+## October 2024

+### Updated articles

+- [Secure APIs used for API connectors in Azure AD B2C](secure-rest-api.md) - ROPC flow updates

+- [Application types that can be used in Active Directory B2C](application-types.md) - Implicit grant flow updates

+- [Configure authentication in a sample single-page application by using Azure AD B2C](configure-authentication-sample-spa-app.md) - Implicit grant flow updates

+- [Single-page application sign-in using the OAuth 2.0 implicit flow in Azure Active Directory B2C](implicit-flow-single-page-application.md) - Implicit grant flow updates

+- [Register a single-page application in Azure Active Directory B2C](tutorial-register-spa.md) - Implicit grant flow updates

+### Usage notes

+* The maximum number of requests enforced by API Management is lower when multiple capacity units are deployed in a region.

+1. [Create the VPN gateway and subnet](../vpn-gateway/point-to-site-certificate-gateway.md#creategw). Select a route-based VPN type.

+1. [Set the point-to-site addresses](../vpn-gateway/point-to-site-certificate-gateway.md#addresspool). If the gateway isn't in the basic SKU, then IKEV2 must be disabled in the point-to-site configuration and SSTP must be selected. The point-to-site address space must be in the RFC 1918 address blocks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

+Application routing defines what traffic is routed from your app and into the virtual network. We recommend that you use the `vnetRouteAllEnabled` site setting to enable routing of all traffic. Using the configuration setting allows you to audit the behavior with [a built-in policy](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff5c0bfb3-acea-47b1-b477-b0edcdf6edc1). The existing `WEBSITE_VNET_ROUTE_ALL` app setting can still be used, and you can enable all traffic routing with either setting.

+- [General networking overview](./networking-features.md)

+| **`os.getenv("myAppSetting")`** | Tries to get the application setting by key name, and returns `None` when it's unsuccessful. |

+| **`os.getenv("myAppSetting")`** | Tries to get the application setting by key name, and returns `None` when it's unsuccessful. |

+> You should review best practices for network security, including guidance for **[disabling RDP/SSH access to Virtual Machines](../security/fundamentals/network-best-practices.md#disable-rdpssh-access-to-virtual-machines)** from the Internet to mitigate brute force attacks to gain access to Azure Virtual Machines. Accessing VMs for remote management can then be accomplished via **[point-to-site VPN](../vpn-gateway/point-to-site-about.md)**, **[site-to-site VPN](../vpn-gateway/tutorial-site-to-site-portal.md)**, or **[Azure ExpressRoute](../expressroute/expressroute-howto-linkvnet-portal-resource-manager.md)**.

+- **Point-to-Site** (VPN over SSTP, OpenVPN, and IPsec) ΓÇô A secure connection is established from your individual client computer to your VNet using Secure Socket Tunneling Protocol (SSTP), OpenVPN, or IPsec. As part of the [Point-to-Site VPN](../vpn-gateway/point-to-site-certificate-gateway.md) configuration, you need to install a certificate and a VPN client configuration package, which allow the client computer to connect to any VM within the VNet. [Point-to-Site VPN](../vpn-gateway/point-to-site-about.md) connections don't require a VPN device or a public facing IP address.

+ Title: Path Layer in an Azure Maps Power BI visual

+description: This article describes the path layer in an Azure Maps Power BI visual.

+# The Path Layer in Azure Maps Power BI visual

+The Path Layer feature in the Azure Maps Power BI Visual enables the visualization of connections between multiple geographic points.

+The Path Layer feature can be used in multiple scenarios, such as:

+- **Route Visualization**: Showing vehicle, ship, or flight paths between locations.

+- **Network Analysis**: Examines connections between nodes in a network, like supply chain routes or communication networks.

+- **Movement Tracking**: Monitoring assets or individuals over time and space.

+This guide explains how to use this feature effectively.

+## Add a Path Layer

+This section describes how to add data and configure the Path Layer. Before starting, you need to open your Azure Maps Visual in Power BI. For more information on adding an Azure Maps Visual to your Power BI report, see [Use the Azure Maps Power BI visual].

+| Setting | Description |

+|-|--|

+| Apply Settings to | Path you want the settings to apply to |

+| Color | The color of the line |

+| Transparency | The transparency of the line |

+| Width | The width of the line |

+| Maximum Zoom | Maximum zoom level the layer is visible at |

+| Minimum Zoom | Minimum zoom level the layer is visible at |

+### Add Data to the Path Layer

+To draw paths, provide data for "Path ID" and "Point Order":

+1. Add the column that best identifies each path to the **Path ID** field. The Path ID is used to identify which line each geospatial data point belongs to. If there are multiple paths, each path requires a unique Path ID.

+1. Add the column that specifies the order of points along the path to the **Point Order** field. The Point Order dictates the sequence of points to form a path.

+ :::image type="content" source="media/power-bi-visual/path-layer.png" alt-text="A screenshot showing the path layer properties.":::

+### Configure a Path Layer

+After adding your data, you can adjust the Path Layer's color, line width, and opacity. Apply settings by legend or path ID, coloring paths, and locations with the same legend identically.

