+# [PowerShell](#tab/powershell)

+```powershell-interactive

+# Env: for the endpoint and key assumes that you are using environment variables.

+$openai = @{

+ api_key = $Env:AZURE_OPENAI_KEY

+ api_base = $Env:AZURE_OPENAI_ENDPOINT # your endpoint should look like the following https://YOUR_RESOURCE_NAME.openai.azure.com/

+ api_version = '2023-10-01-preview' # this may change in the future

+ name = 'YOUR-DEPLOYMENT-NAME-HERE' #This will correspond to the custom name you chose for your deployment when you deployed a model.

+}

+$prompt = 'Example prompt where a severity level of low is detected'

+ # Content that is detected at severity level medium or high is filtered,

+ # while content detected at severity level low isn't filtered by the content filters.

+$headers = [ordered]@{

+ 'api-key' = $openai.api_key

+}

+$body = [ordered]@{

+ prompt = $prompt

+ model = $openai.name

+} | ConvertTo-Json

+# Send a completion call to generate an answer

+$url = "$($openai.api_base)/openai/deployments/$($openai.name)/completions?api-version=$($openai.api_version)"

+$response = Invoke-RestMethod -Uri $url -Headers $headers -Body $body -Method Post -ContentType 'application/json'

+return $response.prompt_filter_results.content_filter_results | format-list

+```

+The `$response` object contains a property named `prompt_filter_results` that contains annotations

+about the filter results. If you prefer JSON to a .NET object, pipe the output to `ConvertTo-JSON`

+instead of `Format-List`.

+```output

+hate : @{filtered=False; severity=safe}

+self_harm : @{filtered=False; severity=safe}

+sexual : @{filtered=False; severity=safe}

+violence : @{filtered=False; severity=safe}

+```

+> Batch transcription jobs are scheduled on a best-effort basis. At peak hours it may take up to 30 minutes or longer for a transcription job to start processing. See how to check the current status of a batch transcription job in [this section](batch-transcription-get.md#get-transcription-status).

+You must have the latest aks-preview Azure CLI extension installed and register the `Microsoft.ContainerService` `AzureOverlayDualStackPreview` feature flag.

+ Title: Windows AKS customer stories

+description: Learn how customers are using Windows Containers on AKS.

+# Windows AKS customer stories

+Explore how various industries are using Windows Containers on Azure Kubernetes Service (AKS) for seamless Kubernetes integration with minimal code modifications.

+Learn directly from the customer stories listed here.

+## Customer stories

+- [Relativity](#relativity)

+- [Duck Creek](#duck-creek)

+- [Forza (Xbox Game Studios)](#forza)

+- [Microsoft Experience + Devices](#microsoft-experience--devices)

+### Relativity

+

+Relativity, transitioned from virtual machines to Windows containers on Azure Kubernetes Service (AKS) to modernize its Windows code base, streamline development, and improve scalability.

+This shift enabled faster, more cost-effective deployment of their products and services without rewriting millions of lines of code. The transition to a containerized architecture significantly reduced deployment cycles from six months to a single day, enhancing the speed and flexibility of RelativityΓÇÖs engineering teams and leading to better performance and security in their application delivery.

+For more information visit [RelativityΓÇÖs Windows AKS customer story](https://customers.microsoft.com/story/1516554049543037694-windows-containers-helps-relativity-boost-reliability-security).

+

+### Duck Creek

+

+Duck Creek Technologies modernized its insurance software solutions by adopting Windows containers on Azure Kubernetes Service (AKS), significantly enhancing operational efficiency and reducing time to market for new features. This transition to AKS enabled Duck Creek to offer scalable, reliable, and up-to-date SaaS solutions to its insurance clients, supporting rapid deployment and active delivery of updates.

+By containerizing their applications to Windows Containers, Duck Creek could maintain the flexibility and robustness of their products without extensive code rewriting, thereby ensuring high availability and scalability, especially critical during peak demand periods like natural disasters. This move represents Duck Creek's commitment to leveraging cutting-edge technology for Insurtech innovation.

+For more information visit [Duck CreekΓÇÖs Windows AKS customer story](https://customers.microsoft.com/story/1547298699206424647-duck-creek-insurance-core-systems-provide-evergreen-saas-solutions-using-windows-containers-aks).

+### Forza

+

+Forza Horizon 5, developed by Turn 10 Studios, achieved remarkable performance and scalability by transitioning to Azure Kubernetes Service (AKS) with Windows-based containers. This shift allowed the team to adapt swiftly to demand spikes, handling over 10 million concurrent players at launch, the biggest first week in Xbox Game Studios history.

+By utilizing Windows AKS, they were able to significantly reduce infrastructure management tasks, enhancing both the development process and the gaming experience. The move to containerized architecture enabled rapid scaling from 600,000 to 3 million concurrent users and reduced infrastructure costs, demonstrating the effectiveness of AKS in high-demand, low-latency environments like gaming.

+ For more information visit [ForzaΓÇÖs Windows AKS customer story](https://customers.microsoft.com/story/1498781140435260527-forza-horizon-5-crosses-finish-line-fueled-by-azure-kubernetes-service).

+### Microsoft Experience + Devices

+

+Microsoft's E+D group, responsible for supporting products such as Teams and Office modernized the Microsoft 365 infrastructure by transitioning to Windows containers on Azure Kubernetes Service (AKS), aiming for more consistent, efficient DevOps within strict security and compliance frameworks.

+The transition enabled Microsoft 365 developers to focus more on innovation and iterating quickly, leveraging the benefits of AKS like security-optimized hosting, automated compliance checks, and centralized capacity management, thereby accelerating development while optimizing resource utilization and costs.

+For more information visit [MicrosoftΓÇÖs E+D Windows AKS customer story](https://customers.microsoft.com/story/1536483517282553662-modernizing-microsoft-365-windows-containers-azure-kubernetes-service).

+Update your tools, scripts, and programs using the details in the following section.

+We also recommend setting the **Minimum API version** in your API Management instance.

+### Update your tools, scripts, and programs

+### Update Minimum API version setting on your API Management instance

+We recommend setting the **Minimum API version** for your API Management instance using the Azure portal. This setting limits control plane API calls to your instance with an API version equal to or newer than this value. Currently you can set this to **2019-12-01**.

+To set the **Minimum API version** in the portal:

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left menu, under **Deployment + infrastructure**, select **Management API**.

+1. Select the **Management API settings** tab.

+1. Under **Prevent users with read-only permissions from accessing service secrets**, select **Yes**. The **Minimum API version** appears.

+1. Select **Save**.

+

+## More information

+## Related content

+### Permissions

+You must have at least the following role-based access control permissions on the subnet or at a higher level to configure virtual network integration:

+| Action | Description |

+|-|-|

+| Microsoft.Network/virtualNetworks/read | Read the virtual network definition |

+| Microsoft.Network/virtualNetworks/subnets/read | Read a virtual network subnet definition |

+| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network |

+### Register Microsoft.Web resource provider

+Ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. You can explicitly register the provider [by following this documentation](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).

+This tutorial shows how to build, configure, and deploy a secure [Quarkus](https://quarkus.io) application in Azure App Service that's connected to a PostgreSQL database (using [Azure Database for PostgreSQL](../postgresql/index.yml)). Azure App Service is a highly scalable, self-patching, web-hosting service that can easily deploy apps on Windows or Linux. When you're finished, you'll have a Quarkus app running on [Azure App Service on Linux](overview.md).

+**To complete this tutorial, you'll need:**

+* An Azure account with an active subscription. If you don't have an Azure account, you [can create one for free](https://azure.microsoft.com/free/java/).

+* Knowledge of Java with [Quarkus](https://quarkus.io) development.

+## 1. Run the sample application

+The tutorial uses [Quarkus sample: Hibernate ORM with Panache and RESTEasy](https://github.com/Azure-Samples/msdocs-quarkus-postgresql-sample-app), which comes with a [dev container](https://docs.github.com/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers) configuration. The easiest way to run it is in a GitHub codespace.

+ :::column span="2":::

+ **Step 1:** In a new browser window:

+ 1. Sign in to your GitHub account.

+ 1. Navigate to [https://github.com/Azure-Samples/msdocs-quarkus-postgresql-sample-app](https://github.com/Azure-Samples/msdocs-quarkus-postgresql-sample-app).

+ 1. Select **Fork**.

+ 1. Select **Create fork**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-1.png" alt-text="A screenshot showing how to create a fork of the sample GitHub repository." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-1.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 2:** In the GitHub fork, select **Code** > **Create codespace on main**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-2.png" alt-text="A screenshot showing how create a codespace in GitHub." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-2.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 3:** In the codespace terminal:

+ 1. Run `mvn quarkus:dev`.

+ 1. When you see the notification `Your application running on port 8080 is available.`, select **Open in Browser**. If you see a notification with port 5005, skip it.

+ You should see the sample application in a new browser tab.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-3.png" alt-text="A screenshot showing how to run the sample application inside the GitHub codespace." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-run-sample-application-3.png":::

+ :::column-end:::

+For more information on how the Quarkus sample application is created, see Quarkus documentation [Simplified Hibernate ORM with Panache](https://quarkus.io/guides/hibernate-orm-panache) and [Configure data sources in Quarkus](https://quarkus.io/guides/datasource).

+## 2. Create App Service and PostgreSQL

+First, you create the Azure resources. The steps used in this tutorial create a set of secure-by-default resources that include App Service and Azure Database for PostgreSQL. For the creation process, you'll specify:

+* The **Name** for the web app. It's the name used as part of the DNS name for your webapp in the form of `https://<app-name>.azurewebsites.net`.

+* The **Region** to run the app physically in the world.

+* The **Runtime stack** for the app. It's where you select the version of Java to use for your app.

+* The **Hosting plan** for the app. It's the pricing tier that includes the set of features and scaling capacity for your app.

+* The **Resource Group** for the app. A resource group lets you group (in a logical container) all the Azure resources needed for the application.

+Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps to create your Azure App Service resources.

+ :::column span="2":::

+ **Step 1:** In the Azure portal:

+ 1. Enter "web app database" in the search bar at the top of the Azure portal.

+ 1. Select the item labeled **Web App + Database** under the **Marketplace** heading.

+ You can also navigate to the [creation wizard](https://portal.azure.com/?feature.customportal=false#create/Microsoft.AppServiceWebAppDatabaseV3) directly.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-1.png" alt-text="A screenshot showing how to use the search box in the top tool bar to find the Web App + Database creation wizard." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-1.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 2:** In the **Create Web App + Database** page, fill out the form as follows.

+ 1. *Resource Group* &rarr; Select **Create new** and use a name of **msdocs-quarkus-postgres-tutorial**.

+ 1. *Region* &rarr; Any Azure region near you.

+ 1. *Name* &rarr; **msdocs-quarkus-postgres-XYZ** where *XYZ* is any three random characters. This name must be unique across Azure.

+ 1. *Runtime stack* &rarr; **Java 17**.

+ 1. *Java web server stack* &rarr; **Java SE (Embedded Web Server)**.

+ 1. *Database* &rarr; **PostgreSQL - Flexible Server**. The server name and database name are set by default to appropriate values.

+ 1. *Hosting plan* &rarr; **Basic**. When you're ready, you can [scale up](manage-scale-up.md) to a production pricing tier later.

+ 1. Select **Review + create**.

+ 1. After validation completes, select **Create**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-2.png" alt-text="A screenshot showing how to configure a new app and database in the Web App + Database wizard." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-2.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 3:** The deployment takes a few minutes to complete. Once deployment completes, select the **Go to resource** button. You're taken directly to the App Service app, but the following resources are created:

+ - **Resource group** &rarr; The container for all the created resources.

+ - **App Service plan** &rarr; Defines the compute resources for App Service. A Linux plan in the *Basic* tier is created.

+ - **App Service** &rarr; Represents your app and runs in the App Service plan.

+ - **Virtual network** &rarr; Integrated with the App Service app and isolates back-end network traffic.

+ - **Azure Database for PostgreSQL flexible server** &rarr; Accessible only from within the virtual network. A database and a user are created for you on the server.

+ - **Private DNS zone** &rarr; Enables DNS resolution of the PostgreSQL server in the virtual network.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-3.png" alt-text="A screenshot showing the deployment process completed." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-create-app-postgres-3.png":::

+ :::column-end:::

+## 3. Verify connection settings

+The creation wizard generated the connectivity variables for you already as [app settings](configure-common.md#configure-app-settings). App settings are one way to keep connection secrets out of your code repository. When you're ready to move your secrets to a more secure location, you can use [Key Vault references](app-service-key-vault-references.md) instead.

+ :::column span="2":::

+ **Step 1:** In the App Service page, in the left menu, select **Configuration**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-get-connection-string-1.png" alt-text="A screenshot showing how to open the configuration page in App Service." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-get-connection-string-1.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 2:** In the **Application settings** tab of the **Configuration** page, verify that `AZURE_POSTGRESQL_CONNECTIONSTRING` is present. It's injected at runtime as an environment variable.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-get-connection-string-2.png" alt-text="A screenshot showing how to see the autogenerated connection string." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-get-connection-string-2.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 4:** In the **Application settings** tab of the **Configuration** page, select **New application setting**. Name the setting `PORT` and set its value to `8080`, which is the default port of the Quarkus application. Select **OK**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-app-service-app-setting.png" alt-text="A screenshot showing how to set the PORT app setting in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-app-service-app-setting.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 5:** Select **Save**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-app-service-app-setting-save.png" alt-text="A screenshot showing how to save the PORT app setting in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-app-service-app-setting-save.png":::

+ :::column-end:::

+Having issues? Check the [Troubleshooting section](#troubleshooting).

+## 4. Deploy sample code

+In this step, you'll configure GitHub deployment using GitHub Actions. It's just one of many ways to deploy to App Service, but also a great way to have continuous integration in your deployment process. By default, every `git push` to your GitHub repository will kick off the build and deploy action.

+Note the following:

+- Your deployed Java package must be an [Uber-Jar](https://quarkus.io/guides/maven-tooling#uber-jar-maven).

+- For simplicity of the tutorial, you'll disable tests during the deployment process. The GitHub Actions runners don't have access to the PostgreSQL database in Azure, so any integration tests that require database access will fail, such as is the case with the Quarkus sample application.

+ :::column span="2":::

+ **Step 1:** Back in the App Service page, in the left menu, select **Deployment Center**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-1.png" alt-text="A screenshot showing how to open the deployment center in App Service." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-1.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 2:** In the Deployment Center page:

+ 1. In **Source**, select **GitHub**. By default, **GitHub Actions** is selected as the build provider.

+ 1. Sign in to your GitHub account and follow the prompt to authorize Azure.

+ 1. In **Organization**, select your account.

+ 1. In **Repository**, select **msdocs-quarkus-postgresql-sample-app**.

+ 1. In **Branch**, select **main**.

+ 1. In **Authentication type**, select **User-assigned identity (Preview)**.

+ 1. In the top menu, select **Save**. App Service commits a workflow file into the chosen GitHub repository, in the `.github/workflows` directory.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-2.png" alt-text="A screenshot showing how to configure CI/CD using GitHub Actions." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-2.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 3:** Back in the GitHub codespace of your sample fork,

+ 1. Open *src/main/resources/application.properties* in the explorer. Quarkus uses this file to load Java properties.

+ 1. Add a production property `%prod.quarkus.datasource.jdbc.url=${AZURE_POSTGRESQL_CONNECTIONTRING}`.

+ This property sets the production data source URL to the app setting that the creation wizard generated for you.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-3.png" alt-text="A screenshot showing a GitHub codespace and the application.properties file opened." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-3.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 4:**

+ 1. Open *.github/workflows/main_msdocs-quarkus-postgres-XYZ.yml* in the explorer. This file was created by the App Service create wizard.

+ 1. Under the `Build with Maven` step, change the Maven command to `mvn clean install -DskipTests -Dquarkus.package.type=uber-jar`.

+ `-DskipTests` skips the tests in your Quarkus project, and `-Dquarkus.package.type=uber-jar` creates an Uber-Jar that App Service needs.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-4.png" alt-text="A screenshot showing a GitHub codespace and a GitHub workflow YAML opened." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-4.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 5:**

+ 1. Select the **Source Control** extension.

+ 1. In the textbox, type a commit message like `Configure DB and deployment workflow`.

+ 1. Select **Commit**, then confirm with **Yes**.

+ 1. Select **Sync changes 2**, then confirm with **OK**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-5.png" alt-text="A screenshot showing the changes being committed and pushed to GitHub." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-5.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 6:** Back in the Deployment Center page in the Azure portal:

+ 1. Select **Logs**. A new deployment run is already started from your committed changes.

+ 1. In the log item for the deployment run, select the **Build/Deploy Logs** entry with the latest timestamp.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-6.png" alt-text="A screenshot showing how to open deployment logs in the deployment center." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-6.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 7:** You're taken to your GitHub repository and see that the GitHub action is running. The workflow file defines two separate stages, build and deploy. Wait for the GitHub run to show a status of **Complete**. It takes about 5 minutes.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-7.png" alt-text="A screenshot showing a GitHub run in progress." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-deploy-sample-code-7.png":::

+ :::column-end:::

+Having issues? Check the [Troubleshooting section](#troubleshooting).

+## 5. Browse to the app

+ :::column span="2":::

+ **Step 1:** In the App Service page:

+ 1. From the left menu, select **Overview**.

+ 1. Select the URL of your app. You can also navigate directly to `https://<app-name>.azurewebsites.net`.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-browse-app-1.png" alt-text="A screenshot showing how to launch an App Service from the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-browse-app-1.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 2:** Add a few fruits to the list.

+ Congratulations, you're running a web app in Azure App Service, with secure connectivity to Azure Database for PostgreSQL.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-browse-app-2.png" alt-text="A screenshot of the Quarkus web app with PostgreSQL running in Azure showing a list of fruits." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-browse-app-2.png":::

+ :::column-end:::

+## 6. Stream diagnostic logs

+Azure App Service captures all messages output to the console to help you diagnose issues with your application. The sample application includes standard JBoss logging statements to demonstrate this capability as shown below.

+ :::column span="2":::

+ **Step 1:** In the App Service page:

+ 1. From the left menu, select **App Service logs**.

+ 1. Under **Application logging**, select **File System**.

+ 1. In the top menu, select **Save**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-stream-diagnostic-logs-1.png" alt-text="A screenshot showing how to enable native logs in App Service in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-stream-diagnostic-logs-1.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 2:** From the left menu, select **Log stream**. You see the logs for your app, including platform logs and logs from inside the container.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-stream-diagnostic-logs-2.png" alt-text="A screenshot showing how to view the log stream in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-stream-diagnostic-logs-2.png":::

+ :::column-end:::

+Learn more about logging in Java apps in the series on [Enable Azure Monitor OpenTelemetry for .NET, Node.js, Python and Java applications](../azure-monitor/app/opentelemetry-enable.md?tabs=java).

+## 7. Clean up resources

+When you're finished, you can delete all of the resources from your Azure subscription by deleting the resource group.

+ :::column span="2":::

+ **Step 1:** In the search bar at the top of the Azure portal:

+ 1. Enter the resource group name.

+ 1. Select the resource group.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-1.png" alt-text="A screenshot showing how to search for and navigate to a resource group in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-1.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 2:** In the resource group page, select **Delete resource group**.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-2.png" alt-text="A screenshot showing the location of the Delete Resource Group button in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-2.png":::

+ :::column-end:::

+ :::column span="2":::

+ **Step 3:**

+ 1. Enter the resource group name to confirm your deletion.

+ 1. Select **Delete**.

+ 1. Confirm with **Delete** again.

+ :::column-end:::

+ :::column:::

+ :::image type="content" source="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-3.png" alt-text="A screenshot of the confirmation dialog for deleting a resource group in the Azure portal." lightbox="./media/tutorial-java-quarkus-postgresql-app/azure-portal-clean-up-resources-3.png"::::

+ :::column-end:::

+## Troubleshooting

+#### I see the error log "ERROR [org.acm.hib.orm.pan.ent.FruitEntityResource] (vert.x-eventloop-thread-0) Failed to handle request: jakarta.ws.rs.NotFoundException: HTTP 404 Not Found".

+This is a Vert.x error (see [Quarkus Reactive Architecture](https://quarkus.io/guides/quarkus-reactive-architecture)), indicating that the client requested an unknown path. This error happens on every app startup because App Service verifies that the app starts by sending a `GET` request to `/robots933456.txt`.

+#### The app failed to start and shows the following error in log: "Model classes are defined for the default persistence unit \<default> but configured datasource \<default> not found: the default EntityManagerFactory will not be created."

