." lightbox="./media/integrate-3270-apps-ibm-mainframe/connection-properties-standard.png":::

+1. When you're done, select **Create New**.

+1. When the action information box appears, provide the necessary parameter values:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **HIDX Name** | Yes | <*HIDX-file-name*> | Select the 3270 HIDX file that you want to use. |

+ | **Method Name** | Yes | <*method-name*> | Select the method in the HIDX file that you want to use. After you select a method, the **Add new parameter** list appears so you can select parameters to use with that method. |

+ | **Advanced parameters** | No | Varies | This list appears after you select a method so that you can add other parameters to use with the selected method. The available parameters vary based on your HIDX file and the method that you select. |

+ For example:

+ **Select the HIDX file**

+ :::image type="content" source="./media/integrate-3270-apps-ibm-mainframe/select-hidx-file-standard.png" alt-text="Screenshot shows Standard workflow designer, 3270 action, and selected HIDX file." lightbox="./media/integrate-3270-apps-ibm-mainframe/select-hidx-file-standard.png":::

+ **Select the method**

+ :::image type="content" source="./media/integrate-3270-apps-ibm-mainframe/select-method-standard.png" alt-text="Screenshot shows Standard workflow designer, 3270 action, and selected method." lightbox="./media/integrate-3270-apps-ibm-mainframe/select-method-standard.png":::

+ **Select the parameters**

+ :::image type="content" source="./media/integrate-3270-apps-ibm-mainframe/add-parameters-standard.png" alt-text="Screenshot shows Standard workflow designer, 3270 action, and more parameters." lightbox="./media/integrate-3270-apps-ibm-mainframe/add-parameters-standard.png":::

+1. When you're done, save your workflow. On designer toolbar, select **Save**.

+### [Consumption](#tab/consumption)

+1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app resource and workflow where you've already add a trigger.

+1. If you haven't already added a trigger, [follow these general steps to add the trigger that you want to your workflow](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-trigger).

+ This example continues with the **Request** trigger named **When a HTTP request is received**.

+1. [Follow these general steps to add the **IBM 3270** managed connector action named **Run a mainframe program over a TN3270 connection**](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-action). You can find the connector under the **Enterprise** category.

+1. When the connection information box appears, provide the following necessary parameter values:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **Connection name** | Yes | <*connection-name*> | A name for your connection |

+ | **Integration Account ID** | Yes | <*integration-account-name*> | Your integration account's name |

+ | **Integration Account SAS URL** | Yes | <*integration-account-SAS-URL*> | Your integration account's Shared Access Signature (SAS) URL, which you can generate from your integration account's settings in the Azure portal. <p>1. On your integration account menu, under **Settings**, select **Callback URL**. <br>2. In the right-hand pane, copy the **Generated Callback URL** value. |

+ | **Server** | Yes | <*TN3270-server-name*> | The server name for your TN3270 service |

+ | **Port** | No | <*TN3270-server-port*> | The port used by your TN3270 server. If left blank, the connector uses `23` as the default value. |

+ | **Device Type** | No | <*IBM-terminal-model*> | The model name or number for the IBM terminal to emulate. If left blank, the connector uses default values. |

+ | **Code Page** | No | <*code-page-number*> | The code page number for the host. If left blank, the connector uses `37` as the default value. |

+ | **Logical Unit Name** | No | <*logical-unit-name*> | The specific logical unit name to request from the host |

+ | **Enable SSL?** | No | On or off | Turn on or turn off TLS encryption. |

+ | **Validate host ssl certificate?** | No | On or off | Turn on or turn off validation for the server's certificate. |

+ For example:

+ :::image type="content" source="./media/integrate-3270-apps-ibm-mainframe/connection-properties-consumption.png" alt-text="Screenshot shows Azure portal, Consumption workflow designer, and IBM 3270 connection properties." lightbox="./media/integrate-3270-apps-ibm-mainframe/connection-properties-consumption.png":::

+1. When you're done, select **Create**.

+1. When the action information box appears, provide the necessary parameter values:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **HIDX Name** | Yes | <*HIDX-file-name*> | Select the 3270 HIDX file that you want to use. |

+ | **Method Name** | Yes | <*method-name*> | Select the method in the HIDX file that you want to use. After you select a method, the **Add new parameter** list appears so you can select parameters to use with that method. |

+ | **Add new parameter** | No | Varies | This list appears after you select a method so that you can add other parameters to use with the selected method. The available parameters vary based on your HIDX file and the method that you select. |

+ For example:

+ **Select the HIDX file**

+ :::image type="content" source="./media/integrate-3270-apps-ibm-mainframe/select-hidx-file-consumption.png" alt-text="Screenshot shows Consumption workflow designer, 3270 action, and selected HIDX file." lightbox="./media/integrate-3270-apps-ibm-mainframe/select-hidx-file-consumption.png":::

+ **Select the method**

+ :::image type="content" source="./media/integrate-3270-apps-ibm-mainframe/select-method-consumption.png" alt-text="Screenshot shows Consumption workflow designer, 3270 action, and selected method." lightbox="./media/integrate-3270-apps-ibm-mainframe/select-method-consumption.png":::

+ **Select the parameters**

+ :::image type="content" source="./media/integrate-3270-apps-ibm-mainframe/add-parameters-consumption.png" alt-text="Screenshot shows Consumption workflow designer, 3270 action, and selected parameters." lightbox="./media/integrate-3270-apps-ibm-mainframe/add-parameters-consumption.png":::

+1. When you're done, save your workflow. On designer toolbar, select **Save**.

+## Test your workflow

+### [Standard](#tab/standard)

+1. To run your workflow, on the designer, select workflow menu, select **Overview**. On the **Overview** toolbar, select **Run** > **Run**.

+ After your workflow finishes running, your workflow's run history appears. Successful steps show check marks, while unsuccessful steps show an exclamation point (**!**).

+1. To review the inputs and outputs for each step, expand that step.

+1. To review the outputs, select **See raw outputs**.

+1. To review the inputs and outputs for each step, expand that step.

+1. To review the outputs, select **See raw outputs**.

+### [Consumption](#tab/consumption)

+1. To run your workflow, on the designer toolbar, select **Run Trigger** > **Run**.

+ After your workflow finishes running, your workflow's run history appears. Successful steps show check marks, while unsuccessful steps show an exclamation point (**!**).

+1. To review the inputs and outputs for each step, expand that step.

+1. To review the outputs, select **See raw outputs**.

+1. To review the inputs and outputs for each step, expand that step.

+1. To review the outputs, select **See raw outputs**.

+## Next steps

+- [Monitor workflow run status, review trigger and workflow run history, and set up alerts in Azure Logic Apps](../logic-apps/monitor-logic-apps.md?tabs=standard)

+- [View metrics for workflow health and performance in Azure Logic Apps](../logic-apps/view-workflow-metrics.md?tabs=standard)

+- [Monitor and collect diagnostic data for workflows in Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md?tabs=standard)

+- [Enable and view enhanced telemetry in Application Insights for Standard workflows in Azure Logic Apps](../logic-apps/enable-enhanced-telemetry-standard-workflows.md)

+ Title: Connect to CICS programs on IBM mainframes

+description: Integrate CICS programs with Standard workflows in Azure Logic Apps using the IBM CICS connector.

+ms.suite: integration

+# Integrate CICS programs on IBM mainframes with Standard workflows in Azure Logic Apps

+To access and run IBM mainframe apps on Customer Information Control System (CICS) systems from Standard workflows in Azure Logic Apps, you can use the **CICS Program Call** built-in, service provider-based connector. CICS provides a Transaction Program (TP) Monitor with an integrated Transaction Manager (TM). The connector communicates with IBM CICS transaction programs by using TCP/IP. The CICS connector is available in all Azure Logic Apps regions except for Azure Government and Microsoft Azure operated by 21Vianet.

+This how-to guide describes the following aspects about the CICS connector:

+* Why use the CICS connector in Azure Logic Apps

+* Prerequisites and setup for using the CICS connector

+* Steps for adding CICS connector actions to your Standard logic app workflow

+## Why use this connector?

+CICS systems were one of the first mission-critical systems that run on mainframes. Microsoft [Host Integration Server (HIS)](/host-integration-server/what-is-his) provides connectivity to CICS systems using TCP/IP, HTTP, and APPC LU6.2. Customers have used the HIS Transaction Integrator (TI) to integrate CICS systems with Windows on premises for many years. The **CICS Program Call** connector uses TCP/IP and HTTP [programming models](/host-integration-server/core/choosing-the-appropriate-programming-model1) to interact with CICS transaction programs.

+The following diagram shows how the CICS connector interacts with an IBM mainframe system:

+To extend these hybrid cloud scenarios, the CICS connector in a Standard workflow works with the [HIS Designer for Logic Apps](/host-integration-server/core/application-integration-ladesigner-2), which you can use to create a *program definition* or *program map* of the mainframe transaction program. For this task, the HIS Designer uses a [programming model](/host-integration-server/core/choosing-the-appropriate-programming-model1) that determines the characteristics of the data exchange between the mainframe and the workflow. The HIS Designer converts that information into metadata that the CICS connector uses when running an action in your workflow.

+After you generate the metadata file as Host Integration Designer XML (HIDX) file from the HIS Designer, you can add that file as a map artifact to your Standard logic app resource. That way, your workflow can access your app's metadata when you add a CICS connector action. The connector reads the metadata file from your logic app resource, and dynamically presents parameters to use with the CICS connector in your workflow. You can then provide parameters to the host application, and the connector returns the results to your workflow. As a result, you can integrate your legacy apps with Azure, Microsoft, other apps, services, and systems that Azure Logic Apps supports.

+## Connector technical reference

+The following section describes the operations for the CICS connector, which currently includes only the following action:

+### Call a CICS program

+| Parameter | Required | Type | Description |

+|--|-|-|-|

+| **HIDX Name** | Yes | String | Select the CICS HIDX file that you want to use. |

+| **Method Name** | Yes | String | Select the method in the HIDX file that you want to use. |

+| **Advanced parameters** | No | Varies | This list appears after you select a method so that you can add other parameters to use with the selected method. The available parameters vary based on your HIDX file and the method that you select. |

+This operation also includes advanced parameters, which appear after you select a method, for you to select and use with the selected method. These parameters vary based on your HIDX file and the method that you select.

+## Limitations

+Currently, this connector requires that you upload your HIDX file directly to your Standard logic app resource, not an integration account.

+## Prerequisites

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* Access to the mainframe that hosts the CICS system

+* The Host Integration Designer XML (HIDX) file that provides the necessary metadata for the **CICS Program Call** connector to execute your mainframe program.

+ To create this HIDX file, [download and install the HIS Designer for Azure Logic Apps](https://aka.ms/his-designer-logicapps-download). The only prerequisite is [Microsoft .NET Framework 4.8](https://aka.ms/net-framework-download).

+ To invoke a mainframe program, your workflow needs to understand the mainframe program's type, parameters, and return values. The CICS connector manages this process and data conversions, which are required for providing input data from the workflow to the mainframe program and for sending any output data generated from the mainframe program to the workflow. The connector also provides tabular data definition and code page translation. For this process, Azure Logic Apps requires that you provide this information as metadata.

+ To create this metadata, use the [HIS Designer for Logic Apps](/host-integration-server/core/application-integration-ladesigner-2). With this tool, you can manually create the methods, parameters, and return values that you use in your workflow. You can also import COBOL or RPG program definitions (copybooks) that provide this information.

+ The tool generates a Host Integration Designer XML (HIDX) file that provides the necessary metadata for the connector. If you're using HIS, you can use the TI Designer to create the HIDX file.

+* The Standard logic app workflow where you want to integrate with the CICS system

+ The CICS connector doesn't have triggers, so use any trigger to start your workflow, such as the **Recurrence** trigger or **Request** trigger. You can then add the CICS connector actions. To get started, create a blank workflow in your Standard logic app resource.

+<a name="define-generate-app-metadata"></a>

+## Define and generate metadata

+After you download and install the HIS Designer for Azure Logic Apps, follow [these steps to generate the HIDX file from the metadata artifact](/host-integration-server/core/application-integration-lahostapps).

+<a name="upload-hidx-file"></a>

+## Upload the HIDX file

+For your workflow to use the HIDX file, follow these steps:

+1. Go to the folder where you saved your HIDX file, and copy the file.

+1. In the [Azure portal](https://portal.azure.com), [upload the HIDX file as a map to your Standard logic app resource](../logic-apps/logic-apps-enterprise-integration-maps.md?tabs=standard#add-map-to-standard-logic-app-resource).

+1. Now, [add a CICS action to your workflow](#add-cics-action).

+Later in this guide, when you add a **CICS Program Call** connector action to your workflow for the first time, you're prompted to create a connection between your workflow and the mainframe system. After you create the connection, you can select your previously added HIDX file, the method to run, and the parameters to use.

+<a name="add-cics-action"></a>

+## Add a CICS action

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource and workflow in the designer.

+1. If you haven't already added a trigger to start your workflow, [follow these general steps to add the trigger that you want](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+ This example continues with the **Request** trigger named **When a HTTP request is received**.

+ :::image type="content" source="media/integrate-cics-apps-ibm-mainframe/request-trigger.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and Request trigger." lightbox="media/integrate-cics-apps-ibm-mainframe/request-trigger.png":::

+1. To add a CICS connector action, [follow these general steps to add the **CICS Program Call** built-in connector action named **Call a CICS Program**](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+1. After the connection details pane appears, provide the following information, such as the host server name and CICS system configuration information:

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **Connection Name** | Yes | <*connection-name*> | The name for your connection |

+ | **Programming Model** | Yes | <*CICS-programming-model*> | The selected CICS programming model. For more information, see [Programming Models](/host-integration-server/core/programming-models2) and [Choosing the Appropriate Programming Model](/host-integration-server/core/programming-models2). |

+ | **Code Page** | No | <*code-page*> | The code page number to use for converting text |

+ | **Password** | No | <*password*> | The optional user password for connection authentication |

+ | **Port Number** | Yes | <*port-number*> | The port number to use for connection authentication |

+ | **Server Name** | Yes | <*server-name*> | The server name |

+ | **Timeout** | No | <*time-out*> | The timeout period in seconds while waiting for responses from the server |

+ | **User Name** | No | <*user-Name*> | The optional username for connection authentication |

+ | **Use TLS** | No | True or false | Secure the connection with Transport Security Layer (TLS). |

+ | **Validate Server certificate** | No | True or false | Validate the server's certificate. |

+ | **Server certificate common name** | No | <*server-cert-common-name*> | The name of the Transport Security layer (TLS) certificate to use |

+ | **Use IBM Request Header Format** | No | True or false | The server expects ELM or TRM headers in the IBM format |

+ For example:

+ :::image type="content" source="./media/integrate-cics-apps-ibm-mainframe/cics-connection.png" alt-text="Screenshot shows CICS action's connection properties." lightbox="./media/integrate-cics-apps-ibm-mainframe/cics-connection.png":::

+1. When you're done, select **Create New**.

+1. After the action details pane appears, in the **Parameters** section, provide the required information:

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **HIDX Name** | Yes | <*HIDX-file-name*> | Select the CICS HIDX file that you want to use. |

+ | **Method Name** | Yes | <*method-name*> | Select the method in the HIDX file that you want to use. |

+ | **Advanced parameters** | No | Varies | This list appears after you select a method so that you can add other parameters to use with the selected method. The available parameters vary based on your HIDX file and the method that you select. |

+ For example:

+ **Select HIDX file and method**

+ :::image type="content" source="./media/integrate-cics-apps-ibm-mainframe/action-parameters.png" alt-text="Screenshot shows CICS action with selected HIDX file and method.":::

+ **Select advanced parameters**

+ :::image type="content" source="./media/integrate-cics-apps-ibm-mainframe/action-advanced-parameters.png" alt-text="Screenshot shows CICS action with all parameters." lightbox="./media/integrate-cics-apps-ibm-mainframe/action-advanced-parameters.png":::

+1. When you're done, save your workflow. On designer toolbar, select **Save**.

+## Test your workflow

+1. To run your workflow, on the workflow menu, select **Overview**. On the **Overview** toolbar, select **Run** > **Run**.

+ After your workflow finishes running, your workflow's run history appears. Successful steps show check marks, while unsuccessful steps show an exclamation point (**!**).

+1. To review the inputs and outputs for each step, expand that step.

+1. To review the outputs, select **See raw outputs**.

+## Next steps

+* [Monitor workflow run status, review trigger and workflow run history, and set up alerts in Azure Logic Apps](../logic-apps/monitor-logic-apps.md?tabs=standard)

+* [View metrics for workflow health and performance in Azure Logic Apps](../logic-apps/view-workflow-metrics.md?tabs=standard)

+* [Monitor and collect diagnostic data for workflows in Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md?tabs=standard)

+* [Enable and view enhanced telemetry in Application Insights for Standard workflows in Azure Logic Apps](../logic-apps/enable-enhanced-telemetry-standard-workflows.md)

+ Title: Parse and generate IBM host files

+description: Learn how to parse and generate offline IBM host files.

+ms.suite: integration

+# Parse and generate host files from IBM mainframes for Standard workflows in Azure Logic Apps

+To parse and generate new IBM host files and i Series physical files from Standard workflows in Azure Logic Apps, you can use the **IBM Host File** built-in, service provider-based connector. Since the introduction of mainframe systems, ubiquitous host files are used to store abundant data for mission critical systems. Although this connector doesn't require access to an IBM mainframe or midrange system, you must make the host file available to a Standard workflow by using other mechanisms such as FTP, blob storage, Host Integration Server, or a partner software appliance. The **IBM Host File** connector is available in all Azure Logic Apps regions except for Azure Government and Microsoft Azure operated by 21Vianet.

+This how-to guide describes the following aspects about the **IBM Host File** connector:

+* Why use the **IBM Host File** connector in Azure Logic Apps

+* Prerequisites and setup for using the **IBM Host File** connector

+* Steps for adding the **IBM Host File** connector actions to your Standard logic app workflow

+## Why use this connector?

+On IBM mainframes, *access methods*, which are special components in the operating system, handle file processing. In the 1970s, Virtual Storage Access Method (VSAM) was built and became the most widely used access method on IBM mainframes. VSAM provides the following types of files: entry-sequenced datasets, key-sequenced datasets, and relative record datasets.

+Today, the market has multiple solutions that directly connect to host files and run data operations. Many solutions require that you install software on the mainframe system. Although this option works well for some customers, others want to avoid growing the footprint in their mainframe systems.

+[Microsoft Host Integration Server (HIS)](/host-integration-server/what-is-his) provides a managed adapter for host files and doesn't require installing software on the mainframe. However, HIS requires that you enable the [IBM Distributed File Manager (DFM)](https://www.ibm.com/docs/en/zos/2.2.0?topic=management-distributed-file-manager) mainframe subsystem, which requires LU 6.2. This managed provider also requires you to configure an HIS System Network Architecture (SNA) gateway that provides access to the DFM.

+In most ways, the managed provider operates as a normal data provider. You can connect to a host file system, execute commands, and retrieve data. Although a great alternative for some customers, the **IBM Host File** connector requires that you make IBM host files available in binary format to Standard workflows in Azure Logic Apps. This requirement reduces the complexity of this solution and lets you use your choice of tools to access and manage data in host files. After you make the host file available in a place where the Standard workflow can use a trigger to read the file, the **IBM Host File** connector operation can parse that file.

+For customers interested in accessing and using databases, such as SQL Server or Cosmos DB, in their mainframe environments, the **IBM Host File** connector provides the capability to generate host files in JSON format. That way, you can use these host files in your cloud database of choice, and send the data back as a host file to your mainframe or midrange environments.

+The following diagram shows how the **IBM Host File** connector in Azure Logic Apps interacts with other systems:

+To extend hybrid cloud scenarios, the **IBM Host File** connector works with the [HIS Designer for Logic Apps](/host-integration-server/core/application-integration-ladesigner-2), which you can use to create a *data definition* or *data map* of the mainframe host file. For this task, the HIS Designer converts that data into metadata that the **IBM Host File** connector uses when running an action in your workflow. The connector performs the data type conversions, which are required to receive input from preceding workflow operations and to send output for use by subsequent workflow actions. The connector also provides tabular data definition and code page translation.

+After you generate the metadata file as a Host Integration Designer XML (HIDX) file from the HIS Designer, you can add that file as a map artifact to your Standard logic app resource. That way, your workflow can access your app's metadata when you add an **IBM Host File** connector action. The connector reads the metadata file from your logic app resource, and dynamically presents the binary file's structure to use with the **IBM Host File** connector actions in your workflow.

+## Connector technical reference

+The following section describes the operations for the **IBM Host File** connector, which currently includes only the following actions:

+### Parse Host File Contents action

+| Parameter | Required | Type | Description |

+|--|-|-|-|

+| **HIDX Name** | Yes | String | Select the mainframe host file HIDX file that you want to use. |

+| **Schema Name** | Yes | String | Select the host file schema in the HIDX file that you want to use. |

+| **Binary contents** | Yes | Binary | Select the binary data with a fixed length record extracted from the mainframe. |

+### Generate Host File Contents action

+| Parameter | Required | Type | Description |

+|--|-|-|-|

+| **HIDX Name** | Yes | String | Select the mainframe host file HIDX file that you want to use. |

+| **Schema Name** | Yes | String | Select the host file schema in the HIDX file that you want to use. |

+| **Rows** | Yes | JSON | Select the Array or individual rows. To enter an entire data object in JSON format, you can select the **Switch to input entire array** option. |

+## Limitations

+Currently, this connector requires that you upload your HIDX file directly to your Standard logic app resource, not an integration account.

+## Prerequisites

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* The Host Integration Designer XML (HIDX) file that provides the necessary metadata for the **IBM Host File** connector to recognize the host file data structure.

+ To create this HIDX file, [download and install the HIS Designer for Azure Logic Apps](https://aka.ms/his-designer-logicapps-download). The only prerequisite is [Microsoft .NET Framework 4.8](https://aka.ms/net-framework-download).

+ To effectively parse and generate host files, your workflow needs to understand the host file metadata. However, as a key difference between a host file and a database table, the host file doesn't have the metadata that describes the data structure. To create this metadata, use the [HIS Designer for Logic Apps](/host-integration-server/core/application-integration-ladesigner-2). With this tool, you can manually create the host file structure that your workflow uses. You can also import COBOL definitions (copybooks) that provide these data structures.

+ The tool generates a Host Integration Designer XML (HIDX) file that provides the necessary metadata for the connector to recognize the host file data structure. If you're using HIS, you can use the TI Designer to create the HIDX file.

+* The Standard logic app workflow where you want to parse or generate the host file.

+ The **IBM Host File** connector doesn't have triggers, so use any trigger to start your workflow, such as the **Recurrence** trigger or **Azure Blob Storage** trigger. You can then add the **IBM Host File** connector actions. To get started, create a blank workflow in your Standard logic app resource.

+<a name="define-generate-hostfile-metadata"></a>

+## Define and generate metadata

+After you download and install the HIS Designer for Azure Logic Apps, follow [these steps to generate the HIDX file from the metadata artifact](/host-integration-server/core/application-integration-lahostfiles).

+<a name="upload-hidx-file"></a>

+## Upload the HIDX file

+For your workflow to use the HIDX file, follow these steps:

+1. Go to the folder where you saved your HIDX file, and copy the file.

+1. In the [Azure portal](https://portal.azure.com), [upload the HIDX file as a map to your Standard logic app resource](../logic-apps/logic-apps-enterprise-integration-maps.md?tabs=standard#add-map-to-standard-logic-app-resource).

+1. Now, [add an **IBM Host File** action to your workflow](#add-host-files-action).

+Later in this guide, when you add the **Parse Host File Contents** action to your workflow for the first time, you're prompted to create a connection. After you create the connection, you can select your previously added HIDX file, the schema, and the parameters to use.

+<a name="add-host-files-action"></a>

+## Add a Parse Host File Contents action

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource and workflow in the designer.

+1. If you haven't already added a trigger to start your workflow, [follow these general steps to add the trigger that you want](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+ This example continues with the **Azure Blob Storage** built-in, service provider-based trigger named **When a blob is added or updated**.

+ :::image type="content" source="media/integrate-host-files-ibm-mainframe/blob-storage-trigger.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and Azure Blob Storage trigger." lightbox="media/integrate-host-files-ibm-mainframe/blob-storage-trigger.png":::

+1. To get the content from the added or updated blob, [follow these general steps to add the **Azure Blob Storage** built-in connector action named **Read blob content**](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. [Follow these general steps to add the **IBM Host File** built-in connector action named **Parse Host File Contents**](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. After the connection details pane appears, provide the following information:

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **Connection Name** | Yes | <*connection-name*> | The name for your connection |

+ | **Code Page** | No | <*code-page*> | The code page number to use for converting text |

+ | **From iSeries** | No | <*mf-iseries*> | Whether the file originates from an i Series server |

+ For example:

+ :::image type="content" source="./media/integrate-host-files-ibm-mainframe/parse-host-file-contents-connection.png" alt-text="Screenshot showing the Parse Host File Contents action's connection properties." lightbox="./media/integrate-host-files-ibm-mainframe/parse-host-file-contents-connection.png":::

+1. When you're done, select **Create New**.

+1. After the action details pane appears, in the **Parameters** section, provide the required information:

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **HIDX Name** | Yes | <*HIDX-file-name*> | Select the mainframe host file HIDX file that you want to use. |

+ | **Schema Name** | Yes | <*schema-name*> | Select the schema in the HIDX file that you want to use. |

+ | **Binary Contents** | Yes | <*binary-contents*> | Select the binary data with a fixed length record extracted from the host. |

+ For example, the following image shows Visual Studio with a sample host file HIDX file with a **CUSTOMER** table and **CUSTOMER_RECORD** schema in the HIS Designer for Logic Apps:

+ :::image type="content" source="./media/integrate-host-files-ibm-mainframe/visual-studio-customers-hidx.png" alt-text="Screenshot shows Visual Studio and the host file schema in the HIDX file." lightbox="./media/integrate-host-files-ibm-mainframe/visual-studio-customers-hidx.png":::

+ **Provide HIDX file and schema**

+ :::image type="content" source="./media/integrate-host-files-ibm-mainframe/parse-host-file-contents-parameters.png" alt-text="Screenshot shows the Parse Host File Contents action with selected HIDX file and schema.":::

+ **Select binary data to read from blob**

+ :::image type="content" source="./media/integrate-host-files-ibm-mainframe/parse-host-file-contents-binary.png" alt-text="Screenshot shows the Parse Host File Contents action, dynamic content list, and selecting binary data to read from JSON file in Blob Storage account." lightbox="./media/integrate-host-files-ibm-mainframe/parse-host-file-contents-binary.png":::

+ When you're done, the **Parse Host File Contents** action looks like the following example with a subsequent action that creates a file on an SFTP server:

+ :::image type="content" source="./media/integrate-host-files-ibm-mainframe/parse-host-file-contents-complete.png" alt-text="Screenshot shows the completed Parse Host File Contents action." lightbox="./media/integrate-host-files-ibm-mainframe/parse-host-file-contents-complete.png":::

+1. When you're done, save your workflow. On designer toolbar, select **Save**.

+## Add a Generate Host File Contents action

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource and workflow in the designer.

+1. If you haven't already added a trigger to start your workflow, [follow these general steps to add the trigger that you want](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+ This example continues with the **Azure Blob Storage** built-in, service provider-based trigger named **When a blob is added or updated**.

+ :::image type="content" source="media/integrate-host-files-ibm-mainframe/blob-storage-trigger.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and Azure Blob Storage trigger." lightbox="media/integrate-host-files-ibm-mainframe/blob-storage-trigger.png":::

+1. To get the content from the added or updated blob, [follow these general steps to add the **Azure Blob Storage** built-in connector action named **Read blob content**](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. [Follow these general steps to add the **IBM Host File** built-in connector action named **Generate Host File Contents**](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. After the connection details pane appears, provide the following information:

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **Connection Name** | Yes | <*connection-name*> | The name for your connection |

+ | **Code Page** | No | <*code-page*> | The code page number to use for converting text |

+ | **From iSeries** | No | <*mf-iseries*> | Whether the file originates from an i Series server |

+ For example:

+ :::image type="content" source="./media/integrate-host-files-ibm-mainframe/generate-host-file-contents-connection.png" alt-text="Screenshot showing Generate Host File Contents action's connection properties." lightbox="./media/integrate-host-files-ibm-mainframe/generate-host-file-contents-connection.png":::

+1. When you're done, select **Create New**.