+After adding your data, you can configure the Path Layer according to your requirements. The style of the paths can be customized by adjusting the line color, width, and opacity. These settings can be applied based on legend or path ID. If a legend is provided, paths and locations associated with the same legend share the same color.

+### Interact with a Path Layer

+The Path Layer feature offers several interactive options:

+- **Hover and Select**: Hover over a path to select points; clicking on a path selects the nearest point. The selected point will also select other reports by legend, path ID, location, and point order.

+- **Tooltips**: Tooltips show information for the nearest point when hovering over a line.

+ :::image type="content" source="media/power-bi-visual/path-layer-map.png" alt-text="A screenshot showing a map using the path layer.":::

+### Explore and customize a Path Layer

+Examine the connections and insights revealed by the Path Layer visualization. Further customize the settings to suit your specific requirements and derive more profound insights from your geospatial data.

+#### Legends in a Path Layer

+Adding a field to the legend field well creates a higher level of grouping. Consequently, paths and locations associated with the same legend are colored identically. Here's the process:

+- **Grouping by Legend**: When a legend is provided, the paths and locations are grouped based on the legend. For instance, if visualizing flight paths with the airline as the legend, all paths and locations associated with the same airline share the same color. Moreover, if there are two rows, one with legend "Contoso" and path ID "A123", and another with legend "MSAirline" and path ID "A123", the Path Layer interprets these as two distinct paths: "Contoso-A123" and "MSAirline-A123".

+- **Styling by Legend**: Configure the style (color, line width, opacity) using the legend to visually differentiate path groups.

+- **Interaction by Legend**: When interacting with the Path Layer, selecting a path or point will also select other reports based on legend, path ID, location, and point order. This ensures all related data points are highlighted together.

+#### Handle Origin-Destination Data

+To use origin-destination data in the Path Layer, you must first transform it, as Azure Maps Visual doesn't directly support such data. Use the [Unpivot function in Power Query] to do this. HereΓÇÖs how:

+1. **Import Data**: Import your origin-destination data into Power BI.

+1. **Apply Unpivot Function**: Use the following Power Query to transform the data:

+ ```C#

+ let

+ ΓÇ» ΓÇ» // Importing the source.

+     Source = …

+ ΓÇ» ΓÇ» // Create "path_id" to set in the "Path ID" field well later in the visual.

+ // Since each row represents a line here, we can simply use the row index as path ID

+ ΓÇ» ΓÇ» #"Added Index" = Table.AddIndexColumn(Source, "path_id", 0, 1, Int64.Type),

+ ΓÇ» ΓÇ» // This is the key point of the transformation.

+ // We transform the original rows into two: one for the origin and one for the destination.

+ ΓÇ» ΓÇ» #"Unpivoted Other Columns" = Table.UnpivotOtherColumns(#"Added Index", {"path_id"}, "point_order", "city"),

+ ΓÇ» ΓÇ» // We only support timestamp and number for the point order. So, convert the "origin" as 0 and "destination" as 1

+ ΓÇ» ΓÇ» #"Replaced Values" = Table.ReplaceValue(Table.ReplaceValue(#"Unpivoted Other Columns", "origin", "0", Replacer.ReplaceText, {"point_order"}), "destination", "1", Replacer.ReplaceText, {"point_order"})

+ in

+ ΓÇ» ΓÇ» #"Replaced Values"

+ ```

+**Before Transformation**

+| origin  | destination  |

+|--||

+| New York  | Los Angeles  |

+| Chicago  | Houston  |

+| Miami  | Atlanta  |

+| Seattle  | Denver  |

+| Boston  | San Francisco |

+**After Transformation**

+| path_id  | point_order  | city  |

+|-|--||

+| 0  | 0  | New York  |

+| 0  | 1  | Los Angeles  |

+| 1  | 0  | Chicago  |

+| 1  | 1  | Houston  |

+| 2  | 0  | Miami  |

+| 2  | 1  | Atlanta  |

+| 3  | 0  | Seattle  |

+| 3  | 1  | Denver  |

+| 4  | 0  | Boston  |

+| 4  | 1  | San Francisco |

+## Current limitations

+- The path layer is only compatible with specific map data layers, including the Bubble, Reference, Traffic, and Tile layers.

+- The data-bound reference layer is not available when the path layer is enabled.

+- Location hierarchy (drill down) is disabled when a Path ID is provided.

+## Conclusion

+The Path Layer feature in Azure Maps Visual is a tool for visualizing and analyzing spatial connections. This new capability can be utilized to enhance reports.

+[Use the Azure Maps Power BI visual]: power-bi-visual-get-started.md#use-the-azure-maps-power-bi-visual

+[Unpivot function in Power Query]: /power-query/unpivot-column

+## [1.0.5] (CDN: November 4, 2024, npm: TBA)

+### Bug fixes

+- Fix an issue where DrawingManager would create an empty layer when source options were provided.

+### Bug fixes

+### Other changes

+### Bug fixes

+### [3.5.0] (CDN: November 4, 2024, npm: TBA)

+#### New features

+- Add support for fullscreen control.