+This Quarkus error is most likely because the app can't connect to the Azure database. Make sure that the app setting `AZURE_POSTGRESQL_CONNECTIONSTRING` hasn't been changed, and that *application.properties* is using the app setting properly.

+## Frequently asked questions

+- [How much does this setup cost?](#how-much-does-this-setup-cost)

+- [How do I connect to the PostgreSQL server that's secured behind the virtual network with other tools?](#how-do-i-connect-to-the-postgresql-server-thats-secured-behind-the-virtual-network-with-other-tools)

+- [How does local app development work with GitHub Actions?](#how-does-local-app-development-work-with-github-actions)

+- [What if I want to run tests with PostgreSQL during the GitHub workflow?](#what-if-i-want-to-run-tests-with-postgresql-during-the-github-workflow)

+#### How much does this setup cost?

+Pricing for the created resources is as follows:

+- The App Service plan is created in **Basic** tier and can be scaled up or down. See [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/linux/).

+- The PostgreSQL flexible server is created in the lowest burstable tier **Standard_B1ms**, with the minimum storage size, which can be scaled up or down. See [Azure Database for PostgreSQL pricing](https://azure.microsoft.com/pricing/details/postgresql/flexible-server/).

+- The virtual network doesn't incur a charge unless you configure extra functionality, such as peering. See [Azure Virtual Network pricing](https://azure.microsoft.com/pricing/details/virtual-network/).

+- The private DNS zone incurs a small charge. See [Azure DNS pricing](https://azure.microsoft.com/pricing/details/dns/).

+#### How do I connect to the PostgreSQL server that's secured behind the virtual network with other tools?

+- For basic access from a command-line tool, you can run `psql` from the app's SSH terminal.

+- To connect from a desktop tool, your machine must be within the virtual network. For example, it could be an Azure VM in one of the subnets, or a machine in an on-premises network that has a [site-to-site VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) connection with the Azure virtual network.

+- You can also [integrate Azure Cloud Shell](../cloud-shell/private-vnet.md) with the virtual network.

+#### How does local app development work with GitHub Actions?

+Using the autogenerated workflow file from App Service as an example, each `git push` kicks off a new build and deployment run. From a local clone of the GitHub repository, you make the desired updates and push to GitHub. For example:

+```terminal

+git add .

+git commit -m "<some-message>"

+git push origin main

+#### What if I want to run tests with PostgreSQL during the GitHub workflow?

+The default Quarkus sample application includes tests with database connectivity. To avoid connection errors, you added the `-skipTests` property. If you want, you can run the tests against a PostgreSQL service container. For example, in the automatically generated workflow file in your GitHub fork (*.github/workflows/main_cephalin-quarkus.yml*), make the following changes:

+1. Add YAML code for the PostgreSQL container to the `build` job, as shown in the following snippet.

+ ```yml

+ ...

+ jobs:

+ build:

+ runs-on: ubuntu-latest

+

+ # BEGIN CODE ADDITION

+ container: ubuntu

+

+ # Hostname for the PostgreSQL container

+ postgresdb:

+ image: postgres

+ env:

+ POSTGRES_PASSWORD: postgres

+ POSTGRES_USER: postgres

+ POSTGRES_DB: postgres

+ # Set health checks to wait until postgres has started

+ options: >-

+ --health-cmd pg_isready

+ --health-interval 10s

+ --health-timeout 5s

+ --health-retries 5

+

+ # END CODE ADDITION

+

+ steps:

+ - uses: actions/checkout@v4

+ ...

+

+ `container: ubuntu` tells GitHub to run the `build` job in a container. This way, the connection string in your dev environment `jdbc:postgresql://postgresdb:5432/postgres` can work as-is in when the workflow runs. For more information about PostgreSQL connectivity in GitHub Actions, see [Creating PostgreSQL service containers](https://docs.github.com/en/actions/using-containerized-services/creating-postgresql-service-containers).

+1. In the `Build with Maven` step, remove `-DskipTests`. For example:

+ ```yml

+ - name: Build with Maven

+ run: mvn clean install -Dquarkus.package.type=uber-jar

+- [Azure for Java Developers](/java/azure/)

+- [Quarkus](https://quarkus.io),

+- [Getting Started with Quarkus](https://quarkus.io/get-started/)

+Learn more about running Java apps on App Service in the developer guide.

+> [Configure a Java app in Azure App Service](configure-language-java.md?pivots=platform-linux)

+ :::image type="content" source="./media/tutorial-secure-domain-certificate/configure-custom-domain.png" alt-text="A screenshot showing how to configure a new custom domain, along with a managed certificate." lightbox="./media/tutorial-secure-domain-certificate/configure-custom-domain.png" border="true":::

+## At-scale Azure Policy

+For at-scale linking of servers to an Azure Arc Extended Security Update license and locking down license modification or creation, consider the usage of the following built-in Azure policies:

+- [Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended (preview)](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4864134f-d306-4ff5-94d8-ea4553b18c97)

+- [Deny Extended Security Updates (ESUs) license creation or modification (preview)](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4c660f31-eafb-408d-a2b3-6ed2260bd26c)

+Azure policies can be specified to a targeted subscription or resource group for both auditing and management scenarios.

+In this article, you learn how to recover the Azure Arc resource bridge connection into a working state in disaster scenarios such as accidental deletion. In such cases, the connection between on-premises infrastructure and Azure is lost and any operations performed through Arc will fail.

+>[!Note]

+> This note is applicable only if you're performing this recovery operation to upgrade your Arc resource bridge.<br><br>

+> If you have VMs that are still in the older version, i.e., have *Enabled (Deprecated)* set under the *Virtual hardware operations* column in the Virtual Machines inventory of your SCVMM server in Azure, switch them to the new version by following the steps in [this article](./switch-to-the-new-version-scvmm.md#switch-to-the-new-version-existing-customer) before proceeding with the steps for resource bridge recovery.

+4. [Run the onboarding script](/azure/azure-arc/system-center-virtual-machine-manager/quickstart-connect-system-center-virtual-machine-manager-to-arc#download-the-onboarding-script) again with the `-Force` parameter.

+ ./resource-bridge-onboarding-script.ps1 -Force

+ - [Download the script](https://download.microsoft.com/download/6/b/4/6b4a5009-fed8-46c2-b22b-b24a4d0a06e3/arcvmm-appliance-dr.ps1) if you're running the script from a Windows machine

+ - [Download the script](https://download.microsoft.com/download/0/5/c/05c2bcb8-87f8-4ead-9757-a87a0759071c/arcvmm-appliance-dr.sh) if you're running the script from a Linux machine

+7. Once the script is run successfully, the old Resource Bridge is recovered and the connection is re-established to the existing Azure-enabled SCVMM resources.

+In this article, you learn how to install Arc agents on Azure-enabled SCVMM VMs using a script.

+ - Has the Arc agent installation script downloaded from [here](https://download.microsoft.com/download/7/1/6/7164490e-6d8c-450c-8511-f8191f6ec110/arcscvmm-enable-guest-management.ps1) for a Windows VM or from [here](https://download.microsoft.com/download/0/9/b/09bd9ef4-a7af-49e5-ad5f-9e8f85fae75b/arcscvmm-enable-guest-management.sh) for a Linux VM.

+1. Sign in to the target VM as an administrator.

+3. Sign in to your Azure account in Azure CLI using `az login --use-device-code`

+4. Run the downloaded script *arcscvmm-enable-guest-management.ps1* or *arcscvmm-enable-guest-management.sh*, as applicable, using the following commands. The `vmmServerId` parameter should denote your VMM ServerΓÇÖs ARM ID.

+ **For a Windows VM:**

+ ```azurecli

+ ./arcscvmm-enable-guest-management.ps1 -<vmmServerId> '/subscriptions/<subscriptionId>/resourceGroups/<rgName>/providers/Microsoft.ScVmm/vmmServers/<vmmServerName>

+ ```

+ **For a Linux VM:**

+ ```azurecli

+ ./arcscvmm-enable-guest-management.sh -<vmmServerId> '/subscriptions/<subscriptionId>/resourceGroups/<rgName>/providers/Microsoft.ScVmm/vmmServers/<vmmServerName>

+ ```

+2. Select all the virtual machines that are Azure enabled with the older version. The virtual machines in the older version will have *Enabled (Deprecated)* set under the Virtual hardware management column.

+ "fileLoggingMode": "debugOnly",

+# [Node.js v4](#tab/v4)

+In the following example, the Dapr secret input binding is paired with a Dapr invoke trigger, which is registered by the `app` object:

+```javascript

+const { app, trigger } = require('@azure/functions');

+app.generic('RetrieveSecret', {

+ trigger: trigger.generic({

+ type: 'daprServiceInvocationTrigger',

+ name: "payload"

+ }),

+ extraInputs: [daprSecretInput],

+ handler: async (request, context) => {

+ context.log("Node function processed a RetrieveSecret request from the Dapr Runtime.");

+ const daprSecretInputValue = context.extraInputs.get(daprSecretInput);

+ // print the fetched secret value

+ for (var key in daprSecretInputValue) {

+ context.log(`Stored secret: Key=${key}, Value=${daprSecretInputValue[key]}`);

+ }

+ }

+});

+```

+

+# [Node.js v3](#tab/v3)

+# [Node.js v4](#tab/v4)

+The following table explains the binding configuration properties that you set in the code.

+|Property | Description |

+|--|-|

+|**key** | The secret key value. |

+|**secretStoreName** | Name of the secret store as defined in the _local-secret-store.yaml_ component file. |

+|**metadata** | The metadata namespace. |

+

+# [Node.js v3](#tab/v3)

+The following table explains the binding configuration properties that you set in the function.json file.

+|function.json property | Description |

+|--|-|

+|**key** | The secret key value. |

+|**secretStoreName** | Name of the secret store as defined in the _local-secret-store.yaml_ component file. |

+|**metadata** | The metadata namespace. |

+# [Node.js v4](#tab/v4)

+In the following example, the Dapr invoke input binding is added as an `extraInput` and paired with an HTTP trigger, which is registered by the `app` object:

+```javascript

+const { app, trigger } = require('@azure/functions');

+app.generic('StateInputBinding', {

+ trigger: trigger.generic({

+ type: 'httpTrigger',

+ authLevel: 'anonymous',

+ methods: ['GET'],

+ route: "state/{key}",

+ name: "req"

+ }),

+ extraInputs: [daprStateInput],

+ handler: async (request, context) => {

+ context.log("Node HTTP trigger function processed a request.");

+ const daprStateInputValue = context.extraInputs.get(daprStateInput);

+ // print the fetched state value

+ context.log(daprStateInputValue);

+ return daprStateInputValue;

+ }

+});

+```

+

+# [Node.js v3](#tab/v3)

+# [Node.js v4](#tab/v4)

+The following table explains the binding configuration properties that you set in the code.

+|Property | Description |

+|--|-|

+|**stateStore** | The name of the state store. |

+|**key** | The name of the key to retrieve from the specified state store. |

+

+# [Node.js v3](#tab/v3)

+# [Node.js v4](#tab/v4)

+In the following example, the Dapr invoke output binding is paired with an HTTP trigger, which is registered by the `app` object:

+```javascript

+const { app, trigger } = require('@azure/functions');

+app.generic('InvokeOutputBinding', {

+ trigger: trigger.generic({

+ type: 'httpTrigger',

+ authLevel: 'anonymous',

+ methods: ['POST'],

+ route: "invoke/{appId}/{methodName}",

+ name: "req"

+ }),

+ return: daprInvokeOutput,

+ handler: async (request, context) => {

+ context.log("Node HTTP trigger function processed a request.");

+ const payload = await request.text();

+ context.log(JSON.stringify(payload));

+

+ return { body: payload };

+ }

+});

+```

+

+# [Node.js v3](#tab/v3)

+# [Node.js v4](#tab/v4)

+The following table explains the binding configuration properties that you set in the code.

+|Property | Description| Can be sent via Attribute | Can be sent via RequestBody |

+|--|| :: | :--: |

+|**appId** | The app ID of the application involved in the invoke binding. | :heavy_check_mark: | :heavy_check_mark: |

+|**methods** | Post or get. | :heavy_check_mark: | :heavy_check_mark: |

+| **body** | _Required._ The body of the request. | :x: | :heavy_check_mark: |

+

+# [Node.js v3](#tab/v3)

+The following table explains the binding configuration properties that you set in the function.json file.

+|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody |

+|--|| :: | :--: |

+|**appId** | The app ID of the application involved in the invoke binding. | :heavy_check_mark: | :heavy_check_mark: |

+|**methodName** | The name of the method variable. | :heavy_check_mark: | :heavy_check_mark: |

+|**httpVerb** | Post or get. | :heavy_check_mark: | :heavy_check_mark: |

+| **body** | _Required._ The body of the request. | :x: | :heavy_check_mark: |

+# [Node.js v4](#tab/v4)

+In the following example, the Dapr publish output binding is paired with an HTTP trigger, which is registered by the `app` object:

+```javascript

+const { app, trigger } = require('@azure/functions');

+app.generic('PublishOutputBinding', {

+ trigger: trigger.generic({

+ type: 'httpTrigger',

+ authLevel: 'anonymous',

+ methods: ['POST'],

+ route: "topic/{topicName}",

+ name: "req"

+ }),

+ return: daprPublishOutput,

+ handler: async (request, context) => {

+ context.log("Node HTTP trigger function processed a request.");

+ const payload = await request.text();

+ context.log(JSON.stringify(payload));

+ return { payload: payload };

+ }

+});

+```

+

+# [Node.js v3](#tab/v3)

+# [Node.js v4](#tab/v4)

+The following table explains the binding configuration properties that you set in the code.

+|Property | Description| Can be sent via Attribute | Can be sent via RequestBody |

+|--|| :: | :--: |

+|**pubsubname** | The name of the publisher component service. | :heavy_check_mark: | :heavy_check_mark: |

+|**topic** | The name/identifier of the publisher topic. | :heavy_check_mark: | :heavy_check_mark: |

+| **payload** | _Required._ The message being published. | :x: | :heavy_check_mark: |

+

+# [Node.js v3](#tab/v3)

+The following table explains the binding configuration properties that you set in the function.json file.

+|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody |

+|--|| :: | :--: |

+|**pubsubname** | The name of the publisher component service. | :heavy_check_mark: | :heavy_check_mark: |

+|**topic** | The name/identifier of the publisher topic. | :heavy_check_mark: | :heavy_check_mark: |

+| **payload** | _Required._ The message being published. | :x: | :heavy_check_mark: |

+# [Node.js v4](#tab/v4)

+In the following example, the Dapr state output binding is paired with an HTTP trigger, which is registered by the `app` object:

+```javascript

+const { app, trigger } = require('@azure/functions');

+app.generic('StateOutputBinding', {

+ trigger: trigger.generic({

+ type: 'httpTrigger',

+ authLevel: 'anonymous',

+ methods: ['POST'],

+ route: "state/{key}",

+ name: "req"

+ }),

+ return: daprStateOutput,

+ handler: async (request, context) => {

+ context.log("Node HTTP trigger function processed a request.");

+ const payload = await request.text();

+ context.log(JSON.stringify(payload));

+

+ return { value : payload };

+ }

+});

+```

+

+# [Node.js v3](#tab/v3)

+# [Node.js v4](#tab/v4)

+The following table explains the binding configuration properties that you set in the code.

+|Property | Description| Can be sent via Attribute | Can be sent via RequestBody |

+|--|| :: | :--: |

+| **stateStore** | The name of the state store to save state. | :heavy_check_mark: | :x: |

+| **key** | The name of the key to save state within the state store. | :heavy_check_mark: | :heavy_check_mark: |

+| **value** | _Required._ The value being stored. | :x: | :heavy_check_mark: |

+

+# [Node.js v3](#tab/v3)

+The following table explains the binding configuration properties that you set in the function.json file.

+|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody |

+|--|| :: | :--: |

+| **stateStore** | The name of the state store to save state. | :heavy_check_mark: | :x: |

+| **key** | The name of the key to save state within the state store. | :heavy_check_mark: | :heavy_check_mark: |

+| **value** | _Required._ The value being stored. | :x: | :heavy_check_mark: |

+# [Node.js v4](#tab/v4)

+In the following example, the Dapr output binding is paired with the Dapr invoke output trigger, which is registered by the `app` object:

+```javascript

+const { app, trigger } = require('@azure/functions');

+app.generic('SendMessageToKafka', {

+ trigger: trigger.generic({

+ type: 'daprServiceInvocationTrigger',

+ name: "payload"

+ }),

+ return: daprBindingOuput,

+ handler: async (request, context) => {

+ context.log("Node function processed a SendMessageToKafka request from the Dapr Runtime.");

+ context.log(context.triggerMetadata.payload)

+ return { "data": context.triggerMetadata.payload };

+ }

+});

+```

+

+# [Node.js v3](#tab/v3)

+# [Node.js v4](#tab/v4)

+The following table explains the binding configuration properties that you set in the code.

+|Property | Description| Can be sent via Attribute | Can be sent via RequestBody |

+|--|| :: | :--: |

+|**bindingName** | The name of the binding. | :heavy_check_mark: | :heavy_check_mark: |

+|**operation** | The binding operation. | :heavy_check_mark: | :heavy_check_mark: |

+| **metadata** | The metadata namespace. | :x: | :heavy_check_mark: |

+| **data** | _Required._ The data for the binding operation. | :x: | :heavy_check_mark: |

+

+# [Node.js v3](#tab/v3)

+The following table explains the binding configuration properties that you set in the function.json file.

+|function.json property | Description| Can be sent via Attribute | Can be sent via RequestBody |

+|--|| :: | :--: |

+|**bindingName** | The name of the binding. | :heavy_check_mark: | :heavy_check_mark: |

+|**operation** | The binding operation. | :heavy_check_mark: | :heavy_check_mark: |

+| **metadata** | The metadata namespace. | :x: | :heavy_check_mark: |

+| **data** | _Required._ The data for the binding operation. | :x: | :heavy_check_mark: |

+# [Node.js v4](#tab/v4)

+Use the `app` object to register the `daprInvokeOutput`:

+```javascript

+const { app, trigger } = require('@azure/functions');

+app.generic('InvokeOutputBinding', {

+ trigger: trigger.generic({

+ type: 'httpTrigger',

+ authLevel: 'anonymous',

+ methods: ['POST'],

+ route: "invoke/{appId}/{methodName}",

+ name: "req"

+ }),

+ return: daprInvokeOutput,

+ handler: async (request, context) => {

+ context.log("Node HTTP trigger function processed a request.");

+ const payload = await request.text();

+ context.log(JSON.stringify(payload));

+

+ return { body: payload };

+ }

+});

+```

+

+# [Node.js v3](#tab/v3)

+# [Node.js v4](#tab/v4)

+The following table explains the binding configuration properties that you set in the code.

+|Property | Description|

+|--||

+|**type** | Must be set to `daprServiceInvocationTrigger`.|

+|**name** | The name of the variable that represents the Dapr data in function code. |

+

+# [Node.js v3](#tab/v3)

+The following table explains the binding configuration properties that you set in the function.json file.

+|function.json property | Description|

+|--||

+|**type** | Must be set to `daprServiceInvocationTrigger`.|

+|**name** | The name of the variable that represents the Dapr data in function code. |

+# [Node.js v4](#tab/v4)

+Use the `app` object to register the `daprTopicTrigger`:

+```javascript

+const { app, trigger } = require('@azure/functions');

+app.generic('TransferEventBetweenTopics', {

+ trigger: trigger.generic({

+ type: 'daprTopicTrigger',

+ name: "subEvent",

+ pubsubname: "%PubSubName%",

+ topic: "A"

+ }),

+ return: daprPublishOutput,

+ handler: async (request, context) => {

+ context.log("Node function processed a TransferEventBetweenTopics request from the Dapr Runtime.");

+ context.log(context.triggerMetadata.subEvent.data);

+ return { payload: context.triggerMetadata.subEvent.data };

+ }

+});

+```

+

+# [Node.js v3](#tab/v3)

+# [Node.js v4](#tab/v4)

+The following table explains the binding configuration properties that you set in the code.

+|Property | Description|

+|--||

+|**pubsubname** | The name of the Dapr pub/sub component type. |

+|**topic** | Name of the topic. |

+

+# [Node.js v3](#tab/v3)

+The following table explains the binding configuration properties that you set in the function.json file.