+1. After the action details pane appears, in the **Parameters** section, provide the required information:

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **HIDX Name** | Yes | <*HIDX-file-name*> | Provide the name for the mainframe host file HIDX file that you want to use. |

+ | **Schema Name** | Yes | <*schema-name*> | Provide name for the schema in the HIDX file that you want to use. |

+ | **Rows** | Yes | <*rows*> | Provide an array of records to convert to IBM format. To select the output from a preceding workflow operation, follow these steps: <br><br>1. Select inside the **Rows** box, and then select the dynamic content option (lightning bolt). <br><br>2. From the dynamic content list, select the output from a preceding action. For example, from the **Read blob content** section, select **Response from read blob action Content**. <br><br>**Tip**: To enter an entire data object in JSON format, select the **Switch to input entire array** option. |

+ For example, the following image shows Visual Studio with a sample HIDX file in the HIS Designer for Logic Apps:

+ :::image type="content" source="./media/integrate-host-files-ibm-mainframe/visual-studio-customers-hidx.png" alt-text="Screenshot shows the host file schema in the HIDX file." lightbox="./media/integrate-host-files-ibm-mainframe/visual-studio-customers-hidx.png":::

+ **Provide HIDX file and schema**

+ :::image type="content" source="./media/integrate-host-files-ibm-mainframe/generate-host-file-contents-parameters.png" alt-text="Screenshot shows the Generate Host File Contents action with selected HIDX file and schema." lightbox="./media/integrate-host-files-ibm-mainframe/generate-host-file-contents-parameters.png":::

+ **Select rows from blob to read and convert**

+ :::image type="content" source="./media/integrate-host-files-ibm-mainframe/generate-host-file-contents-rows.png" alt-text="Screenshot shows the Generate Host File Contents action, dynamic content list, and selecting rows to read and convert from JSON file in Blob Storage account.":::

+ When you're done, the **Generate Host File Contents** action looks like the following example with a subsequent action that creates a file on an SFTP server:

+ :::image type="content" source="./media/integrate-host-files-ibm-mainframe/generate-host-file-contents-complete.png" alt-text="Screenshot shows the completed Generate Host File Contents action." lightbox="./media/integrate-host-files-ibm-mainframe/generate-host-file-contents-complete.png":::

+1. When you're done, save your workflow. On designer toolbar, select **Save**.

+## Test your workflow

+1. To run your workflow, on the workflow menu, select **Overview**. On the **Overview** toolbar, select **Run** > **Run**.

+ After your workflow finishes running, your workflow's run history appears. Successful steps show check marks, while unsuccessful steps show an exclamation point (**!**).

+1. To review the inputs and outputs for each step, expand that step.

+1. To review the outputs, select **See raw outputs**.

+## Next steps

+* [Monitor workflow run status, review trigger and workflow run history, and set up alerts in Azure Logic Apps](../logic-apps/monitor-logic-apps.md?tabs=standard)

+* [View metrics for workflow health and performance in Azure Logic Apps](../logic-apps/view-workflow-metrics.md?tabs=standard)

+* [Monitor and collect diagnostic data for workflows in Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md?tabs=standard)

+* [Enable and view enhanced telemetry in Application Insights for Standard workflows in Azure Logic Apps](../logic-apps/enable-enhanced-telemetry-standard-workflows.md)

+ Title: Connect to IMS programs on IBM mainframes

+description: Integrate IMS programs with Standard workflows in Azure Logic Apps using the IBM IMS connector.

+ms.suite: integration

+# Integrate IMS programs on IBM mainframes with Standard workflows in Azure Logic Apps

+To access and run IBM mainframe apps on Information Management System (IMS) systems from Standard workflows in Azure Logic Apps, you can use the **IMS Program Call** built-in, service provider-based connector. IMS provides a Transaction Program (TP) Monitor with an integrated Transaction Manager (TM) and hierarchical database. The connector communicates with IBM IMS transaction programs by using IMS Connect, which is an IMS TM network component. This component provides high performance communications for IMS systems between one or more TCP/IP clients and one or more IMS systems. The IMS connector is available in all Azure Logic Apps regions except for Azure Government and Microsoft Azure operated by 21Vianet.

+This how-to guide describes the following aspects about the IMS connector:

+* Why use the IMS connector in Azure Logic Apps

+* Prerequisites and setup for using the IMS connector

+* Steps for adding IMS connector actions to your Standard logic app workflow

+## Why use this connector?

+IMS systems were one of the first mission-critical systems that run on mainframes. Microsoft [Host Integration Server (HIS)](/host-integration-server/what-is-his) provides connectivity to IMS systems by following two models: IMS Connect and APPC LU6.2. Customers have used the HIS Transaction Integrator (TI) to integrate their IMS systems with Windows on premises for many years. The **IMS Program Call** connector uses the IMS Connect model to interact with IMS transaction programs through TCP/IP.

+The following diagram shows how the IMS connector interacts with an IBM mainframe system:

+To extend these hybrid cloud scenarios, the IMS connector in a Standard workflow works with the [HIS Designer for Logic Apps](/host-integration-server/core/application-integration-ladesigner-2), which you can use to create a *program definition* or *program map* of the mainframe transaction program. For this task, the HIS Designer converts that information into metadata that the IMS connector uses when running an action in your workflow.

+After you generate the metadata file as a Host Integration Designer XML (HIDX) file from the HIS Designer, you can add that file as a map artifact to your Standard logic app resource. That way, your workflow can access your app's metadata when you add an IMS connector action. The connector reads the metadata file from your logic app resource, and dynamically presents the parameters to use with the IMS connector in your workflow. You can then provide parameters to the host application, and the connector returns the results to your workflow. As a result, you can integrate your legacy apps with Azure, Microsoft, other apps, services, and systems that Azure Logic Apps supports.

+## Connector technical reference

+The following section describes the operations for the IMS connector, which currently includes only the following action:

+### Call an IMS program

+| Parameter | Required | Type | Description |

+|--|-|-|-|

+| **HIDX Name** | Yes | String | Select the IMS HIDX file that you want to use. |

+| **Method Name** | Yes | String | Select the method in the HIDX file that you want to use. |

+| **Advanced parameters** | No | Varies | This list appears after you select a method so that you can add other parameters to use with the selected method. The available parameters vary based on your HIDX file and the method that you select. |

+This operation also includes advanced parameters, which appear after you select a method, for you to select and use with the selected method. These parameters vary based on your HIDX file and the method that you select.

+## Limitations

+Currently, this connector requires that you upload your HIDX file directly to your Standard logic app resource, not an integration account.

+## Prerequisites

+* An Azure account and subscription. If you don't have an Azure subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* Access to the mainframe that hosts the IMS system

+* The Host Integration Designer XML (HIDX) file that provides the necessary metadata for the **IMS Program Call** connector to execute your mainframe program.

+ To create this HIDX file, [download and install the HIS Designer for Azure Logic Apps](https://aka.ms/his-designer-logicapps-download). The only prerequisite is [Microsoft .NET Framework 4.8](https://aka.ms/net-framework-download).

+ To invoke a mainframe program, your workflow needs to understand the mainframe program's type, parameters, and return values. The IMS connector manages the process and data conversions, which are required for providing input data from the workflow to the mainframe program and for sending any output data generated from the mainframe program to the workflow. The connector also provides tabular data definition and code page translation. For this process, Azure Logic Apps requires that you provide this information as metadata.

+ To create this metadata, use the [HIS Designer for Logic Apps](/host-integration-server/core/application-integration-ladesigner-2). With this tool, you can manually create the methods, parameters, and return values that you can use in your workflow. The tool also allows you to import COBOL or RPG program definitions (copybooks) that provide this information.

+ The tool generates a Host Integration Designer XML (HIDX) file that provides the necessary metadata for the connector. If you're using HIS, you can use the TI Designer to create the HIDX file.

+* The Standard logic app workflow to use for integrating with the IMS system

+ The IMS connector doesn't have triggers, so use any trigger to start your workflow, such as the **Recurrence** trigger or **Request** trigger. You can then add the IMS connector actions. To get started, create a blank workflow in your Standard logic app resource.

+<a name="define-generate-app-metadata"></a>

+## Define and generate metadata

+After you download and install the HIS Designer for Azure Logic Apps, follow [these steps to generate the HIDX file from the metadata artifact](/host-integration-server/core/application-integration-lahostapps).

+<a name="upload-hidx-file"></a>

+## Upload the HIDX file

+For your workflow to use the HIDX file, follow these steps:

+1. Go to the folder where you saved your HIDX file, and copy the file.

+1. In the [Azure portal](https://portal.azure.com), [upload the HIDX file as a map to your Standard logic app resource](../logic-apps/logic-apps-enterprise-integration-maps.md?tabs=standard#add-map-to-standard-logic-app-resource).

+1. Now, [add an IMS action to your workflow](#add-ims-action).

+Later in this guide, when you add a **IMS Program Call** connector action to your workflow for the first time, you're prompted to create a connection between your workflow and the mainframe system. After you create the connection, you can select your previously added HIDX file, the method to run, and the parameters to use.

+<a name="add-ims-action"></a>

+## Add an IMS action

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource and workflow in the designer.

+1. If you haven't already added a trigger to start your workflow, [follow these general steps to add the trigger that you want](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+ This example continues with the **Request** trigger named **When a HTTP request is received**.

+ :::image type="content" source="media/integrate-ims-apps-ibm-mainframe/request-trigger.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and Request trigger.":::

+1. To add an IMS connector action, [follow these general steps to add the **IMS Program Call** built-in connector action named **Call an IMS Program**](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+1. After the connection details pane appears, provide the following information:

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **Connection Name** | Yes | <*connection-name*> | The name for your connection |

+ | **The IMS System ID** | Yes | <*IMS-system-ID*> | The name of the IMS system where the IMS Connect model directs incoming requests |

+ | **ITOC Exit Name** | No | <*ITOC-exit-name*> | The name for the exit routine that IMS uses to handle incoming requests |

+ | **MFS Mod Name** | No | <*MFS-Mod-Name*> | The name associated with the outbound IMS message output descriptor |

+ | **Use the HWSO1 Security Exit** | No | True or false | The server uses the HWSO1 security exit. |

+ | **Server certificate common name** | No | <*server-cert-common-name*> | The name of the Transport Security layer (TLS) certificate to use |

+ | **Code Page** | No | <*code-page*> | The code page number to use for converting text |

+ | **Password** | No | <*password*> | The optional user password for connection authentication |

+ | **Port Number** | Yes | <*port-number*> | The port number to use for connection authentication |

+ | **Server Name** | Yes | <*server-name*> | The server name |

+ | **Timeout** | No | <*time-out*> | The timeout period in seconds while waiting for responses from the server |

+ | **User Name** | No | <*user-Name*> | The optional username for connection authentication |

+ | **Use TLS** | No | True or false | Secure the connection with Transport Security Layer (TLS). |

+ | **Validate Server certificate** | No | True or false | Validate the server's certificate. |

+ For example:

+ :::image type="content" source="./media/integrate-ims-apps-ibm-mainframe/ims-connection.png" alt-text="Screenshot shows IMS action's connection properties." lightbox="./media/integrate-ims-apps-ibm-mainframe/ims-connection.png":::

+1. When you're done, select **Create New**.

+1. After the action details pane appears, in the **Parameters** section, provide the required information:

+ | Parameter | Required | Value | Description |

+ |--|-|-|-|

+ | **HIDX Name** | Yes | <*HIDX-file-name*> | Select the IMS HIDX file that you want to use. |

+ | **Method Name** | Yes | <*method-name*> | Select the method in the HIDX file that you want to use. |

+ | **Advanced parameters** | No | Varies | This list appears after you select a method so that you can add other parameters to use with the selected method. The available parameters vary based on your HIDX file and the method that you select. |

+ For example:

+ **Select HIDX file and method**

+ :::image type="content" source="./media/integrate-ims-apps-ibm-mainframe/action-parameters.png" alt-text="Screenshot shows IMS action with selected HIDX file and method." lightbox="./media/integrate-ims-apps-ibm-mainframe/action-parameters.png":::

+ **Select advanced parameters**

+ :::image type="content" source="./media/integrate-ims-apps-ibm-mainframe/action-advanced-parameters.png" alt-text="Screenshot shows IMS action with all parameters." lightbox="./media/integrate-ims-apps-ibm-mainframe/action-advanced-parameters.png":::

+1. When you're done, save your workflow. On designer toolbar, select **Save**.

+## Test your workflow

+1. To run your workflow, on the workflow menu, select **Overview**. On the **Overview** toolbar, select **Run** > **Run**.

+ After your workflow finishes running, your workflow's run history appears. Successful steps show check marks, while unsuccessful steps show an exclamation point (**!**).

+1. To review the inputs and outputs for each step, expand that step.

+1. To review the outputs, select **See raw outputs**.

+## Next steps

+* [Monitor workflow run status, review trigger and workflow run history, and set up alerts in Azure Logic Apps](../logic-apps/monitor-logic-apps.md?tabs=standard)

+* [View metrics for workflow health and performance in Azure Logic Apps](../logic-apps/view-workflow-metrics.md?tabs=standard)

+* [Monitor and collect diagnostic data for workflows in Azure Logic Apps](../logic-apps/monitor-workflows-collect-diagnostic-data.md?tabs=standard)

+* [Enable and view enhanced telemetry in Application Insights for Standard workflows in Azure Logic Apps](../logic-apps/enable-enhanced-telemetry-standard-workflows.md)

+# [Workload profiles environment](#tab/workload-profiles)

+> When using workload profiles, inbound NSG rules only apply for traffic going through your virtual network. If your container apps are set to accept traffic from the public internet, incoming traffic goes through the public endpoint instead of the virtual network.

+| Protocol | Source | Source ports | Destination | Destination ports | Description |

+| TCP | Your client IPs | \* | Your container app's subnet¹ | `443`, `30,000-32,676`² | Allow your Client IPs to access Azure Container Apps. |

+# [Consumption only environment](#tab/consumption-only)

+| Protocol | Source | Source ports | Destination | Destination ports | Description |

+| TCP | Your client IPs | \* | Your container app's subnet¹ | `443` | Allow your Client IPs to access Azure Container Apps. |

+| TCP | Your client IPs | \* | The `staticIP` of your container app environment | `443` | Allow your Client IPs to access Azure Container Apps. |

+| TCP | Your container app's subnet | \* | Your container app's subnet | \* | Required to allow the container app envoy sidecar to connect to envoy service. |

+² The full range is required when creating your Azure Container Apps as a port within the range will by dynamically allocated. Once created, the required ports are two immutable, static values, and you can update your NSG rules.

+# [Workload profiles environment](#tab/workload-profiles)

+| Protocol | Source | Source ports | Destination | Destination ports | Description |

+| TCP | Your container app's subnet | \* | `AzureMonitor` | `443` | Only required when using Azure Monitor. Allows outbound calls to Azure Monitor. |

+# [Consumption only environment](#tab/consumption-only)

+| Protocol | Source | Source ports | Destination | Destination ports | Description |

+| TCP | Your container app's subnet | \* | `AzureMonitor` | `443` | Only required when using Azure Monitor. Allows outbound calls to Azure Monitor. |

+description: Review Azure Cosmos DB for MongoDB vCore supported features and syntax including; commands, query support, datatypes, aggregation, operators and indexes.

+Azure Cosmos DB for MongoDB vCore allows you to experience the familiar MongoDB advantages while accessing the enhanced enterprise features offered by Azure Cosmos DB. It ensures compatibility by following the MongoDB wire protocol, allowing you to leverage existing client drivers, SDKs and other tools you're already familiar with.

+

+## Protocol support

+Azure Cosmos DB for MongoDB provides comprehensive support for MongoDB query language constructs. Below you can find the detailed list of currently supported database commands, operators, stages, and options.

+> [!NOTE]

+> This article only lists the supported server commands, and excludes client-side wrapper functions. Client-side wrapper functions such as `deleteMany()` and `updateMany()` internally utilize the `delete()` and `update()` server commands. Functions utilizing supported server commands are compatible with the Azure Cosmos DB for MongoDB.

+<table>

+<tr><td><b>Category</b></td><td><b>Command</b></td><td><b>Supported</b></td></tr>

+<tr><td rowspan="4">Aggregation Commands</td><td><code>aggregate</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>count</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>distinct</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>mapReduce</code></td><td>Deprecated</td></tr>

+<tr><td rowspan="3">Authentication Commands</td><td><code>authenticate</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>getnonce</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>logout</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="1">Geospatial Commands</td><td><code>geoSearch</code></td><td>Deprecated</td></tr>

+<tr><td rowspan="1">Query Plan Cache Commands</td><td></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="32">Administrative Commands</td><td><code>cloneCollectionAsCapped</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No. Capped collections are currently not supported.</td></tr>

+<tr><td><code>collMod</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Partial</td></tr>

+<tr><td><code>compact</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>connPoolSync</code></td><td>Deprecated</td></tr>

+<tr><td><code>convertToCapped</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No. Capped collections are currently not supported.</td></tr>

+<tr><td><code>create</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Partial</td></tr>

+<tr><td><code>createIndexes</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>currentOp</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>drop</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>dropDatabase</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>dropConnections</code></td><td>As a PaaS service, this will be managed by Azure.</td></tr>

+<tr><td><code>dropIndexes</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>filemd5</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>fsync</code></td><td>As a PaaS service, this will be managed by Azure.</td></tr>

+<tr><td><code>fsyncUnlock</code></td><td>As a PaaS service, this will be managed by Azure.</td></tr>

+<tr><td><code>getDefaultRWConcern</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>getClusterParameter</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>getParameter</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>killCursors</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>killOp</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>listCollections</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>listDatabases</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>listIndexes</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>logRotate</code></td><td>As a PaaS service, this will be managed by Azure.</td></tr>

+<tr><td><code>reIndex</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>renameCollection</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>rotateCertificates</code></td><td>As a PaaS service, this will be managed by Azure.</td></tr>

+<tr><td><code>setFeatureCompatibilityVersion</code></td><td>As a PaaS service, this will be managed by Azure.</td></tr>

+<tr><td><code>setIndexCommitQuorum</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>setParameter</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Partial</td></tr>

+<tr><td><code>setDefaultRWConcern</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>shutdown</code></td><td>As a PaaS service, this will be managed by Azure.</td></tr>

+<tr><td rowspan="1">User & Role Management Commands</td><td></td><td>Not supported today, but will be made available through Azure Active Directory in the future.</td></tr>

+<tr><td rowspan="1">Replication Commands</td><td></td><td>Azure manages replication, removing the necessity for customers to replicate manually.</td></tr>

+<tr><td rowspan="35">Sharding Commands</td><td><code>enableSharding</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>isdbgrid</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>reshardCollection</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>shardCollection</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>unsetSharding</code></td><td>Deprecated</td></tr>

+<tr><td><code>addShard</code></td><td rowspan="29">As a Platform-as-a-Service (PaaS) offering, Azure manages shard management and rebalancing. Users only need to specify the sharding strategy for the collections and Azure will handle the rest.</td></tr>

+<tr><td><code>addShardToZone</code></td></tr>

+<tr><td><code>clearJumboFlag</code></td></tr>

+<tr><td><code>cleanupOrphaned</code></td></tr>

+<tr><td><code>removeShard</code></td></tr>

+<tr><td><code>removeShardFromZone</code></td></tr>

+<tr><td><code>setShardVersion</code></td></tr>

+<tr><td><code>mergeChunks</code></td></tr>

+<tr><td><code>checkShardingIndex</code></td></tr>

+<tr><td><code>getShardMap</code></td></tr>

+<tr><td><code>getShardVersion</code></td></tr>

+<tr><td><code>medianKey</code></td></tr>

+<tr><td><code>splitVector</code></td></tr>

+<tr><td><code>shardingState</code></td></tr>

+<tr><td><code>cleanupReshardCollection</code></td></tr>

+<tr><td><code>flushRouterConfig</code></td></tr>

+<tr><td><code>balancerCollectionStatus</code></td></tr>

+<tr><td><code>balancerStart</code></td></tr>

+<tr><td><code>balancerStatus</code></td></tr>

+<tr><td><code>balancerStop</code></td></tr>

+<tr><td><code>configureCollectionBalancing</code></td></tr>

+<tr><td><code>listShards</code></td></tr>

+<tr><td><code>split</code></td></tr>

+<tr><td><code>moveChunk</code></td></tr>

+<tr><td><code>updateZoneKeyRange</code></td></tr>

+<tr><td><code>movePrimary</code></td></tr>

+<tr><td><code>abortReshardCollection</code></td></tr>

+<tr><td><code>commitReshardCollection</code></td></tr>

+<tr><td><code>refineCollectionShardKey</code></td></tr>

+<tr><td><code>reshardCollection</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="9">Query and Write Operation Commands</td><td><code>change streams</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>delete</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>find</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>findAndModify</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>getLastError</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>getMore</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Partial</td></tr>

+<tr><td><code>insert</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>resetError</code></td><td>Deprecated</td></tr>

+<tr><td><code>update</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="8">Session Commands</td><td><code>abortTransaction</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>commitTransaction</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>endSessions</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>killAllSessions</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>killAllSessionsByPattern</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>killSessions</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>refreshSessions</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>startSession</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="25">Diagnostic Commands</td><td><code>availableQueryOptions</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>buildInfo</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>collStats</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>connPoolStats</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>connectionStatus</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Partial</td></tr>

+<tr><td><code>dataSize</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>dbHash</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>dbStats</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>driverOIDTest</code></td><td>As a PaaS service, this will be managed by Azure.</td></tr>

+<tr><td><code>explain</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>features</code></td><td>As a PaaS service, this will be managed by Azure.</td></tr>

+<tr><td><code>getCmdLineOpts</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>getLog</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>hostInfo</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Partial</td></tr>

+<tr><td><code>_isSelf</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>listCommands</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>lockInfo</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>netstat</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>ping</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>profile</code></td><td>As a PaaS service, this will be managed by Azure.</td></tr>

+<tr><td><code>serverStatus</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>shardConnPoolStats</code></td><td>Deprecated</td></tr>

+<tr><td><code>top</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>validate</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>whatsmyuri</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="1">System Events Auditing Commands</td><td><code>logApplicationMessage</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+</table>

+## Operators

+Below are the list of operators currently supported on Azure Cosmos DB for MongoDB vCore:

+<table>

+<tr><td><b>Category</b></td><td><b>Operator</b></td><td><b>Supported</b></td></tr>

+<tr><td rowspan="8">Comparison Query Operators</td><td><code>$eq</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$gt</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$gte</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$in</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$lt</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$lte</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$ne</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$nin</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="4">Logical Query Operators</td><td><code>$and</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$not</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$nor</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$or</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="2">Element Query Operators</td><td><code>$exists</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$type</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="6">Evaluation Query Operators</td><td><code>$expr</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$jsonSchema</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$mod</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$regex</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$text</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$where</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="1">Geospatial Operators</td><td></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="3">Array Query Operators</td><td><code>$all</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$elemMatch</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$size</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="4">Bitwise Query Operators</td><td><code>$bitsAllClear</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$bitsAllSet</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$bitsAnyClear</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$bitsAnySet</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="4">Projection Operators</td><td><code>$</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$elemMatch</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$meta</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$slice</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="3">Miscellaneous Query Operators</td><td><code>$comment</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$rand</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$natural</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="9">Field Update Operators</td><td><code>$currentDate</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$inc</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$min</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$max</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$mul</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$rename</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$set</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$setOnInsert</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$unset</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="12">Array Update Operators</td><td><code>$</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$[]</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$[identifier]</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$addToSet</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$pop</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$pull</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$push</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$pullAll</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$each</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$position</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$slice</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$sort</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="1">Bitwise Update Operators</td><td><code>$bit</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="16">Arithmetic Expression Operators</td><td><code>$abs</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$add</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$ceil</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$divide</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$exp</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$floor</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$ln</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$log</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$log10</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$mod</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$multiply</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$pow</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$round</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$sqrt</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$subtract</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$trunc</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="20">Array Expression Operators</td><td><code>$arrayElemAt</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$arrayToObject</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$concatArrays</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$filter</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$firstN</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$in</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$indexOfArray</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$isArray</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$lastN</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$map</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$maxN</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$minN</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$objectToArray</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$range</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$reduce</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$reverseArray</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$size</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$slice</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$sortArray</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$zip</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="4">Bitwise Operators</td><td><code>$bitAnd</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$bitNot</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$bitOr</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$bitXor</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="3">Boolean Expression Operators</td><td><code>$and</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$not</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$or</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="7">Comparison Expression Operators</td><td><code>$cmp</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$eq</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$gt</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$gte</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$lt</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$lte</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$ne</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="1">Custom Aggregation Expression Operators</td><td colspan="2">Not supported.</td></tr>

+<tr><td rowspan="2">Data Size Operators</td><td><code>$bsonSize</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$binarySize</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="22">Date Expression Operators</td><td><code>$dateAdd</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$dateDiff</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$dateFromParts</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$dateFromString</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$dateSubtract</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$dateToParts</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$dateToString</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$dateTrunc</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$dayOfMonth</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$dayOfWeek</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$dayOfYear</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$hour</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$isoDayOfWeek</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$isoWeek</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$isoWeekYear</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$millisecond</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$minute</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$month</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$second</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toDate</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$week</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$year</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="1">Literal Expression Operator</td><td><code>$literal</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="3">Miscellaneous Operators</td><td><code>$getField</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$rand</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$sampleRate</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="3">Object Expression Operators</td><td><code>$mergeObjects</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$objectToArray</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$setField</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="7">Set Expression Operators</td><td><code>$allElementsTrue</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$anyElementTrue</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$setDifference</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$setEquals</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$setIntersection</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$setIsSubset</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$setUnion</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="23">String Expression Operators</td><td><code>$concat</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$dateFromString</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$dateToString</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$indexOfBytes</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$indexOfCP</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$ltrim</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$regexFind</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$regexFindAll</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$regexMatch</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$replaceOne</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$replaceAll</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$rtrim</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$split</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$strLenBytes</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$strLenCP</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$strcasecmp</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$substr</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$substrBytes</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$substrCP</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toLower</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toString</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$trim</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toUpper</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="1">Text Expression Operator</td><td><code>$meta</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="1">Timestamp Expression Operators</td><td colspan="2">Not supported.</td></tr>

+<tr><td rowspan="1">Trigonometry Expression Operators</td><td colspan="2">Not supported.</td></tr>

+<tr><td rowspan="11">Type Expression Operators</td><td><code>$convert</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$isNumber</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toBool</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toDate</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toDecimal</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toDouble</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toInt</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toLong</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toObjectId</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$toString</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$type</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="22">Accumulators ($group, $bucket, $bucketAuto, $setWindowFields)</td><td><code>$accumulator</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$addToSet</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$avg</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$bottom</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$bottomN</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$count</code>/td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$first</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$firstN</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$last</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$lastN</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$max</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$maxN</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$median</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$mergeObjects</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$min</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$percentile</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$push</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$stdDevPop</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$stdDevSamp</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$sum</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$top</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$topN</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="10">Accumulators (in Other Stages)</td><td><code>$avg</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$first</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$last</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$max</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$median</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$min</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$percentile</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$stdDevPop</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$stdDevSamp</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$sum</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td rowspan="1">Variable Expression Operators</td><td colspan="2">Not supported.</td></tr>

+<tr><td rowspan="1">Window Operators</td><td colspan="2">Not supported.</td></tr>

+<tr><td rowspan="3">Conditional Expression Operators</td><td><code>$cond</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$ifNull</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$switch</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td rowspan="44">Aggregation Pipeline Stages</td><td><code>$addFields</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$bucket</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$bucketAuto</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$changeStream</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$changeStreamSplitLargeEvent</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$collStats</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$count</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$densify</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$documents</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$facet</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$fill</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$geoNear</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$graphLookup</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$group</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$indexStats</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$limit</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$listSampledQueries</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$listSearchIndexes</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$listSessions</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$lookup</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$match</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$merge</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$out</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$planCacheStats</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$project</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$redact</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$replaceRoot</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$replaceWith</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$sample</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$search</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$searchMeta</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$set</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$setWindowFields</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$skip</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$sort</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$sortByCount</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$unionWith</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$unset</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$unwind</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$shardedDataDistribution</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$changeStream</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$currentOp</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td><code>$listLocalSessions</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td><code>$documents</code></td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+> AvgObjsize and size in "collStats" works with document size less than 2KB only.

+</table>

+<table>

+<tr><td>Command</td><td>Supported</td></tr>

+<tr><td>Single Field Index</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td>Compound Index</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td>Multikey Index</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td>Text Index</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td>Geospatial Index</td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td>Hashed Index</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td>Vector Index (only available in Cosmos DB)</td><td><img src="medi)</td></tr>

+</table>

+<table>

+<tr><td>Command</td><td>Supported</td></tr>

+<tr><td>TTL</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td>Unique</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td>Partial</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+<tr><td>Case Insensitive</td><td><img src="media/compatibility/no-icon.svg" alt="No">No</td></tr>

+<tr><td>Sparse</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+ <tr><td>Background</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes">Yes</td></tr>

+</td></tr>

+</table>

+* United States

+* India

+ Title: Azure Monitor Agent in Defender for Cloud

+# Azure Monitor Agent in Defender for Cloud

+To make sure that your server resources are secure, Microsoft Defender for Cloud uses agents installed on your servers to send information about your servers to Microsoft Defender for Cloud for analysis.

+In this article, we give an overview of AMA preferences for when you deploy Defender for SQL servers on machines.

+> As part of the Defender for Cloud updated strategy, Azure Monitor Agent will no longer be required for the Defender for Servers offering. However, it will still be required for Defender for SQL Server on machines. As a result, the previous autoprovisioning process for both agents has been adjusted accordingly. Learn more about [this announcement](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation).

+## Azure Monitor Agent in Defender for Servers

+Azure Monitor Agent (AMA) is still available for deployment on your servers but is not required to receive Defender for Servers features and capabilities. To ensure your servers are secured, receive all the security content of Defender for Servers, verify [Defender for Endpoint (MDE) integration](integration-defender-for-endpoint.md) and [agentless disk scanning](concept-agentless-data-collection.md) are enabled on your subscriptions. This will ensure youΓÇÖll seamlessly be up to date and receive all the alternative deliverables once they are provided.