+#### Bug fixes

+- Expose new type on `PolygonExtrusionLayerOptions.fillPattern` to support `DataDrivenPropertyValueSpecification<string>`.

+ "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee"

+ "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee"

+1. Create another secret named `AZURE_SUBSCRIPTION`. Add your subscription ID to the secret's value field (example: `aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e`).

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/dsDemo/providers/Microsoft.Resources/deploymentScripts/inlineCLI",

+ "containerInstanceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/dsDemo/providers/Microsoft.ContainerInstance/containerGroups/jgczqtxom5oreazscripts",

+ "storageAccountId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/dsDemo/providers/Microsoft.Storage/storageAccounts/jgczqtxom5oreazscripts"

+Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/dsDemo/providers/Microsoft.Resources/deploymentScripts/inlinePS

+SubscriptionId : aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+StorageAccountId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/dsDemo/providers/Microsoft.Storage/storageAccounts/ee5o4rmoo6ilmazscripts

+ContainerInstanceId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/dsDemo/providers/Microsoft.ContainerInstance/containerGroups/ee5o4rmoo6ilmazscripts

+armclient get /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/myrg/providers/microsoft.resources/deploymentScripts/myDeployementScript?api-version=2020-10-01

+ "containerInstanceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/dsDemo/providers/Microsoft.ContainerInstance/containerGroups/jgczqtxom5oreazscripts",

+ "storageAccountId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/dsDemo/providers/Microsoft.Storage/storageAccounts/jgczqtxom5oreazscripts"

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/dsDemo/providers/Microsoft.Resources/deploymentScripts/inlineCLI",

+param subnetId string = '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet'

+> [Use deployment scripts in Bicep](./deployment-script-bicep.md)

+Resources: /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetthmimleef5fwk

+ /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storethmimleef5fwk

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetthmimleef5fwk",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storethmimleef5fwk",

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ "deploymentId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deployments/demoStack-240517162aqmf",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deploymentStacks/demoStack",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetthmimleef5fwk",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storethmimleef5fwk",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/templateSpecRG/providers/Microsoft.Resources/templateSpecs/stackSpec/versions/1.0",

+Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deploymentStacks/demoStack

+CorrelationId : aaaa0000-bb11-2222-33cc-444444dddddd

+DeploymentId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deployments/demoStack-24051715frp6o

+Resources : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetthmimleef5fwk

+ /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storethmimleef5fwk

+ "deploymentId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deployments/demoStack-240517162aqmf",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deploymentStacks/demoStack",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetthmimleef5fwk",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storethmimleef5fwk",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/templateSpecRG/providers/Microsoft.Resources/templateSpecs/stackSpec/versions/1.0",

+managed none /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetthmimleef5fwk

+managed none /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storethmimleef5fwk

+ "deploymentId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deployments/demoStack-24051714epybc",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deploymentStacks/demoStack",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetthmimleef5fwk",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storethmimleef5fwk",

+Id : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deploymentStacks/demoStack

+CorrelationId : aaaa0000-bb11-2222-33cc-444444dddddd

+DeploymentId : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deployments/demoStack-24051715b17ls

+Resources : /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetthmimleef5fwk

+ /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storethmimleef5fwk

+ "deploymentId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deployments/demoStack-24051714epybc",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Resources/deploymentStacks/demoStack",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetthmimleef5fwk",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storethmimleef5fwk",

+managed none /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Network/virtualNetworks/vnetthmimleef5fwk

+managed none /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/demoRg/providers/Microsoft.Storage/storageAccounts/storethmimleef5fwk

+$id = "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/templateSpecsRG/providers/Microsoft.Resources/templateSpecs/storageSpec/versions/1.0a"

+id = "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/templateSpecsRG/providers/Microsoft.Resources/templateSpecs/storageSpec/versions/1.0a"

+Set-AzContext -SubscriptionId aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testRG/providers/Microsoft.ManagedIdentity/userassignedidentites/myuserassignedidentity": {}

+ "defaultValue": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testRG/providers/Microsoft.Network/networkInterfaces/existingnetworkinterface",

+ "defaultValue": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testRG/providers/Microsoft.ManagedIdentity/userassignedidentites/myuserassignedidentity",

+ "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",

+### <a name="load-balancer"></a>Azure Load Balancer limits

+ az private-link association create --management-group-id fc096d27-0434-4460-a3ea-110df0422a2d --name 1d7942d1-288b-48de-8d0f-2d2aa8e03ad4 --privatelink "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/PrivateLinkTestRG/providers/Microsoft.Authorization/resourceManagementPrivateLinks/newRMPL"

+ New-AzPrivateLinkAssociation -ManagementGroupId fc096d27-0434-4460-a3ea-110df0422a2d -Name 1d7942d1-288b-48de-8d0f-2d2aa8e03ad4 -PrivateLink "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/PrivateLinkTestRG/providers/Microsoft.Authorization/resourceManagementPrivateLinks/newRMPL" -PublicNetworkAccess enabled | fl