+|function.json property | Description|

+|--||

+|**pubsubname** | The name of the Dapr pub/sub component type. |

+|**topic** | Name of the topic. |

+# [Node.js v4](#tab/v4)

+Use the `app` object to register the `daprBindingTrigger`:

+```javascript

+const { app, trigger } = require('@azure/functions');

+app.generic('ConsumeMessageFromKafka', {

+ trigger: trigger.generic({

+ type: 'daprBindingTrigger',

+ bindingName: "%KafkaBindingName%",

+ name: "triggerData"

+ }),

+ handler: async (request, context) => {

+ context.log("Node function processed a ConsumeMessageFromKafka request from the Dapr Runtime.");

+ context.log(context.triggerMetadata.triggerData)

+ }

+});

+```

+

+# [Node.js v3](#tab/v3)

+# [Node.js v4](#tab/v4)

+The following table explains the binding configuration properties that you set in the code.

+|Property | Description|

+|--||

+|**bindingName** | The name of the binding. |

+

+# [Node.js v3](#tab/v3)

+The following table explains the binding configuration properties that you set in the function.json file.

+|function.json property | Description|

+|--||

+|**bindingName** | The name of the binding. |

+ |Automatically resolve alerts (preview) |Select to make the alert stateful. When an alert is stateful, the alert is resolved when the condition is no longer met for a specific time range. The time range differs based on the frequency of the alert:<br>**1 minute**: The alert condition isn't met for 10 minutes.<br>**5-15 minutes**: The alert condition isn't met for three frequency periods.<br>**15 minutes - 11 hours**: The alert condition isn't met for two frequency periods.<br>**11 to 12 hours**: The alert condition isn't met for one frequency period. <br><br>Note that stateful log alerts have these limitations:<br> - they can trigger up to 300 alerts per evaluation.<br> - you can have a maximum of 5000 alerts with the `fired` alert condition.|

+ Title: Creating Metric Alerts in Azure Monitor Logs

+# Create a metric alert in Azure Monitor Logs

+**Metric Alerts for Logs** allows you to leverage metric alerts capabilities on a predefined set of logs in Azure Monitor Logs. The monitored logs, which can be collected from Azure or on-premises computers, are converted to metrics, and then monitored with metric alert rules just like any other metric.

+Stateful log alerts have these limitations:

+- they can trigger up to 300 alerts per evaluation.

+- you can have a maximum of 5000 alerts with the `fired` alert condition.

+You can configure if log alerts are [stateful or stateless](alerts-overview.md#alerts-and-state). This feature is currently in preview.

+Note that stateful log alerts have these limitations:

+- they can trigger up to 300 alerts per evaluation.

+- you can have a maximum of 5000 alerts with the `fired` alert condition.

+To view these settings, select the **Condition** tab.

+You can accept the default time granularity or modify it to your requirements. **Check every** defines how often the alert rule will check if the condition is met. **Lookback period** defines the time interval over which the collected values are aggregated. For example, every 1 minute, youΓÇÖll be looking at the past 5 minutes.

+When you're done configuring the signal logic, click **Next: Actions >** or the **Actions** tab to configure actions.

+Click **Review + create** and then **Create** to create the alert rule.

+* [ASP.NET Core](opentelemetry-enable.md?tabs=aspnetcore)

+You have successfully created your first scale setting to autoscale your web app based on CPU usage. When CPU usage is greater than 70%, an additional instance is added, up to a maximum of 3 instances. When CPU usage is below 20%, an instance is removed up to a minimum of 1 instance. By default there will be 1 instance.

+Whenever your resource has any scaling event, it's logged in the activity log. You can view the history of the scale events in the **Run history** tab.

+Autoscale uses a cool-down period. This period is the amount of time to wait after a scale operation before scaling again. The cool-down period allows the metrics to stabilize and avoids scaling more than once for the same condition. Cool-down applies to both scale-in and scale-out events. For example, if the cooldown is set to 10 minutes and Autoscale has just scaled-in, Autoscale won't attempt to scale again for another 10 minutes in either direction. For more information, see [Autoscale evaluation steps](autoscale-understanding-settings.md#autoscale-evaluation).

+| scaleAction | cooldown | Cool down (minutes)|The amount of time to wait after a scale operation before scaling again. The cooldown period comes into effect after a scale-in or a scale-out event. For example, if **cooldown = "PT10M"**, autoscale doesn't attempt to scale again for another 10 minutes. The cooldown is to allow the metrics to stabilize after the addition or removal of instances. |

+Autoscale settings can have multiple profiles. Each profile can have multiple rules. Each time the autoscale job runs, it begins by choosing the applicable profile for that time. Autoscale then evaluates the minimum and maximum values, any metric rules in the profile, and decides if a scale action is necessary. The autoscale job runs every 30 to 60 seconds, depending on the resource type. After a scale action occurs, the autoscale job waits for the cooldown period before it scales again. The cooldown period applies to both scale-out and scale-in actions.

+### Access using a Grafana dashboard

+Customers can use our Syslog dashboard for Grafana to get an overview of their Syslog data. Customers who use Azure-managed Grafana will have this dashboard available in their Grafana instance by default. Once syslog collection is enabled, no other steps are needed. Other customers can [import the Syslog dashboard from Grafana marketplace](https://grafana.com/grafana/dashboards/19866-azure-monitor-container-insights-syslog/).

+You can also define your own time range by adding a time filter to the query. Adding a time filter overrides the time range selected in the [time picker](#use-the-time-picker).

+It's best to place the time filter immediately after the table name:

+Here's a video version of this tutorial:

+> [!VIDEO https://www.youtube.com/embed/-aMecR2Nrfc]

+| Save button | Save the query to a [query pack](./query-packs.md). Saved queries are available from: <ul><li> The **Other** section in the **Query Explorer** for the workspace</li><li>The **Other** section in the **Queries** tab in the [left sidebar](#left-sidebar) for the workspace</ul> |

+ Share button | Copy a link to the query, the query text, or the query results to the clipboard. |

+| New alert rule button | Open the Create an alert rule page. Use this page to [create an alert rule](../alerts/alerts-create-new-alert-rule.md?tabs=log) with an alert type of [log alert](../alerts/alerts-types.md#log-alerts). The page opens with the [Conditions tab](../alerts/alerts-create-new-alert-rule.md?tabs=log#set-the-alert-rule-conditions) selected, and your query is added to the **Search query** field. |

+| Search job mode toggle | [Run search jobs](./search-jobs.md).

+| Queries button | Open **Query Explorer**, which provides access to saved queries in the workspace. |

+The sidebar on the left lists tables in the workspace, sample queries, functions, and filter options for the current query.

+| Functions | Lists the [functions](./functions.md) in the workspace. |

+* The NFS client should be in the same virtual network or peered virtual network as the Azure NetApp Files volume. Connecting from outside the virtual network is supported; however, it will introduce additional latency and decrease overall performance.

+1. Select the **Volumes** blade from the Capacity Pools blade. Select **+ Add volume** to create a volume.

+2. In the Create a Volume window, select **Create**, and provide information for the following fields under the Basics tab:

+ Specify the Microsoft Azure Virtual Network from which you want to access the volume.

+ The Virtual Network you specify must have a subnet delegated to Azure NetApp Files. The Azure NetApp Files service can be accessed only from the same Virtual Network or from a virtual network that's in the same region as the volume through virtual network peering. You can also access the volume from your on-premises network through Express Route.

+ If you have not delegated a subnet, you can select **Create new** on the Create a Volume page. Then in the Create Subnet page, specify the subnet information, and select **Microsoft.NetApp/volumes** to delegate the subnet for Azure NetApp Files. In each Virtual Network, only one subnet can be delegated to Azure NetApp Files.

+ * If you want to apply an existing snapshot policy to the volume, select **Show advanced section** to expand it, specify whether you want to hide the snapshot path, and select a snapshot policy in the pull-down menu.

+> Ensure the address space size of the Azure NetApp Files VNet is larger than its delegated subnet.

+>

+> For example, if the delegated subnet is /24, the VNet address space containing the subnet must be /23 or larger. Noncompliance with this guideline can lead to unexpected issues in some traffic patterns: traffic traversing a hub-and-spoke topology that reaches Azure NetApp Files via a Network Virtual Appliance does not function properly. Additionally, this configuration can result in failures when creating SMB and CIFS volumes if they attempt to reach DNS through hub-and-spoke network topology.

+| Number of cross-region replication data protection volumes (destination volumes) | 50 | Yes |

+| Number of cross-zone replication data protection volumes (destination volumes) | 50 | Yes |

+* [Azure Modeling and Simulation Workbench](../modeling-simulation-workbench/index.yml)

+ * The **Quota** value must be **at least 20% greater** than the size of the backup from which the restore is triggered (minimum 100 GiB). Once the restore is complete, the volume can be resized depending on the size used.

+ We're excited to announce the addition of double encryption at rest for Azure NetApp Files volumes. This new feature provides an extra layer of protection for your critical data, ensuring maximum confidentiality and mitigating potential liabilities. Double encryption at rest is ideal for industries such as finance, military, healthcare, and government, where breaches of confidentiality can have catastrophic consequences. By combining hardware-based encryption with encrypted SSD drives and software-based encryption at the volume level, your data remains secure throughout its lifecycle. You can select **double** as the encryption type during capacity pool creation to easily enable this advanced security layer.

+ Azure NetApp Files volumes have been supported with Standard network features since [October 2021](#october-2021), but only for newly created volumes. This new *edit volumes* capability lets you change *existing* volumes that were configured with Basic network features to use Standard network features. This capability provides an enhanced, more standard, Microsoft Azure Virtual Network experience through various security and connectivity features that are available on Virtual Networks to Azure services. When you edit existing volumes to use Standard network features, you can start taking advantage of networking capabilities, such as (but not limited to):

+ * Increased number of client IPs in a virtual network (including immediately peered Virtual Networks) accessing Azure NetApp Files volumes - the [same as Azure VMs](azure-netapp-files-resource-limits.md#resource-limits)

+ Standard network features now includes Global virtual network peering.

+ * Increased IP limits for the virtual networks with Azure NetApp Files volumes at par with VMs

+ The new Azure NetApp Files **Storage service add-ons** menu option provides an Azure portal ΓÇ£launching padΓÇ¥ for available third-party, ecosystem add-ons to the Azure NetApp Files storage service. With this new portal menu option, you can enter a landing page by selecting an add-on tile to quickly access the add-on.

+ **NetApp add-ons** is the first category of add-ons introduced under **Storage service add-ons**. It provides access to NetApp Cloud Data Sense. Selecting the **Cloud Data Sense** tile opens a new browser and directs you to the add-on installation page.

+ By default, LDAP communications between client and server applications aren't encrypted. This setting means that it's possible to use a network-monitoring device or software to view the communications between an LDAP client and server computers. This scenario might be problematic in non-isolated or shared virtual networks when an LDAP simple bind is used, because the credentials (username and password) used to bind the LDAP client to the LDAP server are passed over the network unencrypted. LDAP over TLS (also known as LDAPS) is a protocol that uses TLS to secure communication between LDAP clients and LDAP servers. Azure NetApp Files now supports the secure communication between an Active Directory Domain Server (AD DS) using LDAP over TLS. Azure NetApp Files can now use LDAP over TLS for setting up authenticated sessions between the Active Directory-integrated LDAP servers. You can enable the LDAP over TLS feature for NFS, SMB, and dual-protocol volumes. By default, LDAP over TLS is disabled on Azure NetApp Files.

+ You can now enable SMB3 Protocol Encryption on Azure NetApp Files SMB and dual-protocol volumes. This feature enables encryption for in-flight SMB3 data, using the [AES-CCM algorithm on SMB 3.0, and the AES-GCM algorithm on SMB 3.1.1](/windows-server/storage/file-server/file-server-smb-overview#features-added-in-smb-311-with-windows-server-2016-and-windows-10-version-1607) connections. SMB clients not using SMB3 encryption can't access this volume. Data at rest is encrypted regardless of this setting. SMB encryption further enhances security. However, it might affect the client (CPU overhead for encrypting and decrypting messages). It might also affect storage resource utilization (reductions in throughput). You should test the encryption performance impact against your applications before deploying workloads into production.

+ Cloud promises flexibility in IT spending. You can now change the service level of an existing Azure NetApp Files volume by moving the volume to another capacity pool that uses the service level you want for the volume. This in-place service-level change for the volume doesn't require that you migrate data. It also doesn't affect the data plane access to the volume. You can change an existing volume to use a higher service level for better performance, or to use a lower service level for cost optimization. This feature is free of charge (normal [Azure NetApp Files storage cost](https://azure.microsoft.com/pricing/details/netapp/) still applies). It's currently in preview. You can register for the feature preview by following the [dynamic volume service level change documentation](dynamic-change-volume-service-level.md).

+* certificates

+One of the most important aspects of any Azure VMware Solution deployment is disaster recovery. You can create disaster recovery plans between different Azure VMware Solution regions or between Azure and an on-premises vSphere environment.

+Following our principle of giving customers the choice to apply their investments in skills and technology, we collaborated with some of the leading partners in the industry.

+You can find more information about their solutions in the following links:

+- [JetStream](https://www.jetstreamsoft.com/2020/09/28/disaster-recovery-for-avs/)

+- [Zerto](https://help.zerto.com/bundle/Install.AVS.HTML/page/Prerequisites_Zerto_AVS.htm)

+| | Cancel adding an endpoint to an existing call | ✔️ | ✔️ | ✔️ | ✔️ |

+| | Blind Transfer* a participant from group call to another endpoint | ✔️ | ✔️ | ✔️ | ✔️ |

+| CancelAddParticipantSucceeded| Your application canceled adding a participant |

+| CancelAddParticipantFailed | Your application was unable to cancel adding a participant |

+### Operation Callback Uri

+It is an optional parameter in some mid-call APIs that use events as their async responses. By default, all events are sent to the default callback Uri set by CreateCall / AnswerCall API when the user establishes a call. With the usage of Operation Callback Uri, corresponding events of this individual (one-time only) request will be sent to the new Uri.

+| Supported API | Corresponding event |

+| -- | |

+| AddParticipant | AddParticipantSucceed / AddParticipantFailed |

+| RemoveParticipant | RemoveParticipantSucceed / RemoveParticipantFailed |

+| TransferCall | CallTransferAccepted / CallTransferFailed |

+| CancelAddParticipant | CancelAddParticipantSucceeded / CancelAddParticipantFailed |

+| Play | PlayCompleted / PlayFailed / PlayCanceled |

+| PlayToAll | PlayCompleted / PlayFailed / PlayCanceled |

+| Recognize | RecognizeCompleted / RecognizeFailed / RecognizeCanceled |

+| StopContinuousDTMFRecognition | ContinuousDtmfRecognitionStopped |

+| SendDTMF | ContinuousDtmfRecognitionToneReceived / ContinuousDtmfRecognitionToneFailed |

+|Canada|

+|Japan|

+|Australia|

+|United States|

+|United Kingdom|

+|Canada|

+|Japan|

+|Australia|

+|Canada|

+|Japan|

+|Australia|

+| Toll-Free |- | - | General Availability | General Availability\* |

+|United Kingdom|

+|Canada|

+|Japan|

+|Australia|

+|Canada|

+|Japan|

+|Australia|

+|Canada|

+|Japan|

+|Australia|

+|United States|

+|United Kingdom|

+|Canada|

+|Japan|

+|Australia|

+|Canada|

+|Japan|

+|Australia|

+|Canada|

+|Japan|

+|Australia|

+|United States|

+|United Kingdom|

+|Canada|

+|Japan|

+|Australia|

+| Alphanumeric Sender ID | Modern Customer Agreement (Field Led and Customer Led), Modern Partner Agreement (CSP), Enterprise Agreement*, Pay-As-You-Go|

+* Applications from all other subscription types are reviewed and approved on a case-by-case basis. Reach out to acstns@microsoft.com for assistance with your application.

+|Canada|

+|Japan|

+|Australia|

+| Spain |

+| United States |

+| United Kingdom |

+| Canada |

+| Japan |

+| Australia |

+|Sweden|

+|United Kingdom|

+|Canada|

+|Japan|

+|Australia|

+|Canada|

+|Japan|

+|Australia|

+|Geographic |USD 1.00/mo |

+|Toll-Free |USD 8.00/mo |

+|--|--|-|

+|Geographic |Starting at USD 0.0160/min |USD 0.0100/min |

+|Toll-free |Starting at USD 0.0160/min |USD 0.1100/min |

+|Geographic |Starting at USD 0.0165/min |USD 0.0072/min |

+|Toll-free |Starting at USD 0.0165/min | USD 0.2200/min |

+## Transfer a participant in call

+var transferOption = new TransferToParticipantOptions(transferDestination) {

+ OperationContext = "<Your_context>",

+ OperationCallbackUri = new Uri("<uri_endpoint>") // Sending event to a non-default endpoint.

+};

+// adding customCallingContext

+transferOption.CustomCallingContext.AddVoip("customVoipHeader1", "customVoipHeaderValue1");

+transferOption.CustomCallingContext.AddVoip("customVoipHeader2", "customVoipHeaderValue2");

+CommunicationIdentifier transferDestination = new CommunicationUserIdentifier("<user_id>");

+TransferCallToParticipantOptions options = new TransferCallToParticipantOptions(transferDestination)

+ .setOperationContext("<operation_context>")

+ .setOperationCallbackUrl("<url_endpoint>"); // Sending event to a non-default endpoint.

+// set customCallingContext

+options.getCustomCallingContext().addVoip("voipHeaderName", "voipHeaderValue");

+const options = { operationContext: "<Your_context>", operationCallbackUrl: "<url_endpoint>" };

+// adding customCallingContext

+const customCallingContext: CustomCallingContext = [];

+customCallingContext.push({ kind: "voip", key: "customVoipHeader1", value: "customVoipHeaderValue1" })

+options.customCallingContext = customCallingContext;

+const result = await callConnection.transferCallToParticipant(transferDestination, options);

+# set custom context

+voip_headers = {"customVoipHeader1", "customVoipHeaderValue1"}

+ target_participant=transfer_destination,

+ voip_headers=voip_headers,

+ opration_context="Your context",

+ operationCallbackUrl="<url_endpoint>"

+When your application answers a group call or places an outbound group call to an endpoint or added a participant to a 1:1 call, an endpoint can be transferred from the call to another destination endpoint, except call automation endpoint. Transferring a participant in a group call removes the endpoint being transferred from the call. The call invite to the target will display the caller ID of the endpoint being transferred. Providing a custom caller ID is not supported.

+# [csharp](#tab/csharp)

+```csharp

+// Transfer User

+var transferDestination = new CommunicationUserIdentifier("<user_id>");

+var transferee = new CommunicationUserIdentifier("<transferee_user_id>");

+var transferOption = new TransferToParticipantOptions(transferDestination);

+transferOption.Transferee = transferee;

+// adding customCallingContext

+transferOption.CustomCallingContext.AddVoip("customVoipHeader1", "customVoipHeaderValue1");

+transferOption.CustomCallingContext.AddVoip("customVoipHeader2", "customVoipHeaderValue2");

+transferOption.OperationContext = "<Your_context>";

+transferOption.OperationCallbackUri = new Uri("<uri_endpoint>");

+TransferCallToParticipantResult result = await callConnection.TransferCallToParticipantAsync(transferOption);

+// Transfer PSTN User

+var transferDestination = new PhoneNumberIdentifier("<target_phoneNumber>");

+var transferee = new PhoneNumberIdentifier("<transferee_phoneNumber>");

+var transferOption = new TransferToParticipantOptions(transferDestination);

+transferOption.Transferee = transferee;

+// adding customCallingContext

+transferOption.CustomCallingContext.AddSipUui("uuivalue");

+transferOption.CustomCallingContext.AddSipX("header1", "headerValue");

+transferOption.OperationContext = "<Your_context>";

+// Sending event to a non-default endpoint.