+The following information on availability is relevant for the [Defender for SQL](defender-for-sql-introduction.md) plan only.

+ - [Enable Defender for SQL servers on machines](defender-for-sql-usage.md)

+## Deploy the SQL server-targeted AMA autoprovisioning process

+Deploying Azure Monitor Agent with Defender for Cloud is available for SQL servers on machines as detailed [here](defender-for-sql-autoprovisioning.md#migrate-to-the-sql-server-targeted-ama-autoprovisioning-process).

+- Cloud security posture management (CSPM) ΓÇô **SecurityCenterFree solution**

+As in Log Analytics workspaces, Defender for Cloud users are eligible for [500 MB of free data](faq-defender-for-servers.yml) daily on defined data types that include security events.

+- [File integrity monitoring](file-integrity-monitoring-enable-ama.md)

+| Foundational CSPM | ΓÇó There are no charges when you use foundational CSPM with no plans enabled.<br /><br />ΓÇó AWS/GCP machines don't need to be set up with Azure Arc for foundational CSPM. On-premises machines do.<br /><br />ΓÇó Some foundational recommendations rely only agents: Antimalware / endpoint protection (Log Analytics agent or Azure Monitor agent) \| OS baselines recommendations (Log Analytics agent or Azure Monitor agent and Guest Configuration extension) \|

+ Title: Deploy Resources with Azure for Students

+description: Learn how to deploy resource with your Azure for Students subscription

+# Tutorial: Deploy Resources with Azure for Students

+With Azure for Students, you have access to the entire Azure platform and all its services. These tutorials will show you everything you need to know about some popular services that can be deployed using your Azure for Students subscription.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Deploy an App on Azure

+> * Deploy a Virtual Machine

+> * Deploy a SQL Database

+> * Deploy Azure AI Speech-to-Test

+> * Deploy Azure AI Custom Vision Service

+## Prerequisites

+You must have an Azure for Students account.

+## Follow the tutorials to deploy resources

+[Deploy an App on Azure](https://learn.microsoft.com/azure/app-service/)

+[Deploy a Virtual Machine](https://learn.microsoft.com/azure/virtual-machines/)

+[Deploy a SQL Database](https://learn.microsoft.com/azure/azure-sql/?view=azuresql)

+[Deploy Azure AI Speech-to-Test](https://learn.microsoft.com/azure/ai-services/speech-service/index-speech-to-text)

+[Deploy Azure AI Custom Vision Service](https://learn.microsoft.com/azure/ai-services/custom-vision-service/)

+## Next steps

+- [Learn about the education hub](about-education-hub.md)

+- [Support options](educator-service-desk.md)

+<iframe width="560" height="315" src="https://www.youtube.com/embed/UrkHiUx19Po?si=EREdwKeBAGnlOeSS" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

+* To learn how to add a custom domain to your Azure Front Door profile, see [Configure a custom domain on Azure Front Door using the Azure portal](standard-premium/how-to-add-custom-domain.md).

+* Learn more about how [End-to-end TLS with Azure Front Door](end-to-end-tls.md).

+* [Configure a custom domain](standard-premium/how-to-add-custom-domain.md) on Azure Front Door using the Azure portal.

+* Learn about [End-to-end TLS with Azure Front Door](end-to-end-tls.md).

+* Learn how to [enable HTTPS for your custom domain](how-to-configure-https-custom-domain.md).

+* Learn more about [custom domains in Azure Front Door](../domain.md).

+* Learn about [End-to-end TLS with Azure Front Door](../end-to-end-tls.md).

+* Learn about [caching with Azure Front Door Standard/Premium](../front-door-caching.md).

+* [Understand custom domains](../domain.md) on Azure Front Door.

+* Learn about [End-to-end TLS with Azure Front Door](../end-to-end-tls.md).

+Machine configuration supports the following value types for parameters:

+- String

+- Boolean

+- Double

+- Float

+- Test your policy's effectiveness

+## Test your policy's effectiveness

+how it evaluates a limited subset of existing resources, such as a test resource group. The [Azure Policy VS Code extension](../how-to/extension-for-vscode.md#on-demand-evaluation-scan) allows for isolated testing of definitions against existing Azure resources using the on demand evaluation scan.

+You may also assign the definition in a _Dev_ environment using the

+resources without impacting work flow. Check that no compliant resources show as non-compliant

+After the initial subset of resources validates as expected, slowly expand the evaluation to more

+existing resources and more scopes.

+_DeployIfNotExists_ or _Modify_.

+Policy definitions with a _DeployIfNotExist_ should leverage the [Azure Resource Manager template what if](../../../azure-resource-manager/templates/deploy-what-if.md) to validate and test the changes that happen when deploying the ARM template.

+definition supports effect parameterization, use [Audit](./effects.md#audit) or [AuditIfNotExist](./effects.md#auditifnotexists). This configuration

+that the _Audit_ or _AuditIfNotExist_ effect is correctly being triggered when expected. Be on the lookout for resource

+requests that shouldn't be affected by the new policy definition that trigger the _Audit_ or _AuditIfNotExist_ effect.

+as a resource group. You can further filter by resource type or location using the [`resourceSelectors`](./assignment-structure.md#resource-selectors-preview) property within the policy assignment.After validating initial deployment, extend the scope of the policy to broader as a resource group. After validating initial deployment, expand the impact of the policy by adjusting the resourceSelector filters to target more locations or resource types, or by removing the assignment and replacing it with a new one at broader scopes like subscriptions and management groups. Continue this gradual rollout until it's assigned to the full scope of resources intended to be covered by your new policy definition.

+each policy assignment in the Azure portal or through the various SDKs to something more manageable

+and repeatable at an enterprise scale. Two of the predominant approaches to managing systems at scale

+Before getting into the details of Azure Policy as Code workflow, it's important to understand some fundamental concepts, like how to author policy definitions and initiative definitions, and how to leverage exemptions on assignments of those definitions:

+- [Policy exemption](./exemption-structure.md)

+The file names correspond with certain portions of policy or initiative definitions and other policy resources:

+| `exemptionName.json` | The policy exemption that targets a particular resource or scope |

+[Azure Policy GitHub Repo](https://github.com/Azure/azure-policy/)

+Existing [policy and initiative definitions can be exported](../how-to/export-resources.md) different ways such as through PowerShell, CLI, or [Azure Resource Graph (ARG)](../../resource-graph/overview.md) queries. The source control management environment of choice to store these definitions can be one of many options, including a [GitHub](https://www.github.com) or [Azure DevOps](/azure/devops/user-guide/what-is-azure-devops).

+own set of files, such as the parameters, rules, and environment parameters that should be stored

+| |- exemptions.<name1>/__________ # Subfolder for exemptions on assignment 1

+ | - exemptionName.json________ # Exemption for this particular assignment

+ |- exemptions.<name2>/__________ # Subfolder for exemptions on assignment 2

+ | - exemptionName.json________ # Exemption for this particular assignment

+|

+| |- exemptions.<name1>/__________ # Subfolder for exemptions on assignment 1

+ | - exemptionName.json________ # Exemption for this particular assignment

+| |- exemptions.<name1>/__________ # Subfolder for exemptions on assignment 1

+ | - exemptionName.json________ # Exemption for this particular assignment

+ |- exemptions.<name2>/__________ # Subfolder for exemptions on assignment 2

+ | - exemptionName.json________ # Exemption for this particular assignment

+| |- exemptions.<name1>/__________ # Subfolder for exemptions on assignment 1

+ | - exemptionName.json________ # Exemption for this particular assignment

+> to your environment and that a gradual and central deployment mechanism is used. _Write_ permissions

+>[!NOTE]

+> In this step, we are conducting integration testing of the policy definition within your Azure environment, this is seperate from [verfying the functionality of the policy definition](./evaluate-impact.md#test-your-policys-effectiveness) which should occur during the definition creation process.

+production. Validate that the desired effects are applied during resource creation and resource update. Once that environment is validated as working as expected, the change should then be

+- Under how to [follow policy safe deployment practices](../how-to/policy-safe-deployment-practices.md)

+

+The high-level approach of implementing SDP with Azure Policy is to graudally rollout policy assignments

+1. Once you've selected your policy definition, assign the policy at the highest-level scope inclusive

+2. Once the assignment is deployed and the initial compliance scan has completed,

+3. Repeat by expanding the resource selector property values to include the next rings.

+4. Once you have successfully assigned the policy to all rings using `audit` mode,

+5. Once the effect is changed, automated tests should check whether enforcement is taking place as

+6. Repeat by including more rings in your resource selector configuration.

+7. Repeat this process for all production rings.

+The steps for policies using the `modify` or `deployIfNotExists` effects are similar to steps previously explained with the additional action of using _enforcement mode_ and triggering a remediation task.

+1. Once you've selected your policy definition, assign the policy at the highest-level scope inclusive

+of all deployment rings. Apply _resource selectors_ to narrow the applicability to the least

+critical ring by using the `"kind": "resource location"` property. Configure the _enforcement mode_ of the assignment to _DoNotEnforce_. Sample selector with `eastUS` location and _enforcementMode_ as _DoNotEnforce_:

+ ```json

+ "resourceSelectors": [{

+ "name": "SDPRegions",

+ "selectors": [{

+ "kind": "resourceLocation",

+ "in": [ "eastUS" ]

+ }]

+ }],

+ "enforcementMode": "DoNotEnforce"

+ ```

+2. Once the assignment is deployed and the initial compliance scan has completed,

+validate that the compliance result is as expected.

+ You should also configure automated tests that run compliance checks. A compliance check should

+ encompass the following logic:

+

+ - Gather compliance results

+ - If compliance results are as expected, the pipeline should continue

+ - If compliance results aren't as expected, the pipeline should fail and you should start debugging

+

+ You can configure the compliance check by using other tools within

+ your continuous integration/continuous deployment (CI/CD) pipeline.

+

+ At each rollout stage, the application health checks should confirm the stability of the service

+ and impact of the policy. If the results aren't as expected due to application configuration,

+ refactor the application as appropriate.

+ You may also [trigger remediation tasks](../how-to/remediate-resources.md) to remediate existing non-compliant resources. Ensure the remediation tasks are bringing resources into compliance as expected.

+3. Repeat by expanding the resource selector property values to include the next ring's

+locations and validating the expected compliance results and application health. Example selector with an added location value:

+ ```json

+ "resourceSelectors": [{

+ "name": "SDPRegions",

+ "selectors": [{

+ "kind": "resourceLocation",

+ "in": [ "eastUS", "westUS"]

+ }]

+ }]

+ ```

+4. Once you have successfully assigned the policy to all rings using _DoNotEnforce_ mode,

+the pipeline should trigger a task that changes the policy `enforcementMode` to _Default_ enablement and reset

+the resource selectors to the location associated with _Ring 0_. Example selector with one region and effect set to deny:

+ ```json

+ "resourceSelectors": [{

+ "name": "SDPRegions",

+ "selectors": [{

+ "kind": "resourceLocation",

+ "in": [ "eastUS" ]

+ }]

+ }],

+ "enforcementMode": "Default",

+ ```

+5. Once the effect is changed, automated tests should check whether enforcement is taking place as

+expected.

+6. Repeat by including more rings in your resource selector configuration.

+7. Repeat this process for all production rings.

+- Study Microsoft's guidance concerning [safe deployment practices](/devops/operate/safe-deployment-practices).

+- Review [Remediate non-compliant resources with Azure Policy](./remediate-resources.md).

+ * Non-ESP ABFS clusters restrict non-Hadoop group users from executing Hadoop commands for storage operations. This change improves cluster security posture.

+

+* In-line quota update.

+ * Now you can request quota increase directly from the My Quota page, with the direct API call it is much faster. In case the API call fails, you can create a new support request for quota increase.

+The IoT Hub team began migrating IoT hubs in February, 2023 and all IoT hubs have been migrated except for those that have already been approved for a later migration.

+After all IoT hubs have migrated, DPS will perform its migration between January 15 and February 15, 2024.

+As of August, 2023 the extension request process is closed for IoT Hub and IoT Central.

+To prepare for the migration, take the following steps:

+Devices are configured to reverify their connection at a specific interval. The default in the Azure IoT SDKs is to reverify every 45 minutes. If you've implemented a different pattern in your solution, then your experience might vary.

+Also, as part of the migration, your IoT hub might get a new IP address. If your devices use a DNS server to connect to IoT hub, it can take up to an hour for DNS servers to refresh with the new address. For more information, see [IoT Hub IP addresses](iot-hub-understand-ip-address.md).

+ Title: Mainframe and midrange integration workflows

+description: Learn about building mainframe and midrange system integration solutions in Azure Logic Apps using mainframe and midrange connectors.

+#CustomerIntent: As an integration developer, I need to learn about mainframe and midrange system integration with Standard workflows in Azure Logic Apps.

+# Mainframe and midrange modernization with Azure Logic Apps

+This guide describes how your organization can increase business value and agility by extending your mainframe and midrange system workloads to Azure using workflows in Azure Logic Apps. The current business world is experiencing an era of hyper innovation and is on a permanent quest to obtain enterprise efficiencies, cost reduction, growth, and business alignment. Organizations are looking for ways to modernize, and one effective strategy is to increase and augment business value.

+For organizations with investments in mainframe and midrange systems, this means making the best use of platforms that sent humans to the moon or helped build current financial markets and extend their value using the cloud and artificial intelligence. This scenario is where Azure Logic Apps and its native capabilities for integrating with mainframe and midrange systems come into play. Among other features, this Azure cloud service incorporates the core capabilities of Host Integration Server (HIS), which has been used at the core of Microsoft's most strategic customers for more than 30 years.

+When enterprise developers build integration workflows with Azure Logic Apps, they can more quickly deliver new applications using little to no code or less custom code. Developers who use Visual Studio Code and Visual Studio can be more productive than those who use IBM mainframe development tools and technologies because they don't require knowledge about mainframe systems and infrastructure. Azure Logic Apps empowers business analysts and decision makers to more quickly analyze and report vital legacy information. They can directly access data in mainframe data sources, which removes the need to have mainframe developers create programs that extract and convert complex mainframe structures.

+## Cloud native capabilities for mainframe and midrange system integration

+Since 1990, Microsoft has provided integration with mainframe and midrange systems through Microsoft Communications Server. Further evolution of Microsoft Communications Server created Host Integration Server (HIS) in 2000. While HIS started as a System Network Architecture (SNA) Gateway, HIS expanded to include IBM data stores (DB2, VSAM, and Informix), IBM transaction systems (CICS, IMS, and IBMi), and IBM messaging (MQ Series). Microsoft's strategic customers have used these technologies for more than 20 years. To empower customers that run applications and data on Azure to continue using these technologies, Azure Logic Apps and Visual Studio have gradually incorporated these capabilities. For example, Visual Studio includes the following designers: HIS Designer for Logic Apps and the 3270 Design Tool.

+For more information about the Microsoft's capabilities for mainframe and midrange integration, continue to the following sections.

+### HIS Designer for Logic Apps

+This tool creates mainframe and midrange system metadata artifacts for Azure Logic Apps and works with Microsoft Visual Studio by providing a graphical designer so that you can create, view, edit, and map metadata objects to mainframe artifacts. Azure Logic Apps uses these maps to mirror the programs and data in mainframe and midrange systems. For more information, see [HIS Designer for Logic Apps](/host-integration-server/core/application-integration-ladesigner-2).

+### Microsoft 3270 Design Tool

+This tool records screens, navigation paths, methods, and parameters for the tasks in your application so that you can add and run those tasks as 3270 connector actions. While the HIS Designer for Logic Apps targets transactional systems and data, the 3270 Design Tool targets 3270 applications. For more information, see [3270 Design Tool](/host-integration-server/core/application-integration-3270designer-2).

+### Azure Logic Apps connectors for IBM mainframe and midrange systems

+The following sections describe the [built-in, service provider-based connectors](custom-connector-overview.md#service-provider-interface-implementation) that you can use to access and interact with IBM mainframe and midrange systems when you create Standard workflows in Azure Logic Apps.

+> [!NOTE]

+>

+> Although some of the following connectors are available as "shared" connectors that run

+> in global Azure, this guide is focused on the built-in, service provider-based connectors,

+> which are available only when you create Standard workflows in Azure Logic Apps.

+#### IBM 3270

+This Azure Logic Apps connector for 3270 allows Standard workflows to access and run IBM mainframe applications that you usually drive by navigating through 3270 emulator screens. The connector uses the TN3270 stream. For more information, see [Integrate 3270 screen-driven apps on IBM mainframes with Azure by using Azure Logic Apps and IBM 3270 connector](../connectors/integrate-3270-apps-ibm-mainframe.md).

+#### IBM Customer Information Control System (CICS)

+This Azure Logic Apps connector for CICS provides multiple protocols, including TCP/IP and HTTP, for Standard workflows to interact and integrate with CICS programs. If you need APPC support, the connector provides access to CICS transactions using LU6.2, which is available only in Host Integration Server (HIS). For more information, see [Integrate CICS programs on IBM mainframes with Standard workflows in Azure Logic Apps using the IBM CICS connector](../connectors/integrate-cics-apps-ibm-mainframe.md).

+#### IBM DB2

+This Azure Logic Apps connector for DB2 enables connections between Standard workflows and DB2 databases that are either on premises or in Azure. The connector offers enterprise IT professionals and developers direct access to vital information stored in DB2 database management systems. For more information, see [Access and manage IBM DB2 resources using Azure Logic Apps](../connectors/connectors-create-api-db2.md).

+#### IBM Host Files

+This Azure Logic Apps "connector" for Host Files provides a thin wrapper around the "Flat File Parser" feature in Host Integration Server. This offline "connector" provides operations that parse or generate binary data to and from host files. These operations require this data to come from any trigger or another action that produces binary data. For more information, see [Parse and generate IBM host files using Azure Logic Apps](../connectors/integrate-host-files-ibm-mainframe.md).

+#### IBM Information Management System (IMS)

+This Azure Logic Apps connector for IMS uses the IBM IMS Connect component, which provides high performance access from Standard workflows to IMS transactions using TCP/IP. This model uses the IMS message queue for processing data. For more information, see [Integrate IMS programs on IBM mainframes with Standard workflows in Azure Logic Apps using the IBM IMS connector](../connectors/integrate-ims-apps-ibm-mainframe.md).

+#### IBM MQ

+This Azure Logic Apps connector for MQ enables connections between Standard workflows and an MQ server on premises or in Azure. We also provide MQ Integration capabilities with Host Integration Server and BizTalk Server. For more information, see [Connect to an IBM MQ server from a workflow in Azure Logic Apps](../connectors/connectors-create-api-mq.md).

+## How to modernize mainframe workloads with Azure Logic Apps?

+While multiple approaches for modernization exist, Microsoft recommends modernizing mainframe applications by following an iterative, agile-based model. Mainframes host multiple environments with applications and data. A successful modernization strategy includes ways to handle the following tasks:

+- Maintain the current service level indicators and objectives.

+- Manage coexistence between legacy data along with migrated data.

+- Manage application interdependencies.

+- Define the future of the scheduler and jobs.

+- Define a strategy for replacing non-Microsoft tools.

+- Conduct hybrid functional and nonfunctional testing activities.

+- Maintain external dependencies or interfaces.

+The following paths are the most common ways to modernize mainframe applications:

+- Big bang

+ This approach is largely based on the waterfall software delivery model but with iterations in phases.

+- Agile waves

+ This approach follows the Agile principles of software engineering.

+The choice between these paths depends on your organization's needs and scenarios. Each path has benefits and drawbacks to consider. The following sections provide more information about these modernization approaches.

+### Big bang or waterfall

+A big bang migration typically has the following phases:

+1. **Envisioning**: Kickoff

+1. **Planning**: Identify and prepare planning deliverables, such as scope, time, and resources.

+1. **Building**: Begins after planning deliverables are approved

+ This phase also expects that all the work for dependencies has been identified, and then migration activities can begin. Multiple iterations occur to complete the migration work.

+1. **Stabilizing or testing**: Begins when the migrated environment, dependencies, and applications are tested against the test regions in the mainframe environment.

+1. **Deploy**: After everything is approved, the migration goes live into production.

+Organizations that typically choose this approach focus on locking time, migration scope, and resources. This path sounds like a positive choice but includes the following risks:

+- Migrations can take months or even years.

+- The analysis that you perform at the start of the migration journey or during planning is no longer accurate because that information is usually outdated.

+- Organizations typically focus on having comprehensive documentation to reduce delivery risks for delivery.

+ However, the time spent on providing planning artifacts causes exactly the opposite effect. Focusing on planning more than executing tends to create execution delays, which cause increased costs in the long run.

+### Agile waves

+An Agile approach is results oriented and focused on building software and not planning deliverables. The first stages of an Agile delivery might be chaotic and complex for the organizational barriers that need to break. However, when the migration team matures after several sprints of execution, the journey becomes smoother. The goal is to frequently release features to production and to provide business value sooner than with a big bang approach.

+An Agile waves migration typically has the following sprints:

+- Sprint zero (0)

+ - Define the team, an initial work backlog, and the core dependencies.

+ - Identify the features and a Minimum Viable Product (MVP) to deliver.

+ - Kick off mainframe readiness with a selected set of work items or user stories to begin the work.

+- Sprint 1, 2, ..., *N*

+ Each sprint has a goal where the team maintains a shipping mindset, meaning that they focus on completing migration goals and releasing deliverables to production. The team can use a group of sprints to deliver a specific feature or a wave of features. Each feature includes slices of integration workloads.

+Shared elements, such as jobs and interdependencies, exist and have impact across the entire environment. A successful strategy focuses on partially enabling jobs, redesigning applications for modernization, and leaving the systems with most interdependencies until the end to first reduce the amount of migration work and then complete the scope of the modernization effort.

+## Modernization patterns

+Good design includes factors such as consistency and coherence in component design and deployment, maintainability to simplify administration and development, and reusability that allows other applications and scenarios to reuse components and subsystems. For cloud-hosted applications and services, decisions made during the design and implementation phase have a huge impact on quality and the total cost of ownership.

+The Azure Architecture Center provides tested [design and implementation patterns](/azure/architecture/patterns/category/design-implementation) that describe the problem that they address, considerations for applying the pattern, and an example based on Microsoft Azure. While multiple design and implementation patterns exist, the two most relevant patterns for mainframe modernization include the "Anti-corruption Layer" and "Strangler Fig" patterns.

+### Anti-corruption Layer pattern

+Regardless which modernization approach that you select, you need to implement an "anti-corruption layer" using Azure Logic Apps. This service becomes the façade or adapter layer between the mainframe legacy system and Azure. For an effective approach, identify the mainframe workloads to integrate or coexist as mainframe integration workloads. Create a strategy for each integration workload, which is the set of interfaces that you need to enable for migrating a mainframe application.

+For more information, see [Anti-corruption Layer](/azure/architecture/patterns/anti-corruption-layer).

+### Strangler Fig pattern

+After you implement the anti-corruption layer, modernization progressively happens. For this phase, you need to use the "Strangler Fig" pattern where you identify mainframe workloads or features that you can incrementally modernize. For example, if you choose to modernize a CICS application, you have to modernize not only the CICS programs, but most likely the 3270 applications along with their corresponding external dependencies, data, and jobs.

+Eventually, after you replace all the workloads or features in the mainframe system with your new system, you'll finish the migration process, which means that you can decommission your legacy system.

+For more information, see [Strangler Fig pattern](/azure/architecture/patterns/strangler-fig).

+## Next step

+- [Azure Architecture Center for mainframes and midrange systems](/azure/architecture/browse/?terms=mainframe)

+### Scenario: Use HuggingFace models

+If you plan to use __HuggingFace models__ with Azure Machine Learning, add outbound _FQDN_ rules to allow traffic to the following hosts:

+> [!WARNING]

+> FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. For more information, see [Pricing](#pricing).

+* `docker.io`

+* `*.docker.io`

+* `*.docker.com`

+* `production.cloudflare.docker.com`

+* `cdn.auth0.com`

+* `cdn-lfs.huggingface.co`

+ This article uses the example in the folder **endpoints/online/deploy-with-packages/mlflow-model**.

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/online/deploy-with-packages/mlflow-model/deploy.sh" ID="register_model" :::

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/endpoints/online/deploy-with-packages/mlflow-model/sdk-deploy-and-test.ipynb?name=register_model)]

+ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/online/deploy-with-packages/mlflow-model/package-external.yml" :::

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/endpoints/online/deploy-with-packages/mlflow-model/sdk-deploy-and-test.ipynb?name=configure_package_copy)]

+ :::code language="azurecli" source="~/azureml-examples-main/cli/endpoints/online/deploy-with-packages/mlflow-model/deploy.sh" ID="build_package_copy" :::

+ [!notebook-python[] (~/azureml-examples-main/sdk/python/endpoints/online/deploy-with-packages/mlflow-model/sdk-deploy-and-test.ipynb?name=build_package_copy)]

+

+ 1. Prepare the request payload. The format for an MLflow model deployed with Azure Machine Learning inferencing server is as follows:

+

+ __sample-request.json__

+ :::code language="json" source="~/azureml-examples-main/cli/endpoints/online/deploy-with-packages/mlflow-model/sample-request.json" :::

+> [Model packages for deployment (preview)](concept-package-models.md)

+> [!NOTE]

+> Sharing a component from Azure Machine Learning workspace to Azure Machine Learning registry is not supported currently.

+Due to data exfiltration protection, it isn't possible to share an asset from secure workspace to a public registry if the storage account containing the asset has public access disabled. To enable asset sharing from workspace to registry:

+* Go to the **Networking** blade on the storage account attached to the workspace (from where you would like to allow sharing of assets to registry)

+* Set __Public network access__ to **Enabled from selected virtual networks and IP addresses**

+* Scroll down and go to __Resource instances__ section. Select __Resource type__ to **Microsoft.MachineLearningServices/registries** and set __Instance name__ to the name of Azure Machine Learning registry resource were you would like to enable sharing to from workspace.

+* Make sure to check rest of the settings as per your network configuration.

+

+### Use assets from registry in workspace

+> Sharing a component from Azure Machine Learning workspace to Azure Machine Learning registry is not supported currently.

+Due to data exfiltration protection, it isn't possible to share an asset from secure workspace to a private registry if the storage account containing the asset has public access disabled. To enable asset sharing from workspace to registry:

+* Go to the **Networking** blade on the storage account attached to the workspace (from where you would like to allow sharing of assets to registry)

+* Set __Public network access__ to **Enabled from selected virtual networks and IP addresses**

+* Scroll down and go to __Resource instances__ section. Select __Resource type__ to **Microsoft.MachineLearningServices/registries** and set __Instance name__ to the name of Azure Machine Learning registry resource were you would like to enable sharing to from workspace.

+* Make sure to check rest of the settings as per your network configuration.

+ Title: Azure Managed Confidential Consortium Framework application scenarios

+description: An overview of the application scenarios enabled by Azure Managed CCF.

+# Azure Managed Confidential Consortium Framework application scenarios

+The Confidential Consortium Framework (CCF) is an open-source framework for building secure, highly available, and performant applications that focus on multi-party compute and data. CFF uses the power of trusted execution environments (TEE, or enclave), decentralized systems concepts, and cryptography, to enable enterprise-ready multiparty systems. CCF is based on industry standard web technologies that allows clients to interact with CCF aware applications over HTTPS.

+The framework runs exclusively on hardware-backed secure enclaves, a heavily monitored and isolated runtime environment that keeps potential attacks at bay. It also runs on a minimalistic Trusted Computing Base (TCB) and limits the operator's role.

+Following are a few example application scenarios that CCF enables.

+## Decentralized Role Based Access Control(RBAC)

+A CCF application enables its members to run a confidential system with attested components to propose and approve changes without a single party holding all the power. Organizations have invested time and resources to build and operate Line of Business (LOB) applications that are critical to the smooth operation of their business. Many organizations want to implement confidentiality and decentralized governance in the LOB applications but are at a gridlock when deciding between day-to-day operation vs. funding new research and development.

+A recommended approach is to deploy the LOB application on an Azure Confidential Compute offering like an [Azure Confidential VM](../confidential-computing/confidential-vm-overview.md) or [Azure Confidential Containers](../confidential-computing/confidential-containers.md), which requires minimal to no changes. Specific parts of the application requiring multi-party governance can be offload to Managed CCF.

+Due to several recent breaches in the supply chain industry, organizations are exploring ways to increase visibility and auditability into their manufacturing process. On the other hand, consumer awareness on unfair manufacturing processes and mistreatment of workforce has increased. In this example, we describe a scenario that tracks the life of coffee beans from the farm to the cup. Fabrikam is a coffee bean roaster and retailer. It hosts an existing LOB web application that is used by different personas like farmers, distributors, Fabrikam's procurement team and the end consumers. To improve security and auditability, Fabrikam deploys the web application to an Azure Confidential VM and uses decentralized RBAC managed in Managed CCF by a consortium of members.

+A sample [decentralized RBAC application](https://github.com/microsoft/ccf-app-samples/tree/main/decentralize-rbac-app) is published in GitHub for reference.