+curl --location --request GET 'https://management.azure.com/subscriptions/ffff5f5f-aa6a-bb7b-cc8c-dddddd9d9d9d/providers/microsoft.insights/metricDefinitions?api-version=2017-12-01-preview&metricnamespace=microsoft.resources/subscriptions' \

+curl --location --request GET "https://management.azure.com/subscriptions/ffff5f5f-aa6a-bb7b-cc8c-dddddd9d9d9d/providers/microsoft.insights/metrics?api-version=2021-05-01&interval=P1D&metricnames=Latency&metricnamespace=microsoft.resources/subscriptions&region=global&aggregation=average,count&timespan=2021-11-01T00:00:00Z/2021-11-03T00:00:00Z" \

+ "id": "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Insights/metrics/Latency",

+curl --location --request GET 'https://management.azure.com/subscriptions/ffff5f5f-aa6a-bb7b-cc8c-dddddd9d9d9d/providers/microsoft.insights/metrics?api-version=2021-05-01&interval=P1D&metricnames=Traffic&metricnamespace=microsoft.resources/subscriptions&region=global&aggregation=count&timespan=2021-11-01T00:00:00Z/2021-11-03T00:00:00Z' \

+ "id": "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Insights/metrics/Traffic",

+curl --location --request GET 'https://management.azure.com/subscriptions/ffff5f5f-aa6a-bb7b-cc8c-dddddd9d9d9d/providers/microsoft.insights/metrics?api-version=2021-05-01&interval=P1D&metricnames=Latency&metricnamespace=microsoft.resources/subscriptions&region=global&aggregation=count,average&timespan=2021-11-01T00:00:00Z/2021-11-03T00:00:00Z&$filter=StatusCode%20eq%20%27429%27' \

+curl --location --request GET 'https://management.azure.com/subscriptions/ffff5f5f-aa6a-bb7b-cc8c-dddddd9d9d9d/providers/microsoft.insights/metrics?api-version=2021-05-01&interval=P1D&metricnames=Latency&metricnamespace=microsoft.resources/subscriptions&region=global&aggregation=count,average&timespan=2021-11-01T00:00:00Z/2021-11-03T00:00:00Z&$filter=StatusCodeClass%20eq%20%275xx%27' \

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Features/providers/

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Features/providers/

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Features/providers/

+ subscriptionId: 'aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e'

+ subscriptionId: 'aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e'

+ "correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd",

+ "correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd",

+ "correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd",

+ "correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/examplegroup/providers/Microsoft.Resources/deployments/exampledeployment/operations/1234567890ABCDEF",

+ "trackingId": "aaaa0000-bb11-2222-33cc-444444dddddd",

+ "serviceRequestId": "aaaa0000-bb11-2222-33cc-444444dddddd",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/examplegroup/providers/Microsoft.Storage/storageAccounts/storage",

+ "/subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID": {}

+Id : /subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/myds0618rg/providers/Microsoft.Resources/deploymentScripts/runPowerShellInlineWithOutput

+SubscriptionId : aaaabbbb-0000-cccc-1111-dddd2222eeee

+Identity : /subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/mydentity1008rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuami

+StorageAccountId : /subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/myds0618rg/providers/Microsoft.Storage/storageAccounts/ftnlvo6rlrvo2azscripts

+ContainerInstanceId : /subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/myds0618rg/providers/Microsoft.ContainerInstance/containerGroups/ftnlvo6rlrvo2azscripts

+ "id": "/subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/myds0624rg/providers/Microsoft.Resources/deploymentScripts/runBashWithOutputs",

+ "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",

+ "/subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourcegroups/myidentity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuami": {

+ "clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",

+ "principalId": "aaaabbbb-0000-cccc-1111-dddd2222eeee"

+ "id": "/subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/mytest/providers/Microsoft.KeyVault/vaults/mykv1027",

+ "containerInstanceId": "/subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/mytest/providers/Microsoft.ContainerInstance/containerGroups/eg6n7wvuyxn7iazscripts",

+armclient get /subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourcegroups/myrg/providers/microsoft.resources/deploymentScripts/myDeployementScript?api-version=2020-10-01

+ "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",

+ "/subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/myidentity1008rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuami": {

+ "principalId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",

+ "clientId": "00001111-aaaa-2222-bbbb-3333cccc4444"

+ "containerInstanceId": "/subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/myds0624rg/providers/Microsoft.ContainerInstance/containerGroups/64lxews2qfa5uazscripts",

+ "storageAccountId": "/subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/myds0624rg/providers/Microsoft.Storage/storageAccounts/64lxews2qfa5uazscripts",

+ "id": "/subscriptions/aaaabbbb-0000-cccc-1111-dddd2222eeee/resourceGroups/myds0624rg/providers/Microsoft.Resources/deploymentScripts/runPowerShellInlineWithOutput",

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+| differentSubOutput | String | /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/otherResourceGroup/providers/Microsoft.Storage/storageAccounts/examplestorage |

+| Data Operator for Managed Disks | Backup vault | Snapshot Resource Group | Allows Backup Vault service to move incremental snapshot data to the Vault. |

+ Cloud Shell session from a host in a network that has a private DNS Zone for the `servicebus`

+### Terminal output - Sorry, your Cloud Shell failed to provision: {"code":"TenantDisabled" ...}

+- **Details**: In rare cases, Azure might flag out-of-the-ordinary resource consumption based in

+ from Cloud Shell as fraudulent activity. When this occurs, Azure disables Cloud Shell at the

+ tenant level and you see the following error message:

+ > Sorry, your Cloud Shell failed to provision: {"code":"TenantDisabled","message":"Cloud Shell has

+ > been disabled in directory<>."} Please refresh the page.