+transferOption.OperationCallbackUri = new Uri("<uri_endpoint>");

+TransferCallToParticipantResult result = await callConnection.TransferCallToParticipantAsync(transferOption);

+```

+# [Java](#tab/java)

+```java

+// Transfer User

+CommunicationIdentifier transferDestination = new CommunicationUserIdentifier("<user_id>");

+CommunicationIdentifier transferee = new CommunicationUserIdentifier("<transferee_user_id>");

+TransferCallToParticipantOptions options = new TransferCallToParticipantOptions(transferDestination);

+options.setTransferee(transferee);

+options.setOperationContext("<Your_context>");

+options.setOperationCallbackUrl("<url_endpoint>");

+// set customCallingContext

+options.getCustomCallingContext().addVoip("voipHeaderName", "voipHeaderValue");

+Response<TransferCallResult> transferResponse = callConnectionAsync.transferToParticipantCallWithResponse(options).block();

+// Transfer Pstn User

+CommunicationIdentifier transferDestination = new PhoneNumberIdentifier("<taget_phoneNumber>");

+CommunicationIdentifier transferee = new PhoneNumberIdentifier("<transferee_phoneNumber>");

+TransferCallToParticipantOptions options = new TransferCallToParticipantOptions(transferDestination);

+options.setTransferee(transferee);

+options.setOperationContext("<Your_context>");

+options.setOperationCallbackUrl("<url_endpoint>");

+// set customCallingContext

+options.getCustomCallingContext().addSipUui("UUIvalue");

+options.getCustomCallingContext().addSipX("sipHeaderName", "value");

+Response<TransferCallResult> transferResponse = callConnectionAsync.transferToParticipantCallWithResponse(options).block();

+```

+# [JavaScript](#tab/javascript)

+```javascript

+// Transfer User

+const transferDestination = { communicationUserId: "<user_id>" };

+const transferee = { communicationUserId: "<transferee_user_id>" };

+const options = { transferee: transferee, operationContext: "<Your_context>", operationCallbackUrl: "<url_endpoint>" };

+// adding customCallingContext

+const customCallingContext: CustomCallingContext = [];

+customContext.push({ kind: "voip", key: "customVoipHeader1", value: "customVoipHeaderValue1" })

+options.customCallingContext = customCallingContext;

+const result = await callConnection.transferCallToParticipant(transferDestination, options);

+// Transfer pstn User

+const result = await callConnection.transferCallToParticipant(transferDestination, options);

+const transferDestination = { phoneNumber: "<taget_phoneNumber>" };

+const transferee = { phoneNumber: "<transferee_phoneNumber>" };

+const options = { transferee: transferee, operationContext: "<Your_context>", operationCallbackUrl: "<url_endpoint>" };

+// adding customCallingContext

+const customCallingContext: CustomCallingContext = [];

+customContext.push({ kind: "sipuui", key: "", value: "uuivalue" });

+customContext.push({ kind: "sipx", key: "headerName", value: "headerValue" })

+options.customCallingContext = customCallingContext;

+const result = await callConnection.transferCallToParticipant(transferDestination, options);

+```

+# [Python](#tab/python)

+```python

+# Transfer to user

+transfer_destination = CommunicationUserIdentifier("<user_id>")

+transferee = CommnunicationUserIdentifer("transferee_user_id")

+call_connection_client = call_automation_client.get_call_connection("<call_connection_id_from_ongoing_call>")

+# create custom context

+voip_headers = {"customVoipHeader1", "customVoipHeaderValue1"}

+result = call_connection_client.transfer_call_to_participant(

+ target_participant=transfer_destination,

+ transferee=transferee,

+ voip_headers=voip_headers,

+ opration_context="Your context",

+ operationCallbackUrl="<url_endpoint>"

+)

+# Transfer to PSTN user

+transfer_destination = PhoneNumberIdentifer("<target_phoneNumber>")

+transferee = PhoneNumberIdentifer("transferee_phoneNumber")

+# create custom context

+sip_headers={}

+sip_headers.add("X-MS-Custom-headerName", "headerValue")

+sip_headers.add("User-To-User","uuivale")

+call_connection_client = call_automation_client.get_call_connection("<call_connection_id_from_ongoing_call>")

+result = call_connection_client.transfer_call_to_participant(

+ target_participant=transfer_destination,

+ transferee=transferee,

+ sip_headers=sip_headers,

+ opration_context="Your context",

+ operationCallbackUrl="<url_endpoint>"

+)

+```

+--

+The sequence diagram shows the expected flow when your application places an outbound call and then transfers it to another endpoint.

+// Add user

+var addThisPerson = new CallInvite(new CommunicationUserIdentifier("<user_id>"));

+// add custom calling context

+addThisPerson.CustomCallingContext.AddVoip("myHeader", "myValue");

+AddParticipantsResult result = await callConnection.AddParticipantAsync(addThisPerson);

+// Add PSTN user

+// add custom calling context

+addThisPerson.CustomCallingContext.AddSipUui("value");

+addThisPerson.CustomCallingContext.AddSipX("header1", "customSipHeaderValue1");

+// Use option bag to set optional parameters

+var addParticipantOptions = new AddParticipantOptions(new CallInvite(addThisPerson))

+{

+ InvitationTimeoutInSeconds = 60,

+ OperationContext = "operationContext",

+ OperationCallbackUri = new Uri("uri_endpoint"); // Sending event to a non-default endpoint.

+};

+AddParticipantsResult result = await callConnection.AddParticipantAsync(addParticipantOptions);

+// Add user

+CallInvite callInvite = new CallInvite(new CommunicationUserIdentifier("<user_id>"));

+// add custom calling context

+callInvite.getCustomCallingContext().addVoip("voipHeaderName", "voipHeaderValue");

+AddParticipantOptions addParticipantOptions = new AddParticipantOptions(callInvite)

+ .setOperationContext("<operation_context>")

+ .setOperationCallbackUrl("<url_endpoint>");

+Response<AddParticipantResult> addParticipantResultResponse = callConnectionAsync.addParticipantWithResponse(addParticipantOptions).block();

+// Add PSTN user

+CallInvite callInvite = new CallInvite(new PhoneNumberIdentifier("+16041234567"), callerIdNumber);

+// add custom calling context

+callInvite.getCustomCallingContext().addSipUui("value");

+callInvite.getCustomCallingContext().addSipX("header1", "customSipHeaderValue1");

+AddParticipantOptions addParticipantOptions = new AddParticipantOptions(callInvite)

+ .setOperationContext("<operation_context>")

+ .setOperationCallbackUrl("<url_endpoint>");

+// Add user

+// add custom calling context

+const customCallingContext: CustomCallingContext = [];

+customContext.push({ kind: "voip", key: "voipHeaderName", value: "voipHeaderValue" })

+const addThisPerson = {

+ targetParticipant: { communicationUserId: "<acs_user_id>" },

+ customCallingContext: customCallingContext,

+};

+const addParticipantResult = await callConnection.addParticipant(addThisPerson, {

+ operationCallbackUrl: "<url_endpoint>",

+ operationContext: "<operation_context>"

+});

+// Add PSTN user

+// add custom calling context

+const customCallingContext: CustomCallingContext = [];

+customContext.push({ kind: "sipuui", key: "", value: "value" });

+customContext.push({ kind: "sipx", key: "headerName", value: "headerValue" })

+ customCallingContext: customCallingContext,

+const addParticipantResult = await callConnection.addParticipant(addThisPerson, {

+ operationCallbackUrl: "<url_endpoint>",

+ operationContext: "<operation_context>"

+});

+# Add user

+voip_headers = {"voipHeaderName", "voipHeaderValue"}

+target = CommunicationUserIdentifier("<acs_user_id>")

+call_connection_client = call_automation_client.get_call_connection(

+ "<call_connection_id_from_ongoing_call>"

+)

+result = call_connection_client.add_participant(

+ target,

+ voip_headers=voip_headers,

+ opration_context="Your context",

+ operationCallbackUrl="<url_endpoint>"

+)

+# Add PSTN user

+sip_headers = {}

+sip_headers.add("User-To-User", "value")

+sip_headers.add("X-MS-Custom-headerName", "headerValue")

+target = PhoneNumberIdentifier("+18008008800"),

+result = call_connection_client.add_participant(

+ target,

+ sip_headers=sip_headers,

+ opration_context="Your context",

+ operationCallbackUrl="<url_endpoint>",

+ source_caller_id_number=caller_id_number

+)

+## Cancel an add participant request

+# [csharp](#tab/csharp)

+```csharp

+// add a participant

+var addThisPerson = new CallInvite(new CommunicationUserIdentifier("<user_id>"));

+var addParticipantResponse = await callConnection.AddParticipantAsync(addThisPerson);

+// cancel the request with optional parameters

+var cancelAddParticipantOperationOptions = new CancelAddParticipantOperationOptions(addParticipantResponse.Value.InvitationId)

+{

+ OperationContext = "operationContext",

+ OperationCallbackUri = new Uri("uri_endpoint"); // Sending event to a non-default endpoint.

+}

+await callConnection.CancelAddParticipantOperationAsync(cancelAddParticipantOperationOptions);

+```

+# [Java](#tab/java)

+```java

+// Add user

+CallInvite callInvite = new CallInvite(new CommunicationUserIdentifier("<user_id>"));

+AddParticipantOperationOptions addParticipantOperationOptions = new AddParticipantOptions(callInvite);

+Response<AddParticipantResult> addParticipantOperationResultResponse = callConnectionAsync.addParticipantWithResponse(addParticipantOptions).block();

+// cancel the request

+CancelAddParticipantOperationOptions cancelAddParticipantOperationOptions = new CancelAddParticipantOperationOptions(addParticipantResultResponse.invitationId)

+ .setOperationContext("<operation_context>")

+ .setOperationCallbackUrl("<url_endpoint>");

+callConnectionAsync.cancelAddParticipantOperationWithResponse(cancelAddParticipantOperationOptions).block();

+```

+# [JavaScript](#tab/javascript)

+```javascript

+// Add user

+const addThisPerson = {

+ targetParticipant: { communicationUserId: "<acs_user_id>" },

+};

+const { invitationId } = await callConnection.addParticipant(addThisPerson, {

+ operationCallbackUrl: "<url_endpoint>",

+ operationContext: "<operation_context>"

+});

+// cancel the request

+await callConnection.cancelAddParticipantOperation(invitationId, {

+ operationCallbackUrl: "<url_endpoint>",

+ operationContext: "<operation_context>"

+});

+```

+# [Python](#tab/python)

+```python

+# Add user

+target = CommunicationUserIdentifier("<acs_user_id>")

+call_connection_client = call_automation_client.get_call_connection(

+ "<call_connection_id_from_ongoing_call>"

+)

+result = call_connection_client.add_participant(target)

+# cancel the request

+call_connection_client.cancel_add_participant_operation(result.invitation_id, opration_context="Your context", operationCallbackUrl="<url_endpoint>")

+```

+--

+// remove a participant from the call with optional parameters

+var removeParticipantOptions = new RemoveParticipantOptions(removeThisUser)

+{

+ OperationContext = "operationContext",

+ OperationCallbackUri = new Uri("uri_endpoint"); // Sending event to a non-default endpoint.

+}

+RemoveParticipantsResult result = await callConnection.RemoveParticipantAsync(removeParticipantOptions);

+RemoveParticipantOptions removeParticipantOptions = new RemoveParticipantOptions(removeThisUser)

+ .setOperationContext("<operation_context>")

+ .setOperationCallbackUrl("<url_endpoint>");

+Response<RemoveParticipantResult> removeParticipantResultResponse = callConnectionAsync.removeParticipantWithResponse(removeParticipantOptions).block();

+const removeParticipantResult = await callConnection.removeParticipant(removeThisUser, {

+ operationCallbackUrl: "<url_endpoint>",

+ operationContext: "<operation_context>"

+});

+result = call_connection_client.remove_participant(remove_this_user, opration_context="Your context", operationCallbackUrl="<url_endpoint>")

+This document provides information about registering a WhatsApp Business Account with Azure Communication Services. The following video demonstrates this process.

+> [!VIDEO https://learn-video.azurefd.net/vod/player?id=04c63978-6f27-4289-93d6-625d8569ee28]

+- Changes can be synchronized "from the beginningΓÇ¥ or ΓÇ£from a given timestampΓÇ¥ or ΓÇ£from nowΓÇ¥

+When the `Start from beginning` option is selected, the initial load includes a full snapshot of container data in the first run, and changed or incremental data is captured in subsequent runs. This is limited by the `analytical TTL` property and documents TTL-removed from analytical store are not included in the change feed. Example: Imagine a container with `analytical TTL` set to 31536000 seconds, which is equivalent to 1 year. If you create a CDC process for this container, only documents newer than 1 year will be included in the initial load.

+Operations on Cosmos DB analytical store don't consume the provisioned RUs and so don't affect your transactional workloads. Change data capture with analytical store also has lower latency and lower TCO. The lower latency is attributed to analytical store enabling better parallelism for data processing and reduces the overall TCO enabling you to drive cost efficiencies in these rapidly shifting economic conditions.

+In the interface for a new NoSQL linked service, select **Enter Manually** to provide the Azure Cosmos DB account information. Here, use the account's NoSQL document endpoint (Example: `https://<account-name>.documents.azure.com:443/`) instead of the Mongo DB endpoint (Example: `mongodb://<account-name>.mongo.cosmos.azure.com:10255/`)

+> - When there's is a currency change during or after an EA enrollment transfer, reservations paid for monthly are canceled for the source enrollment. Cancellation happens at the time of the next monthly payment for an individual reservation. The cancellation is intentional and only affects monthly, not up front, reservation purchases. For more information, see [Transfer Azure Enterprise enrollment accounts and subscriptions](ea-transfers.md#prerequisites-1).

+ Title: APIs throttling guidance for customers using Azure Data Manager for Agriculture

+description: Provides information on APIs throttling limits to plan usage.

+# APIs throttling guidance for Azure Data Manager for Agriculture

+The REST APIs throttling in Azure Data Manager for Agriculture allows more consistent performance within a time span for customers calling our service APIs.

+- Throttling limits, the number of requests to our service in a time span to prevent overuse of resources.

+- Azure Data Manager for Agriculture is designed to handle a high volume of requests, if an overwhelming number of requests occur by few customers, throttling helps maintain optimal performance and reliability for all customers.

+- Throttling limits are contingent on selected version and the specific capabilities of the product being used. Now, we support two distinct versions: **Standard** (recommended) and **Basic** (suitable for prototyping requirements). These limits operate within three different time windows (per 1 minute, per 5 minutes, and per one month) to safeguard against sudden surges in traffic.

+This article shows you how to track the number of requests that remain before reaching the limit, and how to respond when you reach the limit. These [APIs](/rest/api/data-manager-for-agri/#data-plane-rest-apis), falling under the purview of the throttling limits.

+

+## Classification of APIs

+We categorize all our APIs into three main parts for better understanding:

+- **Write operations** - Comprising APIs utilizing REST API methods like `PATCH`, `POST`, and `DELETE` for altering data.

+- **Read operations** - Encompassing APIs that use REST API method type `GET` to retrieve data including search APIs of method type `POST`.

+- **Long running job operations** - Involving Long running asynchronous job APIs using the REST API method type `PUT`.

+The overall available quota units as explained in the following table, are shared among these categories. For instance, using up the entire quota on write operations means no remaining quota for other operations. Each operation consumes a specific unit of quota, detailed in the table, helping tracking the remaining quota for further use.

+Operation | Units cost for each request|

+-| -- |

+Write | 5 |

+Read| 1 ¹|

+Long running job [Solution inference](/rest/api/data-manager-for-agri/#solution-and-model-inferences) | 5 |

+Long running job [Farm operation](/rest/api/data-manager-for-agri/#farm-operation-job) | 5 |

+Long running job [Image rasterize](/rest/api/data-manager-for-agri/#image-rasterize-job) | 2 |

+Long running job (Cascade delete of an entity) | 2 |

+Long running job [Weather ingestion](/rest/api/data-manager-for-agri/#weather) | 1 |

+Long running job [Satellite ingestion](/rest/api/data-manager-for-agri/#satellite-data-ingestion-job) | 1 |

+¹An extra unit cost is taken into account for each item returned in the response when more than one item is being retrieved.

+

+## Basic version API limits

+

+### Total available units per category

+Operation | Throttling time window | Units reset after each time window.|

+-| -- | |

+Write/Read| per 1 Minute | 25,000 |

+Write/Read| per 5 Minutes| 100,000|

+Write/Read| per one Month| 5,000,000 |

+Long running job| per 5 Minutes| 1000|

+Long running job| per one Month| 100,000 |

+## Standard version API limits

+Standard version offers a five times increase in API quota per month compared to the Basic version, while all other quota limits remain unchanged.

+### Total available units per category

+Operation | Throttling time window | Units reset after each time window.|

+-| -- | |

+Write/Read| per 1 Minute | 25,000 |

+Write/Read| per 5 Minutes| 100,000|

+Write/Read| per one Month| 25,000,000 ¹

+Long running job| per 5 Minutes| 1000|

+Long running job| per one Month| 500,000 ²|

+¹This limit is five times the Basic version limit.

+²This limit is five times the Basic version limit.

+

+## Error code

+When you reach the limit, you receive the HTTP status code **429 Too many requests**. The response includes a **Retry-After** value, which specifies the number of seconds your application should wait (or sleep) before sending the next request. If you send a request before the retry value elapses, your request isn't processed and a new retry value is returned.

+After the specified time elapses, you can make requests again to the Azure Data Manager for Agriculture. Attempting to establish a TCP connection or using different user authentication methods doesn't bypass these limits, as they're specific to each tenant.

+## Frequently asked questions (FAQs)

+### 1. If I exhaust the allocated API quota entirely for write operations within a per-minute time window, can I successfully make requests for read operations within the same time window?

+The quota limits are shared among the listed operation categories. Using the entire quota for write operations implies no remaining quota for other operations. The specific quota units consumed for each operation are detailed in this article.

+### 2. How can I calculate the total number of successful requests allowed for a particular time window?

+The total allowed number of successful API requests depends on the specific version provisioned and the time window in which requests are made. For instance, with the Standard version, you can make 25,000 (Units reset after each time window) / 5 (Units cost for each request) = 5,000 write operation APIs within a 1-minute time window. Or combination of 4000 write operations & 5000 read operations which results in total 4000 * 5 + 5000 * 1 = 25000 total units consumption. Similarly, for the Basic version, you can perform 5,000,000 (Units reset after each time window) / 1 (Units cost for each request) = 5,000,000 read operation APIs within a one month time window.

+### 3. How many sensor events can a customer ingest as the maximum number?

+The system allows a maximum limit of 100,000 event ingestions per hour. While new events are continually accepted, there might be a delay in processing, resulting in these events not being immediately available for real-time egress scenarios alongside the ingestion.

+

+* Also look at common API [response headers](/rest/api/data-manager-for-agri/common-rest-response-headers).

+Microsoft Defender for Cloud is now integrated with Microsoft 365 Defender (Preview). This integration allows security teams to access Defender for Cloud alerts and incidents within the Microsoft 365 Defender portal. This integration provides richer context to investigations that span cloud resources, devices, and identities.

+The partnership with Microsoft 365 Defender allows security teams to get the complete picture of an attack, including suspicious and malicious events that happen in their cloud environment. Security teams can accomplish this goal through immediate correlations of alerts and incidents.

+Microsoft 365 Defender offers a comprehensive solution that combines protection, detection, investigation, and response capabilities. The solution protects against attacks on devices, email, collaboration, identity, and cloud apps. Our detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency.

+| Alerts | All Defender for Cloud alerts, including multicloud, internal and external providersΓÇÖ alerts, are integrated to Microsoft 365 Defender. Defenders for Cloud alerts show on the Microsoft 365 Defender [alert queue](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response?view=o365-worldwide). <br>Microsoft 365 Defender <br> The `cloud resource` asset shows up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource. <br> <br> Defenders for Cloud alerts are automatically be associated with a tenant. <br> <br> There are no duplications of alerts from other Defender workloads.|

+## Sentinel customers

+Microsoft Sentinel customers can [benefit from the Defender for Cloud integration with Microsoft 365 Defender](../sentinel/ingest-defender-for-cloud-incidents.md) in their workspaces using the Microsoft 365 Defender incidents and alerts connector.

+First you need to [enabled incident integration in your Microsoft 365 Defender connector](../sentinel/connect-microsoft-365-defender.md).

+Then, enable the `Tenant-based Microsoft Defender for Cloud (Preview)` connector to synchronize your subscriptions with your tenant-based Defender for Cloud incidents to stream through the Microsoft 365 Defender incidents connector.

+The connector is available through the Microsoft Defender for Cloud solution, version 3.0.0, in the Content Hub. If you have an earlier version of this solution, you can upgrade it in the Content Hub.

+If you have the legacy subscription-based Microsoft Defender for Cloud alerts connector enabled (which is displayed as `Subscription-based Microsoft Defender for Cloud (Legacy)`), we recommend you disconnect the connector in order to prevent duplicating alerts in your logs.

+We recommend you disable analytic rules that are enabled (either scheduled or through Microsoft creation rules), from creating incidents from your Defender for Cloud alerts.

+You can use automation rules to close incidents immediately and prevent specific types of Defender for Cloud alerts from becoming incidents. You can also use the built-in tuning capabilities in the Microsoft 365 Defender portal to prevent alerts from becoming incidents.

+Customers who integrated their Microsoft 365 Defender incidents into Sentinel and want to keep their subscription-based settings and avoid tenant-based syncing can [opt out of syncing incidents and alerts](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud?view=o365-worldwide) through the Microsoft 365 Defender connector.