+## Data for Purpose

+A CCF application enables multiple participants to share data confidentially for specific purposes by trusting only the hardware (TEEs). It can selectively reveal aggregated information or selectively reveal raw data to authorized parties (for example, regulator).ΓÇïΓÇï

+A use case that requires aggregation tied with confidentiality is data reconciliation. It is a common and frequent action in the financial services, healthcare and insurance domains. In this example, we target the healthcare industry. Patient data is generated, consumed and saved across multiple providers like the physician's offices, hospitals and insurance providers. It would be prudent to reconcile the patient data from the different sources to derive useful insights that could throw light into the effectiveness of the prescribed drugs and alter course if needed. However, due to industry and governmental regulations and privacy concerns, it is hard to share data in the clear.

+A CCF application is a good fit for this scenario as it guarantees confidentiality and auditability of the transactions. A sample [data reconciliation application](https://github.com/microsoft/ccf-app-samples/tree/main/data-reconciliation-app) is published in GitHub. It ingests data from three sources, performs aggregation inside a TEE and produces a report that summarizes the similarities and the differences in the data.

+## Transparent System Operation

+CCF enables organizations to operate a system where users can independently confirm that it is run correctly.ΓÇïΓÇï Organizations can share the CCF source code for users to audit both the systemΓÇÖs governance and application code and verify that their transactions are handled according to expectations.ΓÇï

+Auditability is one of the core tenants of the financial services industry. The various government and industry standards emphasize periodic audits of the processes, practices and services to ensure that customer data is handled securely and confidentially at all times. When it comes to implementation, confidentiality and auditability are at odds. CCF applications can play a significant role in breaking this barrier. By using receipts, auditors can independently verify the integrity of transactions without accessing the online service. Refer to the [Audit](https://microsoft.github.io/CCF/main/audit/https://docsupdatetracker.net/index.html) section in the CCF documentation to learn more about offline verification.

+A sample [banking application](https://github.com/microsoft/ccf-app-samples/tree/main/banking-app) is published in GitHub to demonstrate auditability in CCF applications.

+## Next steps

+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

+- [Quickstart: Azure CLI](quickstart-python.md)

+- [FAQ](faq.yml)

+ Title: Learn about the Confidential Consortium Framework

+description: An overview of Confidential Consortium Framework.

+# Overview of Confidential Consortium Framework

+The Confidential Consortium Framework (CCF) is an open-source framework for building secure, highly available, and performant applications that focus on multi-party compute and data. CCF leverages the power of trusted execution environments (TEE, or enclave), decentralized systems concepts, and cryptography, to enable enterprise-ready multiparty systems. CCF is based on industry standard web technologies that allows clients to interact with CCF aware applications over HTTPS.

+The following diagram shows a basic CCF network made of three nodes. All nodes run the same application code inside an enclave. The effects of user (business) and member (governance) transactions are eventually committed to a replicated, encrypted ledger. A consortium of members is in charge of governing the network.

+## Core Concepts

+### Network and Nodes

+A CCF network consists of several nodes, each running on top of a Trusted Execution Environment (TEE), such as Intel SGX. A CCF network is decentralized and highly available. Nodes are run and maintained by Operators. However, nodes must be trusted by the consortium of members before participating in a CCF network.

+To learn more about the operators, refer to the [Operators](https://microsoft.github.io/CCF/main/operations/https://docsupdatetracker.net/index.html) section in the CCF documentation.

+### Application

+Each node runs the same application, written in JavaScript. An application is a collection of endpoints that can be triggered by trusted Users' HTTP commands over TLS. Each endpoint can mutate or read the in-enclave-memory Key-Value Store that is replicated across all nodes in the network. Changes to the Key-Value Store must be agreed by at least a majority of nodes before being applied.

+The Key-Value Store is a collection of maps (associating a key to a value) defined by the application. These maps can be private (encrypted in the ledger) or public (integrity-protected and visible by anyone that has access to the ledger).

+As all the nodes in the CCF network can read the content of private maps, the application logic must control the access to such maps. As every application endpoint has access to the user identity in the request, it is easy to implement an authorization policy to restrict access to the maps.

+To learn more about CCF applications and start building it, refer to the [Get Started](get-started.md) page.

+### Ledger

+All changes to the Key-Value Store are encrypted and recorded by each node of the network to disk to a decentralized auditable ledger. The integrity of the ledger is guaranteed by a Merkle Tree whose root is periodically signed by the current primary or leader node.

+Find out how to audit the CCF ledger in the [Audit]https://microsoft.github.io/CCF/main/audit/https://docsupdatetracker.net/index.html) section in the CCF documentation.

+### Governance

+A CCF network is governed by a consortium of members. The scriptable Constitution, recorded in the ledger, defines a set of rules that members must follow.

+Members can submit proposals to modify the state of the Key-Value Store. For example, members can vote to allow a new trusted user to issue requests to the application or to add a new member to the consortium.

+Proposals are executed only when the conditions defined in the constitution are met (for example, a majority of members have voted favorably for that proposal).

+To learn more about the customizable constitution and governance, refer to the [Governance](https://microsoft.github.io/CCF/main/governance/https://docsupdatetracker.net/index.html) section in the CCF documentation.

+## Next steps

+- [Quickstart: Azure portal](quickstart-portal.md)

+- [Quickstart: Azure CLI](quickstart-python.md)

+- [FAQ](faq.yml)

+ Title: Get started

+description: Learn to build and deploy a CCF JavaScript application

+# Build, test and deploy a TypeScript and JavaScript application

+This guide shows the steps to develop a TypeScript and JavaScript application targeting CCF, debug it locally and deploy it to a Managed CCF resource on the cloud.

+## Prerequisites

+- [Install CCF](https://github.com/Microsoft/CCF/releases)

+- Node.js

+- npm

+- [!INCLUDE [Prerequisites](./includes/proposal-prerequisites.md)]

+> This guide uses [Visual Studio Code](https://code.visualstudio.com/) as the IDE. But, any IDE with support for Node.js, JavaScript and TypeScript application development can be used.

+## Project set up

+1. Follow the [instructions](https://microsoft.github.io/CCF/main/build_apps/js_app_ts.html#conversion-to-an-app-bundle) in the CCF documentation to bootstrap the project and set up the required folder structure.

+## Develop the application

+1. Develop the TypeScript application by following the documentation [here](https://microsoft.github.io/CCF/main/build_apps/js_app_ts.html). Refer to the [CCF Key-Value store](https://microsoft.github.io/CCF/main/build_apps/kv/https://docsupdatetracker.net/index.html) documentation to learn about the naming standards and transaction semantics to use in the code. For examples and best practices, refer to the [sample applications](https://github.com/microsoft/ccf-app-samples) published in GitHub.

+## Build the application bundle

+1. The native format for JavaScript applications in CCF is a JavaScript application bundle, or short app bundle. A bundle can be wrapped directly into a governance proposal for deployment. Follow the instruction at [create an application bundle](https://microsoft.github.io/CCF/main/build_apps/js_app_bundle.html) in the CCF documentation to create an app bundle and prepare for deployment.

+2. Build the application. The application bundle is created in the dist folder. The application bundle is placed in a file named set_js_app.json.

+```bash

+npm run build

+> build

+> del-cli -f dist/ && rollup --config && cp app.json dist/ && node build_bundle.js dist/

+src/endpoints/all.ts → dist/src...

+created dist/src in 1.3s

+Writing bundle containing 8 modules to dist/bundle.json

+ls -ltr dist

+total 40

+drwxr-xr-x 4 settiy settiy 4096 Sep 11 10:20 src

+-rw-r--r-- 1 settiy settiy 3393 Sep 11 10:20 app.json

+-rw-r--r-- 1 settiy settiy 16146 Sep 11 10:20 set_js_app.json

+-rw-r--r-- 1 settiy settiy 16061 Sep 11 10:20 bundle.json

+```

+### Logging

+1. CCF provides macros to add your own lines to the nodeΓÇÖs output. Follow the instructions available at [add logging to an application](https://microsoft.github.io/CCF/main/build_apps/logging.html) in the CCF documentation.

+## Deploy a 1-node CCF network

+1. Run the /opt/ccf_virtual/bin/sandbox.sh script to start a 1-node CCF network and deploy the application bundle.

+```bash

+sudo /opt/ccf_virtual/bin/sandbox.sh --js-app-bundle ~/ccf-app-samples/banking-app/dist/

+Setting up Python environment...

+Python environment successfully setup

+[10:40:37.516] Virtual mode enabled

+[10:40:37.517] Starting 1 CCF node...

+[10:40:41.488] Started CCF network with the following nodes:

+[10:40:41.488] Node [0] = https://127.0.0.1:8000

+[10:40:41.489] You can now issue business transactions to the libjs_generic application

+[10:40:41.489] Loaded JS application: /home/demouser/ccf-app-samples/banking-app/dist/

+[10:40:41.489] Keys and certificates have been copied to the common folder: /home/demouser/ccf-app-samples/banking-app/workspace/sandbox_common

+[10:40:41.489] See https://microsoft.github.io/CCF/main/use_apps/issue_commands.html for more information

+[10:40:41.490] Press Ctrl+C to shutdown the network

+```

+2. The member certificate and the private key are available at /workspace/sandbox_0. The application log is available at /workspace/sandbox_0/out.

+3. At this point, we have created a local CCF network with one member and deployed the application. The network endpoint is `https://127.0.0.1:8000`. The member can participate in governance operations like updating the application or adding more members by submitting a proposal.

+```Bash

+curl -k --silent https://127.0.0.1:8000/node/version | jq

+{

+ "ccf_version": "ccf-4.0.7",

+ "quickjs_version": "2021-03-27",

+ "unsafe": false

+}

+```

+4. Download the service certificate from the network.

+```bash

+curl -k https://127.0.0.1:8000/node/network | jq -r .service_certificate > service_certificate.pem

+```

+## Update the application

+1. Application development is an iterative process. When new features are added or bugs are fixed, the application must be redeployed to the 1-node network which can be done with a set_js_app proposal.

+2. Rebuild the application to create a new set_js_app.json file in the dist folder.

+3. Create a proposal to submit the application. After the proposal is accepted, the new application is deployed to the 1-node network.

+> [!NOTE]

+> On a local 1-node network, a proposal is immediately accepted after it is submitted. There isn't a need to submit a vote to accept or reject the proposal. The rationale behind it is done to make the development process quick. However, this is different from how the governance works in Azure Managed CCF where member(s) must submit a vote to accept or reject a proposal.

+```Bash

+$ ccf_cose_sign1 --content dist/set_js_app.json --signing-cert workspace/sandbox_common/member0_cert.pem --signing-key workspace/sandbox_common/member0_privk.pem --ccf-gov-msg-type proposal --ccf-gov-msg-created_at `date -Is` | curl https://127.0.0.1:8000/gov/proposals -H 'Content-Type: application/cose' --data-binary @- --cacert service_cert.pem

+```

+## Deploy the application to a Managed CCF resource

+The next step is to [create a Managed CCF resource](quickstart-portal.md) and deploy the application by following the instructions at [deploy a JavaScript application](quickstart-deploy-application.md).

+## Next steps

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md)

+- [Quickstart: Deploy a JavaScript application to Azure Managed CCF](quickstart-deploy-application.md)

+- [How to: Update the JavaScript runtime options](how-to-update-javascript-runtime-options.md)

+ Title: Activate members in an Azure Managed CCF resource

+description: Learn to activate the members in an Azure Managed CCF resource

+# Activate members in an Azure Managed CCF resource

+In this guide, you will learn how to activate the member(s) in an Azure Managed CCF (Managed CCF) resource. This tutorial builds on the Managed CCF resource created in the [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md) tutorial.

+## Prerequisites

+- Python 3+.

+- Install the latest version of the [CCF Python package](https://pypi.org/project/ccf/).

+## Download the service identity

+## Activate Member(s)

+When a member is added to a Managed CCF resource, they are in the accepted state. They cannot participate in governance until they are activated. To do so, the member must acknowledge that they are satisfied with the state of the service (for example, after auditing the current constitution and the nodes currently trusted).

+1. The member must update and retrieve the latest state digest. In doing so, the new member confirms that they are satisfied with the current state of the service.

+```Bash

+curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/ack/update_state_digest -X POST --cacert service_cert.pem --key member0_privk.pem --cert member0_cert.pem --silent | jq > request.json

+cat request.json

+{

+ "state_digest": <...>

+}

+```

+2. The member must sign the state digest using the ccf_cose_sign1 utility. This utility is installed along with the CCF Python package.

+```Bash

+ccf_cose_sign1 --ccf-gov-msg-type ack --ccf-gov-msg-created_at `date -Is` --signing-key member0_privk.pem --signing-cert member0_cert.pem --content request.json | \

+ curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/ack --cacert service_cert.pem --data-binary @- -H "content-type: application/cose"

+```

+3. After the command completes, the member is active and can participate in governance. The members can be viewed using the following command.

+## Next steps

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Create an Azure Managed CCF resource](quickstart-portal.md)

+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

+ Title: Backup and restore an Azure Managed CCF resource

+description: Learn to back up and restore an Azure Managed CCF resource

+#Customer intent: As a developer, I want to know how to perform a backup and restore of my Managed CCF app so that I can can access backups of my app files and restore my app in another region in the case of a disaster recovery.

+# Perform a backup and restore

+In this article, you'll learn to perform backup of an Azure Managed CCF (Managed CCF) resource and restore it to create a copy of the original Managed CCF resource. Here are some of the use cases that warrant this capability:

+- A Managed CCF resource is an append only ledger at the core. It is impossible to delete few erroneous transactions without impacting the integrity of the ledger. To keep the data clean, a business could decide to recreate the resource sans the erroneous transactions.

+- A developer could add reference data into a Managed CCF resource and create a back of it. The developer can use the copy later to create a fresh Managed CCF resource and save time.

+This article uses the commands found at the [Managed CCF's REST API Docs](/rest/api/confidentialledger/managed-ccf).

+## Prerequisites

+- Install the [Azure CLI](/cli/azure/install-azure-cli).

+- An Azure Storage Account.

+## Setup

+### Generate an access token

+An access token is required to use the Managed CCF REST API. Execute the following command to generate an access token.

+> [!NOTE]

+> An access token has a finite lifetime after which it is unusable. Generate a new token if the API request fails due to a HTTP 401 Unauthorized error.

+```bash

+az account get-access-token ΓÇôsubscription <subscription_id>

+```

+### Generate a Shared Access Signature token

+The backup is stored in an Azure Storage Fileshare that is owned and controlled by you. The backup and restore API requests require a [Shared Access Signature](../storage/common/storage-sas-overview.md) token to grant temporary read and write access to the Fileshare. Follow these steps:

+> [!NOTE]

+> A Shared Access Signature(SAS) token has a finite lifetime after which it is unusable. We recommend using short lived tokens to avoid tokens being leaked into the public and misused.

+1. Navigate to the Azure Storage Account where the backups will be stored.

+2. Navigate to the `Security + networking` -> `Shared access signature` blade.

+3. Generate a SAS token with the following configuration:

+ :::image type="content" source="./media/how-to/cedr-sas-uri.png" lightbox="./media/how-to/cedr-sas-uri.png" alt-text="Screenshot of the Azure portal in a web browser, showing the required SAS Generation configuration.":::

+4. Save the `File service SAS URL`.

+## Backup

+### Create a backup

+Creating a backup of the Managed CCF resource creates a Fileshare in the storage account. This backup can be used to restore the Managed CCF resource at a later time.

+Follow these steps to perform a backup.

+1. [Generate and save a bearer token](#generate-an-access-token) generated for the subscription that your Managed CCF resource is located in.

+1. [Generate a SAS token](#generate-a-shared-access-signature-token) for the Storage Account to store the backup.

+1. Execute the following command to trigger a backup. You must supply a few parameters:

+ - **subscription_id**: The subscription where the Managed CCF resource is deployed.

+ - **resource_group**: The resource group name of the Managed CCF resource.

+ - **app_name**: The name of the Managed CCF resource.

+ - **sas_token**: The Shared Access Signature token.

+ - **restore_region**: An optional parameter to indicate a region where the backup would be restored. It can be ignored if you expect to restore the backup in the same region as the Managed CCF resource.

+ ```bash

+ curl --request POST 'https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ConfidentialLedger/ManagedCCFs/<app_name>/backup?api-version=2023-06-28-preview' \

+ --header 'Authorization: Bearer <bearer_token>' \

+ --header 'Content-Type: application/json' \

+ --data-raw '{

+ "uri": "<sas_token>",

+ "restoreRegion": "<restore_region>"

+ }'

+ ```

+1. A Fileshare is created in the Azure Storage Account with the name `<mccf_app_name>-<timestamp>`.

+### Explore the backup files

+After the backup completes, you can view the files stored in your Azure Storage Fileshare.

+Refer to the following articles to explore the backup files.

+- [Understanding your Ledger and Snapshot Files](https://microsoft.github.io/CCF/main/operations/ledger_snapshot.html)

+- [Viewing your Ledger and Snapshot Files](https://microsoft.github.io/CCF/main/audit/python_library.html)

+## Restore

+### Create a Managed CCF resource using the backup files

+This restores the Managed CCF resource using a copy of the files in the backup Fileshare. The resource will be restored to the same state and transaction ID at the time of the backup.

+> [!IMPORTANT]

+> The restore will fail if the backup files are older than 90 days.

+> [!NOTE]

+> The original Managed CCF resource must be deleted before a restore is initiated. The restore command will fail if the original instance exists. [Delete your original Managed CCF resource](/cli/azure/confidentialledger/managedccfs?#az-confidentialledger-managedccfs-delete).

+>

+> The **app_name** should be the same as the original Managed CCF resource.

+Follow these steps to perform a restore.

+1. [Generate a Bearer token](#generate-an-access-token) for the subscription that the Managed CCF resource is located in.

+2. [Generate a SAS token](#generate-a-shared-access-signature-token) for the storage account that has the backup files.

+3. Execute the following command to trigger a restore. You must supply a few parameters.

+ - **subscription_id**: The subscription where the Managed CCF resource is deployed.

+ - **resource_group**: The resource group name of the Managed CCF resource.

+ - **app_name**: The name of the Managed CCF resource.

+ - **sas_token**: The Shared Access Signature token.

+ - **restore_region**: An optional parameter to indicate a region where the backup would be restored. It can be ignored if you expect to restore the backup in the same region as the Managed CCF resource.

+ - **fileshare_name**: The name of the Fileshare where the backup files are located.

+ ```bash

+ curl --request POST 'https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ConfidentialLedger/ManagedCCFs/<app_name>/restore?api-version=2023-06-28-preview' \

+ --header 'Authorization: Bearer <bearer_token>' \

+ --header 'Content-Type: application/json' \

+ --data-raw '{

+ "uri": "<sas_token>",

+ "restoreRegion": "<restore_region>",

+ "fileShareName": "<fileshare_name>"

+ }'

+ ```

+1. At the end of the command, the Managed CCF resource is restored.

+## Next steps

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Azure portal](quickstart-portal.md)

+- [Quickstart: Azure CLI](quickstart-python.md)

+ Title: View application logs in Azure Monitor

+description: Learn to view the application logs in Azure Monitor

+# View the application logs in Azure Monitor

+In this tutorial, you will learn how to view the application logs in Azure Monitor by creating a Log Analytics workspace. This tutorial builds on the Azure Managed CCF (Managed CCF) resource created in the [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md) tutorial. Logs are essential pieces of information to understand, analyze and optimize the logic and performance of an application.

+The logs from your TypeScript and JavaScript application can be viewed in Azure Monitor by creating a Log Analytics workspace.

+## Create the Log Analytics workspace

+1. Follow the instructions at [Create a workspace](../azure-monitor/logs/quick-create-workspace.md) to create a workspace.

+2. After the workspace is created, make a note of the Resource ID from the properties page.

+ :::image type="content" source="media/how-to/log-analytics-workspace-properties.png" alt-text="Screenshot that shows the properties of a Log Analytics workspace screen.":::

+1. Navigate to the Managed CCF resource and make a note of the Resource ID from the properties page.

+## Link the Log Analytics workspace to the Managed CCF resource

+1. After the workspace is created, it must be linked with the Managed CCF resource. It takes a few minutes after linking for the logs to appear in the workspace.

+ ```azurecli

+ > az login

+

+ > az monitor diagnostic-settings create --name confidentialbillingapplogs --resource <Resource Id of the Managed CCF resource> --workspace <Resource Id of the workspace> --logs [{\"category\":\"applicationlogs\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}}]

+ ```

+1. Open the Logs page. Navigate to the Queries tab and group the queries by Resource type from the drop-down. Navigate to the 'Azure Managed CCF' resource and run the 'CCF application errors' query. Remove the 'Level' filter to view all the logs.

+ :::image type="content" source="media/how-to/log-analytics-logs.png" alt-text="Screenshot that shows the Managed CCF resource query in the Log Analytics screen.":::

+## Next steps

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

+ Title: Quickstart ΓÇô Add and remove members from a Microsoft Azure Managed CCF resource

+description: Learn to manage the members from a Microsoft Azure Managed CCF resource

+# Add and remove members from an Azure Managed CCF resource

+Members can be added and removed from an Azure Managed CCF (Managed CCF) resource using governance operations. This tutorial builds on the Managed CCF resource created in the [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md) tutorial.

+## Prerequisites

+## Download the service identity

+## Add a member

+1. Submit a proposal to add the member.

+ ```bash

+ $cat set_member.json

+ {

+ "actions": [

+ {

+ "name": "set_member",

+ "args": {

+ "cert": "--BEGIN CERTIFICATE--\nMIIBtDCCATqgAwIBAgIUV...sy93h74oqHk=\n--END CERTIFICATE--",

+ "encryption_pub_key": ""

+ }

+ }

+ ]

+ }

+

+ $ proposal_id=$( (ccf_cose_sign1 --content set_member.json --signing-cert member0_cert.pem --signing-key member0_privk.pem --ccf-gov-msg-type proposal --ccf-gov-msg-created_at `date -Is` | curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/proposals -H 'Content-Type: application/cose' --data-binary @- --cacert service_cert.pem) )

+ ```

+1. Accept the proposal by submitting a vote. Repeat the step for all the members in the resource.

+ [!INCLUDE [Submit a vote](./includes/submit-vote.md)]

+1. When the command completes, the member is added in the Managed CCF resource. But, they cannot participate in the governance operations unless they are activated. Refer to the quickstart tutorial [Activate a member](how-to-activate-members.md) to activate the member.

+1. View the members in the network using the following command.

+## Remove a member

+1. Submit a proposal to remove the member. The member is identified by their public certificate.

+ ```bash

+ $cat remove_member.json

+ {

+ "actions": [

+ {

+ "name": "remove_member",

+ "args": {

+ "cert": "--BEGIN CERTIFICATE--\nMIIBtDCCATqgAwIBAgIUV...sy93h74oqHk=\n--END CERTIFICATE--",

+ }

+ }

+ ]

+ }

+

+ $ proposal_id=$( (ccf_cose_sign1 --content remove_member.json --signing-cert member0_cert.pem --signing-key member0_privk.pem --ccf-gov-msg-type proposal --ccf-gov-msg-created_at `date -Is` | curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/proposals -H 'Content-Type: application/cose' --data-binary @- --cacert service_cert.pem) )

+ ```

+2. Accept the proposal by submitting a vote. Repeat the step for all the members in the resource.

+ [!INCLUDE [Submit a vote](./includes/submit-vote.md)]

+3. When the command completes, the member is removed from the Managed CCF resource and they can no longer participate in the governance operations.

+4. View the members in the network using the following command.

+## Next steps

+- [Microsoft Azure Managed CCF overview](overview.md)

+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

+- [How to: Activate members](how-to-activate-members.md)

+ Title: Quickstart ΓÇô Update the JavaScript application on a Microsoft Azure Managed CCF resource

+description: Learn to update the JavaScript application on a Microsoft Azure Managed CCF resource

+# Quickstart: Update the JavaScript application

+With Azure Managed CCF (Managed CCF), it is simple and quick to update an application when new functionality is introduced or when bugs fixes are available. This tutorial builds on the Managed CCF resource created in the [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md) tutorial.

+## Prerequisites

+## Download the service identity

+## Update the application

+> [!NOTE]

+> This tutorial assumes that the updated application bundle is created using the instructions available [here](https://microsoft.github.io/CCF/main/build_apps/js_app_bundle.html) and saved to set_js_app.json.

+>

+> Updating an application does not reset the JavaScript runtime options.

+When the command completes, the application will be updated and ready to accept user transactions.

+## Next steps

+- [Microsoft Azure Managed CCF overview](overview.md)

+- [How to: View application logs in Azure Monitor](how-to-enable-azure-monitor.md)

+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

+ Title: Quickstart ΓÇô Update the JavaScript runtime options on an Azure Managed CCF resource

+description: Learn to update the JavaScript runtime options on an Azure Managed CCF resource

+# Quickstart: Update the runtime options of the JavaScript execution engine on an Azure Managed CCF resource

+Sometimes it is necessary to update the runtime options of the CCF JavaScript interpreter to extend the request execution duration or update the heap or stack allocation size. In this how to guide, you will learn to update the runtime settings. This tutorial builds on the Azure Managed CCF (Managed CCF) resource created in the [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md) tutorial.

+## Prerequisites

+## Download the service identity

+## Update the runtime options

+1. Prepare a **set_js_runtime_options.json** file and submit it using this command:

+ ```Bash

+ $ cat set_js_runtime_options.json

+ {

+ "actions": [

+ {

+ "name": "set_js_runtime_options",

+ "args": {

+ "max_heap_bytes": 1024,

+ "max_stack_bytes": 1024,

+ "max_execution_time_ms": 5000, // increase the request execution time

+ "log_exception_details": false,

+ "return_exception_details": false

+ }

+ }

+ ]

+ }

+

+ $ proposal_id=$( (ccf_cose_sign1 --content set_js_runtime_options.json --signing-cert member0_cert.pem --signing-key member0_privk.pem --ccf-gov-msg-type proposal --ccf-gov-msg-created_at `date -Is` | curl https://confidentialbillingapp.confidential-ledger.azure.com/gov/proposals -H 'Content-Type: application/cose' --data-binary @- --cacert service_cert.pem | jq -r ΓÇÿ.proposal_idΓÇÖ) )

+ ```

+1. The next step is to accept the proposal by submitting a vote.

+ [!INCLUDE [Submit a vote](./includes/submit-vote.md)]

+1. Repeat the above step for every member in the Managed CCF resource.

+1. After the proposal is accepted, the runtime options will be applied to the subsequent requests.

+## Next steps

+- [Azure Managed CCF overview](overview.md)

+- [How to: View application logs in Azure Monitor](how-to-enable-azure-monitor.md)

+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

+ Title: View the members in an Azure Managed CCF resource

+description: Learn to view the members in an Azure Managed CCF resource

+# View the members in an Azure Managed CCF resource

+The members in an Azure Managed CCF(Managed CCF) resource can be viewed on the Azure portal or via CLI. This tutorial builds on the Managed CCF resource created in the [Quickstart: Create an Azure Managed CCF resource](quickstart-portal.md) tutorial.

+## Download the service identity

+## View the members

+### Azure portal

+1. Navigate to the Managed CCF resource page.

+1. Under Operations, select the Members link. This is a view only page. To manage the members, follow the instructions at [manage members](how-to-manage-members.md).

+### Command Line Interface

+```bash

+curl --cacert service_cert.pem https://confidentialbillingapp.confidential-ledger.azure.com/gov/members | jq

+{

+ "3d08a5ddcb6fe939088b3f8f55040d069ba2f73e1946739b2a30910d7c60b011": {

+ "cert": "--BEGIN CERTIFICATE--\nMIIBtjCCATyg...zWP\nGeRSybu3EpITPg==\n--END CERTIFICATE--",

+ "member_data": {

+ "group": "IT",

+ "identifier": "member0"

+ },

+ "public_encryption_key": null,

+ "status": "Active"

+ },

+ "9a403f4811f3e3a5eb21528088d6619ad7f6f839405cf737b0e8b83767c59039": {

+ "cert": "--BEGIN CERTIFICATE--\nMIIB9zCCAX2gAwIBAgIQeA...lf8wPx0uzNRc1iGM+mv\n--END CERTIFICATE--",

+ "member_data": {

+ "is_operator": true,

+ "owner": "Microsoft Azure"

+ },

+ "public_encryption_key": "--BEGIN PUBLIC KEY--\nMIIBIjANBgkqhki...DAQAB\n--END PUBLIC KEY--\n",

+ "status": "Active"

+ }

+}

+```

+The output shows two active members in the resource. One is an operator member (identified by the is_operator field) and the other was added during deployment. An active member can submit a proposal to add or remove other members. Refer to the [how-to-manage-members](how-to-manage-members.md) guide for the instructions.

+## Next steps

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

+- [How to: View application logs in Azure Monitor](how-to-enable-azure-monitor.md)

+- [How to: Activate members](how-to-activate-members.md)

+ Title: Overview of Azure Managed Confidential Consortium Framework

+description: An overview of Azure Managed Confidential Consortium Framework, a highly secure service for deploying confidential application.

+# Overview of Azure Managed Confidential Consortium Framework

+Azure Managed Confidential Consortium Framework (Managed CCF) is a new and highly secure service for deploying confidential applications. It enables developers to build confidential applications that require programmable confidentiality on data and information that might be needed between multiple parties. Typically, members agree on the constitution (rules that the members set up) of the network, set governance and business transaction rules, and the business transactions take place based on what was defined. If there are changes to the governance that impact the business rules, the consortium needs to approve those changes.