+ There can be legitimate use cases where CPU usage in your Azure Cloud Shell instance exceeds the

+ thresholds that trigger fraud prevention and block your tenant. Large AZCopy jobs could be the

+ cause this event. The Microsoft Azure engineering team can help to figure out why the tenant was

+ disabled and re-enable it.

+- **Resolution**: To investigate the cause and re-enable Cloud Shell for your tenant, open a new

+ Azure support request. Include the following details:

+ 1. Tenant ID

+ 2. The business justification and a description of how you use Cloud Shell.

+- The latest version of .NET Core. (https://dotnet.microsoft.com/download/dotnet/).

+- [Create an Azure Bot Service resource](#create-an-azure-bot-service-resource)

+- [Get the bot's app ID and password](#get-the-bots-app-id-and-app-password)

+- [Create a web app to hold the bot app](#create-a-web-app-to-hold-the-bot-app)

+- [Create a messaging endpoint for the bot](#create-a-messaging-endpoint-for-the-bot)

+First, [use the Azure portal to create an Azure Bot Service resource](/azure/bot-service/abs-quickstart?tabs=userassigned). Communication Services Chat channel supports single-tenant bots, managed identity bots, and multitenant bots.

+- For the purposes of this quickstart we will use a `multitenant` bot.

+- To set up a `single-tenant` or `managed identity` bot, review [Bot identity information](/azure/bot-service/bot-builder-authentication?tabs=userassigned%2Caadv2%2Ccsharp#bot-identity-information).

+- For a `managed identity` bot, you might have to [update the bot service identity](/azure/bot-service/bot-builder-authentication?tabs=userassigned%2Caadv2%2Ccsharp#to-update-your-app-service).

+### Create a bot app and publish it to a web app

+To create a bot you can do one of the following:

+- Revise [Bot Builder samples](https://github.com/Microsoft/BotBuilder-Samples) for your scenario, create a web app, and then deploy your bot sample to it.

+- Use the [Bot Builder SDK](/composer/introduction) to create and publish a bot to a web app.

+For this quickstart we will use the [Echo Bot](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/02.echo-bot) sample from the Bot Builder samples.

+#### Create a web app to hold the bot app

+To create the web app, either use the Azure CLI to [create an Azure App Service resource](/azure/bot-service/provision-app-service?tabs=singletenant%2Cexistingplan) or create the app in the Azure portal.

+#### Create a messaging endpoint for the bot

+Azure Bot Service typically expects the Bot Application Web App Controller to expose an endpoint in the form `/api/messages`. The endpoint handles all messages that are sent to the bot.

+#### Deploy the web app

+The final step to create a bot is to deploy the web app. For this quickstart, use the [Echo Bot](https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/02.echo-bot) sample. The Echo Bot functionality is limited to echoing the user input. Here's how you deploy it to your web app in Azure:

+ "MicrosoftAppType": "",

+ "MicrosoftAppPassword": "<App-password>",

+ "MicrosoftAppTenantId": ""

+ Next, use Visual Studio or VS Code for C# bots to deploy the bot.

+### Follow the 'Add Chat to your app' quickstart

+Follow the steps in the [Add Chat to your app](/azure/communication-services/quickstarts/chat/get-started?pivots=programming-language-csharp) quickstart to create a chat app.

+1. Replace <Resource_Endpoint> with the Communication Services endpoint from the [Get a Communication Service Resource](#get-a-communication-services-resource) step.

+1. Replace <Access_Token> with the user access token from the [Get a Communication Service Resource](#get-a-communication-services-resource) step.

+1. Replace <Access_ID> with the bots ACS_ID from the [Enable the Communication Services Chat channel](#enable-the-communication-services-chat-channel) step.

+### Run the C# chat application locally

+To run the chat application locally, use the `dotnet run` command:

+dotnet run

+You should receive a message from the bot in the console that says "Hello World".