+Learn how [Defender for Cloud and Microsoft 365 Defender handle your data's privacy](data-security.md#defender-for-cloud-and-microsoft-defender-365-defender-integration).

+| [Classic connectors for multicloud will be retired](#classic-connectors-for-multicloud-will-be-retired) | | November 2023 |

+**Estimated date for change: November, 2023**

+The classic multicloud connectors will be retired and no data will be streamed to them after this date. These classic connectors were used to connect AWS Security Hub and GCP Security Command Center recommendations to Defender for Cloud and onboard AWS EC2s to Defender for Servers.

+If you're currently using the classic multicloud connectors, we strongly recommend that you migrate to the native security connectors as soon as possible.

+You can use the Azure portal to delegate a DNS subdomain. For example, if you own the *adatum.com* domain, you can delegate a subdomain called *engineering.adatum.com* to another separate zone that you can administer separately from the adatum.com zone.

+You can also delegate a subdomain using [Azure PowerShell](delegate-subdomain-ps.md).

+To delegate an Azure DNS subdomain, the parent public domain must first be delegated to Azure DNS. See [Delegate a domain to Azure DNS](./dns-delegate-domain-azure-dns.md) for instructions on how to configure your name servers for delegation. Once your domain is delegated to Azure DNS, you can delegate a subdomain.

+> The `adatum.com` zone is used as an example of a parent DNS zone and `engineering.adatum.com` is used for the subdomain. Substitute your own domain names for these domains.

+## Delegate a subdomain

+The **engineering.adatum.com** subdomain can already exist. If it doesn't exist, it is created.

+To delegate the **engineering** subdomain under **adatum.com**:

+1. From the Azure portal, search for **DNS zones** and select the **adatum.com** parent zone.

+2. Select **+ Child zone** and enter **engineering** next to **Name**. The **Create DNS zone** window opens.

+ 

+3. If desired, change the **Subscription** and **Resource group**. In this example, we use the same subscription and resource group as the parent zone.

+4. Select **Review create**, and then select **Create**.

+5. When deployment is complete, select **Go to resource** to view the new delegated zone: **engineering.adatum.com**.

+ [  ](./media/delegate-subdomain/child-zone-contents.png#lightbox)

+6. Select the parent **adatum.com** zone again and notice that an **NS** record has been added with the name **engineering** and contents the same as NS records in the child zone. You might need to refresh the page. These are the Azure DNS nameservers that are authoritative for the subdomain (child zone).

+ [  ](./media/delegate-subdomain/parent-zone-contents.png#lightbox)

+## Manual entry of NS records (optional)

+If desired, you can also create your subdomain and add the subdomain NS record manually.

+To create a new subdomain zone, use **Create a resource > DNS zone** and create a zone named **engineering.adatum.com**.

+To create a subdomain delegation manually, add a new NS record set (**+ Record set** option) to the parent zone **adatum.com** with the name: **engineering** and specify each of the nameserver entries that are listed in the subdomain (child) zone.

+<br><img src="./media/delegate-subdomain/add-ns-record-set.png" alt="A screenshot showing how to add an NS record set." width="50%">

+This method doesn't use the **+ Child zone** option, but both methods result in the same delegation.

+## Create a test record

+Next, create an **A** record in the **engineering.adatum.com** zone to use for testing. For example, create a **www** A record and configure it with a **10.10.10.10** IP address.

+1. Open a command prompt.

+2. At command prompt, type `nslookup www.engineering.adatum.com.`

+3. You should receive a non-authoritative answer showing the address **10.10.10.10**.

+1. In the Azure portal, go to the **DNS zones** overview page.

+1. Select your DNS zone. The current record sets are displayed.

+## Refresh Auth Token

+You can refresh the authorization token using the steps outlined in [Generate a refresh token](how-to-generate-refresh-token.md).

+If you haven't yet created entitlements groups, follow the directions as outlined in [How to manage users](how-to-manage-users.md). If you would like to see what groups you have, use [Get entitlements groups for a given user](how-to-manage-users.md#get-osdu-groups-for-a-given-user-in-a-data-partition). Data access isolation is achieved with this dedicated ACL (access control list) per object within a given data partition.

+If you haven't yet created entitlements groups, follow the directions as outlined in [How to manage users](how-to-manage-users.md). If you would like to see what groups you have, use [Get entitlements groups for a given user](how-to-manage-users.md#get-osdu-groups-for-a-given-user-in-a-data-partition). Data access isolation is achieved with this dedicated ACL (access control list) per object within a given data partition.

+## Generate service principal access token

+1. In order to add entitlements to a new data partition of Azure Data Manager for Energy instance, use the access token of the app that was used to provision the instance.

+2. Get the service principal access token using [Generate service principal access token](how-to-manage-users.md#generate-service-principal-access-token).

+3. If you try to directly use user tokens for adding entitlements, it results in 401 error. The service principal access token must be used to add initial users in the system and those users (with admin access) can then manage more users.

+4. Use the service principal access token to do these three steps using the commands outlined in the following sections.

+5. Add the users to the `users@<data-partition-id>.<domain>` OSDU group.

+6. Get the OSDU group such as `service.legal.editor@<data-partition-id>.<domain>` you want to add the user to.

+7. Add the users to that group.

+## Add users to an OSDU group in a data partition

+ curl --location --request POST 'https://<URI>/api/entitlements/v2/groups/<group-name>@<data-partition-id>.dataservices.energy/members' \

+**Sample request for `users` OSDU group**

+**Sample request for `legal service editor` OSDU group**

+ curl --location --request POST 'https://medstest.energy.azure.com/api/entitlements/v2/groups/service.legal.editor@medstest-dp1.dataservices.energy/members' \

+ "email": "90e0d063-2f8e-4244-860a-XXXXXXXXXX",

+ "role": "MEMBER"

+ }'

+> [!IMPORTANT]

+> The app-id is the default OWNER of all the groups.

+## Get OSDU groups for a given user in a data partition

+## Delete OSDU groups of a given user in a data partition

+2. **DO NOT** delete the OWNER of a group unless you have another OWNER who can manage users in that group.

+ Title: Configure IP firewall for Azure Event Grid namespaces (MQTT)

+# Configure IP firewall for Azure Event Grid namespaces (MQTT)

+ Title: Configure IP firewall for Azure Event Grid namespaces

+description: This article describes how to configure firewall settings for Azure Event Grid namespaces.

+# Configure IP firewall for Azure Event Grid namespaces

+By default, Event Grid namespaces and entities are accessible from internet as long as the request comes with valid authentication (access key) and authorization. With IP firewall, you can restrict it further to only a set of IPv4 addresses or IPv4 address ranges in [CIDR (Classless Inter-Domain Routing)](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation. Only the clients that fall into the allowed IP range can connect to publish and subscribe (pull-based clients only). Clients originating from any other IP address are rejected and receive a 403 (Forbidden) response. For more information about network security features supported by Event Grid, see [Network security for Event Grid](network-security.md).

+This article describes how to configure IP firewall settings for an Event Grid namespace. For complete steps for creating a namespace, see [Create and manage namespaces](create-view-manage-namespaces.md).

+## Create a namespace with IP firewall settings

+1. On the **Networking** page, if you want to allow clients to connect to the namespace endpoint via a public IP address, select **Public access** for **Connectivity method** if it's not already selected.

+2. You can restrict access to the topic from specific IP addresses by specifying values for the **Address range** field. Specify a single IPv4 address or a range of IP addresses in Classless inter-domain routing (CIDR) notation.

+ :::image type="content" source="./media/configure-firewall-namespace-topics/ip-firewall-settings.png" alt-text="Screenshot that shows IP firewall settings on the Networking page of the Create namespace wizard.":::

+## Update a namespace with IP firewall settings

+1. Sign-in to the [Azure portal](https://portal.azure.com).

+1. In the **search box**, enter **Event Grid Namespaces** and select **Event Grid Namespaces** from the results.

+ :::image type="content" source="./media/create-view-manage-namespaces/portal-search-box-namespaces.png" alt-text="Screenshot showing Event Grid Namespaces in the search results.":::

+1. Select your Event Grid namespace in the list to open the **Event Grid Namespace** page for your namespace.

+1. On the **Event Grid Namespace** page, select **Networking** on the left menu.

+1. Specify values for the **Address range** field. Specify a single IPv4 address or a range of IP addresses in Classless inter-domain routing (CIDR) notation.

+ :::image type="content" source="./media/configure-firewall-namespace-topics/namespace-ip-firewall-settings.png" alt-text="Screenshot that shows IP firewall settings on the Networking page of an existing namespace.":::

+## Next steps

+See [Allow access via private endpoints](configure-private-endpoints-pull.md).

+> - Although it is possible to connect up to 16 circuits to your virtual network, the outgoing traffic from your virtual network will be load-balanced using Equal-Cost Multipath (ECMP) across a maximum of 4 circuits.

+> - Equal-Cost Multipath (ECMP) in ExpressRoute uses the Per-Flow (based on 5-tuple) load balancing method. Accordingly, traffic flow between a given source and destination host pair are guaranteed to take the same path, even if multiple ECMP paths are available.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+>We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information, see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+To start sensor data streaming, ensure the following steps:

+ b. Select the **App Registration** that was created as part of your FarmBeats deployment. It has the same name as your FarmBeats datahub.

+ c. Select **Expose an API** > select **Add a client application** and enter **04b07795-8ddb-461a-bbee-02f9e1bf7b46** and check **Authorize Scope**. This gives access to the Azure CLI (Cloud Shell) to perform the below steps:

+4. Ensure the environment is set to **PowerShell**. By default, it is set to Bash.

+6. Run the following command to connect an authenticated account to use for Microsoft Entra ID requests

+7. Run the following command. This downloads a script to your home directory.

+You need to provide this to your device partner for linking FarmBeats. Go to the device partner portal for doing the same. For example, in case you're using devices from Davis Instruments, Teralytic or Pessl Instruments (Metos.at) go to the corresponding pages as mentioned below:

+ The **Devices** page displays the device type, model, status, the farm it is placed in, and the last updated date for metadata. By default, the farm column is set to *NULL*. You can choose to assign a device to a farm. For more information, see [Assign devices](#assign-devices).

+ The **Sensors** page displays details about the type of sensor, the farm it is connected to, parent device, port name, port type, and the last updated status.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information, see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+You need to enable partner integration to your Azure FarmBeats instance. Doing so creates a client that has access to your Azure FarmBeats instance as your device partner and provides you with the following values that are required in the subsequent steps:

+ b. Select the **App Registration** that was created as part of your FarmBeats deployment. It has the same name as your FarmBeats datahub.

+ c. Select **Expose an API** > select **Add a client application** and enter **04b07795-8ddb-461a-bbee-02f9e1bf7b46** and check **Authorize Scope**. This gives access to the Azure CLI (Cloud Shell) to perform the below steps:

+7. Run the following command. This downloads a script to your home directory.

+- /**Sensor**: Sensor corresponds to a physical sensor that record values. A sensor is typically connected to a device with a device ID.

+| Properties | other properties from the manufacturer. |

+| Properties | other properties from the manufacturer. |

+| Properties | other properties from the manufacturer. |

+| Properties | other properties from the manufacturer. |

+Now that devices and sensors are created in FarmBeats, you can send the associated telemetry messages.

+**Symptom**: Devices or sensors are deployed, and you have created the devices/sensors on FarmBeats and ingested telemetry to the EventHub, but you can't get or view telemetry data on FarmBeats.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+You can manage your farms in Azure FarmBeats. This article provides the information about how to create farms, install devices, sensors, and drones that help you manage your farms.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information, see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+1. Sign-in to the Farm Accelerator, the **Farms** page displays.

+ The **Farms** page displays the list of farms in case they're created in subscription.

+ Here's the sample image:

+3. In the **Define Farm Boundary** (mandatory field) select either **Mark on Map** or **Paste GeoJSON code**.

+ - **Device countΓÇödisplays the number and status of devices deployed within the farm.

+ - **MapΓÇömap of the farm with the devices deployed in the farm.

+ - **TelemetryΓÇödisplays the telemetry from the sensors deployed in the farm.

+ - **Latest Precision MapsΓÇödisplays the latest Satellite Indices map (EVI, NDWI), Soil Moisture Heatmap and Sensor Placement map.

+Now that your farm is created, learn how to [get sensor data](get-sensor-data-from-sensor-partner.md) flowing into your farm.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information, see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+Before you proceed with this article, ensure that FarmBeats is installed and sensor telemetry data from your IoT devices is ingested to FarmBeats.

+Before you proceed, you also need to ensure you're familiar with FarmBeats REST APIs as you query ingested telemetry using the APIs. For more information on FarmBeats APIs, see [FarmBeats REST APIs](rest-api-in-azure-farmbeats.md). **Ensure that you are able to make API requests to your FarmBeats Datahub endpoint**.

+1. Identify the sensor you're interested in. You can do so by making a GET request on /Sensor API.

+4. The response from the /Telemetry API looks something like this:

+In the above example response, the queried sensor telemetry gives data for two timestamps along with the measure name ("moist_soil_last") and values of the reported telemetry in the two timestamps. You need to refer to the associated Sensor Model (as described in step 2) to interpret the type and unit of the reported values.

+FarmBeats uses [Azure Time Series Insights (TSI)](https://azure.microsoft.com/services/time-series-insights/) to ingest, store, query, and visualize data at IoT scale, data that is highly contextualized and optimized for time series.

+2. Go to the **Overview** page of **Time Series Insights** environment (tsi-xxxx) and select the **Time Series Insights Explorer URL**. You can now visualize the ingested telemetry.

+After querying sensor data from your Azure FarmBeats instance, learn how to [generate maps](generate-maps-in-azure-farmbeats.md#generate-maps) for your farms.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+This article provides solutions to common Azure FarmBeats issues. For extra help, contact our [Q&A Support Forum](/answers/topics/azure-farmbeats.html).

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information, see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+If you're restarting the install because of an error, ensure to delete the **Resource Group** or delete all resources from the Resource Group before retriggering the installation.

+### The regional account quota of Batch Accounts for the specified subscription is reached

+**Symptom**: Devices or sensors are deployed, and device partner is linked to FarmBeats, but you can't get or view telemetry data on FarmBeats.

+2. Select the **Event Hub** namespace ("sensor-partner-eh-namespace-xxxx"), select on "Event Hubs" and then check for the number of incoming messages in the event hub that is assigned to the partner

+3. Do either of the following steps:

+**Symptom**: Devices or sensors are deployed, created on FarmBeats and ingested telemetry to the EventHub, but you can't get or view telemetry data on FarmBeats.

+1. Ensure partner registration is done correctly - you can check this by going to your datahub swagger, navigate to /Partner API, Do a Get and check if the partner is registered. If not, follow these [steps](get-sensor-data-from-sensor-partner.md#enable-device-integration-with-farmbeats) to add partner.

+2. Ensure that you used the correct Telemetry message format:

+**Symptoms**: Devices are installed, and FarmBeats is linked with your device partner. The devices are online and sending telemetry data, but they appear offline.

+### Unable to sign-in to Accelerator

+**Message**: "Error: You aren't authorized to call the service. Contact the administrator for authorization."

+Ask the administrator to authorize you to access the FarmBeats deployment by doing a POST of the RoleAssignment APIs or through the Access Control in the **Settings** pane in Accelerator.

+If you have access and facing this error, try again by refreshing the page. If the error persists, contact us with the error message/logs.

+**Issue**: You get an Accelerator error of undetermined cause.

+**Issue**: FarmBeats Accelerator isn't showing the latest version, even after you upgraded FarmBeatsDeployment.

+This error occurs because of service worker persistence in the browser. Do the following steps:

+**Corrective action**: Do one of the following steps:

+2. If the website isn't accessible, check whether any firewall, company network, or other blocking software is preventing access to the website. After checking, take the necessary steps to allow the Sentinel URL. 

+**Job failure message**: "The Copernicus Open Access Hub is back soon! Sorry for the inconvenience, we're performing some maintenance at the moment. We will be back online shortly!" 

+**Meaning**: If a job fails because the maximum number of connections are reached, the same Sentinel account is being used in multiple jobs.

+**Corrective action**: Try either of the following options:

+* Wait for the other jobs to finish before rerunning the failed job.

+**Corrective action**: This issue can occur if the satellite indices generated for the time for which the map was requested has NDVI values that are less than 0.3. For more information, visit [Technical Guide from Sentinel](https://sentinel.esa.int/web/sentinel/technical-guides/sentinel-2-msi).

+2. Select on the Data Factory service that is part of the resource group. The service has a tag "sku: Datahub"

+3. On the Overview page of the Data factory, select on **Author and Monitor**. A new tab opens on your browser. Select on **Monitor**

+4. You see a list of pipeline runs that are part of the weather job execution. Select on the Job that you want to collect logs for

+5. On the pipeline overview page, you see the list of activity runs. Make a note of the Run IDs of the activities that you want to collect logs for

+6. Go back to your FarmBeats resource group in Azure portal and select on the Storage Account with the name **datahublogs-XXXX**

+7. Select on **Containers** -> **adfjobs**. In the Search box, enter the job Run ID that you noted in step 5 above.

+8. The search result contains the folder that has the logs pertaining to the job. Download the logs and send it to farmbeatssupport@microsoft.com for assistance in debugging the issue.

+> [!IMPORTANT]

+> Azure FarmBeats is retired. You can see the public announcement [**here**](https://azure.microsoft.com/updates/project-azure-farmbeats-will-be-retired-on-30-sep-2023-transition-to-azure-data-manager-for-agriculture/).

+>

+> We have built a new agriculture focused service, it's name is Azure Data Manager for Agriculture and it's now available as a preview service. For more information see public documentation [**here**](../../data-manager-for-agri/overview-azure-data-manager-for-agriculture.md) or write to us at madma@microsoft.com.

+[Microsoft Entra multifactor authentication](/entra/identity/authentication/concept-mfa-howitworks) (also known as two-step verification) helps prevent attackers from gaining access to an account by requiring multiple authentication steps. You should require Microsoft Entra multifactor authentication for all users in your managing tenant, including users who will have access to delegated customer resources.

+> [!IMPORTANT]

+> Conditional access policies that are set on a customer's tenant don't apply to users who access that customer's resources through Azure Lighthouse. Only policies set on the managing tenant apply to those users. We strongly recommend requiring Microsoft Entra multifactor authentication for both the managing tenant and the managed (customer) tenant.

+> In order to add permissions for a Microsoft Entra group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members](/entra/fundamentals/how-to-manage-groups#create-a-basic-group-and-add-members).

+- [Deploy Microsoft Entra multifactor authentication](/entra/identity/authentication/howto-mfa-getstarted).

+# Tutorial: Load balance multiple IP configurations using the Azure portal

+> [!div class="op_single_selector"]

+> * [Portal](load-balancer-multiple-ip.md)

+> * [CLI](load-balancer-multiple-ip-cli.md)

+> * [PowerShell](load-balancer-multiple-ip-powershell.md)

+In this section, you create two virtual machines to host the IIS websites.

+ | Resource Group | Select **load-balancer-rg** |

+ | Region | Select **(US) East US** |

+ | Subnet | Select **backend-subnet(10.1.0.0/24)** |

+In this section, you change the private IP address of the existing NIC of each virtual machine to **Static**. Next, you add a new NIC resource to each virtual machine with a **Static** private IP address configuration.

+5. In **Networking**, select the name of the network interface next to **Network interface**. The network interface begins with the name of the VM and has a random number assigned. In this example, **myVM1266**.

+ | Resource group | Select **load-balancer-rg**. |

+ | Subnet | Select **backend-subnet (10.1.0.0/24)**. |

+You connect to **myVM1** and **myVM2** with Azure Bastion and configure the secondary network configuration in this section. You add a route for the gateway for the secondary network configuration. Then you install IIS on each virtual machine and customize the websites to display the hostname of the virtual machine.

+You create a zone redundant load balancer that load balances virtual machines in this section.

+During the creation of the load balancer, you configure:

+ | Resource group | Select **load-balancer-rg**. |

+ | Region | Select **East US**. |

+In this section, you discover the public IP address for each website. You enter the IP into a browser to test the websites you created earlier.

+2. Select **load-balancer-rg** in **Resource groups**.

+4. Enter **load-balancer-rg** in **TYPE THE RESOURCE GROUP NAME:**. Select **Delete**.

+To use the SAP connector, you have to install the SAP Connector NCo client library for Microsoft .NET 3.1. The following list describes the prerequisites for the SAP NCo client library, based on the workflow where you're using the SAP connector:

+ * For Consumption logic app workflows that use the on-premises data gateway, make sure that you install the latest 64-bit version, [SAP Connector for Microsoft .NET 3.1.3.0 for Windows 64bit (x64)](https://support.sap.com/en/product/connectors/msnet.html). The data gateway runs only on 64-bit systems. Installing the unsupported 32-bit version results in a **"bad image"** error.