+In fact, the framework runs exclusively on hardware-backed secure enclaves, a heavily monitored and isolated runtime environment, which keeps potential attacks at bay. It also runs on a minimalistic Trusted Computing Base (TCB) and limits the operator's role.

+As the name suggests, Azure Managed CCF utilizes the [Azure Confidential Computing platform](../confidential-computing/index.yml) and the open-sourced [Confidential Consortium Framework](https://ccf.dev) as the underlying technology to provide a high integrity platform that is tamper-protected and evident. A Managed CCF instance spans across three or more identical machines, each of which run in a dedicated, fully attested hardware-backed enclave. The data integrity is maintained through a consensus-based blockchain.

+The following diagram shows a high-level overview of the different layers of the Managed CCF platform and where the application code fits into it.

+## Key features

+A few key features of Managed CCF are confidentiality, customizable governance, high availability, auditability and transparency.

+### Confidentiality

+The nodes run inside a hardware-based Trusted Execution Environment (TEE) which ensures that the data in use is protected and encrypted, while in RAM, and during computation. The following diagram shows how the code and data is protected while in use.

+### Customizable governance

+The participants, called members, share the responsibility for the network operationability established by a constitution. The shared governance model establishes trust and transparency among the members through a voting process that is public and auditable. The constitution is implemented as a set of JavaScript scripts, which can be customized during the network creation and later. The following diagram shows how the members participate in a governance operation to either accept or reject a proposed action enforced by the constitution.

+### High Availability and resiliency

+A Managed CCF resource is built on top of a network of distributed nodes that maintains an identical replica of the transactions. The platform is designed and built from the ground-up to be tolerant and resilient to network and infrastructure disruptions. The platform guarantees high availability and quick service healing by spreading the nodes across [Azure Availability Zones](../reliability/availability-zones-overview.md). When an unexpected disaster happens, quick recoverability and business continuity are enabled by automatic backup and restore of the ledger files.

+### Auditability and transparency

+The state of the network is auditable via receipts. A receipt is a signed proof that is associated with a transaction. The receipts are verifiable offline and by third parties, equivalent to "this transaction produced this outcome at this position in the network". Together with a copy of the ledger, or other receipts, they can be used to audit the service and hold the consortium accountable.

+The governance operations and the associated public key value maps are stored in plain text in the ledger. Customers are encouraged to download the ledger and verify its integrity using open-sourced scripts that are shipped with CCF.

+### Developer friendly

+Developers can use familiar development tools like Visual Studio Code and programming languages like TypeScript, JavaScript and C++ combined with Node.js to develop confidential applications targeting the Managed CCF platform. Open sourced sample applications are published for reference and continuously updated based on feed back.

+## Open-source CCF (IaaS) vs. Azure Managed CCF (PaaS)

+Customers can build applications that target the Confidential Consortium Framework (CCF) and host it themselves. But, like any other self-hosted applications, it requires regular maintenance and patching (both hardware and software) which consumes time and resource. Azure Managed CCF abstracts away the day-to-day operations, allowing teams to focus on the core business priorities. The following diagram compares and contrasts the differences between a self-hosted CCF network to Azure Managed CCF.

+## Next steps

+- [Quickstart: Azure portal](quickstart-portal.md)

+- [Quickstart: Azure CLI](quickstart-python.md)

+- [FAQ](faq.yml)

+ Title: Quickstart ΓÇô Create an Azure Managed Confidential Consortium Framework resource with the Azure CLI

+description: Learn to create an Azure Managed Confidential Consortium Framework resource with the Azure CLI

+# Quickstart: Create an Azure Managed CCF resource using Azure CLI

+Azure Managed CCF (Managed CCF) is a new and highly secure service for deploying confidential applications. For more information on Azure Managed CCF, see [About Azure Managed Confidential Consortium Framework](overview.md).

+Azure CLI is used to create and manage Azure resources using commands or scripts.

+- This quickstart requires version 2.51.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+## Create a resource group

+## Create a member

+## Create a Managed CCF resource

+Use the Azure CLI [az confidentialledger managedccfs create](/cli/azure/confidentialledger/managedccfs#az-confidentialledger-managedccfs-create) command to create a Managed CCF resource in the resource group from the previous step. You must provide some information:

+- Managed CCF name: A string of 3 to 32 characters that can contain only numbers (0-9), letters (a-z, A-Z), and hyphens (-)

+ > [!Important]

+ > Each Managed CCF resource must have a unique name. Replace \<your-unique-managed-ccf-name\> with the name of your resource in the following examples.

+- Resource group name: **myResourceGroup**.

+- Location: southcentralus or westeurope. Default value is southcentralus.

+- Members: A collection of initial members to be added to the resource. A minimum of one member is required.

+- Node count: Then number of nodes in the resource. Default value is 3.

+```azurecli

+az confidentialledger managedccfs create --name "<your-unique-managed-ccf-name>" --resource-group "myResourceGroup" --location "southcentralus" --members "[{certificate:'c:/certs/member0_cert.pem',identifier:'it-admin',group:'IT'},{certificate:'c:/certs/member1_cert.pem',identifier:'finance-admin',group:'Finance'}]"

+```

+To view the previously created resource:

+```azurecli

+az confidentialledger managedccfs show --name "<your-unique-managed-ccf-name>" --resource-group "myResourceGroup"

+```

+To list the Managed CCF resources in the **myResourceGroup**:

+```azurecli

+az confidentialledger managedccfs list --resource-group "myResourceGroup"

+```

+To list the Managed CCF resources in a subscription:

+```azurecli

+az confidentialledger managedccfs list --subscription <subscription id or subscription name>

+```

+## Next steps

+In this quickstart, you created a Managed CCF resource by using the Azure portal. To learn more about Azure confidential ledger and how to integrate it with your applications, continue on to these articles:

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Azure portal](quickstart-portal.md)

+- [How to: Activate members](how-to-activate-members.md)

+ Title: Quickstart ΓÇô Deploy a JavaScript application to an Azure Managed CCF resource

+description: Learn to deploy a JavaScript application to an Azure Managed CCF resource

+# Quickstart: Deploy a JavaScript application to an Azure Managed CCF resource

+In this quickstart tutorial, you will learn how to deploy an application to an Azure Managed CCF (Managed CCF) resource. This tutorial builds on the Managed CCF resource created in the [Quickstart: Create an Azure Managed CCF resource using the Azure portal](quickstart-portal.md) tutorial.

+## Prerequisites

+## Download the service identity

+## Deploy the application

+> [!NOTE]

+> This tutorial assumes that the JavaScript application bundle is created using the instructions available [here](https://microsoft.github.io/CCF/main/build_apps/js_app_bundle.html).

+When the command completes, the application is deployed to the Managed CCF resource and is ready to accept transactions.

+## Next steps

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Update the JavaScript runtime options](how-to-update-javascript-runtime-options.md)

+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

+ Title: Quickstart ΓÇô Create an Azure Managed CCF resource using the Azure SDK for Go

+description: Learn to use the Azure SDK for Go to create an Azure Managed CCF resource

+# Quickstart: Create an Azure Managed CCF resource using the Azure SDK for Go

+Azure Managed CCF (Managed CCF) is a new and highly secure service for deploying confidential applications. For more information on Managed CCF, see [About Azure Managed Confidential Consortium Framework](overview.md).

+In this quickstart, you learn how to create a Managed CCF resource using the Azure SDK for Go library.

+[API reference documentation](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/confidentialledger/armconfidentialledger@v1.2.0-beta.1#section-documentation) | [Library source code](https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/resourcemanager/confidentialledger/armconfidentialledger) | [Package (Go)](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/confidentialledger/armconfidentialledger@v1.2.0-beta.1)

+## Prerequisites

+- An Azure subscription - [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Go 1.18 or higher.

+## Setup

+### Create a new Go application

+1. In a command shell, run the following command to create a folder named `managedccf-app`:

+```Bash

+mkdir managedccf-app && cd managedccf-app

+go mod init github.com/azure/resourcemanager/confidentialledger

+```

+### Install the modules

+1. Install the Azure Confidential Ledger module.

+```go

+go get -u github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/confidentialledger/armconfidentialledger@v1.2.0-beta.1

+```

+For this quickstart, you also need to install the [Azure Identity module for Go](/azure/developer/go/azure-sdk-authentication?tabs=bash).

+```go

+go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity

+```

+### Create a resource group

+### Register the resource provider

+### Create members

+## Create the Go application

+The management plane library allows operations on Managed CCF resources, such as creation and deletion, listing the resources associated with a subscription, and viewing the details of a specific resource. The following piece of code creates and views the properties of a Managed CCF resource.

+Add the following directives to the top of *main.go*:

+```go

+package main

+import (

+ "context"

+ "log"

+

+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/to"

+ "github.com/Azure/azure-sdk-for-go/sdk/azidentity"

+ "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/confidentialledger/armconfidentialledger"

+)

+```

+### Authenticate and create a client factory

+In this quickstart, logged in user is used to authenticate to Azure Managed CCF, which is the preferred method for local development. This example uses ['NewDefaultAzureCredential()'](/azure/developer/go/azure-sdk-authentication?tabs=bash#authenticate-to-azure-with-defaultazurecredential) class from [Azure Identity module](/azure/developer/go/azure-sdk-authentication?tabs=bash), which allows to use the same code across different environments with different options to provide identity.

+```go

+cred, err := azidentity.NewDefaultAzureCredential(nil)

+if err != nil {

+ log.Fatalf("Failed to obtain a credential: %v", err)

+}

+```

+Create an Azure Resource Manager client factory and authenticate using the token credential.

+```go

+ctx := context.Background()

+clientFactory, err := armconfidentialledger.NewClientFactory("0000000-0000-0000-0000-000000000001", cred, nil)

+if err != nil {

+ log.Fatalf("Failed to create client: %v", err)

+}

+```

+### Create a Managed CCF resource

+```go

+appName := "confidentialbillingapp"

+rgName := "myResourceGroup"

+// Create a new resource

+poller, err := clientFactory.NewManagedCCFClient().BeginCreate(ctx, rgName, appName, armconfidentialledger.ManagedCCF{

+ Location: to.Ptr("SouthCentralUS"),

+ Tags: map[string]*string{

+ "Department": to.Ptr("Contoso IT"),

+ },

+ Properties: &armconfidentialledger.ManagedCCFProperties{

+ DeploymentType: &armconfidentialledger.DeploymentType{

+ AppSourceURI: to.Ptr(""),

+ LanguageRuntime: to.Ptr(armconfidentialledger.LanguageRuntimeJS),

+ },

+ MemberIdentityCertificates: []*armconfidentialledger.MemberIdentityCertificate{

+ {

+ Certificate: to.Ptr("--BEGIN CERTIFICATE--\nMIIU4G0d7....1ZtULNWo\n--END CERTIFICATE--"),

+ Encryptionkey: to.Ptr(""),

+ Tags: map[string]any{

+ "owner": "IT Admin1",

+ },

+ }},

+ NodeCount: to.Ptr[int32](3),

+ },

+}, nil)

+if err != nil {

+ log.Fatalf("Failed to finish the request: %v", err)

+}

+_, err = poller.PollUntilDone(ctx, nil)

+if err != nil {

+ log.Fatalf("Failed to pull the result: %v", err)

+}

+```

+### Get the properties of the Managed CCF resource

+The following piece of code retrieves the Managed CCF resource created in the previous step.

+```go

+log.Println("Getting the Managed CCF resource.")

+// Get the resource details and print it

+getResponse, err := clientFactory.NewManagedCCFClient().Get(ctx, rgName, appName, nil)

+if err != nil {

+ log.Fatalf("Failed to get details of mccf instance: %v", err)

+}

+// Print few properties of the Managed CCF resource

+log.Println("Application name:", *getResponse.ManagedCCF.Properties.AppName)

+log.Println("Node Count:", *getResponse.ManagedCCF.Properties.NodeCount)

+```

+### List the Managed CCF resources in a Resource Group

+The following piece of code retrieves the Managed CCF resources in the resource group.

+```go

+pager := clientFactory.NewManagedCCFClient().NewListByResourceGroupPager(rgName, nil)

+for pager.More() {

+ page, err := pager.NextPage(ctx)

+ if err != nil {

+ log.Fatalf("Failed to advance page: %v", err)

+ }

+ for _, v := range page.Value {

+ log.Println("Application Name:", *v.Name)

+ }

+}

+```

+### Delete the Managed CCF resource

+The following piece of code deletes the Managed CCF resource. Other Managed CCF articles can build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you might wish to leave these resources in place.

+```go

+deletePoller, err := clientFactory.NewManagedCCFClient().BeginDelete(ctx, rgName, appName, nil)

+if err != nil {

+ log.Fatalf("Failed to finish the delete request: %v", err)

+}

+_, err = deletePoller.PollUntilDone(ctx, nil)

+if err != nil {

+ log.Fatalf("Failed to get the delete result: %v", err)

+}

+```

+## Clean up resources

+Other Managed CCF articles can build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you might wish to leave these resources in place.

+Otherwise, when you're finished with the resources created in this article, use the Azure CLI [az group delete](/cli/azure/group?#az-group-delete) command to delete the resource group and all its contained resources.

+```azurecli

+az group delete --resource-group contoso-rg

+```

+## Next steps

+In this quickstart, you created a Managed CCF resource by using the Azure Python SDK for Confidential Ledger. To learn more about Azure Managed CCF and how to integrate it with your applications, continue on to these articles:

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Deploy an Azure Managed CCF application](quickstart-deploy-application.md)

+- [Quickstart: Azure CLI](quickstart-cli.md)

+- [How to: Activate members](how-to-activate-members.md)

+ Title: Quickstart ΓÇô Azure SDK for Java for Azure Managed Confidential Consortium Framework

+description: Learn to use the Azure SDK for Java library for Azure Managed Confidential Consortium Framework

+# Quickstart: Create an Azure Managed CCF resource using the Azure SDK for Java

+Azure Managed CCF (Managed CCF) is a new and highly secure service for deploying confidential applications. For more information on Azure Managed CCF, see [About Azure Managed Confidential Consortium Framework](overview.md).

+[API reference documentation](/java/api/com.azure.resourcemanager.confidentialledger) | [Library source code](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/confidentialledger) | [Package (maven central repository)](https://central.sonatype.com/artifact/com.azure.resourcemanager/azure-resourcemanager-confidentialledger/1.0.0-beta.3)

+## Prerequisites

+- An Azure subscription - [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Java Development Kit (KDK) versions that are [supported by the Azure SDK for Java](https://github.com/Azure/azure-sdk-for-jav).

+## Setup

+This quickstart uses the Azure Identity library, along with Azure CLI or Azure PowerShell, to authenticate user to Azure Services. Developers can also use Visual Studio or Visual Studio Code to authenticate their calls. For more information, see [Authenticate the client with Azure Identity client library](/python/api/overview/azure/identity-readme).

+### Sign in to Azure

+### Install the dependencies

+```Java

+<dependency>

+ <groupId>com.azure.resourcemanager</groupId>

+ <artifactId>azure-resourcemanager-confidentialledger</artifactId>

+ <version>1.0.0-beta.3</version>

+</dependency>

+```

+### Create a resource group

+### Register the resource provider

+### Create members

+## Create the Java application

+The Azure SDK for Java library (azure-resourcemanager-confidentialledger) allows operations on Managed CCF resources, such as creation and deletion, listing the resources associated with a subscription, and viewing the details of a specific resource. The following piece of code creates and views the properties of a Managed CCF resource.

+```java

+import com.azure.core.management.AzureEnvironment;

+import com.azure.core.management.exception.ManagementException;

+import com.azure.core.management.profile.AzureProfile;

+import com.azure.identity.DefaultAzureCredentialBuilder;

+import com.azure.resourcemanager.confidentialledger.ConfidentialLedgerManager;

+import com.azure.resourcemanager.confidentialledger.fluent.models.ManagedCcfInner;

+import com.azure.resourcemanager.confidentialledger.models.DeploymentType;

+import com.azure.resourcemanager.confidentialledger.models.LanguageRuntime;

+import com.azure.resourcemanager.confidentialledger.models.ManagedCcfProperties;

+import com.azure.resourcemanager.confidentialledger.models.MemberIdentityCertificate;

+import java.util.*;

+public class AzureJavaSdkClient {

+ public static void main(String[] args) {

+ try {

+ AzureProfile profile = new AzureProfile("<tenant id>","<subscription id>", AzureEnvironment.AZURE);

+ ConfidentialLedgerManager manager = ConfidentialLedgerManager.authenticate(new DefaultAzureCredentialBuilder().build(), profile);

+ MemberIdentityCertificate member0 = new MemberIdentityCertificate()

+ .withCertificate("--BEGIN CERTIFICATE--\nMIIBvjCCAUSgAwIBAgIUA0YHcPpUCtd...0Yet/xU4G0d71ZtULNWo\n--END CERTIFICATE--")

+ .withTags(Map.of("Dept", "IT"));

+ List<MemberIdentityCertificate> members = new ArrayList<MemberIdentityCertificate>();

+ members.add(member0);

+ DeploymentType deployment = new DeploymentType().withAppSourceUri("").withLanguageRuntime(LanguageRuntime.JS);

+ ManagedCcfProperties properties = new ManagedCcfProperties()

+ .withDeploymentType(deployment)

+ .withNodeCount(5)

+ .withMemberIdentityCertificates(members);

+ ManagedCcfInner inner = new ManagedCcfInner().withProperties(properties).withLocation("southcentralus");

+ // Send Create request

+ manager.serviceClient().getManagedCcfs().create("myResourceGroup", "confidentialbillingapp", inner);

+ // Print the Managed CCF resource properties

+ ManagedCcfInner app = manager.serviceClient().getManagedCcfs().getByResourceGroup("myResourceGroup", "confidentialbillingapp");

+ printAppInfo(app);

+ // Delete the resource

+ manager.serviceClient().getManagedCcfs().delete("myResourceGroup", "confidentialbillingapp");

+ } catch (ManagementException ex) {

+ // The x-ms-correlation-request-id is located in the Header

+ System.out.println(ex.getResponse().getHeaders().toString());

+ System.out.println(ex);

+ }

+ }

+ private static void printAppInfo(ManagedCcfInner app) {

+ System.out.println("App Name: " + app.name());

+ System.out.println("App Id: " + app.id());

+ System.out.println("App Location: " + app.location());

+ System.out.println("App type: " + app.type());

+ System.out.println("App Properties Uri: " + app.properties().appUri());

+ System.out.println("App Properties Language Runtime: " + app.properties().deploymentType().languageRuntime());

+ System.out.println("App Properties Source Uri: " + app.properties().deploymentType().appSourceUri());

+ System.out.println("App Properties NodeCount: " + app.properties().nodeCount());

+ System.out.println("App Properties Identity Uri: " + app.properties().identityServiceUri());

+ System.out.println("App Properties Cert 0: " + app.properties().memberIdentityCertificates().get(0).certificate());

+ System.out.println("App Properties Cert tags: " + app.properties().memberIdentityCertificates().get(0).tags());

+ }

+}

+```

+## Clean up resources

+Other Managed CCF articles can build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you might wish to leave these resources in place.

+Otherwise, when you're finished with the resources created in this article, use the Azure CLI [az group delete](/cli/azure/group?#az-group-delete) command to delete the resource group and all its contained resources.

+```azurecli

+az group delete --resource-group myResourceGroup

+```

+## Next steps

+In this quickstart, you created a Managed CCF resource by using the Azure Python SDK for Confidential Ledger. To learn more about Azure Managed CCF and how to integrate it with your applications, continue on to these articles:

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Azure portal](quickstart-portal.md)

+- [Quickstart: Azure CLI](quickstart-cli.md)

+- [How to: Activate members](how-to-activate-members.md)

+ Title: Quickstart ΓÇô Azure SDK for .NET for Azure Managed Confidential Consortium Framework

+description: Learn to use the Azure SDK for .NET for Azure Managed Confidential Consortium Framework

+# Quickstart: Create an Azure Managed CCF resource using the Azure SDK for .NET

+Azure Managed CCF (Managed CCF) is a new and highly secure service for deploying confidential applications. For more information on Managed CCF, and for examples use cases, see [About Azure Managed Confidential Consortium Framework](overview.md).

+In this quickstart, you learn how to create a Managed CCF resource using the .NET client management library.

+[API reference documentation](/dotnet/api/overview/azure/resourcemanager.confidentialledger-readme) | [Library source code](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/confidentialledger/Azure.ResourceManager.ConfidentialLedger) | [Package (NuGet)](https://www.nuget.org/packages/Azure.ResourceManager.ConfidentialLedger/1.1.0-beta.2)

+## Prerequisites

+- An Azure subscription - [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- .NET versions [supported by the Azure SDK for .NET](https://www.nuget.org/packages/Azure.ResourceManager.ConfidentialLedger/1.1.0-beta.2#dependencies-body-tab).

+## Setup

+### Create new .NET console app

+1. In a command shell, run the following command to create a project named `managedccf-app`:

+ ```dotnetcli

+ dotnet new console --name managedccf-app

+ ```

+1. Change to the newly created *managedccf-app* directory, and run the following command to build the project:

+ ```dotnetcli

+ dotnet build

+ ```

+ The build output should contain no warnings or errors.

+ ```console

+ Build succeeded.

+ 0 Warning(s)

+ 0 Error(s)

+ ```

+### Install the package

+Install the Azure Managed CCF client library for .NET with [NuGet](/nuget/install-nuget-client-tools):

+```dotnetcli

+dotnet add package Azure.ResourceManager.ConfidentialLedger --version 1.1.0-beta.2

+```

+For this quickstart, you also need to install the Azure SDK client library for Azure Identity:

+```dotnetcli

+dotnet add package Azure.Identity

+```

+### Create a resource group

+### Register the resource provider

+### Create members

+## Create the .NET application

+### Use the Management plane client library

+The Azure SDK for .NET (azure/arm-confidentialledger) allows operations on Managed CCF resources, such as creation and deletion, listing the resources associated with a subscription, and viewing the details of a specific resource. The following piece of code creates and views the properties of a Managed CCF resource.

+Add the following directives to the top of *Program.cs*:

+```csharp

+using System;

+using System.Collections.Generic;

+using System.Threading.Tasks;

+using Azure;

+using Azure.Core;

+using Azure.Identity;

+using Azure.ResourceManager;

+using Azure.ResourceManager.ConfidentialLedger;

+using Azure.ResourceManager.ConfidentialLedger.Models;

+using Azure.ResourceManager.Resources;

+```

+### Authenticate and create a client

+In this quickstart, logged in user is used to authenticate to Azure Managed CCF, which is the preferred method for local development. This example uses ['DefaultAzureCredential()'](/dotnet/api/azure.identity.defaultazurecredential) class from [Azure Identity Library](/dotnet/api/overview/azure/identity-readme), which allows to use the same code across different environments with different options to provide identity.

+```csharp

+// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line

+TokenCredential cred = new DefaultAzureCredential();

+```

+Create an Azure Resource Manager client and authenticate using the token credential.

+```csharp

+// authenticate your client

+ArmClient client = new ArmClient(cred);

+```

+### Create a Managed CCF resource

+```csharp

+// this example assumes you already have this ResourceGroupResource created on azure

+// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource

+string subscriptionId = "0000000-0000-0000-0000-000000000001";

+string resourceGroupName = "myResourceGroup";

+ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);

+ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);

+// get the collection of this ManagedCcfResource

+ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();

+// invoke the operation

+string appName = "confidentialbillingapp";

+ManagedCcfData data = new ManagedCcfData(new AzureLocation("SouthCentralUS"))

+{

+ Properties = new ManagedCcfProperties()

+ {

+ MemberIdentityCertificates =

+ {

+ new ConfidentialLedgerMemberIdentityCertificate()

+ {

+ Certificate = "--BEGIN CERTIFICATE--MIIBsjCCATigA...LjYAGDSGi7NJnSkA--END CERTIFICATE--",

+ Encryptionkey = "",

+ Tags = BinaryData.FromObjectAsJson(new Dictionary<string, object>()

+ {

+ ["additionalProps1"] = "additional properties"

+ }),

+ }

+ },

+ DeploymentType = new ConfidentialLedgerDeploymentType()

+ {

+ LanguageRuntime = ConfidentialLedgerLanguageRuntime.JS,

+ AppSourceUri = new Uri(""),

+ },

+ NodeCount = 3,

+ },

+ Tags =

+ {

+ ["additionalProps1"] = "additional properties",

+ },

+};

+ArmOperation<ManagedCcfResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, appName, data);

+ManagedCcfResource result = lro.Value;

+// the variable result is a resource, you could call other operations on this instance as well

+// but just for demo, we get its data from this resource instance

+ManagedCcfData resourceData = result.Data;

+// for demo we just print out the id

+Console.WriteLine($"Succeeded on id: {resourceData.Id}");

+```

+### View the properties of a Managed CCF resource

+The following piece of code retrieves the Managed CCF resource and prints its properties.

+```csharp

+// this example assumes you already have this ResourceGroupResource created on azure

+// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource

+string subscriptionId = "0000000-0000-0000-0000-000000000001";

+string resourceGroupName = "myResourceGroup";

+ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);

+ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);

+// get the collection of this ManagedCcfResource

+ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();

+// invoke the operation

+string appName = "confidentialbillingapp";

+ManagedCcfResource result = await collection.GetAsync(appName);

+// the variable result is a resource, you could call other operations on this instance as well

+// but just for demo, we get its data from this resource instance

+ManagedCcfData resourceData = result.Data;

+// for demo we just print out the id

+Console.WriteLine($"Succeeded on id: {resourceData.Id}");

+```

+### List the Managed CCF resources in a Resource Group

+The following piece of code retrieves the Managed CCF resources in a resource group.

+```csharp

+// this example assumes you already have this ResourceGroupResource created on azure

+// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource

+string subscriptionId = "0000000-0000-0000-0000-000000000001";

+string resourceGroupName = "myResourceGroup";

+ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);

+ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);

+// get the collection of this ManagedCcfResource

+ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();

+// invoke the operation and iterate over the result

+await foreach (ManagedCcfResource item in collection.GetAllAsync())

+{

+ // the variable item is a resource, you could call other operations on this instance as well

+ // but just for demo, we get its data from this resource instance

+ ManagedCcfData resourceData = item.Data;

+ // for demo we just print out the id

+ Console.WriteLine($"Succeeded on id: {resourceData.Id}");

+}

+Console.WriteLine($"Succeeded");

+```

+### List the Managed CCF resources in a subscription

+The following piece of code retrieves the Managed CCF resources in a subscription.

+```csharp

+// this example assumes you already have this SubscriptionResource created on azure

+// for more information of creating SubscriptionResource, please refer to the document of SubscriptionResource

+string subscriptionId = "0000000-0000-0000-0000-000000000001";

+ResourceIdentifier subscriptionResourceId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);

+SubscriptionResource subscriptionResource = client.GetSubscriptionResource(subscriptionResourceId);

+// invoke the operation and iterate over the result

+await foreach (ManagedCcfResource item in subscriptionResource.GetManagedCcfsAsync())

+{

+ // the variable item is a resource, you could call other operations on this instance as well

+ // but just for demo, we get its data from this resource instance

+ ManagedCcfData resourceData = item.Data;

+ // for demo we just print out the id

+ Console.WriteLine($"Succeeded on id: {resourceData.Id}");

+}

+Console.WriteLine($"Succeeded");

+```

+## Clean up resources

+Other Managed CCF articles can build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you might wish to leave these resources in place.

+Otherwise, when you're finished with the resources created in this article, use the Azure CLI [az group delete](/cli/azure/group?#az-group-delete) command to delete the resource group and all its contained resources.

+```azurecli

+az group delete --resource-group myResourceGroup

+```

+## Next steps

+In this quickstart, you created a Managed CCF resource by using the Azure Python SDK for Confidential Ledger. To learn more about Azure Managed CCF and how to integrate it with your applications, continue on to these articles:

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Azure portal](quickstart-portal.md)

+- [Quickstart: Azure CLI](quickstart-cli.md)

+- [How to: Activate members](how-to-activate-members.md)

+ Title: Quickstart ΓÇô Microsoft Azure Managed Confidential Consortium Framework with the Azure portal

+description: Learn to deploy a Microsoft Azure Managed Confidential Consortium Framework resource through the Azure portal

+# Quickstart: Create an Azure Managed CCF resource using the Azure portal

+Azure Managed CCF (Managed CCF) is a new and highly secure service for deploying confidential applications. For more information on Managed CCF, see [About Azure Managed Confidential Consortium Framework](overview.md).

+In this quickstart, you create a Managed CCF resource with the [Azure portal](https://portal.azure.com).

+## Prerequisites

+- Install [CCF](https://microsoft.github.io/CCF/main/build_apps/install_bin.html).

+## Sign in to Azure

+Sign in to the [Azure portal](https://portal.azure.com).

+### Register the provider

+Register the resource provider in your subscription using the following commands.

+### Create a resource group

+### Create members

+### Create a Managed CCF resource

+1. From the Azure portal menu, or from the Home page, select **Create a resource**.

+2. In the Search box, enter "Confidential Ledger", select said application, and then choose **Create**.