+Example output:

+```powershell

+1730405535010:Hello World

+| accountId | ||

+| departmentId | InvoiceSectionId ||

+| location | ResourceLocationNormalized | |

+|AccountId|EA, pay-as-you-go|Unique identifier for the EA enrollment account.|

+| AccountOwnerId┬╣ | EA, pay-as-you-go | The email ID of the EA enrollment account owner. |

+| ResourceLocationNormalized | All | Standardized format of the Azure region where the resource is deployed, also referred to as the datacenter location where the resource is running. The normalized location is used to resolve inconsistencies in region names sent by different Azure Resource Providers (RPs). |

+## Version 2024-08-01

+| Column |Fields|Description|

+| -- | -- | -- |

+| 1 |InvoiceSectionName|Name of the EA department or MCA invoice section.|

+| 2 |AccountName|Display name of the EA enrollment account or pay-as-you-go billing account.|

+| 3 |AccountOwnerId|The email ID of the EA enrollment account owner.|

+| 4 |SubscriptionId|Unique identifier for the Azure subscription.|

+| 5 |SubscriptionName|Name of the Azure subscription.|

+| 6 |ResourceGroup|Name of the resource group the resource is in. Not all charges come from resources deployed to resource groups. Charges that don't have a resource group are shown as null or empty, `Others`, or `Not applicable`.|

+| 7 |ResourceLocation|Datacenter location where the resource is running. See `Location`.|

+| 8 |Date|The usage or purchase date of the charge.|

+| 9 |ProductName|Name of the product.|

+| 10 |MeterCategory|Name of the classification category for the meter. For example, `Cloud services` and `Networking`.|

+| 11 |MeterSubCategory|Name of the meter subclassification category.|

+| 12 |MeterId|The unique identifier for the meter.|

+| 13 |MeterName|The name of the meter.|

+| 14 |MeterRegion|Name of the datacenter location for services priced based on location. See `Location`.|

+| 15 |UnitOfMeasure|The unit of measure for billing for the service. For example, compute services are billed per hour.|

+| 16 |Quantity|The number of units purchased or consumed.|

+| 17 |EffectivePrice|Blended unit price for the period. Blended prices average out any fluctuations in the unit price, like graduated tiering, which lowers the price as quantity increases over time.|

+| 18 |CostInBillingCurrency|Cost of the charge in the billing currency before credits or taxes.|

+| 19 |CostCenter|The cost center defined for the subscription for tracking costs (only available in open billing periods for MCA accounts).|

+| 20 |ConsumedService|Name of the service the charge is associated with.|

+| 21 |ResourceId|Unique identifier of the Azure Resource Manager resource.|

+| 22 |Tags|Tags assigned to the resource. Doesn't include resource group tags. Can be used to group or distribute costs for internal chargeback. For more information, see [Organize your Azure resources with tags](../../azure-resource-manager/management/tag-resources.md).|

+| 23 |OfferId|Name of the offer purchased.|

+| 24 |AdditionalInfo|Service-specific metadata. For example, an image type for a virtual machine.|

+| 25 |ServiceInfo1|Service-specific metadata.|

+| 26 |ServiceInfo2|Legacy field with optional service-specific metadata.|

+| 27 |ResourceName|Name of the resource. Not all charges come from deployed resources. Charges that don't have a resource type are shown as null or empty, `Others` , or `Not applicable`.|

+| 28 |ReservationId|Unique identifier for the purchased reservation instance.|

+| 29 |ReservationName|Name of the purchased reservation instance.|

+| 30 |UnitPrice|The price per unit for the charge.|

+| 31 |ProductOrderId|Unique identifier for the product order.|

+| 32 |ProductOrderName|Unique name for the product order.|

+| 33 |Term|Displays the term for the validity of the offer. For example: For reserved instances, it displays 12 months as the Term. For one-time purchases or recurring purchases, Term is one month (SaaS, Marketplace Support). Not applicable for Azure consumption.|

+| 34 |PublisherType|Supported values:`Microsoft`, `Azure`, `AWS`, and `Marketplace`. Values are `Microsoft` for MCA accounts and `Azure` for EA and pay-as-you-go accounts.|

+| 35 |PublisherName|Publisher for Marketplace services.|

+| 36 |ChargeType|Indicates whether the charge represents usage (Usage), a purchase (Purchase), or a refund (Refund).|

+| 37 |Frequency|Indicates whether a charge is expected to repeat. Charges can either happen once (OneTime), repeat on a monthly or yearly basis (Recurring), or be based on usage (UsageBased).|

+| 38 |PricingModel|Identifier that indicates how the meter is priced. (Values: `On Demand`, `Reservation`, and `Spot`)|

+| 39 |AvailabilityZone| .|

+| 40 |BillingAccountId|Unique identifier for the root billing account.|

+| 41 |BillingAccountName|Name of the billing account.|

+| 42 |BillingCurrencyCode|Currency associated with the billing account.|

+| 43 |BillingPeriodStartDate|The start date of the billing period.|

+| 44 |BillingPeriodEndDate|The end date of the billing period.|

+| 45 |BillingProfileId|Unique identifier of the EA enrollment, pay-as-you-go subscription, MCA billing profile, or AWS consolidated account.|

+| 46 |BillingProfileName|Name of the EA enrollment, pay-as-you-go subscription, MCA billing profile, or AWS consolidated account.|

+| 47 |InvoiceSectionId|Unique identifier for the EA department or MCA invoice section.|

+| 48 |IsAzureCreditEligible|Indicates if the charge is eligible to be paid for using Azure credits (Values: `True` or `False`).|

+| 49 |PartNumber|Identifier used to get specific meter pricing.|

+| 50 |PayGPrice|Retail price for the resource.|

+| 51 |PlanName|Marketplace plan name.|

+| 52 |ServiceFamily|Service family that the service belongs to.|

+| 53 |CostAllocationRuleName|Name of the Cost Allocation rule that's applicable to the record.|

+| 54 |benefitId| .|

+| 55 |benefitName| .|

+|56|AccountId|Unique identifier for the EA enrollment account.|

+|57|ResourceLocationNormalized|Standardized format of the datacenter location where the resource is running.|

+| 27 |ServiceInfo2|Legacy field with optional service-specific metadata.|

+ - When there's a currency change during or after an enrollment transfer, reservations paid for monthly are canceled for the source enrollment. Cancellation happens at the time of next monthly payment for an individual reservation. This cancellation is intentional and affects only the monthly reservation purchases.