+

+ * For Standard logic app workflows, you can install the latest 64-bit or 32-bit version for [SAP Connector (NCo 3.1) for Microsoft .NET 3.1.3.0 compiled with .NET Framework 4.6.2](https://support.sap.com/en/product/connectors/msnet.html). However, make sure that you install the version that matches the configuration in your Standard logic app resource. To check the version used by your logic app, follow these steps:

+ 1. Make sure to install the version of the [SAP Connector (NCo 3.1) for Microsoft .NET 3.1.3.0 compiled with .NET Framework 4.6.2](https://support.sap.com/en/product/connectors/msnet.html) that matches your platform configuration.

+ image="mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu22.04:latest",

+ 1. On __Container registry image path__, enter `mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu22.04`.

+ image: mcr.microsoft.com/azureml/openmpi4.1.0-ubuntu22.04

+* FQDN outbound rules - FQDN outbound rules are implemented using Azure Firewall. If you use outbound FQDN rules, charges for Azure Firewall are included in your billing. The Azure Firewall (standard SKU) is provisioned by Azure Machine Learning.

+ > The firewall isn't created until you add an outbound FQDN rule. If you don't use FQDN rules, you will not be charged for Azure Firewall. For more information on pricing, see [Azure Firewall pricing](https://azure.microsoft.com/pricing/details/azure-firewall/) and view prices for the _standard_ version.

+* [Configure your development environment](how-to-configure-environment.md) or use an [Azure Machine Learning compute instance](how-to-create-compute-instance.md) and install the [Azure Machine Learning SDK v2](https://aka.ms/sdk-v2-install).

+To update multiple server parameters like **slow\_query\_log** and **audit\_log\_enabled** of server **mydemoserver.mysql.database.azure.com** under resource group **myresourcegroup.**

+```azurecli-interactive

+az mysql flexible-server parameter set-batch -resource-group myresourcegroup --server-name mydemoserver --source "user-override" --args slow_query_log="ON" audit_log_enabled="ON"

+```

+- **Modify multiple server parameters using Azure CLI**

+ You can now conveniently update multiple server parameters for your Azure Database for MySQL - Flexible Server using Azure CLI. [Learn more](./how-to-configure-server-parameters-cli.md#modify-a-server-parameter-value)

+ We're excited to announce preview of the accelerated logs feature for Azure Database for MySQL ΓÇô Flexible Server. This feature is available within the Business Critical service tier. Accelerated logs significantly enhances the performance of MySQL flexible servers, offering a dynamic solution that is designed for high throughput needs that also reduces latency and optimizes cost efficiency.[Learn more](./concepts-accelerated-logs.md).

+ Universal Geo Restore feature will allow you to restore a source server instance to an alternate region from the list of Azure supported regions where flexible server is [available](./overview.md#azure-regions). If a large-scale incident in a region results in unavailability of database application, then you can use this feature as a disaster recovery option to restore the server to an Azure supported target region, which is different than the source server region. [Learn more](concepts-backup-restore.md#restore)

+ We are excited to inform you that we have introduced new 20 vCores options under the Business Critical Service tier for our Azure Database for MySQL - Flexible Server. Please find more information under [Compute Option for Azure Database for MySQL - Flexible Server](./concepts-service-tiers-storage.md#service-tiers-size-and-server-types).

+ "Host Memory Percent" metric will provide more accurate calculations of memory usage. It will now reflect the actual memory consumed by the server, excluding re-usable memory from the calculation. This improvement ensures that you have a more precise understanding of your server's memory utilization. After the completion of the [scheduled maintenance window](./concepts-maintenance.md), existing servers will benefit from this enhancement.

+ Flexible Maintenance for Azure Database for MySQL - Flexible Server enables a tailored maintenance schedule to suit your operational rhythm. This feature allows you to reschedule maintenance tasks within a maximum 14-day window and initiate on-demand maintenance, granting you unprecedented control over server upkeep timing. Stay tuned for more customizable experiences in the future. [Learn more](concepts-maintenance.md).

+ Azure Database for MySQL - Flexible server now supports Universal Read Replicas in Public regions. The feature allows you to replicate your data from an instance of Azure Database for MySQL Flexible Server to a read-only server in Universal region which could be any region from the list of Azure supported region where flexible server is available. [Learn more](concepts-read-replicas.md)

+ You can now enable private endpoints to provide a secure means to access Azure Database for MySQL Flexible Server via a Private Link, allowing both public and private access simultaneously. If necessary, you have the choice to restrict public access, ensuring that connections are exclusively routed through private endpoints for heightened network security. It's also possible to configure or update Private Link settings either during or after the creation of the server. [Learn more](./concepts-networking-private-link.md).

+ You can now migrate an Azure Database for MySQL Single Server to an Azure Database for MySQL Flexible Server by running a single CLI command with minimal inputs as the command leverages smart defaults for target Flexible Server provisioning based on the source server SKU and properties! [Learn more](../migrate/migrate-single-flexible-mysql-import-cli.md)

+ If you own an Azure DB for MySQL Single Server workload with Basic or GP SKU, data storage used < 10 GiB and no complex features (CMK, Microsoft Entra ID, Read Replica, Private Link) enabled, you can now nominate yourself (if not already scheduled by the service) for in-place automigration to Flexible Server by submitting your server details through this [form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4lhLelkCklCuumNujnaQ-ZUQzRKSVBBV0VXTFRMSDFKSUtLUDlaNTA5Wi4u)

+ Universal Geo Restore feature will allow you to restore a source server instance to an alternate region from the list of Azure supported regions where flexible server is [available](./overview.md#azure-regions). If a large-scale incident in a region results in unavailability of database application, then you can use this feature as a disaster recovery option to restore the server to an Azure supported target region, which is different than the source server region. [Learn more](concepts-backup-restore.md#restore)

+ Azure Database for MySQL Flexible Server now supports [generated invisible primary key (GIPK)](https://dev.mysql.com/doc/refman/8.0/en/create-table-gipks.html) for MySQL version 8.0. With this change, by default, the value of the server system variable "[sql_generate_invisible_primary_key](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_sql_generate_invisible_primary_key) " is ON for all MySQL - Flexible Server on MySQL 8.0. With GIPK mode ON, MySQL generates an invisible primary key to any InnoDB table which is new created without an explicit primary key. Learn more about the GIPK mode: [Generated Invisible Primary Keys](./concepts-limitations.md#generated-invisible-primary-keys)

+1. In **Create connection**, enter or select the following values in the **Basics** tab:

+ | **Project details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource Group | Select **myResourceGroup**. |

+ | **Instance details** | |

+ | Name | Enter ***to-VNet2***. |

+ | Region | Select **East US**. |

+1. Select the **Settings** tab or select **Next: Settings** button.

+1. In **Settings** tab, enter or select the following values:

+ | Setting | Value |

+ | | |

+ | **Virtual network gateway** | |

+ | First virtual network gateway | Select **VNet1GW**. |

+1. Select **Review + create**.

+1. Review the settings, and then select **Create**.

+ | First virtual network gateway | **VNet2GW** |

+1. Under **Settings**, select **Authentication Type**.

+#CustomerIntent: As an Azure administrator, I want to learn about NSG flow logs so that I can monitor my network and optimize its performance.

+- **Location**: The storage account must be in the same region as the network security group.

+- **Subscription**: The storage account must be in a subscription associated with the same Microsoft Entra tenant as the network security group's subscription.

+- **Performance tier**: The storage account must be standard. Premium storage accounts aren't supported.

+#CustomerIntent: As an Azure administrator, I want to learn about VNet flow logs so that I can log my network traffic to analyze and optimize the network performance.

+- **Location**: The storage account must be in the same region as the virtual network.

+- **Subscription**: The storage account must be in a subscription associated with the same Microsoft Entra tenant as the virtual network's subscription.

+- **Performance tier**: The storage account must be standard. Premium storage accounts aren't supported.

+[Azure Front Door](../frontdoor/front-door-overview.md), for example, sits at the edge, supports WAF, and additionally includes application acceleration capabilities. Azure Front Door can be used in combination with [Application Gateway](../application-gateway/overview.md) for more layers of protection and more granular rules per application. If you aren't distributed, then an Application Gateway also works with WAF and can be used to manage web based traffic with TLS inspection. Finally, if you have media based workloads then the Verizon Media Streaming service delivered via Azure is the best option you.

+- [Choose a secure network topology](secure-network-topology.md)

+- [Learn more about Azure network security](security/index.yml)

+[Azure Virtual WAN](../virtual-wan/virtual-wan-about.md) is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface.

+[Azure Virtual Network Manager](../virtual-network-manager/overview.md) is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions. [Security admin rules](../virtual-network-manager/concept-security-admins.md) can be applied to the virtual network to control access to the network and the resources within the network.

+- [Choose a secure application delivery service](secure-application-delivery.md)

+- [Learn more about Azure network security](security/index.yml)

+## Exceeding Azure storage limits

+If requests are being throttled due to Azure storage limits being exceeded, it might be due to one of the following reasons:

+- There's a maximum of approximately 50 clusters per subscription ID + region. Create fewer than 50 clusters per subscription + region. For example: 25 clusters in subscription + eastus and 25 clusters in subscription + eastus2.

+- Avoid creating multiple clusters within a single subscription + region at the same time. If you need to create multiple clusters in a short period of time, federate over multiple subscriptions or regions.

+If the issue persists please create a support ticket for investigation.

+--runtime-protection enforcement-level="Disabled"

+>As you have noted, the argument `--runtime-protection enforcement-level="<enforcement level>"` serves two purposes: enabling/disabling MDE service and updating the enforcement level.

+The `az networkcloud cluster update` allows you to update of the settings for Cluster runtime protection *enforcement level* by using the argument `--runtime-protection enforcement-level="<enforcement level>"`.

+--runtime-protection enforcement-level="<enforcement level>"

+content_well_notification:

+ - AI-contribution

+Azure Orbital Ground Station offers a common data plane and API to access all antenna in the global network. An active contract with the partner network(s) you wish to integrate with Azure Orbital Ground Station is required to onboard with a partner. Once you have the proper contract(s) and regulatory approval(s) in place, your subscription is approved to access partner ground station sites by the Azure Orbital Ground Station team. Learn how to [request authorization of a spacecraft](register-spacecraft.md#request-authorization-of-the-new-spacecraft-resource) and [configure a contact profile](concepts-contact-profile.md#configuring-a-contact-profile-for-applicable-partner-ground-stations) for partner ground stations.

+1. [Create and deploy an Azure OpenAI service resource and a model](../../ai-services/openai/how-to/create-resource.md), for example deploy the embeddings model [text-embedding-ada-002](../../ai-services/openai/concepts/models.md#embeddings-models). Copy the deployment name as it is needed to create embeddings.

+- [Virtual network workloads without Azure Private Resolver](#virtual-network-workloads-without-azure-private-resolver)

+- [Peered virtual network workloads without Azure Private Resolver](#virtual-network-workloads-without-custom-dns-server)

+

+- [Azure Private Resolver for on-premises workloads](#azure-private-resolver-for-on-premises-workloads)

+- [Azure Private Resolver with on-premises DNS forwarder](#on-premises-workloads-using-a-dns-forwarder)

+

+- [Azure Private Resolver for virtual network and on-premises workloads](#virtual-network-and-on-premises-workloads-using-a-dns-forwarder)

+## Virtual network workloads without Azure Private Resolver

+- Private DNS zone [privatelink.database.windows.net](../dns/private-dns-privatednszone.md) with [type A record](../dns/dns-zones-records.md#record-types)

+## <a name="virtual-network-workloads-without-custom-dns-server"></a> Peered virtual network workloads without Azure Private Resolver

+You can extend this model to peered virtual networks associated to the same private endpoint. [Add new virtual network links](../dns/private-dns-virtual-network-links.md) to the private DNS zone for all peered virtual networks.

+> - A single private DNS zone is required for this configuration. Creating multiple zones with the same name for different virtual networks would need manual operations to merge the DNS records.

+>

+> - If you're using a private endpoint in a hub-and-spoke model from a different subscription or even within the same subscription, link the same private DNS zones to all spokes and hub virtual networks that contain clients that need DNS resolution from the zones.

+## Azure Private Resolver for on-premises workloads

+For on-premises workloads to resolve the FQDN of a private endpoint, use Azure Private Resolver to resolve the Azure service public DNS zone in Azure. Azure Private Resolver is an Azure managed service that can resolve DNS queries without the need for a virtual machine acting as a DNS forwarder.

+The following scenario is for an on-premises network configured to use an Azure Private Resolver. The private resolver forwards the request for the private endpoint to Azure DNS.

+> This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: [Azure services DNS zone values](private-endpoint-dns.md).

+The following resources are required for a proper configuration:

+- On-premises network

+- Virtual network [connected to on-premises](/azure/architecture/reference-architectures/hybrid-networking/)

+- [Azure Private Resolver](/azure/dns/dns-private-resolver-overview)

+- Private DNS zones [privatelink.database.windows.net](../dns/private-dns-privatednszone.md) with [type A record](../dns/dns-zones-records.md#record-types)

+- Private endpoint information (FQDN record name and private IP address)

+The following diagram illustrates the DNS resolution sequence from an on-premises network. The configuration uses a Private Resolver deployed in Azure. The resolution is made by a private DNS zone [linked to a virtual network](../dns/private-dns-virtual-network-links.md):

+## <a name="on-premises-workloads-using-a-dns-forwarder"></a> Azure Private Resolver with on-premises DNS forwarder

+This configuration can be extended for an on-premises network that already has a DNS solution in place.

+The on-premises DNS solution is configured to forward DNS traffic to Azure DNS via a [conditional forwarder](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server). The conditional forwarder references the Private Resolver deployed in Azure.

+> This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: [Azure services DNS zone values](private-endpoint-dns.md)

+To configure properly, you need the following resources:

+- On-premises network with a custom DNS solution in place

+- Virtual network [connected to on-premises](/azure/architecture/reference-architectures/hybrid-networking/)

+- [Azure Private Resolver](/azure/dns/dns-private-resolver-overview)

+- Private DNS zones [privatelink.database.windows.net](../dns/private-dns-privatednszone.md) with [type A record](../dns/dns-zones-records.md#record-types)

+- Private endpoint information (FQDN record name and private IP address)

+The following diagram illustrates the DNS resolution from an on-premises network. DNS resolution is conditionally forwarded to Azure. The resolution is made by a private DNS zone [linked to a virtual network](../dns/private-dns-virtual-network-links.md).

+> The conditional forwarding must be made to the recommended [public DNS zone forwarder](private-endpoint-dns.md). For example: `database.windows.net` instead of **privatelink**.database.windows.net.

+## <a name="virtual-network-and-on-premises-workloads-using-a-dns-forwarder"></a> Azure Private Resolver for virtual network and on-premises workloads

+For workloads accessing a private endpoint from virtual and on-premises networks, use Azure Private Resolver to resolve the Azure service [public DNS zone](private-endpoint-dns.md) deployed in Azure.

+The private resolver is responsible for resolving all the DNS queries via the Azure-provided DNS service [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md).

+> A single private DNS zone is required for this configuration. All client connections made from on-premises and [peered virtual networks](../virtual-network/virtual-network-peering-overview.md) must also use the same private DNS zone.

+- Azure Private Resolver

+The following diagram shows the DNS resolution for both networks, on-premises and virtual networks. The resolution is using Azure Private Resolver.

+The resolution is made by a private DNS zone [linked to a virtual network](../dns/private-dns-virtual-network-links.md):

+Previously, the DNS records for the private endpoint were created via scripting (retrieving certain information about the private endpoint and then adding it on the DNS zone). With the DNS zone group, there's no need to write any extra CLI/PowerShell lines for every DNS zone. Also, when you delete the private endpoint, all the DNS records within the DNS zone group are deleted.

+In a hub-and-spoke topology, a common scenario allows the creation of private DNS zones only once in the hub. This setup permits the spokes to register to it, instead of creating different zones in each spoke.

+> - Each DNS zone group can support up to 5 DNS zones.

+> - Adding multiple DNS zone groups to a single Private Endpoint is not supported.

+> - Delete and update operations for DNS records can be seen performed by **Azure Traffic Manager and DNS.** This is a normal platform operation necessary for managing your DNS Records.

+ Title: Create alerts for quotas

+# Create alerts for quotas

+You can create alerts for quotas and manage them.

+## Create an alert rule

+### Prerequisites

+Users must have the necessary [permissions to create alerts](../azure-monitor/alerts/alerts-overview.md#azure-role-based-access-control-for-alerts).

+The [managed identity](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp) must have the **Reader** role (or another role that includes read access) on the subscription.

+### Create alerts in the Azure portal

+The simplest way to create a quota alert is to use the Azure portal. Follow these steps to create an alert rule for your quota.

+1. Sign in to the [Azure portal](https://portal.azure.com) and enter **"quotas"** in the search box, then select **Quotas**. In Quotas page, select **My quotas** and choose **Compute** Resource Provider. Once the page loads, select **Quota Name** to create a new alert rule.

+1. When the **Create usage alert rule** page appears, populate the fields with data as shown in the table. Make sure you have the [permissions to create alerts](../azure-monitor/alerts/alerts-overview.md#azure-role-based-access-control-for-alerts).

+ | Alert rule name | The alert rule name must be distinct and can't be duplicated, even across different resource groups. |

+ | Alert me when the usage % reaches | Adjust the slider to select your desired usage percentage for triggering alerts. For example, at the default 80%, you receive an alert when your quota reaches 80% capacity.|

+ | Severity | Select the severity of the alert when the ruleΓÇÖs condition is met.|

+ | [Frequency of evaluation](../azure-monitor/alerts/alerts-overview.md#stateful-alerts) | Choose how **often** the alert rule should **run**, by selecting 5, 10, or 15 minutes. If the frequency is smaller than the aggregation granularity, the frequency of evaluation results in sliding window evaluation. |

+ | [Resource group](../azure-resource-manager/management/manage-resource-groups-portal.md) | Select a resource group similar to other quotas in your subscription, or create a new resource group. |

+ | [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md?tabs=azure-portal) | A workspace within the subscription that is being monitored and is used as the scope for rule execution. Select from the dropdown or create a new workspace. If you create a new workspace, use it for all alerts in your subscription. |

+ | [Managed identity](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp) | Select from the dropdown, or create a new managed identity. This managed identity must have **Reader** access to the subscription (to read usage data) and to the selected Log Analytics workspace (to read the log alerts). |

+ | Notify me by | Select one or more of the three check boxes, depending on your notification preferences. |

+ | [Use an existing action group](../azure-monitor/alerts/action-groups.md) | Check the box to use an existing action group. An action group **invokes** a defined set of **notifications** and actions when an alert is triggered. You can create an action group to automatically increase the quota whenever possible. |

+ | [Dimensions](../azure-monitor/alerts/alerts-types.md#dimensions-in-log-alert-rules) | Options for selecting **multiple Quotas** and **regions** within a single alert rule. Adding dimensions is a cost-effective approach compared to creating a new alert for each quota or region.|

+ | [Estimated cost](https://azure.microsoft.com/pricing/details/monitor/) |The estimated cost is automatically calculated, based on running this **new alert rule** against your quota. Each alert creation costs $0.50 USD, and each additional dimension adds $0.05 USD to the cost. |

+ > [!TIP]

+ > Within the same subscription, we advise using the same **Resource group**, **Log Analytics workspace,** and **Managed identity** values for all alert rules.

+1. After you've made your selections, select **Create Alert**. You'll see a confirmation if the rule was successfully created, or a message if any problems occurred.

+### Create alerts using API

+Alerts can be created programmatically using the [**Monitoring API**](/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules/create-or-update?tabs=HTTP). This API can be used to create or update a log search rule.

+For a sample request body, see the [API documentation](/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules/create-or-update?tabs=HTTP)

+### Create alerts using Azure Resource Graph query

+You can use the **Azure Monitor Alerts** blade to [create alerts using a query](../azure-monitor/alerts/alerts-create-new-alert-rule.md?tabs=log). Resource Graph Explorer lets you run and test queries before using them to create an alert. To learn more, see the [Configure Azure alerts](/training/modules/configure-azure-alerts/) training module.

+For quota alerts, make sure the **Scope** is your Log analytics workspace and the **Signal type** is the customer query log. Add a sample query for quota usages. Follow the remaining steps as described in the [Create or edit an alert rule](../azure-monitor/alerts/alerts-create-new-alert-rule.md?tabs=log).