+> [!NOTE]

+> The portal URL should contain the query string ΓÇÿfeature.Microsoft_Azure_ConfidentialLedger_managedccf=trueΓÇÖ to turn on the Managed CCF feature.

+1. On the Create confidential ledger section, provide the following information:

+ - **Subscription**: Choose the desired subscription.

+ - **Resource Group**: Choose the resource group created in the previous step.

+ - **Region**: In the pull-down menu, choose a region.

+ - **Name**: Provide a unique name.

+ - **Account Type**: Choose Custom CCF Application.

+ - **Application Type**: Choose Custom JavaScript Application.

+ - **Network Node Count**: Choose the desired node count.

+1. Select the **Security** tab.

+1. You must add one or more members to the Managed CCF resource. Select **+ Add Member Identity**.

+ - **Member Identifier**: A unique member name.

+ - **Member Group**: An optional group name.

+ - **Certificate**: Paste the contents of the member0_cert.pem file.

+1. Select **Review + Create**. After validation has passed, select **Create**.1.

+When the deployment is complete, select **Go to resource**.

+Make a note of the following properties as it is required to activate the member(s).

+- **Application endpoint**: In the example, this endpoint is `https://confidentialbillingapp.confidential-ledger.azure.com`.

+- **Identity Service endpoint**: In the example, this endpoint is `https://identity.confidential-ledger.core.azure.com/ledgerIdentity/confidentialbillingapp`.

+You will need these values to transact with the confidential ledger from the data plane.

+### Clean up resources

+Other Azure Managed CCF articles build upon this quickstart. If you plan to continue on to work with subsequent articles, you might wish to leave these resources in place.

+When no longer needed, delete the resource group, which deletes the Managed CCF and related resources. To delete the resource group through the portal:

+1. Enter the name of your resource group in the Search box at the top of the portal. When you see the resource group used in this quickstart in the search results, select it.

+1. Select **Delete resource group**.

+1. In the **TYPE THE RESOURCE GROUP NAME:** box, enter the name of the resource group, and select **Delete**.

+## Next steps

+In this quickstart, you created a Managed CCF resource by using the Azure portal. To learn more about Azure Managed CCF and how to integrate it with your applications, continue on to these articles:

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Azure CLI](quickstart-cli.md)

+- [How to: Activate members](how-to-activate-members.md)

+ Title: Quickstart ΓÇô Azure libraries (SDK) for Python for Azure Managed Confidential Consortium Framework

+description: Learn to use the Azure libraries for Python for Azure Managed Confidential Consortium Framework

+# Quickstart: Create an Azure Managed CCF resource using the Azure SDK for Python

+Azure Managed CCF (Managed CCF) is a new and highly secure service for deploying confidential applications. For more information on Azure Managed CCF, see [About Azure Managed Confidential Consortium Framework](overview.md).

+[API reference documentation](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-confidentialledger/latest/azure.confidentialledger.html) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/confidentialledger) | [Package (Python Package Index) Management Library](https://pypi.org/project/azure-mgmt-confidentialledger/)

+## Prerequisites

+- An Azure subscription - [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Python versions supported by the [Azure SDK for Python](https://github.com/Azure/azure-sdk-for-python#prerequisites).

+## Setup

+This quickstart uses the Azure Identity library, along with Azure CLI or Azure PowerShell, to authenticate user to Azure Services. Developers can also use Visual Studio or Visual Studio Code to authenticate their calls. For more information, see [Authenticate the client with Azure Identity client library](/python/api/overview/azure/identity-readme).

+### Sign in to Azure

+### Install the packages

+In a terminal or command prompt, create a suitable project folder, and then create and activate a Python virtual environment as described on [Use Python virtual environments](/azure/developer/python/configure-local-development-environment?tabs=cmd#use-python-virtual-environments).

+Install the Azure Active Directory identity client library:

+```terminal

+pip install azure-identity

+```

+Install the Azure confidential ledger management plane client library.

+```terminal

+pip install azure.mgmt.confidentialledger

+```

+### Create a resource group

+### Register the resource provider

+### Create members

+## Create the Python application

+### Use the Management plane client library

+The management plane library (azure.mgmt.confidentialledger) allows operations on Managed CCF resources, such as creation and deletion, listing the resources associated with a subscription, and viewing the details of a specific resource. The following piece of code creates and views the properties of a Managed CCF resource.

+```python

+from azure.identity import DefaultAzureCredential

+# Import the Azure Managed CCF management plane library

+from azure.mgmt.confidentialledger import ConfidentialLedger

+import os

+sub_id = "0000000-0000-0000-0000-000000000001"

+client = ConfidentialLedger(credential=DefaultAzureCredential(), subscription_id=sub_id)

+# ********** Create a Managed CCF app **********

+app_properties = {

+ "location": "southcentralus",

+ "properties": {

+ "deploymentType": {

+ "appSourceUri": "",

+ "languageRuntime": "JS"

+ },

+ "memberIdentityCertificates": [ # Multiple members can be supplied

+ {

+ "certificate": "--BEGIN CERTIFICATE--\nMIIBvzC...f0ZoeNw==\n--END CERTIFICATE--",

+ "tags": { "owner": "ITAdmin1" }

+ }

+ ],

+ "nodeCount": 3 # Maximum allowed value is 9

+ },

+ "tags": { "costcenter": "12345" }

+}

+result = client.managed_ccf.begin_create("myResourceGroup", "confidentialbillingapp", app_properties).result()

+# ********** Retrieve the Managed CCF app details **********

+confidential_billing_app = client.managed_ccf.get("myResourceGroup", "confidentialbillingapp")

+# ********** Delete the Managed CCF app **********

+result = client.managed_ccf.begin_delete("myResourceGroup", "confidentialbillingapp").result()

+```

+## Clean up resources

+Other Managed CCF articles can build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you might wish to leave these resources in place.

+Otherwise, when you're finished with the resources created in this article, use the Azure CLI [az group delete](/cli/azure/group?#az-group-delete) command to delete the resource group and all its contained resources.

+```azurecli

+az group delete --resource-group myResourceGroup

+```

+## Next steps

+In this quickstart, you created a Managed CCF resource by using the Azure Python SDK for Confidential Ledger. To learn more about Azure Managed CCF and how to integrate it with your applications, continue on to these articles:

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Azure portal](quickstart-portal.md)

+- [Quickstart: Azure CLI](quickstart-cli.md)

+- [How to: Activate members](how-to-activate-members.md)

+ Title: Quickstart ΓÇô Azure SDK for JavaScript and TypeScript for Azure Managed Confidential Consortium Framework

+description: Learn to use the Azure SDK for JavaScript and TypeScript library for Azure Managed Confidential Consortium Framework

+# Quickstart: Create an Azure Managed CCF resource using the Azure SDK for JavaScript and TypeScript

+Microsoft Azure Managed CCF (Managed CCF) is a new and highly secure service for deploying confidential applications. For more information on Azure Managed CCF, see [About Azure Managed Confidential Consortium Framework](overview.md).

+[API reference documentation](/javascript/api/overview/azure/confidential-ledger) | [Library source code](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/confidentialledger/arm-confidentialledger) | [Package (npm)](https://www.npmjs.com/package/@azure/arm-confidentialledger)

+## Prerequisites

+- An Azure subscription - [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Node.js versions supported by the [Azure SDK for JavaScript](/javascript/api/overview/azure/arm-confidentialledger-readme#currently-supported-environments).

+## Setup

+This quickstart uses the Azure Identity library, along with Azure CLI or Azure PowerShell, to authenticate user to Azure Services. Developers can also use Visual Studio or Visual Studio Code to authenticate their calls. For more information, see [Authenticate the client with Azure Identity client library](/python/api/overview/azure/identity-readme).

+### Sign in to Azure

+### Install the packages

+In a terminal or command prompt, create a suitable project folder, and then create and activate a Python virtual environment as described on [Use Python virtual environments](/azure/developer/python/configure-local-development-environment?tabs=cmd#use-python-virtual-environments).

+Install the Azure Active Directory identity client library.

+```terminal

+npm install @azure/identity

+```

+Install the Azure Confidential Ledger management plane client library.

+```terminal

+npm install @azure/arm-confidentialledger@1.3.0-beta.1

+```

+### Create a resource group

+### Register the resource provider

+### Create members

+## Create the JavaScript application

+### Use the Management plane client library

+The Azure SDK for JavaScript and TypeScript library (azure/arm-confidentialledger) allows operations on Managed CCF resources, such as creation and deletion, listing the resources associated with a subscription, and viewing the details of a specific resource. The following piece of code creates and views the properties of a Managed CCF resource.

+```JavaScript

+import { ConfidentialLedgerClient, ManagedCCFProperties, ManagedCCF, KnownLanguageRuntime, DeploymentType, MemberIdentityCertificate } from "@azure/arm-confidentialledger";

+import { DefaultAzureCredential } from "@azure/identity";

+import { Console } from "console";

+const subscriptionId = "0000000-0000-0000-0000-000000000001"; // replace

+const rgName = "myResourceGroup";

+const ledgerId = "confidentialbillingapp";

+let client: ConfidentialLedgerClient;

+export async function main() {

+ console.log("Creating a new instance.")

+ client = new ConfidentialLedgerClient(new DefaultAzureCredential(), subscriptionId);

+ let properties = <ManagedCCFProperties> {

+ deploymentType: <DeploymentType> {

+ appSourceUri: "",

+ languageRuntime: KnownLanguageRuntime.JS

+ },

+ memberIdentityCertificates: [

+ <MemberIdentityCertificate>{

+ certificate: "--BEGIN CERTIFICATE--\nMIIBvjCCAUSgAwIBAg...0d71ZtULNWo\n--END CERTIFICATE--",

+ encryptionkey: "",

+ tags: {

+ "owner":"member0"

+ }

+ },

+ <MemberIdentityCertificate>{

+ certificate: "--BEGIN CERTIFICATE--\nMIIBwDCCAUagAwIBAgI...2FSyKIC+vY=\n--END CERTIFICATE--",

+ encryptionkey: "",

+ tags: {

+ "owner":"member1"

+ }

+ },

+ ],

+ nodeCount: 3,

+ };

+ let mccf = <ManagedCCF> {

+ location: "SouthCentralUS",

+ properties: properties,

+ }

+ let createResponse = await client.managedCCFOperations.beginCreateAndWait(rgName, ledgerId, mccf);

+ console.log("Created. Instance id: " + createResponse.id);

+ // Get details of the instance

+ console.log("Getting instance details.");

+ let getResponse = await client.managedCCFOperations.get(rgName, ledgerId);

+ console.log(getResponse.properties?.identityServiceUri);

+ console.log(getResponse.properties?.nodeCount);

+ // List mccf instances in the RG

+ console.log("Listing the instances in the resource group.");

+ let instancePages = await client.managedCCFOperations.listByResourceGroup(rgName).byPage();

+ for await(const page of instancePages){

+ for(const instance of page)

+ {

+ console.log(instance.name + "\t" + instance.location + "\t" + instance.properties?.nodeCount);

+ }

+ }

+ console.log("Delete the instance.");

+ await client.managedCCFOperations.beginDeleteAndWait(rgName, ledgerId);

+ console.log("Deleted.");

+}

+main().catch((err) => {

+ console.error(err);

+});

+```

+## Clean up resources

+Other Managed CCF articles can build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you might wish to leave these resources in place.

+Otherwise, when you're finished with the resources created in this article, use the Azure CLI [az group delete](/cli/azure/group?#az-group-delete) command to delete the resource group and all its contained resources.

+```azurecli

+az group delete --resource-group myResourceGroup

+```

+## Next steps

+In this quickstart, you created a Managed CCF resource by using the Azure Python SDK for Confidential Ledger. To learn more about Azure Managed CCF and how to integrate it with your applications, continue on to these articles:

+- [Azure Managed CCF overview](overview.md)

+- [Quickstart: Azure portal](quickstart-portal.md)

+- [Quickstart: Azure CLI](quickstart-cli.md)

+- [How to: Activate members](how-to-activate-members.md)

+Configure [VNet-to-VNet VPN gateway connection](../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md) to establish connectivity to an Azure Database for MariaDB from an Azure VM in a different region or subscription.

+ c. You might also navigate to the private endpoint resource and review if the virtual network matches the Migrate project private endpoint virtual network.

+The on-premises appliance (or replication provider) will access the Azure Migrate resources using their fully qualified private link domain names (FQDNs). You might require additional DNS settings to resolve the private IP address of the private endpoints from the source environment. [See this article](../private-link/private-endpoint-dns.md#on-premises-workloads-using-a-dns-forwarder) to understand the DNS configuration scenarios that can help troubleshoot any network connectivity issues.

+If the DNS resolution isn't working as described in the previous section, there might be an issue with your Private DNS Zone.

+By default, Azure Migrate also creates a private DNS zone corresponding to the *privatelink* subdomain for each resource type. The private DNS zone is created in the same Azure resource group as the private endpoint resource group. The Azure resource group should contain private DNS zone resources with the following format:

+If the DNS zone isn't present (as shown below), [create a new Private DNS Zone resource.](../dns/private-dns-getstarted-portal.md)

+The private DNS zone should be linked to the virtual network that contains the private endpoint for the DNS query to resolve the private IP address of the resource endpoint. If the private DNS zone isn't linked to the correct Virtual Network, any DNS resolution from that virtual network will ignore the private DNS zone.

+This shows a list of links, each with the name of a virtual network in your subscription. The virtual network that contains the Private Endpoint resource must be listed here. Else, [follow this article](../dns/private-dns-getstarted-portal.md#link-the-virtual-network) to link the private DNS zone to a virtual network.

+Once the private DNS zone is linked to the virtual network, DNS requests originating from the virtual network looks for DNS records in the private DNS zone. This is required for correct address resolution to the virtual network where the private endpoint was created.

+> When you remove or modify an A record, the machine might still resolve to the old IP address because the TTL (Time To Live) value might not have expired yet.

+### Items that might affect private link connectivity

+- Network peering, which might impact which DNS servers are used and how traffic is routed.

+- Custom gateway (NAT) solutions might impact how traffic is routed, including traffic from DNS queries.

+In this section, we'll list some of the commonly occurring issues and suggest do-it-yourself troubleshooting steps to remediate the problem.

+- Ensure that the appliance is either hosted in the same virtual network or is connected to the target Azure virtual network (where the Key Vault private endpoint has been created) over a private link. The Key Vault private endpoint is created in the virtual network selected during the project creation experience. You can verify the virtual network details in the **Azure Migrate > Properties** page.

+1. **Proxy server considerations**: If the appliance uses a proxy server for outbound connectivity, you might need to validate your network settings and configurations to ensure the private link URLs are reachable and can be routed as expected.

+ - If the proxy server is for internet connectivity, you might need to add traffic forwarders or rules to bypass the proxy server for the private link FQDNs. [Learn more](./discover-and-assess-using-private-endpoints.md#set-up-prerequisites) on how to add proxy bypass rules.

+### Validate private endpoint network connectivity

+You can use the Test-NetConnection command in PowerShell to check if the port is reachable from the appliance to the private endpoint. Ensure that you can resolve the Storage Account and the Key Vault for the Azure migrate project using the private IP address.

+

+

+1. **Proxy server considerations**: If the appliance uses a proxy server for outbound connectivity, you might need to validate your network settings and configurations to ensure the private link URLs are reachable and can be routed as expected.

+ - If the proxy server is for internet connectivity, you might need to add traffic forwarders or rules to bypass the proxy server for the private link FQDNs. [Learn more](./discover-and-assess-using-private-endpoints.md#set-up-prerequisites) on how to add proxy bypass rules.

+This error might occur if the export/import/download request was not initiated from an authorized network. This can happen if the import/export/download request was initiated from a client that is not connected to the Azure Migrate service (Azure virtual network) over a private network.

+description: Learn about Azure Network Watcher traffic analytics and the insights it can provide in different usage scenarios.

+# Usage scenarios of traffic analytics

+In this article, you learn how to get insights about your traffic after configuring traffic analytics in different scenarios.

+ :::image type="content" source="./media/traffic-analytics/dashboard-showcasing-host-with-most-traffic-details.png" alt-text="Screenshot of dashboard showcasing host with most traffic details.":::

+ :::image type="content" source="./media/traffic-analytics/top-five-most-talking-host-trend.png" alt-text="Screenshot of top five most-talking host trends.":::

+ :::image type="content" source="./media/traffic-analytics/dashboard-showcasing-most-frequent-conversation.png" alt-text="Screenshot of dashboard showcasing most frequent conversations.":::

+ :::image type="content" source="./media/traffic-analytics/top-five-chatty-conversation-details-and-trend.png" alt-text="Screenshot of top five chatty conversation details and trends.":::

+ :::image type="content" source="./media/traffic-analytics/dashboard-showcasing-top-application-protocols.png" alt-text="Screenshot of dashboard showcasing top application protocols.":::

+ :::image type="content" source="./media/traffic-analytics/top-five-layer-seven-protocols-details-and-trend.png" alt-text="Screenshot of top five layer 7 protocols details and trends.":::

+ :::image type="content" source="./media/traffic-analytics/flow-details-for-application-protocol-in-log-search.png" alt-text="Screenshot of the flow details for application protocol in log search.":::

+ :::image type="content" source="./media/traffic-analytics/dashboard-showcasing-top-active-vpn-connections.png" alt-text="Screenshot of dashboard showcasing top active VPN connections.":::

+ :::image type="content" source="./media/traffic-analytics/vpn-gateway-utilization-trend-and-flow-details.png" alt-text="Screenshot of VPN gateway utilization trend and flow details.":::

+ :::image type="content" source="./media/traffic-analytics/dashboard-showcasing-traffic-distribution.png" alt-text="Screenshot of dashboard showcasing traffic distribution.":::

+ :::image type="content" source="./media/traffic-analytics/geo-map-view-showcasing-active-deployment.png" alt-text="Screenshot of geo map view showcasing active deployment.":::

+ :::image type="content" source="./media/traffic-analytics/geo-map-view-showcasing-traffic-distribution-to-countries-and-continents.png" alt-text="Screenshot of geo map view showcasing traffic distribution to countries/regions and continents.":::

+ :::image type="content" source="./media/traffic-analytics/flow-details-for-traffic-distribution-in-log-search.png" alt-text="Screenshot of flow details for traffic distribution in log search.":::

+ :::image type="content" source="./media/traffic-analytics/inter-zone-and-intra-region-traffic.png" alt-text="Screenshot of Inter Zone and Intra region traffic.":::

+ - Knowing which virtual network is conversing to which virtual network. If the conversation isn't expected, it can be corrected.

+ :::image type="content" source="./media/traffic-analytics/dashboard-showcasing-virtual-network-distribution.png" alt-text="Screenshot of dashboard showcasing virtual network distribution.":::

+ :::image type="content" source="./media/traffic-analytics/virtual-network-topology-showcasing-traffic-distribution-and-flow-details.png" alt-text="Screenshot of virtual network topology showcasing traffic distribution and flow details.":::

+ :::image type="content" source="./media/traffic-analytics/virtual-network-filters.png" alt-text="Screenshot of virtual network topology showcasing top level and more filters.":::

+ :::image type="content" source="./media/traffic-analytics/flow-details-for-virtual-network-traffic-distribution-in-log-search.png" alt-text="Screenshot of flow details for virtual network traffic distribution in log search.":::

+ - If rogue networks are conversing with a subnet, you're able to correct it by configuring NSG rules to block the rogue networks.

+ :::image type="content" source="./media/traffic-analytics/subnet-topology-showcasing-traffic-distribution-to-a-virtual-subnet-with-regards-to-flows.png" alt-text="Screenshot of subnet topology showcasing traffic distribution to a virtual network subnet with regards to flows.":::

+ - If rogue networks are conversing with an Application gateway or Load Balancer, you're able to correct it by configuring NSG rules to block the rogue networks.

+ :::image type="content" source="./media/traffic-analytics/subnet-topology-showcasing-traffic-distribution-to-a-application-gateway-subnet-with-regards-to-flows.png" alt-text="Screenshot shows a subnet topology with traffic distribution to an application gateway subnet regarding flows.":::

+ :::image type="content" source="./media/traffic-analytics/dashboard-showcasing-ports-receiving-and-sending-traffic-to-the-internet.png" alt-text="Screenshot of dashboard showcasing ports receiving and sending traffic to the internet.":::

+ :::image type="content" source="./media/traffic-analytics/details-of-azure-destination-ports-and-hosts.png" alt-text="Screenshot of Azure destination ports and hosts details.":::

+ :::image type="content" source="./media/traffic-analytics/public-ip-information.png" alt-text="Screenshot that displays the public IP information." lightbox="./media/traffic-analytics/public-ip-information.png":::

+ - On the traffic analytics dashboard, select any IP to view its information

+ :::image type="content" source="./media/traffic-analytics/external-public-ip-details.png" alt-text="Screenshot that displays the external IP information in tool tip." lightbox="./media/traffic-analytics/external-public-ip-details.png":::

+ :::image type="content" source="./media/traffic-analytics/malicious-ip-details.png" alt-text="Screenshot that displays the malicious IP information in tool tip." lightbox="./media/traffic-analytics/malicious-ip-details.png":::

+ :::image type="content" source="./media/traffic-analytics/dashboard-showcasing-nsg-hits-statistics.png" alt-text="Screenshot of dashboard showcasing NSG hits statistics.":::

+ :::image type="content" source="./media/traffic-analytics/showcasing-time-trending-for-nsg-rule-hits-and-top-nsg-rules.png" alt-text="Screenshot showcasing time trending for NSG rule hits and top NSG rules.":::

+ :::image type="content" source="./media/traffic-analytics/top-nsg-rules-statistics-details-in-log-search.png" alt-text="Screenshot of top N S G rules statistics details in log search.":::

+## Incident management

+An incident is an event that results in a degradation or outage Azure Red Hat OpenShift services. An incident can be raised by a customer or Customer Experience and Engagement (CEE) member through a [support case](openshift-service-definitions.md#support), directly by the centralized monitoring and alerting system, or directly by a member of the ARO Site Reliability Engineer (SRE) team.

+Depending on the impact on the service and customer, the incident is categorized in terms of severity.

+The general workflow of how a new incident is managed is described below:

+1. An SRE first responder is alerted to a new incident and begins an initial investigation.

+1. After the initial investigation, the incident is assigned an incident lead, who coordinates the recovery efforts.

+1. The incident lead manages all communication and coordination around recovery, including any relevant notifications or support case updates.

+1. The incident is recovered.

+1. The incident is documented and a root cause analysis (RCA) is performed within 5 business days of the incident.

+1. An RCA draft document is shared with the customer within 7 business days of the incident.

+ Title: Create and configure MCC EDR Ingestion Agents

+description: Learn how to create and configure MCC EDR Ingestion Agents for Azure Operator Insights

+# Create and configure MCC EDR Ingestion Agents for Azure Operator Insights

+The MCC EDR agent is a software package that is installed onto a Linux Virtual Machine (VM) owned and managed by you. The agent receives EDRs from an Affirmed MCC, and forwards them to Azure Operator Insights. 

+## Prerequisites

+- You must have an Affirmed Networks MCC deployment that generates EDRs.

+- You must have an Azure Operator Insights MCC Data product deployment.

+- You must provide VMs with the following specifications to run the agent:

+ - OS - Red Hat Enterprise Linux 8.6 or later

+ - Minimum hardware - 4 vCPU,  8-GB RAM, 30-GB disk

+ - Network - connectivity from MCCs and to Azure

+ - Software - systemd and logrotate installed

+ - SSH or alternative access to run shell commands

+ - (Preferable) Ability to resolve public DNS.  If not, you need to perform additional manual steps to resolve Azure locations. Refer to [Running without public DNS](#running-without-public-dns) for instructions.

+The number of VMs needed depends on the scale and redundancy characteristics of your deployment. Each agent instance must run on its own VM. Talk to the Affirmed Support Team to determine your requirements.

+## Deploy the agent on your VMs

+To deploy the agent on your VMs, follow the procedures outlined in the following sections.

+### Authentication

+You must have a service principal with a certificate credential that can access the Azure Key Vault created by the Data Product to retrieve storage credentials. Each agent must also have a copy of a valid certificate and private key for the service principal stored on this virtual machine.

+#### Create a service principal

+> [!IMPORTANT]

+> You may need a Microsoft Entra tenant administrator in your organization to perform this set up for you.

+1. Create or obtain a Microsoft Entra ID service principal. Follow the instructions detailed in [Create a Microsoft Entra app and service principal in the portal](/entra/identity-platform/howto-create-service-principal-portal).

+1. Note the Application (client) ID, and your Microsoft Entra Directory (tenant) ID (these IDs are UUIDs of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where each character is a hexadecimal digit).

+#### Prepare certificates

+It's up to you whether you use the same certificate and key for each VM, or use a unique certificate and key for each.  Using a certificate per VM provides better security and has a smaller impact if a key is leaked or the certificate expires. However, this method adds a higher maintainability and operational complexity.

+1. Obtain a certificate. We strongly recommend using trusted certificate(s) from a certificate authority.

+1. Add the certificate(s) as credential(s) to your service principal, following [Create a Microsoft Entra app and service principal in the portal](/entra/identity-platform/howto-create-service-principal-portal).

+1. We **strongly recommend** additionally storing the certificates in a secure location such as Azure Key vault.  Doing so allows you to configure expiry alerting and gives you time to regenerate new certificates and apply them to your ingestion agents before they expire.  Once a certificate has expired, the agent is unable to authenticate to Azure and no longer uploads data.  For details of this approach see [Renew your Azure Key Vault certificates Azure portal](../key-vault/certificates/overview-renew-certificate.md).

+1. Ensure the certificate(s) are available in pkcs12 format, with no passphrase protecting them. On Linux, you can convert a certificate and key from PEM format using openssl:

+ `openssl pkcs12 -nodes -export -in $certificate\_pem\_filename -inkey $key\_pem\_filename -out $pkcs12\_filename`

+5. Ensure the certificate(s) are base64 encoded. On Linux, you can based64 encode a pkcs12-formatted certificate by using the command:

+ `base64 -w 0 $pkcs12\_filename &gt; $base64filename`

+#### Permissions

+1. Find the Azure Key Vault that holds the storage credentials for the input storage account. This key vault is in a resource group named *\<data-product-name\>-HostedResources-\<unique-id\>*.

+1. Grant your service principal the Key Vault Secrets User role on this Key Vault.  You need Owner level permissions on your Azure subscription.  See [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md) for details of how to assign roles in Azure.

+1. Note the name of the Key Vault.

+### Prepare the VMs

+Repeat these steps for each VM onto which you want to install the agent:

+1. Ensure you have an SSH session open to the VM, and that you have `sudo` permissions.

+1. Verify that the VM has the following ports open:

+ - Port 36001/TCP inbound from the MCCs

+ - Port 443/TCP outbound to Azure

+

+ These ports must be open both in cloud network security groups and in any firewall running on the VM itself (such as firewalld or iptables).

+1. Install systemd, logrotate and zip on the VM, if not already present.

+1. Obtain the ingestion agent RPM and copy it to the VM.

+1. Copy the pkcs12-formatted base64-encoded certificate (created in the [Prepare certificates](#prepare-certificates) step) to an accessible location on the VM (such as /etc/az-mcc-edr-uploader).

+### Running without public DNS

+If your agent VMs don't have access to public DNS, then you need to add entries on each agent VM to map the Azure host names to IP addresses.

+This process assumes that you're connecting to Azure over ExpressRoute and are using Private Links and/or Service Endpoints. If you're connecting over public IP addressing, you **cannot** use this workaround and must use public DNS.

+Create the following from a virtual network that is peered to your ingestion agents:

+- A Service Endpoint to Azure Storage

+- A Private Link  or Service Endpoint to the Key Vault created by your Data Product.  The Key Vault is the same one you found in step 5 of [Prepare the certificates](#prepare-certificates).

+Steps:

+1. Note the IPs of these two connections.

+1. Note the domain of your Azure Operator Insights Input Storage Account.  You can find the domain on your Data Product overview page in the Azure portal, in the form of *\<account name\>.blob.core.windows.net*

+1. Note the domain of the Key Vault.  The domain appears as *\<vault name\>.vault. azure.net*

+1. Add a line to */etc/hosts* on the VM linking the two values in this format, for each of the storage and Key Vault:

+ *\<Storage private IP\>*   *\<Storage hostname\>*

+ *\<Key Vault private IP\>*  *\<Key Vault hostname\>*

+### Install agent software

+Repeat these steps for each VM onto which you want to install the agent:

+1. In an SSH session, change to the directory where the RPM was copied.

+1. Install the RPM:  `sudo dnf install \*.rpm`.  Answer 'y' when prompted.  If there are any missing dependencies, the RPM isn't installed.

+1. Change to the configuration directory: cd /etc/az-mcc-edr-uploader

+1. Make a copy of the default configuration file:  `sudo cp example\_config.yaml config.yaml`

+1. Edit the *config.yaml* and fill out the fields.  Most of them are set to default values and do not require input.  The full reference for each parameter is described in [MCC EDR Ingestion Agents configuration reference](mcc-edr-agent-configuration.md). The following parameters must be set:

+ 1. **site\_id** should be changed to a unique identifier for your on-premises site – for example, the name of the city or state for this site.  This name becomes searchable metadata in Operator Insights for all EDRs from this agent. 