+> - When there's a currency change during or after transfer, reservations paid for monthly are canceled. Cancellation happens at the time of the next monthly payment for an individual reservation. The cancellation is intentional and only affects monthly, not up front, reservation purchases. For more information, see [Transfer Azure Enterprise enrollment accounts and subscriptions](ea-transfers.md#prerequisites-1).

+When there's a currency change during or after an EA enrollment transfer, reservations paid for monthly are canceled for the source enrollment. Cancellation happens at the time of the next monthly payment for an individual reservation. The cancellation is intentional and only affects monthly, not up front, reservation purchases. For more information, see [Transfer Azure Enterprise enrollment accounts and subscriptions](ea-transfers.md#prerequisites-1).

+| EA | MCA-E | ΓÇó Transferring all enrollment products is completed as part of the MCA transition process from an EA. For more information, see [Complete Enterprise Agreement tasks in your billing account for a Microsoft Customer Agreement](mca-enterprise-operations.md).<br><br> ΓÇó If you want to transfer specific products but not all of the products in an enrollment, see [Transfer Azure subscription billing ownership for a Microsoft Customer Agreement](mca-request-billing-ownership.md). <br><br>ΓÇó Self-service reservation transfers with no currency change are supported. When there's a currency change during or after an enrollment transfer, reservations paid for monthly are canceled for the source enrollment. Cancellation happens at the time of the next monthly payment for an individual reservation. The cancellation is intentional and only affects monthly reservation purchases. For more information, see [Transfer Azure Enterprise enrollment accounts and subscriptions](../manage/ea-transfers.md#prerequisites-1).<br><br> ΓÇó You can't transfer a savings plan purchased under an Enterprise Agreement enrollment that was bought in a non-USD currency. You can [change the savings plan scope](../savings-plan/manage-savings-plan.md#change-the-savings-plan-scope) so that it applies to other subscriptions. |

+ To upload the root certificates, follow the detailed steps in [Upload the root certificate public certificate data](../vpn-gateway/point-to-site-certificate-gateway.md#uploadfile).

+2. Deploy a new Azure VPN gateway in the target region where you moved the Vnet. For more information, see [Create a virtual network gateway](../vpn-gateway/tutorial-create-gateway-portal.md).

+Developers see the display names for projects on the dev box tiles in the developer portal.

+ :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-open-in-browser.png" alt-text="Screenshot of dev box card that shows the option for opening in a browser." lightbox="./media/quickstart-create-dev-box/dev-portal-open-in-browser-large.png":::

+A new tab opens with a new session through which you can use your dev box. Use a work or school account to sign in to your dev box, not a personal Microsoft account.

+- Learn how to [Connect with Windows App](/windows-app/get-started-connect-devices-desktops-apps?context=/azure/dev-box/context/context&pivots=dev-box)

+az resource update --resource-type Microsoft.EventGrid/namespaces --api-version 2024-06-01-preview --ids /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/dummy-cd-test/providers/Microsoft.EventGrid/namespaces/dummy-cd-test2 --set properties.topicSpacesConfiguration.clientAuthentication='{\"customJwtAuthentication\":{\"tokenIssuer\":\"dmpypin-issuer\",\"issuerCertificates\":[{\"certificateUrl\":\"https://dummyCert-cd-test.vault.azure.net/certificates/dummy-cd-test/4f844b284afd487e9bba0831191087br1\",\"identity\":{\"type\":\"SystemAssigned\"}}]}}'

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/acse2e/providers/microsoft.communication/communicationservices/{communication-services-resource-name}",

+ "correlationId": "aaaa0000-bb11-2222-33cc-444444dddddd"

+ "source": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "source": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "source": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "source": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000",

+ "source": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration",

+ "CorrelationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000",

+ "MaintenanceConfigurationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000",

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration",

+ "CorrelationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000",

+ "MaintenanceConfigurationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000",

+ "source": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration",

+ "CorrelationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000",

+ "MaintenanceConfigurationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration",

+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000",

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration",

+ "CorrelationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration/providers/microsoft.maintenance/applyupdates/20230509150000",

+ "MaintenanceConfigurationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/testrg/providers/Microsoft.Maintenance/maintenanceConfigurations/contosomaintenanceconfiguration",

+ "source": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "source": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "source": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "source": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "topic": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myrg/providers/Microsoft.EventGrid/namespaces/myns",