+The following example shows a query that creates quota alerts.

+## Manage quota alerts

+Once you've created your alert rule, you can view and edit the alerts.

+### View alert rules

+Select **Quotas > Alert rules** to see all quota alert rules that have been created for a given subscription. You can edit, enable, or disable rules from this page.

+ :::image type="content" source="media/monitoring-alerting/view-alert-rules-inline.png" alt-text="Screenshot showing how the quota alert rule screen in the Azure portal." lightbox="media/monitoring-alerting/view-alert-rules-expanded.png":::

+Select **Quotas > Fired Alert Rules** to see all the alerts that have been triggered for a given subscription. Select an alert to view its details, including the history of how many times it was triggered and the status of each occurrence.

+ :::image type="content" source="media/monitoring-alerting/view-fired-alerts-inline.png" alt-text="Screenshot showing the Fired Alert screen in the Azure portal." lightbox="media/monitoring-alerting/view-fired-alerts-expanded.png":::

+### Edit, update, enable, or disable alerts

+You can make changes from within an alert rule by expanding the options below the dots, then selecting an action.

+When you select **Edit**, you can add multiple quotas or locations for the same alert rule.

+ :::image type="content" source="media/monitoring-alerting/edit-dimension-inline.png" alt-text="Screenshot showing how to add dimensions while editing a quota rule in the Azure portal." lightbox="media/monitoring-alerting/edit-dimension-expanded.png":::

+You can also make changes by navigating to the **Alert rules** page, then select the specific alert rule you want to change.

+ :::image type="content" source="media/monitoring-alerting/alert-rule-edit-inline.png" alt-text="Screenshot showing how to edit rules from the Alert rule screen in the Azure portal." lightbox="media/monitoring-alerting/alert-rule-edit-expanded.png":::

+## Respond to alerts

+For created alerts, an action group can be established to automate quota increases. By using an existing action group, you can invoke the Quota API to automatically increase quotas wherever possible, eliminating the need for manual intervention.

+You can use functions to call the Quota API and request for more quota. Use `Test_SetQuota()` code to write an Azure function to set the quota. For more information, see this [example on GitHub](https://github.com/allison-inman/azure-sdk-for-net/blob/main/sdk/quota/Microsoft.Azure.Management.Quota/tests/ScenarioTests/QuotaTests.cs).

+Using [Azure Resource Graph](../governance/resource-graph/overview.md), alerts can be [managed programatically](../azure-monitor/alerts/alerts-manage-alert-instances.md#manage-your-alerts-programmatically). This allows you to query your alert instances and analyze your alerts to identify patterns and trends.

+The **QuotaResources** table in [Azure Resource Graph](../governance/resource-graph/overview.md) explorer provides usage and limit/quota data for a given resource, region, and/or subscription. You can also query usage and quota data across multiple subscriptions with Azure Resource Graph queries.

+You must have at least the **Reader** role for the subscription to query this data using Resource Graph Explorer.

+### Sample queries

+Query to view current usages, quota/limit, and usage percentage for a subscription, region, and VCM family:

+Query to summarize total vCPUs (On-demand, Low Priority/Spot) per subscription per region:

+## Provide feedback

+We encourage you to use the **Feedback** button on every Azure Quotas page to share your thoughts, questions, or concerns with our team.

+If you encounter problems while creating alert rules for quotas, [open a support request](/azure/azure-portal/supportability/how-to-create-azure-support-request).

+- Learn about [quota monitoring and alerting](monitoring-alerting.md)

+- Learn more about [quotas](quotas-overview.md) and [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md).

+description: Learn about monitoring and alerting for quota usage.

+# Quota monitoring and alerting

+Monitoring and alerting in Azure provides real-time insights into resource utilization, enabling proactive issue resolution and resource optimization. Use monitoring and alerting to help detect anomalies and potential issues before they impact services.

+> When monitoring and alerting is enabled for your account, the Quotas in **MyQuotas** will be highlighted and clickable.

+## Monitoring

+Monitoring for quotas lets you proactively manage your Azure resources. Azure sets predefined limits, or quotas, for various resources like **Compute**, **Azure Machine Learning**, and **HPC Cache**. This monitoring involves continuous tracking of resource usage to ensure it remains within allocated limits, including notifications when these limits are approached or reached.

+## Alerting

+Quota alerts in Azure are notifications triggered when the usage of a specific Azure resource nears the **predefined quota limit**. These alerts are crucial for informing Azure users and administrators about resource consumption, facilitating proactive resource management. AzureΓÇÖs alert rule capabilities allow you to create multiple alert rules for a given quota or across quotas in your subscription.

+For more information, see [Create alerts for quotas](how-to-guide-monitoring-alerting.md).

+- Learn [how to create quota alerts](how-to-guide-monitoring-alerting.md).

+- Learn more about [alerts](../azure-monitor/alerts/alerts-overview.md)

+| [Azure Spring Apps](reliability-spring-apps.md) |  |

+###  Strategic services

+| **Products** |

+|--|

+| [Azure Spring Apps](reliability-spring-apps.md) |

+This video provides an overview of delegating role assignments with conditions.

+>[!VIDEO https://www.youtube.com/embed/3eDf2thqeO4]

+Start by importing the SAP Deployment Automation Framework Bootstrap GitHub repository into Azure Repos.

+If you're unable to import a repository, you can create the repository manually. Then you can import the content from the SAP Deployment Automation Framework GitHub Bootstrap repository to it.

+- **Name of configuration repository**: `Same as the DevOps Project name`. Source is `https://github.com/Azure/sap-automation-bootstrap.git`.

+## Create Azure Pipelines

+Azure Pipelines are implemented as YAML files. They're stored in the *deploy/pipelines* folder in the repository.

+| Repo | "Root repo" (same as project name) |

+| Path | `pipelines/01-deploy-control-plane.yml` |

+| Repo | "Root repo" (same as project name) |

+| Path | `pipelines/02-sap-workload-zone.yml` |

+| Repo | "Root repo" (same as project name) |

+| Path | `pipelines/03-sap-system-deployment.yml` |

+| Repo | "Root repo" (same as project name) |

+| Repo | "Root repo" (same as project name) |

+| Path | `pipelines/05-DB-and-SAP-installation.yml` |

+| Repo | "Root repo" (same as project name) |

+| Path | `pipelines/10-remover-terraform.yml` |

+| Repo | "Root repo" (same as project name) |

+| Path | `pipelines/12-remove-control-plane.yml` |

+| Repo | "Root repo" (same as project name) |

+| Path | `pipelines/11-remover-arm-fallback.yml` |

+| Name | Deployment removal using Azure Resource Manager |

+| Repo | "Root repo" (same as project name) |

+| Path | `pipelines/20-update-ado-repository.yml` |

+| `tf_version` | 1.6.0 | The Terraform version to use. See [Terraform download](https://www.terraform.io/downloads). |

+| CP_ARM_CLIENT_ID | `Service principal application ID` | |

+| CP_ARM_OBJECT_ID | `Service principal object ID` | |

+| CP_ARM_CLIENT_SECRET | `Service principal password` | Change the variable type to secret by selecting the lock icon. |

+| CP_ARM_SUBSCRIPTION_ID | `Target subscription ID` | |

+| CP_ARM_TENANT_ID | `Tenant ID` for the service principal | |

+Most of the pipelines add files to the Azure Repos and therefore require pull permissions. On **Project Settings**, under the **Repositories** section, select the **Security** tab of the source code repository and assign Contribute permissions to the `Build Service`.

+As a result of running the control plane pipeline, part of the web app URL that is needed is stored in a variable named `WEBAPP_URL_BASE` in your environment-specific variable group. At any time, you can update the URLs of the registered application web app by using the following command.

+You also need to grant reader permissions to the app service system-assigned managed identity. Go to the app service resource. On the left side, select **Identity**. On the **System assigned** tab, select **Azure role assignments** > **Add role assignment**. Select **Subscription** as the scope and **Reader** as the role. Then select **Save**. Without this step, the web app dropdown functionality will not work.

+ systemctl start pmproxy

+ "vectorFilterMode": "preFilter",

+ ]n

+> * Show how analyzers work

+ The script updates the OS components, installs the Azure CLI and Docker software and other required utilities (jq, netcat, curl). You can supply additional parameters to the script to customize the container deployment. For more information on available command line options, see [Kickstart script reference](reference-kickstart.md).

+

+Service Bus topics and subscriptions support a *publish/subscribe* messaging communication model. When you use topics and subscriptions, components of a distributed application don't communicate directly with each other; instead they exchange messages via a topic, which acts as an intermediary.

+In contrast with Service Bus queues, in which each message is processed by a single consumer, topics and subscriptions provide a one-to-many form of communication, using a publish/subscribe pattern. It's possible to register multiple subscriptions to a topic. When a message is sent to a topic, it's then made available to each subscription to handle/process independently. A subscription to a topic resembles a virtual queue that receives copies of the messages that were sent to the topic. You can optionally register filter rules for a topic on subscriptions, which allows you to filter or restrict which messages to a topic are received by which topic subscriptions.

+This article discusses *Shared Access Signatures* (SAS), how they work, and how to use them in a platform-agnostic way with Azure Service Bus.

+Shared Access Signatures are a claims-based authorization mechanism using simple tokens. When you use SAS, keys are never passed on the wire. Keys are used to cryptographically sign information that can later be verified by the service. SAS can be used similar to a username and password scheme where the client is in immediate possession of an authorization rule name and a matching key. SAS can also be used similar to a federated security model, where the client receives a time-limited and signed access token from a security token service without ever coming into possession of the signing key.

+SAS authentication in Service Bus is configured with named [shared access authorization policies](#shared-access-authorization-policies) having associated access rights, and a pair of primary and secondary cryptographic keys. The keys are 256-bit values in Base 64 representation. You can configure rules at the namespace level, on Service Bus [queues](service-bus-messaging-overview.md#queues) and [topics](service-bus-messaging-overview.md#topics).

+> These keys are plain text strings using a Base 64 representation, and must not be decoded before they are used.

+## Shared access authorization policies

+Each Service Bus namespace and each Service Bus entity has a shared access authorization policy made up of rules. The policy at the namespace level applies to all entities in the namespace, irrespective of their individual policy configuration.

+* Send - Grants the right to send messages to the entity

+* Listen - Grants the right to receive (queue, subscriptions) and all related message handling

+* Manage - Grants the right to manage the topology of the namespace, including creating and deleting entities

+The **Manage** right includes the Send and Listen rights.

+A namespace or entity policy can hold up to 12 Shared Access Authorization rules, providing room for three sets of rules, each covering the basic rights, and the combination of Send and Listen. This limit is per entity, meaning the namespace and each entity can have up to 12 Shared Access Authorization rules. This limit underlines that the SAS policy store isn't intended to be a user or service account store. If your application needs to grant access to Service Bus based on user or service identities, it should implement a security token service that issues SAS tokens after an authentication and access check.

+An authorization rule is assigned a *Primary Key* and a *Secondary Key*. These keys are cryptographically strong keys. Don't lose them or leak them - they'll always be available in the [Azure portal]. You can use either of the generated keys, and you can regenerate them at any time. If you regenerate or change a key in the policy, all previously issued tokens based on that key become instantly invalid. However, ongoing connections created based on such tokens continue to work until the token expires.

+When you create a Service Bus namespace, a policy rule named **RootManageSharedAccessKey** is automatically created for the namespace. This policy has Manage permissions for the entire namespace. It's recommended that you treat this rule like an administrative **root** account and don't use it in your application. You can create more policy rules in the **Shared access policies** tab for the namespace in the portal, via PowerShell or Azure CLI.

+We recommend that you periodically regenerate the keys used in the [SharedAccessAuthorizationRule](/dotnet/api/azure.messaging.servicebus.administration.sharedaccessauthorizationrule) object. The primary and secondary key slots exist so that you can rotate keys gradually. If your application generally uses the primary key, you can copy the primary key into the secondary key slot, and only then regenerate the primary key. The new primary key value can then be configured into the client applications, which have continued access using the old primary key in the secondary slot. Once all clients are updated, you can regenerate the secondary key to finally retire the old primary key.

+- If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then applicationΓÇÖs functionality might be hindered.

+- **Have clients automatically renew the SAS if necessary**: Clients should renew the SAS well before expiration, to allow time for retries if the service providing the SAS is unavailable. If your SAS is meant to be used for a few immediate, short-lived operations that are expected to be completed within the expiration period, then it might be unnecessary as the SAS isn't expected to be renewed. However, if you have client that is routinely making requests via SAS, then the possibility of expiration comes into play. The key consideration is to balance the need for the SAS to be short-lived (as previously stated) with the need to ensure that client is requesting renewal early enough (to avoid disruption due to the SAS expiring prior to a successful renewal).

+- **Be careful with the SAS start time**: If you set the start time for SAS to **now**, then due to clock skew (differences in current time according to different machines), you might see failures intermittently for the first few minutes. In general, set the start time to be at least 15 minutes in the past. Or, donΓÇÖt set it at all, which will make it valid immediately in all cases. The same generally applies to the expiry time as well. Remember that you might observe up to 15 minutes of clock skew in either direction on any request.

+We recommend that you periodically regenerate the keys used in the Shared Access Authorization Policy. The primary and secondary key slots exist so that you can rotate keys gradually. If your application generally uses the primary key, you can copy the primary key into the secondary key slot, and only then regenerate the primary key. The new primary key value can then be configured into the client applications, which have continued access using the old primary key in the secondary slot. Once all clients are updated, you can regenerate the secondary key to finally retire the old primary key.

+1. Select **Shared Access Policies** on the left menu.

+1. Select the policy from the list. In the following example, **RootManageSharedAccessKey** is selected.

+1. To regenerate the primary key, on the **SAS Policy: RootManageSharedAccessKey** page, select **Regenerate primary key** on the command bar.

+ :::image type="content" source="./media/service-bus-sas/regenerate-primary-key.png" alt-text="Screenshot that shows how to regenerate a primary key.":::

+1. To regenerate the secondary key, on the **SAS Policy: RootManageSharedAccessKey** page, select **...** from the command bar, and then select **Regenerate secondary key**.

+If you're using **Azure PowerShell**, use the [`New-AzServiceBusKey`](/powershell/module/az.servicebus/new-azservicebuskey) cmdlet to regenerate primary and secondary keys for a Service Bus namespace. You can also specify values for primary and secondary keys that are being generated, by using the `-KeyValue` parameter.

+If you're using **Azure CLI**, use the [`az servicebus namespace authorization-rule keys renew`](/cli/azure/servicebus/namespace/authorization-rule/keys#az-servicebus-namespace-authorization-rule-keys-renew) command to regenerate primary and secondary keys for a Service Bus namespace. You can also specify values for primary and secondary keys that are being generated, by using the `--key-value` parameter.

+Applications using any of the Service Bus SDK in any of the officially supported languages like .NET, Java, JavaScript, and Python can make use of SAS authorization through the connection strings passed to the client constructor.

+The following steps show how to send the SAS token with AMQP protocol using the [AMQP.NET Lite](https://github.com/Azure/amqpnetlite) library. It's useful if you can't use the official Service Bus SDK (for example, on WinRT, .NET Compact Framework, .NET Micro Framework, and Mono) developing in C#. This library is useful to help understand how claims-based security works at the AMQP level, as you saw how it works at the HTTP level (with an HTTP POST request and the SAS token sent inside the "Authorization" header). If you don't need such deep knowledge about AMQP, you can use the official Service Bus SDK in any of the supported languages like .NET, Java, JavaScript, Python, and Go, which will do it for you.

+ // the sender/receiver might be kept open for refreshing tokens

+2. In the vault > **Replicated items**, select the VM. Right-click the VM > **Failover**.

+- Copy the installer corresponding to the source machineΓÇÖs operating system and place it on your source machine in a local folder, such as C:\Program Files (x86)\Microsoft Azure Site Recovery.

+> * If you view your API from a brower and your browser requires you to enter login credentials to view the page, use [URL decode](https://www.urldecoder.org/) to decode your test endpoint. URL decode returns a URL in the form "https://\<username>:\<password>@\<cluster-name>.test.azuremicroservices.io/\<app-name>/\<deployment-name>". Use this form to access your endpoint.

+The following image shows the resources given to the Tanzu Build Service Agent Pool after you successfully provision the service instance. You can also update the configured agent pool size here after you create the service instance.

+ :::image type="content" source="media/how-to-enterprise-build-service/enable-build-service-with-default-acr.png" alt-text="Screenshot of the Azure portal that shows the V M ware Tanzu Settings for the Azure Spring Apps Create page with default Build Service settings highlighted." lightbox="media/how-to-enterprise-build-service/enable-build-service-with-default-acr.png":::

+ :::image type="content" source="media/how-to-enterprise-build-service/enable-build-service-with-user-acr.png" alt-text="Screenshot of the Azure portal that shows V M ware Tanzu Settings for the Azure Spring Apps Create page with use your own container registry highlighted." lightbox="media/how-to-enterprise-build-service/enable-build-service-with-user-acr.png":::

+ :::image type="content" source="media/how-to-enterprise-build-service/disable-build-service.png" alt-text="Screenshot of the Azure portal that shows V M ware Tanzu Settings for the Azure Spring Apps Create page with the Enable Build Service not selected." lightbox="media/how-to-enterprise-build-service/disable-build-service.png":::

+1. Use the following command to accept the legal terms and privacy statements for the Azure Spring Apps Enterprise plan. This step is necessary only if you never used your subscription to create an Enterprise plan instance.

+## Build history

+You can see all the build resources in the **Builds** section of the Azure Spring Apps Build Service page.

+The table in the **Builds** section contains the following columns:

+- **Build Name**: The name of the build.

+- **Provisioning State**: The provisioning state of the build. The values are `Succeeded`, `Failed`, `Updating`, and `Creating`. Provisioning states `Updating` and `Creating` mean the build can't be updated until the current build finishes. Provisioning state `Failed` means your latest source code build has failed to generate a new build result.

+- **Resource Quota**: The resource quota in build pod of the build.

+- **Builder**: The builder used in the build.

+- **Latest Build Result**: The latest build result image tag of the build.

+- **Latest Build Result Provisioning State**: The latest build result provisioning state of the build. The values are `Queuing`, `Building`, `Succeeded`, and `Failed`.

+- **Latest Build Result Last Transition Time**: The last transition time for the latest build result of the build.

+- **Latest Build Result Last Transition Reason**: The last transition reason for the latest build result of the build. The values are `CONFIG`, `STACK`, and `BUILDPACK`. `CONFIG` means the build result is changed by builder updates or by a new source code deploy operation. `STACK` means the build result is changed by a stack upgrade. `BUILDPACK` means the build result is changed by a buildpack upgrade.

+- **Latest Build Result Last Transition Status**: The last transition status for the latest build result of the build. The values are `True` and `False`.

+For **Provisioning State**, when the value is `Failed`, deploy the source code again. If the error persists, create a support ticket.

+For **Latest Build Result Provisioning State**, when the value is `Failed`, check the build logs. For more information, see [Troubleshoot common build issues in Azure Spring Apps](troubleshoot-build-exit-code.md).

+For **Latest Build Result Last Transition Status**, when the value is `Failed`, see the **Latest Build Result Last Transition Reason** column. If the reason is `BUILDPACK` or `STACK`, no action is necessary. If the reason is `CONFIG`, deploy the source code again. If the error persists, create a support ticket.

+| Feature | Java | Python | Node | .NET Core | Go | [Static Files](how-to-enterprise-deploy-static-file.md) | Java Native Image | PHP |

+|--||--||--|-||-|--|

+| App lifecycle management | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Assign endpoint | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Azure Monitor | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | ✔️ |

+| Out of box APM integration | ✔️ | | | | | | | |

+| Blue/green deployment | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Custom domain | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Scaling - auto scaling | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | | ✔️ |

+| Scaling - manual scaling (in/out, up/down) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Managed Identity | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ️ | ✔️ |

+| API portal for VMware Tanzu | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Spring Cloud Gateway for VMware Tanzu | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Application Configuration Service for VMware Tanzu | ✔️ | | | | | | ✔️ | |

+| VMware Tanzu Service Registry | ✔️ | | | | | | ✔️ | |

+| App Live View for VMware Tanzu | ✔️ | | | | | | ✔️ | |

+| Virtual network | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Outgoing IP Address | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| E2E TLS | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Advanced troubleshooting - thread/heap/JFR dump | ✔️ | | | | | | | |

+| Bring your own storage | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Integrate service binding with Resource Connector | ✔️ | | | | | | ✔️ | |

+| Availability Zone | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| App Lifecycle events | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Reduced app size - 0.5 vCPU and 512 MB | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Automate app deployments with Terraform and Azure Pipeline Task | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Soft Deletion | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Interactive diagnostic experience (AppLens-based) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| SLA | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Customize health probes | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |

+| Web shell connect for troubleshooting | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ | ️ ✔️ | ✔️ |

+| Remote debugging | ✔️ | | | | ️ | ️ | ️ | |

+| Enable configuration of labels on the created image. | Configures both OCI-specified labels with short environment variable names and arbitrary labels using a space-delimited syntax in a single environment variable. | `BP_IMAGE_LABELS` <br> `BP_OCI_AUTHORS` <br> See more environment variables [here](https://github.com/paketo-buildpacks/image-labels). | `--build-env BP_OCI_AUTHORS=<value>` |

+> Confirm that your test endpoint ends with a slash (/) to ensure that the CSS file is loaded correctly. If your browser requires you to enter login credentials to view the page, use [URL decode](https://www.urldecoder.org/) to decode your test endpoint. URL decode returns a URL in the format `https://\<username>:\<password>@\<cluster-name>.test.azuremicroservices.io/demo/green`. Use this format to access your endpoint.