+ 1. **agent\_id** should be a unique identifier for this agent ΓÇô for example, the VM hostname.

+ 1. **secret\_providers\[0\].provider.vault\_name** must be the name of the key vault for your Data Product  

+ 1. **secret\_providers\[0\].provider.auth** must be filled out with:

+ 1. **tenant\_id** as your Microsoft Entra ID tenant.

+ 2. **identity\_name** as the application ID of your service principal

+ 3. **cert\_path** as the path on disk to the location of the base64-encoded certificate and private key for the service principal to authenticate with.

+ 1. **sink.container\_name** *must be left as "edr".*

+1. Start the agent: `sudo systemctl start az-mcc-edr-uploader`

+1. Check that the agent is running: `sudo systemctl status az-mcc-edr-uploader`

+ 1. If you see any status other than "active (running)", look at the logs as described in the [Monitor and troubleshoot MCC EDR Ingestion Agents for Azure Operator Insights](troubleshoot-mcc-edr-agent.md) article to understand the error.  It's likely that some configuration is incorrect.

+ 2. Once you resolve the issue,  attempt to start the agent again.

+ 3. If issues persist, raise a support ticket.

+1. Once the agent is running, ensure it will automatically start on a reboot: `sudo systemctl enable az-mcc-edr-uploader.service`

+1. Save a copy of the delivered RPM ΓÇô you'll need it to reinstall or to back out any future upgrades.

+### Configure affirmed MCCs

+Once the agents are installed and running, configure the MCCs to send EDRs to them.

+1. Follow the steps under "Generating SESSION, BEARER, FLOW, and HTTP Transaction EDRs" in the [Affirmed Networks Active Intelligent vProbe System Administration Guide](https://manuals.metaswitch.com/vProbe/13.1/vProbe_System_Admin/Content/02%20AI-vProbe%20Configuration/Generating_SESSION__BEARER__FLOW__and_HTTP_Transac.htm) (1), making the following changes:

+ - Replace the IP addresses of the MSFs in MCC configuration with the IP addresses of the VMs running the ingestion agents.

+ - Confirm that the following EDR server parameters are set:

+ - port: 36001

+ - encoding: protobuf

+ - keep-alive: 2 seconds

+## Important considerations

+### Security

+The VM used for the MCC EDR agent should be set up following best practice for security. For example:

+- Networking - Only allow network traffic on the ports that are required to run the agent and maintain the VM.

+- OS version - Keep the OS version up-to-date to avoid known vulnerabilities.

+- Access - Limit access to the VM to a minimal set of users, and set up audit logging for their actions. For the MCC EDR agent, we recommend that the following are restricted:

+ - Admin access to the VM (for example, to stop/start/install the MCC EDR software)

+ - Access to the directory where the logs are stored *(/var/log/az-mcc-edr-uploader/)*

+ - Access to the certificate and private key for the service principal

+### Deploying for fault tolerance

+The MCC EDR agent is designed to be highly reliable and resilient to low levels of network disruption. If an unexpected error occurs, the agent restarts and provides service again as soon as it's running.

+The agent doesn't buffer data, so if a persistent error or extended connectivity problems occur, EDRs are dropped.

+For additional fault tolerance, you can deploy multiple instances of the MCC EDR agent and configure the MCC to switch to a different instance if the original instance becomes unresponsive, or to shared EDR traffic across a pool of agents. For more information, refer to the [Affirmed Networks Active Intelligent vProbe System Administration Guide](https://manuals.metaswitch.com/vProbe/13.1/vProbe_System_Admin/Content/02%20AI-vProbe%20Configuration/Generating_SESSION__BEARER__FLOW__and_HTTP_Transac.htm)(2) or speak to the Affirmed Networks Support Team.

+## Related content

+[Manage MCC EDR Ingestion Agents for Azure Operator Insights](how-to-manage-mcc-edr-agent.md)

+[Monitor and troubleshoot MCC EDR Ingestion Agents for Azure Operator Insights](troubleshoot-mcc-edr-agent.md)

+[1] Only accessible for customers with Affirmed Support

+[2] Only accessible for customers with Affirmed support

+ Title: Manage MCC EDR Ingestion Agents for Azure Operator Insights

+description: Learn how to upgrade, update, roll back and manage MCC EDR Ingestion agents for AOI

+# Manage MCC EDR Ingestion Agents for Azure Operator Insights

+> [!WARNING]

+> When the agent is restarted, a small number of EDRs being handled may be dropped.  It is not possible to gracefully restart without dropping any data.  For safety, update agents one at a time, only updating the next when you are sure the previous was successful.

+## Agent software upgrade

+To upgrade to a new release of the agent, repeat the following steps on each VM that has the old agent.

+> [!WARNING]

+> When the agent restarts, a small number of EDRs being handled may be dropped.  It is not possible to gracefully upgrade without dropping any data.  For safety, upgrade agents one at a time, only upgrading the next when you are sure the previous was successful.

+1. Copy the RPM to the VM.  In an SSH session, change to the directory where the RPM was copied.

+1. Save a copy of the existing */etc/az-mcc-edr-uploader/config.yaml* configuration file.

+1. Upgrade the RPM: `sudo dnf install \*.rpm`.  Answer 'y' when prompted.  

+1. Create a new config file based on the new sample, keeping values from the original. Follow specific instructions in the release notes for the upgrade to ensure the new configuration is generated correctly.

+1. Restart the agent: `sudo systemctl restart az-mcc-edr-uploader.service`

+1. Once the agent is running, make sure it will automatically start on a reboot: `sudo systemctl enable az-mcc-edr-uploader.service`

+1. Verify that the agent is running and that EDRs are being routed to it as described in [Monitor and troubleshoot MCC EDR Ingestion Agents for Azure Operator Insights](troubleshoot-mcc-edr-agent.md).

+### Agent configuration update

+> [!WARNING]

+> Changing the configuration requires restarting the agent, whereupon a small number of EDRs being handled may be dropped.  It is not possible to gracefully restart without dropping any data.  For safety, update agents one at a time, only updating the next when you are sure the previous was successful.

+If you need to change the agent's configuration, perform the following steps:

+1. Save a copy of the original configuration file */etc/az-mcc-edr-uploader/config.yaml*

+1. Edit the configuration file to change the config values.  

+1. Restart the agent: `sudo systemctl restart az-mcc-edr-uploader.service`

+### Rollback

+If an upgrade or configuration change fails:

+1. Copy the backed-up configuration file from before the change to the */etc/az-mcc-edr-uploader/config.yaml* file.

+1. If a software upgrade failed, downgrade back to the original RPM.

+1. Restart the agent: `sudo systemctl restart az-mcc-edr-uploader.service`

+1. If this was software upgrade, make sure it will automatically start on a reboot: `sudo systemctl enable az-mcc-edr-uploader.service`

+## Certificate rotation

+You must refresh your service principal credentials before they expire.

+To do so:

+1. Create a new certificate, and add it to the service principal. For instructions, refer to [Upload a trusted certificate issued by a certificate authority](/entra/identity-platform/howto-create-service-principal-portal).

+1. Obtain the new certificate and private key in the base64-encoded PKCS12 format, as described in [Create and configure MCC EDR Ingestion Agents for Azure Operator Insights](how-to-install-mcc-edr-agent.md).

+1. Copy the certificate to the ingestion agent VM.

+1. Save the existing certificate file and replace with the new certificate file.

+1. Restart the agent: `sudo systemctl restart az-mcc-edr-uploader.service`

+ Title: MCC EDR Ingestion Agents configuration reference for Azure Operator Insights

+description: This article documents the complete set of configuration for the agent, listing all fields with examples and explanatory comments.

+# MCC EDR Ingestion Agents configuration reference

+This reference provides the complete set of configuration for the agent, listing all fields with examples and explanatory comments.

+```

+# The name of the site this agent lives in

+site_id: london-lab01

+# The identifier for this agent

+agent_id: mcc-edr-agent01

+# Config for secrets providers. We currently support reading secrets from Azure Key Vault and from the local filesystem.

+# Multiple secret providers can be defined and each must be given

+# a unique name.

+# The name can then be referenced for secrets later in the config.

+secret_providers:

+ΓÇ» - name: dp_keyvault

+ΓÇ» ΓÇ» provider:

+ΓÇ» ΓÇ» ΓÇ» type: key_vault

+ΓÇ» ΓÇ» ΓÇ» vault_name: contoso-dp-kv

+ΓÇ» ΓÇ» ΓÇ» auth:

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» tenant_id: ad5421f5-99e4-44a9-8a46-cc30f34e8dc7

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» identity_name: 98f3263d-218e-4adf-b939-eacce6a590d2

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» cert_path: /path/to/local/certkey.pkcs

+# Source configuration. This controls how EDRs are ingested from

+# MCC.

+source:

+ # The TCP port to listen on. Must match the port MCC is

+ # configured to send to.

+ listen_port: 36001

+ # The maximum amount of data to buffer in memory before uploading.

+ message_queue_capacity_in_bytes: 33554432

+ # The maximum size of a single blob (file) to store in the input

+ # storage account in Azure.

+ maximum_blob_size_in_bytes: 134217728

+ # Quick check on the maximum RAM that the agent should use.

+ # This is a guide to check the other tuning parameters, rather

+ # than a hard limit.

+ maximum_overall_capacity_in_bytes: 1275068416

+ # The maximum time to wait when no data is received before

+ # uploading pending batched data to Azure.

+ blob_rollover_period_in_seconds: 300

+sink:

+ # The container within the ingestion account. This *must* be in

+ # the format Azure Operator Insights expects. Do not adjust

+ # without consulting your support representative.

+ container_name: edrs

+ auth:

+ type: sas_token

+ # This must reference a secret provider configured above.

+ secret_provider: dp_keyvault

+ # How often to check for a new ADLS token

+ cache_period_hours: 12

+ # The name of a secret in the corresponding provider.

+ # This will be the name of a secret in the Key Vault.

+ # This is created by the Data Product and should not be changed.

+ secret_name: adls-sas-token

+# The maximum size of each block that is uploaded to Azure.

+# Each blob is composed of one or more blocks.

+ block_size_in_bytes : 33554432

+```

+Provide your User-Assigned-Managed-Identity (UAMI) with necessary roles in the Microsoft Purview compliance portal. The UAMI you enter is the one that was set up when creating an AOI Data Product. For information on how to set up this UAMI, refer to [Set up user-assigned managed identity](data-product-create.md#set-up-user-assigned-managed-identity). At the desired collection, assign this UAMI to the **Collection admin**, **Data source admin**, and **Data curator** roles. Alternately, you can apply the UAMI at the root collection/account level. All collections would inherit these role assignments by default.

+## Related content

+ Title: Monitor and troubleshoot MCC EDR Ingestion Agents for Azure Operator Insights

+description: Learn how to monitor MCC EDR Ingestion Agents and troubleshoot common issues

+# Monitor and troubleshoot MCC EDR Ingestion Agents for Azure Operator Insights

+## Agent diagnostics overview

+Because the ingestion bus agents are software packages, their diagnostics are limited to the functioning of the application. Microsoft doesn't provide OS or resource monitoring. You're encouraged to use standard tooling such as snmpd, Prometheus node exporter, or others to send OS-level data and telemetry to your on-premises monitoring systems.

+The diagnostics provided by the MCCs, or by Azure Operator Insights itself in Azure Monitor, are expected to be sufficient for most other use cases.

+The agent writes logs and metrics to files under */var/log/az-mcc-edr-uploader/*. If the agent is failing to start for any reason, such as misconfiguration, the stdout.log file contains human-readable logs explaining the issue.

+Metrics are reported in a simple human-friendly form. They're provided primarily for Microsoft support to have telemetry for debugging unexpected issues. The diagnostics provided by the MCCs, or by Azure Operator Insights itself in Azure Monitor, are expected to be sufficient for most other use cases.

+## Collecting diagnostics

+Microsoft Support may request diagnostic packages when investigating an issue.

+To collect a diagnostics package, SSH to the Virtual Machine and run the command `/usr/bin/microsoft/az-ingestion-gather-diags`. This command generates a date-stamped zip file in the current directory that you can copy from the system.

+> [!NOTE]

+> Diagnostics packages don't contain any customer data or the value of the Azure Storage connection string.

+## Troubleshooting common issues

+For most of these troubleshooting techniques, you need an SSH connection to the VM running the agent.

+If none of these suggested remediation steps help, or you're unsure how to proceed, collect a diagnostics package and contact your support representative.

+### Agent fails to start

+Symptoms: `sudo systemctl status az-mcc-edr-uploader` shows that the service is in failed state.

+Steps to remediate:

+- Ensure the service is running: `sudo systemctl start az-mcc-edr-uploader`.

+- Look at the */var/log/az-mcc-edr-uploader/stdout.log* file and check for any reported errors.  Fix any issues with the configuration file and start the agent again.

+### MCC cannot connect

+Symptoms: MCC reports alarms about MSFs being unavailable.

+Steps to remediate:

+- Check that the agent is running.

+- Ensure that MCC is configured with the correct IP and port.

+- Check the logs from the agent and see if it's reporting connections.  If not, check the network connectivity to the agent VM and verify that the firewalls aren't blocking traffic to port 36001.

+- Collect a packet capture to see where the connection is failing.

+### No EDRs appearing in AOI

+Symptoms: no data appears in Azure Data Explorer.

+Steps to remediate:

+- Check that the MCC is healthy and ingestion bus agents are running.

+- Check the logs from the ingestion agent for errors uploading to Azure. If the logs point to an invalid connection string, or connectivity issues, fix the configuration/connection string and restart the agent.

+- Check the network connectivity and firewall configuration on the storage account.

+### Data missing or incomplete

+Symptoms: Azure Monitor shows a lower incoming EDR rate in ADX than expected.

+Steps to remediate:

+- Check that the agent is running on all VMs and isn't reporting errors in logs.

+- Verify that the agent VMs aren't being sent more than the rated load.  

+- Check agent metrics for dropped bytes/dropped EDRs.  If the metrics don't show any dropped data, then MCC isn't sending the data to the agent. Check the "received bytes" metrics to see how much data is being received from MCC.

+- Check that the agent VM isn't overloaded – monitor CPU and memory usage.   In particular, ensure no other process is taking resources from the VM.

+### Access to cluster nodes via Azure Arc for Kubernetes

+Once you are connected to a cluster via Arc for Kuberentes, you can connect to individual Kubernetes Node using the `kubectl debug` command to run a privileged container on your node.

+1. List the nodes in your Nexus Kubernetes cluster:

+ ```console

+ $> kubectl get nodes

+ NAME STATUS ROLES AGE VERSION

+ cluster-01-627e99ee-agentpool1-md-chfwd Ready <none> 125m v1.27.1

+ cluster-01-627e99ee-agentpool1-md-kfw4t Ready <none> 125m v1.27.1

+ cluster-01-627e99ee-agentpool1-md-z2n8n Ready <none> 124m v1.27.1

+ cluster-01-627e99ee-control-plane-5scjz Ready control-plane 129m v1.27.1

+ ```

+2. Start a privileged container on your node and connect to it:

+ ```console

+ $> kubectl debug node/cluster-01-627e99ee-agentpool1-md-chfwd -it --image=mcr.microsoft.com/cbl-mariner/base/core:2.0

+ Creating debugging pod node-debugger-cluster-01-627e99ee-agentpool1-md-chfwd-694gg with container debugger on node cluster-01-627e99ee-agentpool1-md-chfwd.

+ If you don't see a command prompt, try pressing enter.

+ root [ / ]#

+ ```

+ This privileged container gives access to the node. Execute commands on the baremetal host machine by running `chroot /host` at the command line.

+3. When you are done with a debugging pod, enter the `exit` command to end the interactive shell session. After exiting the shell, make sure to delete the pod:

+ ```bash

+ kubectl delete pod node-debugger-cluster-01-627e99ee-agentpool1-md-chfwd-694gg

+ ```

+A Tenant refers to an organization or entity that owns and manages a Microsoft Entra ID instance. It serves as a secure container for Azure resources, allowing organizations to control and manage access. Tenants enable organizations to efficiently allocate resources, enforce access policies, and integrate with Azure services, providing a centralized and secure environment for managing their cloud infrastructure.

+ "managedIdentity": "<managed-identity-resource-id>"

+You have successfully created a Site Network Service for a Nginx Container as a CNF in Azure. You can now manage and monitor your CNF through the Azure portal.

+Before you begin using the Azure Operator Service Manager, execute the following commands to register the required resource provider. This registration process can take up to 5 minutes.

+- [Quickstart: Publish Nginx container as Containerized Network Function (CNF)](quickstart-publish-containerized-network-function-definition.md)

+ "path_to_chart": "nginxdemo-0.1.0.tgz",

+|Directory/File |Description |

+- [Quickstart: Design a Containerized Network Function (CNF) Network Service Design with Nginx](quickstart-containerized-network-function-network-design.md)

+ "managedIdentity": "<managed-identity-resource-id>"

+Congratulations! You have successfully created a Site Network Service for Ubuntu Virtual Machine (VM) as a Virtual Network Function (VNF) in Azure. You can now manage and monitor your Virtual Network Function (VNF) through the Azure portal.

+1. **Locate the Managed Identity**: In the list of managed identities, find and select the one named **identity-for-ubuntu-vm-sns** within your resource group. You should now be on the overview page for that managed identity.

+- [Quickstart: Create a Virtualized Network Functions (VNF) Site](quickstart-virtualized-network-function-create-site.md).

+Our antennas are 6.1 meters in diameter and support the following frequency bands for commercial satellites:

+| Ground Station | X-band Downlink (MHz) | S-band Downlink (MHz) | S-band Uplink (MHz) |

+|-|--|--||

+| Quincy, WA, USA | 8025-8400 | | 2025-2110 |

+| Longovilo, Chile | 8025-8400 | 2200-2290 | 2025-2110 |

+| Singapore | 8025-8400 | 2200-2290 | 2025-2110 |

+| Johannesburg, South Africa | 8025-8400 | 2200-2290 | 2025-2110 |

+| Gavle, Sweden | 8025-8400 | 2200-2290 | 2025-2110 |

+In addition, we support public satellites for downlink-only operations that utilize frequencies between 7800-8025 MHz.

+## Next Steps

+- [Support all mission phases](mission-phases.md)

+ Title: Azure Orbital Ground Station - Initiate ground station licensing

+Both satellites and ground stations require authorizations from federal regulators and other government agencies to operate.

+Azure Orbital Ground Station consists of five first-party, Microsoft-owned ground stations and networks of third-party Partner ground stations. Except in South Africa, adding a new satellite point of communication to licensed Microsoft ground stations requires an authorization from the respective federal regulator. While the specifics of obtaining authorization vary by geography, coordination with incumbent users is always required.

+- If you're interested in contacting [select **public** satellites supported by Azure Orbital Ground Station](https://learn.microsoft.com/azure/orbital/modem-chain#named-modem-configuration), Microsoft has already completed all regulatory requirements to add these satellite points of communication to all Microsoft ground stations.

+- If you're interested in having your **existing** satellite space station or constellation communicate with one or more Microsoft ground stations, you must modify your authorization for the US market to add each ground station.

+- If you're interested in having your **planned** satellite space station or constellation communicate with one or more Microsoft ground stations, each ground station must be referenced in the technical exhibits accompanying your US license (or market access) application. As the US application process can be lengthy due to the required coordination with federal users in the X- and S-bands, we recommend you start at least one year ahead of launch if possible.

+If you are seeking a new or modified satellite license, Azure Orbital Ground Station provides your in-house or outside counsel with geo-coordinates and technical information for each Microsoft ground station. Similarly, we require information from your satellite space station or constellation license application in order to complete our applications to modify our first-party ground station licenses and add new satellite points of communication. If you plan to use Partner network ground stations, work with the Partner's regulatory team to ensure their ground station authorizations are updated for use with your spacecrafts.

+## Coordination during the authorization process

+During the process of licensing new satellite space stations, applications sometimes need to be amended or modified. It's important that the satellite operator keeps Microsoft and Partner ground station operators informed of these changes as soon as possible. Delays in the regulatory review process are more likely if the information in the satellite operatorΓÇÖs license application regarding Microsoft and Partner ground stations don't match the information in the respective ground station licenses. Likewise, delays can occur if the information in an application to add a new satellite point of communication to Microsoft or Partner ground stations does not match the information in the current satellite license application.

+Satellite operators are responsible for all costs associated with obtaining satellite space station or constellation licenses.

+The costs associated with ground station license are defined in your agreement with Azure Orbital Ground Station and/or the Partner ground station network.

+Satellite operators are responsible for complying with the conditions and restrictions in their satellite licenses.

+ Title: Azure Orbital Ground Station - Overview

+# Azure Orbital Ground Station overview

+With Azure Orbital Ground Station, your space data is delivered with near-zero latency to your Azure region over the secure and highly available Microsoft network. Azure Orbital Ground Station supports both Microsoft and industry leading Partner ground station networks, ensuring access to the best sites and networks to support your space missions. Deploying and operating a large, globally distributed ground station solution for your space mission can now be done with the reliability and flexibility of the cloud&mdash;at any classification level.

+## Product highlights

+- Self-service scheduling of spacecraft contacts to ingest data, monitor satellite health and status, or transmit commands to satellites.

+- The managed data path provides one-click access to a global network of ground stations and direct data ingestion into your private Azure virtual network.

+- Take advantage of integrated software modems from Kratos for X and S bands, or leverage virtual RF and GNU radio for unrestricted modem implementations.

+- Avoid building and managing ground station infrastructure and instead pay-as-you-go with any antenna in the global Azure Orbital network.

+- Space data are transmitted and managed securely, according to stringent compliance requirements.

+- Integrate command and control software with the Azure Orbital Ground Station API to manage fleet operations.

+- [Pricing](https://azure.microsoft.com/pricing/details/orbital/) and [SLA](https://azure.microsoft.com/support/legal/sla/orbital/)

+- [Azure Space tech blog](https://techcommunity.microsoft.com/t5/azure-space-blog/bg-p/AzureSpaceBlog)

+- [About Microsoft and Partner ground stations](about-ground-stations.md)

+- [Get started with Azure Orbital Ground Station](get-started.md)

+- [Support all mission phases](mission-phases.md)

+1. Open Pgadmin and click **Register** from left hand menu and select **Server**

+2. In **General** Tab provide a connection name and clear the **Connect now** option.

+3. Click the **Connection** tab and provide your Flexible Server details for **Hostname/address** and **username** and save.

+4. From the browser menu, select your Azure Database for PostgreSQL - Flexible Server connection and click **Connect Server**

+5. Enter the your Active Directory token password when you're prompted.

+| Azure Data Factory (Microsoft.DataFactory/factories) | dataFactory | privatelink.datafactory.azure.us | datafactory.azure.us |

+| Azure Data Factory (Microsoft.DataFactory/factories) | portal | privatelink.adf.azure.us | adf.azure.us |

+[Azure Database for PostgreSQL - Flexible Server](./reliability-postgresql-flexible-server.md)|

+[Azure Data Manager for Energy](./reliability-energy-data-services.md) |

+## Next steps

+- [Reliability in Azure](/azure/reliability/availability-zones-overview)

+!pip install openai==0.28.1

+| deviceExternalId | deviceExternalId | A name that uniquely identifies the device generating the event. |

+In some cases, your CloudWatch logs may not match the format accepted by Microsoft Sentinel - .csv file in a GZIP format without a header. In this article, you use a [lambda function](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/CloudWatchLambdaFunction.py) within the Amazon Web Services (AWS) environment to send [CloudWatch events to an S3 bucket](connect-aws.md), and convert the format to the accepted format.

+- [Use workbooks](monitor-your-data.md) to monitor your data.

+ The installation script configures the `rsyslog` or `syslog-ng` daemon to use the required protocol and restarts the daemon. The script opens port 514 to listen to incoming messages in both UDP and TCP protocols. To change this setting, refer to the

+ Syslog daemon configuration file according to the daemon type running on the machine:

+ - Rsyslog: `/etc/rsyslog.conf`

+ - Syslog-ng: `/etc/syslog-ng/syslog-ng.conf`

+ The installation script configures the `rsyslog` or `syslog-ng` daemon to use the required protocol and restarts the daemon. The script opens port 514 to listen to incoming messages in both UDP and TCP protocols. To change this setting, refer to the

+ Syslog daemon configuration file according to the daemon type running on the machine:

+ - Rsyslog: `/etc/rsyslog.conf`

+ - Syslog-ng: `/etc/syslog-ng/syslog-ng.conf`

+- [Set up GCP environment manually](#set-up-the-gcp-environment-manually-via-the-gcp-portal) via the GCP console.

+| Source Service Type | Source services are services you can connect to target services. They are usually Azure compute services and they include Azure App Service, Azure Container Apps and Azure Spring Apps. |

+Service Connector manages connections in the properties of the source instance. Creating, getting, updating and deleting connections is done directly by opening the source service instance in the Azure portal, or by using the CLI commands of the source service.

+- Configuring the network and firewall settings.

+ [Learn more](#service-network-solution) about network solutions.

+- Configuring connection information.

+ [Learn more](#connection-configurations) about connection configurations.

+- Configuring authentication information.

+ Service Connector supports all available authentication types between source services and target services.

+ - **System assigned managed identity**. Service Connector enables system assigned managed identity on source services if not enabled yet, then grants RBAC roles of target services to the managed identity. The user can specify the roles to be granted.

+ - **User assigned managed identity**. Service Connector enables user assigned managed identity on source services if not enabled yet, then grants RBAC roles of target services to the managed identity. The user can specify the roles to be granted.

+ - **Connection String**. Service Connector retrieves connection strings from target services such as Storage, Redis Cache etc., or constructs connection strings based on user input, such as Azure database for SQL, PostgreSQL etc.

+ - **Service principal**. Service Connector grants RBAC roles of target services to the managed identity. The user can specify the roles to be granted.

+

+ Service Connector saves corresponding authentication configurations to source services, for example, saving AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_STORAGEACCOUNT_ENDPOINT for Storage with authentication type user assigned managed identity.

+Service Connector sets the connection configuration when creating a connection. The environment variable key-value pairs are determined based on your client type and authentication type. For example, using the Azure SDK with a managed identity requires a client ID, client secret, etc. Using a JDBC driver requires a database connection string. Follow these conventions to name the configurations:

+1. **Firewall**: This solution allows connection through public network and compute resource accessing target resource with public IP address. When selecting this option, Service Connector verifies the target resource's firewall settings and adds a rule to allow connections from the source resource's public IP address. If the resource's firewall supports allowing all Azure resources accessing, Service Connector enables this setting. However, if the target resource denies all public network traffic by default, Service Connector doesn't modify this setting. In this case, you should choose another option or update the network settings manually before trying again.

+2. **Service Endpoint**: This solution enables compute resource to connect to target resources via a virtual network, ensuring that connection traffic doesn't pass through the public network. It's only available if certain preconditions are met:

+ - The compute resource must have virtual network integration enabled. For Azure App Service, it can be configured in its networking settings; for Azure Spring Apps, users must set Virtual Network injection during the resource creation stage.

+ When selecting this option, Service Connector adds the private IP address of the compute resource in the virtual network to the target resource's Virtual Network rules, and enables the service endpoint in the source resource's subnet configuration. If the user lacks sufficient permissions or the resource's SKU or region doesn't support service endpoints, connection creation fails.

+- The compute resource must have virtual network integration enabled. For Azure App Service, it can be configured in its networking settings; for Azure Spring Apps, users must set VNet injection during the resource creation stage.

+ When selecting this option, Service Connector doesn't perform any more configurations in the compute or target resources. Instead, it verifies the existence of a valid private endpoint and fails the connection if not found. For convenience, users can select the "New Private Endpoint" checkbox in the Azure Portal when creating a connection. With it, Service Connector automatically creates all related resources for the private endpoint in the proper sequence, simplifying the connection creation process.

+- You can't use blob APIs, NFS 3.0, and Data Lake Storage APIs to write to the same instance of a file. If you write to a file by using Data Lake Storage Gen2 APIs or NFS 3.0, then that file's blocks won't be visible to calls to the [Get Block List](/rest/api/storageservices/get-block-list) blob API. The only exception is when you're overwriting. You can overwrite a file/blob using either API or with NFS 3.0 by using the zero-truncate option.

+

+ Blobs that are created by using a Data Lake Storage Gen2 operation such the [Path - Create](/rest/api/storageservices/datalakestoragegen2/path/create) operation, can't be overwritten by using [PutBlock](/rest/api/storageservices/put-block) or [PutBlockList](/rest/api/storageservices/put-block-list) operations, but they can be overwritten by using a [PutBlob](/rest/api/storageservices/put-block) operation subject to the maximum permitted blob size imposed by the corresponding api-version that PutBlob uses.

+1. Select **Create replication rules**.

+1. In the **Container pair details** section, select a source container from the source account, and a destination container from the destination account. You can create up to 10 container pairs per replication policy from the Azure portal. To configure more than 10 container pairs (up to 1000), see [Configure object replication using a JSON file](#configure-object-replication-using-a-json-file).

+Soft delete is not supported for blobs that are uploaded by using Data Lake Storage Gen2 APIs on Blob Storage accounts.