+> Configuration server settings apply to both your staging environment and your production environment. For example, if you set the context path (*server.servlet.context-path*) for your app demo in the configuration server as *somepath*, the path to your green deployment changes to `https://\<username>:\<password>@\<cluster-name>.test.azuremicroservices.io/demo/green/somepath/...`.

+The name of the Azure Spring Apps service instance is used for requesting a subdomain name under `azuremicroservices.io`, so the setup fails if the name conflicts with an existing one. You might find more details in the activity logs.

+To learn about managing properties and metadata using asynchronous APIs, see [Set blob metadata asynchronously](#set-blob-metadata-asynchronously).

+## Set blob metadata asynchronously

+The Azure Blob Storage client library for Python supports managing blob properties and metadata asynchronously. To learn more about project setup requirements, see [Asynchronous programming](storage-blob-python-get-started.md#asynchronous-programming).

+Follow these steps to set blob metadata using asynchronous APIs:

+1. Add the following import statements:

+ ```python

+ import asyncio

+ from azure.identity.aio import DefaultAzureCredential

+ from azure.storage.blob.aio import BlobServiceClient

+ ```

+1. Add code to run the program using `asyncio.run`. This function runs the passed coroutine, `main()` in our example, and manages the `asyncio` event loop. Coroutines are declared with the async/await syntax. In this example, the `main()` coroutine first creates the top level `BlobServiceClient` using `async with`, then calls the method that sets the blob metadata. Note that only the top level client needs to use `async with`, as other clients created from it share the same connection pool.

+ ```python

+ async def main():

+ sample = BlobSamples()

+ # TODO: Replace <storage-account-name> with your actual storage account name

+ account_url = "https://<storage-account-name>.blob.core.windows.net"

+ credential = DefaultAzureCredential()

+ async with BlobServiceClient(account_url, credential=credential) as blob_service_client:

+ await sample.set_metadata(blob_service_client, "sample-container")

+ if __name__ == '__main__':

+ asyncio.run(main())

+ ```

+1. Add code to set the blob metadata. The code is the same as the synchronous example, except that the method is declared with the `async` keyword and the `await` keyword is used when calling the `get_blob_properties` and `set_blob_metadata` methods.

+ :::code language="python" source="~/azure-storage-snippets/blobs/howto/python/blob-devguide-py/blob-devguide-blobs-properties-metadata-tags-async.py" id="Snippet_set_blob_metadata":::

+With this basic setup in place, you can implement other examples in this article as coroutines using async/await syntax.

+- View [synchronous](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/python/blob-devguide-py/blob-devguide-blobs-properties-metadata-tags.py) or [asynchronous](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/python/blob-devguide-py/blob-devguide-blobs-properties-metadata-tags-async.py) code samples from this article (GitHub)

+To learn about setting blob index tags using asynchronous APIs, see [Set blob index tags asynchronously](#set-blob-index-tags-asynchronously).

+## Set blob index tags asynchronously

+The Azure Blob Storage client library for Python supports working with blob index tags asynchronously. To learn more about project setup requirements, see [Asynchronous programming](storage-blob-python-get-started.md#asynchronous-programming).

+Follow these steps to set blob index tags using asynchronous APIs:

+1. Add the following import statements:

+ ```python

+ import asyncio

+ from azure.identity.aio import DefaultAzureCredential

+ from azure.storage.blob.aio import BlobServiceClient

+ ```

+1. Add code to run the program using `asyncio.run`. This function runs the passed coroutine, `main()` in our example, and manages the `asyncio` event loop. Coroutines are declared with the async/await syntax. In this example, the `main()` coroutine first creates the top level `BlobServiceClient` using `async with`, then calls the method that sets the blob index tags. Note that only the top level client needs to use `async with`, as other clients created from it share the same connection pool.

+ ```python

+ async def main():

+ sample = BlobSamples()

+ # TODO: Replace <storage-account-name> with your actual storage account name

+ account_url = "https://<storage-account-name>.blob.core.windows.net"

+ credential = DefaultAzureCredential()

+ async with BlobServiceClient(account_url, credential=credential) as blob_service_client:

+ await sample.set_blob_tags(blob_service_client, "sample-container")

+ if __name__ == '__main__':

+ asyncio.run(main())

+ ```

+1. Add code to set the blob index tags. The code is the same as the synchronous example, except that the method is declared with the `async` keyword and the `await` keyword is used when calling the `get_blob_tags` and `set_blob_tags` methods.

+ :::code language="python" source="~/azure-storage-snippets/blobs/howto/python/blob-devguide-py/blob-devguide-blobs-properties-metadata-tags-async.py" id="Snippet_set_blob_tags":::

+With this basic setup in place, you can implement other examples in this article as coroutines using async/await syntax.

+- View [synchronous](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/python/blob-devguide-py/blob-devguide-blobs-properties-metadata-tags.py) or [asynchronous](https://github.com/Azure-Samples/AzureStorageSnippets/blob/master/blobs/howto/python/blob-devguide-py/blob-devguide-blobs-properties-metadata-tags-async.py) code samples from this article (GitHub)

+You can enable public network access when you create an elastic SAN, or enable it for an existing SAN using the Azure PowerShell module or the Azure CLI.

+Use the Azure PowerShell module or the Azure CLI to enable public network access.

+ PublicNetworkAccess = "Enabled"

+ string shareName = "test-share";

+ ShareClientOptions clientOptions = new ShareClientOptions(ShareClientOptions.ServiceVersion.V2023_05_03);

+ clientOptions.AllowSourceTrailingDot = true;

+| Number of dynamic scopes per schedule | 30 |

+| Total number of subscriptions attached to all dynamic scopes per schedule | 30 |

+ Title: Use Azure Alert Rules to monitor changes in Automatic Instance Repairs ServiceState

+description: Learn how to use Azure Alert Rules to get notified of changes to Automatic Instance Repairs ServiceState.

+# Use Azure Alert Rules to monitor changes in Automatic Instance Repairs ServiceState

+This article shows you how to use [Alert Rules from Azure Monitor](../azure-monitor/alerts/alerts-overview.md) to receive custom notifications every time the ServiceState for Automatic Repairs is updated on your scale set. This will help track if Automatic Repairs become _Suspended_ due to VM instances remaining unhealthy after multiple repair operations. To learn more about Azure Monitor alerts, see the [alerts overview](../azure-monitor/alerts/alerts-overview.md).

+To follow this tutorial, ensure that you have a Virtual Machine scale set with [Automatic Repairs](./virtual-machine-scale-sets-automatic-instance-repairs.md) enabled.

+## Azure portal

+1. In the [portal](https://portal.azure.com/), navigate to your VM scale set resource

+2. Select **Alerts** from the left pane, and then select **+ Create > Alert rule**. :::image type="content" source="media/alert-rules-automatic-repairs-service-state/picture-1.png" alt-text="Create monitoring alert in the Azure portal":::

+3. Under the **Condition** tab, select **See all signals** and choose the signal name called ΓÇ£Sets the state of an orchestration service in a Virtual Machine Scale setΓÇ¥. Select **Apply**. :::image type="content" source="media/alert-rules-automatic-repairs-service-state/picture-2.png" alt-text="Select alert signal to monitor scale set orchestration service state":::

+4. Set **Event Level** to ΓÇ£InformationalΓÇ¥ and **Status** to ΓÇ£SucceededΓÇ¥. :::image type="content" source="media/alert-rules-automatic-repairs-service-state/picture-3.png" alt-text="Configure event level and status for alert rule":::

+5. Under the **Actions** tab, select an existing action group or see [Create action group](#creating-an-action-group)

+6. Under the **Details** tab > **Alert rule name**, set a name for your alert. Then select **Review + create** > **Create** to create your alert.

+Once the alert is created and enabled on your scale set, you'll receive a notification every time a change to the ServiceState is detected on your scale set.

+### Sample email notification from alert rule

+Below is an example of an email notification created from a configured alert rule.

+## Creating an action group

+1. Under the **Actions** tab, select **Create action group**.

+2. In the **Basics** tab, provide an **Action group name** and **Display name**.

+3. Under the **Notifications** tab **> Notification type**, select ΓÇ£Email/SMS message/Push/VoiceΓÇ¥. Select the **edit** button to configure how youΓÇÖd like to be notified.

+4. Select **Review + Create > Create**

+The automatic instance repairs process goes as follows:

+1. [Application Health extension](./virtual-machine-scale-sets-health-extension.md) or [Load balancer health probes](../load-balancer/load-balancer-custom-probe-overview.md) ping the application endpoint inside each virtual machine in the scale set to get application health status for each instance.

+2. If the endpoint responds with a status 200 (OK), then the instance is marked as "Healthy". In all the other cases (including if the endpoint is unreachable), the instance is marked "Unhealthy".

+3. When an instance is found to be unhealthy, the scale set applies the configured repair action (default is *Replace*) to the unhealthy instance.

+4. Instance repairs are performed in batches. At any given time, no more than 5% of the total instances in the scale set are repaired. If a scale set has fewer than 20 instances, the repairs are done for one unhealthy instance at a time.

+5. The above process continues until all unhealthy instance in the scale set are repaired.

+You can also set up Azure Alert Rules to monitor *serviceState* changes and get notified if automatic repairs becomes suspended on your scale set. For details, see [Use Azure alert rules to monitor changes in automatic instance repairs service state](./alert-rules-automatic-repairs-service-state.md).

+ - NC-series,v3 and newer

+ - NV-series,v2 and newer

+> [!NOTE]

+> CIS-hardened images (Linux or Windows) on Azure marketplace, managed by CIS, can cause build failures with Azure Image Builder service due to their configurations. For instance:

+> - CIS-Hardened Windows images might disrupt WinRM connectivity, a prerequisite for AIB build.

+> - CIS Linux images can fail due to `chmod +x` permission issues.

+| Number of dynamic scopes per schedule | 30 |

+| Total number of subscriptions attached to all dynamic scopes per schedule | 30 |

+The following sections show what sizes are in the same size series group when you buy a reserved VM instance optimized for instance size flexibility. SKUs that have same ratio and are in same size series group, would have no additional cost if you purchase reservation for any of those SKUs for same number of VMs running.

+Support for EUS RHEL7 ended in August 30, 2021. For more information, see [Red Hat Enterprise Linux Extended Maintenance](https://access.redhat.com/support/policy/updates/errata/#Long_Support).

+- RHEL 7.4 EUS support ended August 31, 2019

+- RHEL 7.5 EUS support ended April 30, 2020

+- RHEL 7.6 EUS support ended May 31, 2021

+- RHEL 7.7 EUS support ended August 30, 2021

+- RHEL 8.4 EUS support ended May 31, 2023

+### Switch a RHEL Server to EUS Repositories.

+#### [Switching to EUS repositories on RHEL7](#tab/rhel7)

+>[!NOTE]

+>Support for RHEL7 EUS ended in August 30, 2021. It is not recommended to switch to EUS repositories in RHEL7 anymore.

+

+#### [Switching to EUS repositories on RHEL8](#tab/rhel8)

+> This procedure only applies for RHEL 8.x versions for which EUS is available. This includes RHEL 8.1, 8.2, 8.4, 8.6, and 8.8. For more information, see [Red Hat Enterprise Linux Life Cycle](https://access.redhat.com/support/policy/updates/errata).

+ sudo dnf --disablerepo='*' remove 'rhui-azure-rhel8'

+1. Add EUS repositories.

+ sudo dnf --config='https://rhelimage.blob.core.windows.net/repositories/rhui-microsoft-azure-rhel8-eus.config' install rhui-azure-rhel8-eus

+ ```

+

+1. Lock the `releasever` level, it has to be one of 8.1, 8.2, 8.4, 8.6 or 8.8.

+ ```bash

+ sudo sh -c 'echo 8.8 > /etc/dnf/vars/releasever'

+ ```

+ If there are permission issues to access the `releasever`, you can edit the file using a text editor, add the image version details, and save the file.

+ > [!NOTE]

+ > This instruction locks the RHEL minor release to the current minor release. Enter a specific minor release if you are looking to upgrade and lock to a later minor release that is not the latest. For example, `echo 8.1 > /etc/yum/vars/releasever` locks your RHEL version to RHEL 8.1.

+1. Update your RHEL VM.

+ ```bash

+ sudo dnf update

+ ```

+#### [Switching to EUS repositories on RHEL9](#tab/rhel9)

+Use the following procedure to lock a RHEL 9.x VM to a particular minor release. Run the commands as `root`:

+>[!NOTE]

+> This procedure only applies for RHEL 9.x versions for which EUS is available. Currently, this includes RHEL 9.0 and 9.2. For more information, see [Red Hat Enterprise Linux Life Cycle](https://access.redhat.com/support/policy/updates/errata).

+1. Disable non-EUS repositories.

+ ```bash

+ sudo dnf --disablerepo='*' remove 'rhui-azure-rhel9'

+ sudo dnf --config='https://rhelimage.blob.core.windows.net/repositories/rhui-microsoft-azure-rhel9-eus.config' install rhui-azure-rhel9-eus

+

+1. Lock the `releasever` level, currently it has to be one of 9.0 and 9.2.

+ sudo sh -c 'echo 9.2 > /etc/dnf/vars/releasever'

+ > This instruction locks the RHEL minor release to the current minor release. Enter a specific minor release if you are looking to upgrade and lock to a later minor release that is not the latest. For example, `echo 9.2 > /etc/yum/vars/releasever` locks your RHEL version to RHEL 9.2.

+ sudo dnf update

+### Switch a RHEL Server to non-EUS Repositories.

+#### [Switching to non-EUS repositories on RHEL7](#tab/rhel7)

+ ```

+ sudo yum --disablerepo='*' remove 'rhui-azure-rhel7-eus'

+ ```

+1. Add non-EUS repository.

+ ```bash

+ sudo yum --config='https://rhelimage.blob.core.windows.net/repositories/rhui-microsoft-azure-rhel7.config' install rhui-azure-rhel7

+ ```

+1. Update your RHEL VM.

+ ```bash

+ sudo yum update

+#### [Switching to non-EUS repositories on RHEL8](#tab/rhel8)

+To remove the version lock, use the following commands. Run the commands as `root`.

+1. Remove the `releasever` file.

+ ```bash

+ sudo rm /etc/dnf/vars/releasever

+ ```

+1. Disable EUS repositories.

+ ```bash

+ sudo dnf --disablerepo='*' remove 'rhui-azure-rhel8-eus'

+ ```

+ sudo dnf --config='https://rhelimage.blob.core.windows.net/repositories/rhui-microsoft-azure-rhel8.config' install rhui-azure-rhel8

+ sudo dnf update

+#### [Switching to non-EUS repositories on RHEL9](#tab/rhel9)

+To remove the version lock, use the following commands. Run the commands as `root`.

+1. Remove the `releasever` file.

+ ```bash

+ sudo rm /etc/dnf/vars/releasever

+ ```

+1. Disable EUS repositories.

+ ```bash

+ sudo dnf --disablerepo='*' remove 'rhui-azure-rhel9-eus'

+ ```

+1. Add non-EUS repository.

+ ```bash

+ sudo dnf --config='https://rhelimage.blob.core.windows.net/repositories/rhui-microsoft-azure-rhel9.config' install rhui-azure-rhel8

+ ```

+1. Update your RHEL VM.

+ ```bash

+ sudo dnf update

+> - Also, Azure Germany is deprecated in favor of public Germany regions. We recommend for Azure Germany customers to start pointing to public RHUI by using the steps in [Manual update procedure to use the Azure RHUI servers](#manual-update-procedure-to-use-the-azure-rhui-servers).

+ - Check whether the `/etc/yum.repos.d/rh-cloud.repo` file contains a reference to `rhui-[1-4].microsoft.com` in the `baseurl` of the `[rhui-microsoft-azure-rhel*]` section of the file. If it does, you're using the new Azure RHUI.

+The synthetic interface always has a name in the form `eth\<n\>`. Depending on the Linux distribution, the VF interface might have a name in the form `eth\<n\>`. Or it might have a different name in the form of `enP\<n\>` because of a udev rule that does renaming.

+ * **Address Prefix:** 0.0.0.0/0

+This article helps you resize a VPN Gateway virtual network gateway SKU. Resizing a gateway SKU is a relatively fast process. You don't need to delete and recreate your existing VPN gateway to resize. However, there are certain limitations and restrictions for resizing and not all SKUs are available to resize.

+The following steps apply to current Resource Manager deployments and not to legacy classic (service management) deployments. Resizing a SKU takes about 45 minutes to complete.

+ Title: VPN Gateway legacy SKUs

+# Working with VPN Gateway legacy SKUs

+## <a name="gwsku"></a>Legacy gateway SKUs

+You can view legacy gateway pricing in the **Virtual Network Gateways** section, which is located on the [ExpressRoute pricing page](https://azure.microsoft.com/pricing/details/expressroute).

+When the migration path becomes available, you can migrate your legacy SKUs to the following SKUs:

+* **Standard SKU:** -> **VpnGw1**

+* **High Performance SKU:** -> **VpnGw2**

+* **Standard SKU:** 6.5x

+* **High Performance SKU:** 5x

+If you don't migrate your gateway SKUs by September 30, 2025, your gateway will be automatically migrated and upgraded to an AZ gateway SKU:

+* **Standard SKU:** -> **VpnGw1AZ**

+* **High Performance SKU:** -> **VpnGw2AZ**

+## Resize, migrate, and change SKUs

+### <a name="resize"></a>Resize a gateway SKU

+Resizing a gateway SKU incurs less downtime and fewer configuration changes than the process to change to a new SKU. However, there are limitations. You can only resize your gateway to a gateway SKU within the same SKU family (except for the Basic SKU).

+For example, if you have a Standard SKU, you can resize to a High Performance SKU. However, you can't resize your VPN gateway between the old SKUs and the new SKU families. You can't go from a Standard SKU to a VpnGw2 SKU, or from a Basic SKU to VpnGw1 by resizing. For more information, see [Resize a gateway SKU](gateway-sku-resize.md).

+**Resource Manager**

+**Classic**

+### <a name="migrate"></a>Migrate a gateway SKU

+A gateway SKU migration process is similar to a resize. It requires fewer steps and configuration changes than changing to a new gateway SKU. At this time, gateway SKU migration isn't available. You can migrate a deprecated legacy gateway SKU December 2024 through September 30, 2025. We'll make a migration path available along with detailed documentation.

+### <a name="change"></a>Change to the new gateway SKUs

+Standard and High Performance SKUs will be deprecated September 30, 2025. The product team will make a migration path available for legacy SKUs. See the [Legacy SKU deprecation](#sku-deprecation) section for more information. You can choose to change from a legacy SKU to one of the new SKUs at any point. However, changing to a new SKU requires more steps than migrating and incurs more downtime.

+For more information about configuration settings, see [About VPN Gateway configuration settings](vpn-gateway-about-vpn-gateway-settings.md).

+* If you already have a VPN gateway, verify that it doesn't use the Basic SKU. The Basic SKU isn't supported for OpenVPN. For more information about SKUs, see [VPN Gateway configuration settings](vpn-gateway-about-vpn-gateway-settings.md). To resize a Basic SKU, see [Resize a legacy gateway](vpn-gateway-about-skus-legacy.md).

+## <a name="changesku"></a>How to resize a gateway SKU

+To resize a gateway for the [classic deployment model](../azure-resource-manager/management/deployment-models.md), you must use the Service Management PowerShell cmdlets. Use the following command:

+```powershell

+Resize-AzureVirtualNetworkGateway -GatewayId <Gateway ID> -GatewaySKU HighPerformance

+```