+| FileShareProvisionedBandwidthMiBps | The baseline number of provisioned bandwidth in MiB/s for the premium file share in the premium file storage account. This number is calculated based on the provisioned size (quota) of the share capacity. <br/><br/> Unit: BytesPerSecond <br/> Aggregation Type: Average |

+| Kafka topic | A named, ordered, and partitioned stream of data that allows for the publish-subscribe and event-driven processing of messages. |

+> [!IMPORTANT]

+> You must use Azure CLI to upload the certificate as a secret to your key vault. You cannot use Azure Portal to upload a certificate that has multiline secrets to key vault.

+ | Certificate | name of the certificate uploaded to KeyVault downloaded from LetΓÇÖs Encrypt (Download the ISRG Root X1 certificate in PEM format). Note: you must upload the certificate as a secret using Azure CLI. Refer to the **Key vault integration** guide below |

+> [!NOTE]

+> Depending on how your confluent cloud kafka cluster is configured, you may need a certificate different from the standard certificate confluent cloud uses for server authentication. Confirm with the admin of the confluent cloud kafka cluster to verify what certificate to use.

+>

+> Your Azure Stream Analytics job will fail when the certificate used for authentication expires. To resolve this, you must update/replace the certificate in your key vault and restart your Azure Stream Analytics job.

+Below are some steps you can follow to upload your certificate as a secret to Azure CLI using your PowerShell:

+Make sure you have Azure CLI configured locally with PowerShell.

+Below are some steps you can follow to upload your certificate as a secret to Azure CLI using your PowerShell

+```PowerShell

+```PowerShell

+The `<your key vault>` is the name of the key vault you want to upload the certificate to. `<name of the secret>` is any name you want to give to your secret and how it will show up in the keyvault. Note the name, you will use it to configure your kafka output in your ASA job. `<file path to certificate>` is the path to where you have downloaded your certificate.

+```PowerShell

+az keyvault secret set --vault-name <your key vault> --name <name of the secret> --file <file path to certificate>

+> Azure Stream Analytics supports only numerical decimal format.

+| Kafka topic | A named, ordered, and partitioned stream of data that allows for the publish-subscribe and event-driven processing of messages.|

+Confluent uses TLS certificates from LetΓÇÖs Encrypt, an open certificate authority (CA). You can download the ISRG Root X1 certificate in PEM format on the site of [LetsEncrypt](https://letsencrypt.org/certificates/).

+> [!IMPORTANT]

+> You must use Azure CLI to upload the certificate as a secret to your key vault. You cannot use Azure Portal to upload a certificate that has multiline secrets to key vault.

+> The default timestamp type for a topic in a confluent cloud kafka cluster is **CreateTime**, make sure you update it to **LogAppendTime**.

+> Azure Stream Analytics supports only numerical decimal format.

+ | Certificate | name of the certificate uploaded to KeyVault downloaded from LetΓÇÖs Encrypt (Download the ISRG Root X1 certificate in PEM format). Note: you must upload the certificate as a secret using Azure CLI. Refer to the **Key vault integration** guide below |

+> [!NOTE]

+> Depending on how your confluent cloud kafka cluster is configured, you may need a certificate different from the standard certificate confluent cloud uses for server authentication. Confirm with the admin of the confluent cloud kafka cluster to verify what certificate to use.

+>

+To upload certificates, you must have "**Key Vault Administrator**" access to your Key vault.

+Follow the following to grant admin access:

+> Your Azure Stream Analytics job will fail when the certificate used for authentication expires. To resolve this, you must update/replace the certificate in your key vault and restart your Azure Stream Analytics job.

+Make sure you have Azure CLI configured locally with PowerShell.

+```PowerShell

+```PowerShell

+The `<your key vault>` is the name of the key vault you want to upload the certificate to. `<name of the secret>` is any name you want to give to your secret and how it will show up in the key vault. Note the name; you will use it to configure your kafka output in your ASA job. `<file path to certificate>` is the path to where you have downloaded your certificate.

+```PowerShell

+az keyvault secret set --vault-name <your key vault> --name <name of the secret> --file <file path to certificate>

+This article walks you through the process of configuring single sign-on (SSO) using Microsoft Entra authentication for Azure Virtual Desktop (preview). When you enable SSO, users will authenticate to Windows using a Microsoft Entra ID token, obtained for the *Microsoft Remote Desktop* resource application (changing to *Windows Cloud Login* beginning in 2024). This enables them to use passwordless authentication and third-party Identity Providers that federate with Microsoft Entra ID to sign in to your Azure Virtual Desktop resources. When enabled, this feature provides a single sign-on experience when authenticating to the session host and configures the session to provide single sign-on to Microsoft Entra ID-based resources inside the session.

+In environments with an Active Directory (AD) and hybrid user accounts, the default Password Replication Policy on Read-only Domain Controllers denies password replication for members of Domain Admins and Administrators security groups. This will prevent these admin accounts from signing in to Microsoft Entra hybrid joined hosts and might keep prompting them to enter their credentials. It will also prevent admin accounts from accessing on-premises resources that leverage Kerberos authentication from Microsoft Entra joined hosts.

+To enable single sign-on in your environment, you must:

+1. Enable Microsoft Entra authentication for Remote Desktop Protocol (RDP).

+1. Configure the target device groups.

+1. Create a Kerberos Server object.

+1. Review your conditional access policies.

+1. Configure your host pool to enable single sign-on.

+### Enable Microsoft Entra authentication for RDP

+> [!IMPORTANT]

+> Due to an upcoming change, the steps below should be completed for the following Microsoft Entra Apps:

+>

+> - Microsoft Remote Desktop (App ID a4a365df-50f1-4397-bc59-1a1564b8bb9c).

+> - Windows Cloud Login (App ID 270efc09-cd0d-444b-a71f-39af4910ec45)

+Before enabling the single sign-on feature, you must first allow Microsoft Entra authentication for Windows in your Microsoft Entra tenant. This will enable issuing RDP access tokens allowing users to sign in to Azure Virtual Desktop session hosts. This is done by enabling the isRemoteDesktopProtocolEnabled property on the service principal's remoteDesktopSecurityConfiguration object for the apps listed above.

+Use the [Microsoft Graph API](/graph/use-the-api) to [create remoteDesktopSecurityConfiguration](/graph/api/serviceprincipal-post-remotedesktopsecurityconfiguration) and set the property **isRemoteDesktopProtocolEnabled** to **true** to enable Microsoft Entra authentication.

+### Configure the target device groups

+> [!IMPORTANT]

+> Due to an upcoming change, the steps below should be completed for the following Microsoft Entra Apps:

+>

+> - Microsoft Remote Desktop (App ID a4a365df-50f1-4397-bc59-1a1564b8bb9c).

+> - Windows Cloud Login (App ID 270efc09-cd0d-444b-a71f-39af4910ec45)

+By default when enabling single sign-on, users are prompted to authenticate to Microsoft Entra ID and allow the Remote Desktop connection when launching a connection to a new session host. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect.

+To provide single sign-on for all connections, you can hide this dialog by configuring a list of trusted devices. This is done by adding one or more Device Groups containing Azure Virtual Desktop session hosts to a property on the service principals for the apps listed above in your Microsoft Entra tenant.

+Follow these steps to hide the dialog:

+1. [Create a Dynamic Device Group](/entra/identity/users/groups-create-rule) in Microsoft Entra containing the devices to hide the dialog for. Remember the device group ID for the next step.

+ > [!TIP]

+ > It's recommended to use a dynamic device group and configure the dynamic membership rules to includes all your Azure Virtual Desktop session hosts. This can be done using the device names or for a more secure option, you can set and use [device extension attributes](/graph/extensibility-overview) using [Microsoft Graph API](/graph/api/resources/device).

+1. Use the [Microsoft Graph API](/graph/use-the-api) to [create a new targetDeviceGroup object](/graph/api/remotedesktopsecurityconfiguration-post-targetdevicegroups) to suppress the prompt from these devices.

+### Review your conditional access policies

+When single sign-on is enabled, a new Microsoft Entra ID app is introduced to authenticate users to the session host. If you have conditional access policies that apply when accessing Azure Virtual Desktop, review the recommendations on setting up [multifactor authentication](set-up-mfa.md) to ensure users have the desired experience.

+ Title: Auto-shutdown a VM

+# Auto-shutdown a virtual machine

+In this tutorial, you learn how to automatically shut down virtual machines (VMs) in Azure. The auto-shutdown feature for Azure VMs can help reduce costs by shutting down the VMs during off hours when they aren't needed and automatically restarting them when they're needed again.

+The remaining VMs with these specific sizes on your subscription will be set to a deallocated state. These VMs will be stopped and removed from the host. These VMs will no longer be billed in the deallocated state.

+| Standard_B2as_v2 | 2 | 8 | 40% | 60 | 48 | 1152 | 3750/85 | 10,000/960 | 4 | 6.25 | 2 |

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max cached and temp storage throughput: IOPS/MBps (cache size in GiB)^* | Max NICs |Max network egress bandwidth (Mbps) |

+| Size | vCPU | Memory: GiB | Temp storage (SSD) GiB | Max data disks | Max cached and temp storage throughput: IOPS/MBps (cache size in GiB)^* | Max uncached disk throughput: IOPS/MBps | Max burst uncached disk throughput: IOPS/MBps | Max NICs | Max network egress bandwidth (Mbps) |

+ Title: Troubleshoot VM hibernation

+description: Learn how to troubleshoot VM hibernation.

+# Troubleshooting VM hibernation

+> [!IMPORTANT]

+> Azure Virtual Machines - Hibernation is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Hibernating a virtual machine allows you to persist the VM state to the OS disk. This article describes how to troubleshoot issues with the hibernation feature, issues creating hibernation enabled VMs, and issues with hibernating a VM.

+## Subscription not registered to use hibernation

+If you receive the error "Your subscription isn't registered to use Hibernate" and the box is greyed out in the Azure portal, make sure you have [register for the Hibernation preview.](hibernate-resume.md)

+

+## Unable to create a VM with hibernation enabled

+If you're unable to create a VM with hibernation enabled, ensure that you're using a VM size, OS version that supports Hibernation. Refer to the supported VM sizes, OS versions section in the user guide and the limitations section for more details. Here are some common error codes that you might observe:

+| ResultCode | Error Message | Action |

+|--|--|--|

+| OperationNotAllowed | The referenced os disk should support hibernation for a VM with hibernation capability. | Validate that the OS disk has hibernation support enabled. |

+| OperationNotAllowed | The referenced platform image should support hibernation for a VM with hibernation capability. | Use a platform image that supports hibernation. |

+| OperationNotAllowed | The referenced shared gallery image should support hibernation for a VM with hibernation capability. | Validate that the Shared Gallery Image Definition has hibernation support enabled |

+| OperationNotAllowed | Hibernation capability isn't supported for Spot VMs. | |

+| OperationNotAllowed | User VM Image isn't supported for a VM with Hibernation capability. | Use a platform image or Shared Gallery Image if you want to use the hibernation feature |

+| OperationNotAllowed | Referencing a Dedicated Host isn't supported for a VM with Hibernation capability. | |

+| OperationNotAllowed | Referencing a Capacity Reservation Group isn't supported for a VM with Hibernation capability. | |

+| OperationNotAllowed | Enabling/disabling hibernation on an existing VM requires the VM to be stopped (deallocated) first. | Stop-deallocate the VM, patch with VM to enable hibernation and then start the VM |

+| OperationNotAllowed | Hibernation can't be enabled on Virtual Machine since the OS Disk Size ({0} bytes) should at least be greater than the VM memory ({1} bytes). | Ensure the OS disk has enough space to be able to persist the RAM contents once the VM is hibernated |

+| OperationNotAllowed | Hibernation can't be enabled on Virtual Machines created in an Availability Set. | Hibernation is only supported for standalone VMs & Virtual Machine Scale Sets Flex VMs |

+## Unable to hibernate a VM

+If you're unable to hibernate a VM, first check whether hibernation is enabled on the VM. For example, using the GET VM API, you can check if hibernation is enabled on the VM

+```

+ "properties": {

+ "vmId": "XXX",

+ "hardwareProfile": {

+ "vmSize": "Standard_D4s_v5"

+ },

+ "additionalCapabilities": {

+ "hibernationEnabled": true

+ },

+```

+If hibernation is enabled on the VM, check if hibernation is successfully enabled in the guest OS.

+### [Linux](#tab/troubleshootLinuxCantHiber)

+On Linux, you can check the extension status if you used the extension to enable hibernation in the guest OS.

+### [Windows](#tab/troubleshootWindowsCantHiber)

+On Windows, you can check the status of the Hibernation extension to see if the extension was able to successfully configure the guest OS for hibernation.

+The VM instance view would have the final output of the extension:

+```

+"extensions": [

+ {

+ "name": "AzureHibernateExtension",

+ "type": "Microsoft.CPlat.Core.WindowsHibernateExtension",

+ "typeHandlerVersion": "1.0.2",

+ "statuses": [

+ {

+ "code": "ProvisioningState/succeeded",

+ "level": "Info",

+ "displayStatus": "Provisioning succeeded",

+ "message": "Enabling hibernate succeeded. Response from the powercfg command: \tThe hiberfile size has been set to: 17178693632 bytes.\r\n"

+ }

+ ]

+ },

+```

+Additionally, confirm that hibernate is enabled as a sleep state inside the guest. The expected output for the guest should look like this.

+```

+C:\Users\vmadmin>powercfg /a

+ The following sleep states are available on this system:

+ Hibernate

+ Fast Startup

+ The following sleep states are not available on this system:

+ Standby (S1)

+ The system firmware does not support this standby state.

+ Standby (S2)

+ The system firmware does not support this standby state.

+ Standby (S3)

+ The system firmware does not support this standby state.

+ Standby (S0 Low Power Idle)

+ The system firmware does not support this standby state.

+ Hybrid Sleep

+ Standby (S3) isn't available.

+```

+If 'Hibernate' isn't listed as a supported sleep state, there should be a reason associated with it, which should help determine why hibernate isn't supported. This occurs if guest hibernate hasn't been configured for the VM.

+```

+C:\Users\vmadmin>powercfg /a

+ The following sleep states are not available on this system:

+ Standby (S1)

+ The system firmware does not support this standby state.

+ Standby (S2)

+ The system firmware does not support this standby state.

+ Standby (S3)

+ The system firmware does not support this standby state.

+ Hibernate

+ Hibernation hasn't been enabled.

+ Standby (S0 Low Power Idle)

+ The system firmware does not support this standby state.

+ Hybrid Sleep

+ Standby (S3) is not available.

+ Hibernation is not available.

+ Fast Startup

+ Hibernation is not available.

+```

+If the extension or the guest sleep state reports an error, you'd need to update the guest configurations as per the error descriptions to resolve the issue. After fixing all the issues, you can validate that hibernation has been enabled successfully inside the guest by running the 'powercfg /a' command - which should return Hibernate as one of the sleep states.

+Also validate that the AzureHibernateExtension returns to a Succeeded state. If the extension is still in a failed state, then update the extension state by triggering [reapply VM API](/rest/api/compute/virtual-machines/reapply?tabs=HTTP)

+>[!NOTE]

+>If the extension remains in a failed state, you can't hibernate the VM

+Commonly seen issues where the extension fails

+| Issue | Action |

+|--|--|

+| Page file is in temp disk. Move it to OS disk to enable hibernation. | Move page file to the C: drive and trigger reapply on the VM to rerun the extension |

+| Windows failed to configure hibernation due to insufficient space for the hiberfile | Ensure that C: drive has sufficient space. You can try expanding your OS disk, your C: partition size to overcome this issue. Once you have sufficient space, trigger the Reapply operation so that the extension can retry enabling hibernation in the guest and succeeds. |

+| Extension error message: ΓÇ£A device attached to the system isn't functioningΓÇ¥ | Ensure that C: drive has sufficient space. You can try expanding your OS disk, your C: partition size to overcome this issue. Once you have sufficient space, trigger the Reapply operation so that the extension can retry enabling hibernation in the guest and succeeds. |

+| Hibernation is no longer supported after Virtualization Based Security (VBS) was enabled inside the guest | Enable Virtualization in the guest to get VBS capabilities along with the ability to hibernate the guest. [Enable virtualization in the guest OS.](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v#enable-hyper-v-using-powershell) |

+| Enabling hibernate failed. Response from the powercfg command. Exit Code: 1. Error message: Hibernation failed with the following error: The request isn't supported. The following items are preventing hibernation on this system. The current Device Guard configuration disables hibernation. An internal system component disabled hibernation. Hypervisor | Enable Virtualization in the guest to get VBS capabilities along with the ability to hibernate the guest. To enable virtualization in the guest, refer to [this document](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v#enable-hyper-v-using-powershell) |

+## Guest VMs unable to hibernate

+### [Windows](#tab/troubleshootWindowsGuestCantHiber)

+If a hibernate operation succeeds, the following events are seen in the guest:

+```

+Guest responds to the hibernate operation (note that the following event is logged on the guest on resume)

+ Log Name: System

+ Source: Kernel-Power

+ Event ID: 42

+ Level: Information

+ Description:

+ The system is entering sleep

+```

+If the guest fails to hibernate, then all or some of these events are missing.

+Commonly seen issues:

+| Issue | Action |

+|--|--|

+| Guest fails to hibernate because Hyper-V Guest Shutdown Service is disabled. | [Ensure that Hyper-V Guest Shutdown Service isn't disabled.](/virtualization/hyper-v-on-windows/reference/integration-services#hyper-v-guest-shutdown-service) Enabling this service should resolve the issue. |

+| Guest fails to hibernate because HVCI (Memory integrity) is enabled. | Hibernation isn't supported with HVCI. Disabling HVCI should resolve the issue. |

+Logs needed for troubleshooting:

+If you encounter an issue outside of these known scenarios, the following logs can help Azure troubleshoot the issue:

+1. Event logs on the guest: Microsoft-Windows-Kernel-Power, Microsoft-Windows-Kernel-General, Microsoft-Windows-Kernel-Boot.

+1. On bug check, a guest crash dump is helpful.

+### [Linux](#tab/troubleshootLinuxGuestCantHiber)

+on Linux, you can check the extension status if you used the extension to enable hibernation in the guest OS.

+If you used the hibernation-setup-tool to configure the guest for hibernation, you can check if the tool executed successfully through this command:

+```

+systemctl status hibernation-setup-tool

+```

+A successful status should return "Inactive (dead)ΓÇ¥, and the log messages should say "Swap file for VM hibernation set up successfully"

+Example:

+```

+azureuser@:~$ systemctl status hibernation-setup-tool

+ΓùÅ hibernation-setup-tool.service - Hibernation Setup Tool

+ Loaded: loaded (/lib/systemd/system/hibernation-setup-tool.service; enabled; vendor preset: enabled)

+ Active: inactive (dead) since Wed 2021-08-25 22:44:29 UTC; 17min ago

+ Process: 1131 ExecStart=/usr/sbin/hibernation-setup-tool (code=exited, status=0/SUCCESS)

+ Main PID: 1131 (code=exited, status=0/SUCCESS)

+linuxhib2 hibernation-setup-tool[1131]: INFO: update-grub2 finished successfully.

+linuxhib2 hibernation-setup-tool[1131]: INFO: udev rule to hibernate with systemd set up in /etc/udev/rules.d/99-vm-hibernation.rules. Telling udev about it.

+…

+…

+linuxhib2 hibernation-setup-tool[1131]: INFO: systemctl finished successfully.

+linuxhib2 hibernation-setup-tool[1131]: INFO: Swap file for VM hibernation set up successfully

+```

+If the guest OS isn't configured for hibernation, take the appropriate action to resolve the issue. For example, if the guest failed to configure hibernation due to insufficient space, resize the OS disk to resolve the issue.

+## Common error codes

+| ResultCode | errorDetails | Action |

+|--|--|--|

+| InternalOperationError | The fabric operation failed. | This is usually a transient issue. Retry the Hibernate operation after 5mins. |

+| OperationNotAllowed | Operation 'HibernateAndDeallocate' isn't allowed on VM 'Z0000ZYH000' since VM has extension 'AzureHibernateExtension' in failed state | Customer issue. Confirm that VM creation with hibernation enabled succeeded, and that the extension is in a healthy state |

+| OperationNotAllowed | The Hibernate-Deallocate Operation can only be triggered on a VM that is successfully provisioned and is running. | Customer error. Ensure that the VM is successfully running before attempting to Hibernate-Deallocate the VM. |

+| OperationNotAllowed | The Hibernate-Deallocate Operation can only be triggered on a VM that is enabled for hibernation. Enable the property additionalCapabilities.hibernationEnabled during VM creation, or after stopping and deallocating the VM. | Customer error. |

+| VMHibernateFailed | Hibernating the VM 'hiber_vm_res_5' failed due to an internal error. Retry later. | Retry after 5mins. If it continues to fail after multiple retries, check if the guest is correctly configured to support hibernation or contact Azure support. |

+| VMHibernateNotSupported | The VM 'Z0000ZYJ000' doesn't support hibernation. Ensure that the VM is correctly configured to support hibernation. | Hibernating a VM immediately after boot isn't supported. Retry hibernating the VM after a few minutes. |

+## Unable to resume a VM

+Starting a hibernated VM is similar to starting a stopped VM. For errors and troubleshooting steps related to starting a VM, refer to this guide

+In addition to commonly seen issues while starting VMs, certain issues are specific to starting a hibernated VM. These are described below-

+| ResultCode | errorDetails |

+|--|--|--|

+| OverconstrainedResumeFromHibernatedStateAllocationRequest | Allocation failed. VM(s) with the following constraints can't be allocated, because the condition is too restrictive. Remove some constraints and try again. Constraints applied are: Networking Constraints (such as Accelerated Networking or IPv6), Resuming from hibernated state (retry starting the VM after some time or alternatively stop-deallocate the VM and try starting the VM again). |

+| AllocationFailed | VM allocation failed from hibernated state due to insufficient capacity. Try again later or alternatively stop-deallocate the VM and try starting the VM. |

+## Windows guest resume status through VM instance view

+For Windows VMs, when you start a VM from a hibernated state, you can use the VM instance view to get more details on whether the guest successfully resumed from its previous hibernated state or if it failed to resume and instead did a cold boot.

+VM instance view output when the guest successfully resumes:

+```

+{

+ "computerName": "myVM",

+ "osName": "Windows 11 Enterprise",

+ "osVersion": "10.0.22000.1817",

+ "vmAgent": {

+ "vmAgentVersion": "2.7.41491.1083",

+ "statuses": [

+ {

+ "code": "ProvisioningState/succeeded",

+ "level": "Info",

+ "displayStatus": "Ready",

+ "message": "GuestAgent is running and processing the extensions.",

+ "time": "2023-04-25T04:41:17.296+00:00"

+ }

+ ],

+ "extensionHandlers": [

+ {

+ "type": "Microsoft.CPlat.Core.RunCommandWindows",

+ "typeHandlerVersion": "1.1.15",

+ "status": {

+ "code": "ProvisioningState/succeeded",

+ "level": "Info",

+ "displayStatus": "Ready"

+ }

+ },

+ {

+ "type": "Microsoft.CPlat.Core.WindowsHibernateExtension",

+ "typeHandlerVersion": "1.0.3",

+ "status": {

+ "code": "ProvisioningState/succeeded",

+ "level": "Info",

+ "displayStatus": "Ready"

+ }

+ }

+ ]

+ },

+ "extensions": [

+ {

+ "name": "AzureHibernateExtension",

+ "type": "Microsoft.CPlat.Core.WindowsHibernateExtension",

+ "typeHandlerVersion": "1.0.3",

+ "substatuses": [

+ {

+ "code": "ComponentStatus/VMBootState/Resume/succeeded",

+ "level": "Info",

+ "displayStatus": "Provisioning succeeded",

+ "message": "Last guest resume was successful."

+ }

+ ],

+ "statuses": [

+ {

+ "code": "ProvisioningState/succeeded",

+ "level": "Info",

+ "displayStatus": "Provisioning succeeded",

+ "message": "Enabling hibernate succeeded. Response from the powercfg command: \tThe hiberfile size has been set to: XX bytes.\r\n"

+ }

+ ]

+ }

+ ],

+ "statuses": [

+ {

+ "code": "ProvisioningState/succeeded",

+ "level": "Info",

+ "displayStatus": "Provisioning succeeded",

+ "time": "2023-04-25T04:41:17.8996086+00:00"

+ },

+ {

+ "code": "PowerState/running",

+ "level": "Info",

+ "displayStatus": "VM running"

+ }

+ ]

+}

+```

+If the Windows guest fails to resume from its previous state and cold boots, then the VM instance view response is:

+```

+ "extensions": [

+ {

+ "name": "AzureHibernateExtension",

+ "type": "Microsoft.CPlat.Core.WindowsHibernateExtension",

+ "typeHandlerVersion": "1.0.3",

+ "substatuses": [

+ {

+ "code": "ComponentStatus/VMBootState/Start/succeeded",

+ "level": "Info",

+ "displayStatus": "Provisioning succeeded",

+ "message": "VM booted."

+ }

+ ],

+ "statuses": [

+ {

+ "code": "ProvisioningState/succeeded",

+ "level": "Info",

+ "displayStatus": "Provisioning succeeded",

+ "message": "Enabling hibernate succeeded. Response from the powercfg command: \tThe hiberfile size has been set to: XX bytes.\r\n"

+ }

+ ]

+ }

+ ],

+ "statuses": [

+ {

+ "code": "ProvisioningState/succeeded",

+ "level": "Info",

+ "displayStatus": "Provisioning succeeded",

+ "time": "2023-04-19T17:18:18.7774088+00:00"

+ },

+ {

+ "code": "PowerState/running",

+ "level": "Info",

+ "displayStatus": "VM running"

+ }

+ ]

+}

+```

+## Windows guest events while resuming

+If a guest successfully resumes, the following guest events are available:

+```

+Log Name: System

+ Source: Kernel-Power

+ Event ID: 107

+ Level: Information

+ Description:

+ The system has resumed from sleep.

+```

+If the guest fails to resume, all or some of these events are missing. To troubleshoot why the guest failed to resume, the following logs are needed:

+- Event logs on the guest: Microsoft-Windows-Kernel-Power, Microsoft-Windows-Kernel-General, Microsoft-Windows-Kernel-Boot.

+- On bugcheck, a guest crash dump is needed.

+ Title: Learn about hibernating your VM

+description: Learn how to hibernate a VM.

+# Hibernating virtual machines

+**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs

+> [!IMPORTANT]

+> Azure Virtual Machines - Hibernation is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Hibernation allows you to pause VMs that aren't being used and save on compute costs. It's an effective cost management feature for scenarios such as:

+- Virtual desktops, dev/test, and other scenarios where the VMs don't need to run 24/7.

+- Systems with long boot times due to memory intensive applications. These applications can be initialized on VMs and hibernated. These ΓÇ£prewarmedΓÇ¥ VMs can then be quickly started when needed, with the applications already up and running in the desired state.

+## How hibernation works

+When you hibernate a VM, Azure signals the VM's operating system to perform a suspend-to-disk action. Azure stores the memory contents of the VM in the OS disk, then deallocates the VM. When the VM is started again, the memory contents are transferred from the OS disk back into memory. Applications and processes that were previously running in your VM resume from the state prior to hibernation.

+Once a VM is in a hibernated state, you aren't billed for the VM usage. Your account is only billed for the storage (OS disk, data disks) and networking resources (IPs, etc.) attached to the VM.

+When hibernating a VM:

+- Hibernation is triggered on a VM using the Azure portal, CLI, PowerShell, SDKs, or APIs. Azure then signals the guest operating system to perform suspend-to-disk (S4).

+- The VM's memory contents are stored on the OS disk. The VM is then deallocated, releases the lease on the underlying hardware, and is powered off. Refer to VM [states and billing](states-billing.md) for more details on the VM deallocated state.

+- Data in the temporary disk isn't persisted.

+- The OS disk, data disks, and NICs remain attached to your VM. Any static IPs remain unchanged.

+- You aren't billed for the VM usage for a hibernated VM.

+- You continue to be billed for the storage and networking resources associated with the hibernated VM.

+## Supported configurations

+Hibernation support is limited to certain VM sizes and OS versions. Make sure you have a supported configuration before using hibernation.

+### Supported VM sizes

+VM sizes with up to 32-GB RAM from the following VM series support hibernation.

+- [Dasv5-series](dasv5-dadsv5-series.md)

+- [Dadsv5-series](dasv5-dadsv5-series.md)

+- [Dsv5-series](../virtual-machines/dv5-dsv5-series.md)

+- [Ddsv5-series](ddv5-ddsv5-series.md)

+### Operating system support and limitations

+#### [Linux](#tab/osLimitsLinux)

+##### Supported Linux versions

+The following Linux operating systems support hibernation:

+- Ubuntu 22.04 LTS

+- Ubuntu 20.04 LTS

+- Ubuntu 18.04 LTS

+- Debian 11

+- Debian 10 (with backports kernel)

+##### Linux Limitations

+- Hibernation isn't supported with Trusted Launch for Linux VMs

+#### [Windows](#tab/osLimitsWindows)

+##### Supported Windows versions

+The following Windows operating systems support hibernation:

+- Windows Server 2022

+- Windows Server 2019

+- Windows 11 Pro

+- Windows 11 Enterprise

+- Windows 11 Enterprise multi-session

+- Windows 10 Pro