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace-name}/eventhubs/{eventhub-name}"

+ "userAssignedIdentities": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resource-group}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-identity-name}"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace-name}/eventhubs/{eventhub-name}"

+ "userAssignedIdentities": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resource-group}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-identity-name}"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace-name}/eventhubs/{eventhub-name}"

+ "userAssignedIdentities": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resource-group}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{user-identity-name}"

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}",

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace-name}/eventhubs/{eventhub-name}",

+ "id": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "clientRequestId": "bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f",

+ "requestId": "cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a",

+ "batchId": "dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b"

+2022-11-14T22:40:46.017 [Information] Received events: [{"topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/xstoretestaccount","subject": "/blobServices/default/containers/testcontainer/blobs/testfile.txt","eventType": "Microsoft.Storage.BlobCreated","eventTime": "2017-06-26T18:41:00.9584103Z","id": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e","data": {"api": "PutBlockList","clientRequestId": "bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f","requestId": "cccc2c2c-dd3d-ee4e-ff5f-aaaaaa6a6a6a","eTag": "0x8D4BCC2E4835CD0","contentType": "text/plain","contentLength": 524288,"blobType": "BlockBlob","url": "https://example.blob.core.windows.net/testcontainer/testfile.txt","sequencer": "00000000000004420000000000028963","storageDiagnostics": {"batchId": "dddd3d3d-ee4e-ff5f-aa6a-bbbbbb7b7b7b"}},"dataVersion": "","metadataVersion": "1"}]

+ "validationCode": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "validationResponse": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+curl -X POST -d '[{"id": "2d1781af-3a4c-4d7c-bd0c-e34b19da4e66","topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","subject": "","data": {"validationCode": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"},"eventType": "Microsoft.EventGrid.SubscriptionValidationEvent","eventTime": "2018-01-25T22:12:19.4556811Z", "metadataVersion": "1","dataVersion": "1"}]' -H 'Content-Type: application/json' https://{your-webhook-url.com}

+You can add a Point-to-Site configuration to your coexisting set by following the instruction in [Configuring Point-to-Site VPN connection using Azure certificate authentication](../vpn-gateway/point-to-site-certificate-gateway.md#addresspool)

+### Azure Monitor Insights and analytics

+[Azure Monitor][13] is a suite of tools designed to enhance the performance, reliability, and quality of your applications. It offers features like application performance management, monitoring alerts, metrics analysis, diagnostic settings, and logs. With Azure Monitor Insights, you can gain valuable insights into your application's behavior, troubleshoot issues, and optimize performance.

+The Azure Monitor agent collects monitoring data from the guest operating system of Azure and hybrid VMs. The agent delivers the data to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud. The Azure Monitor agent replaces all of the Azure Monitor legacy monitoring agents like the deprecated Microsoft Monitor Agent. The new Azure Monitor Agent is unsupported in Automanage but can be configured at-scale using Azure Policy. Visit [Azure Monitor Agent Built-In Policy][12] to learn more.

+[Azure Backup][14] provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Backups are stored in a Recovery Services vault with built-in management of recovery points. To back up Azure VMs, Backup installs an extension on the VM agent running on the machine. Visit [Azure Backup Built-In Policy][11] to learn how to configure Backup at scale through Azure Policy. To configure Backup time and duration, create a custom Azure policy based on the properties of the Backup policy resource or by a REST API call. For more information, see [Create Recovery Services backup policies by using the REST API][02].

+[Microsoft Antimalware][10] for Azure Cloud Services and Virtual Machines offers free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems. The Azure Guest agent (or the Microsoft Fabric agent) opens the Microsoft Antimalware for Azure extension and applies the antimalware configuration settings that were supplied as input. This step enables the antimalware service with either default or custom configuration settings.

+[Change Tracking and Inventory][15] is a feature within Automation that monitors changes in VMs across Azure, on-premises, and in other cloud environments. It tracks modifications to installed software, files, registry keys, and services on both Windows and Linux systems. Change Tracking and Inventory uses the Log Analytics agent to collect data and then forwards it to Azure Monitor Logs for analysis. It also integrates with Microsoft Defender for Cloud File Integrity Monitoring to enhance security and operational insights.

+[Microsoft Defender for Cloud][16] (MDC) provides unified security management and advanced threat protection across hybrid cloud workloads. Visit [Configure Defender for Cloud in Azure Policy][17] to learn more about at-scale compliance and monitoring for MDC.

+[Azure Update Manager][19] (AUM) is a service included as part of your Azure subscription. Use it to assess your update status across your environment and manage your Windows and Linux server patching from a single pane of glass, both for on-premises and Azure. It provides a unified solution to help you keep your systems up to date. Update Manager oversees update compliance, deploys critical updates, and offers flexible patching options. Visit [Azure Update Manager Built-In Policy][18] to learn how to configure AUM at scale through Azure Policy.

+[Azure Automation][21] is a cloud-based service that provides consistent management across your Azure and non-Azure environments. Use it to automate repetitive tasks, enforce configuration consistency, and manage updates for VMs. By using runbooks and shared assets, you can streamline operations and reduce operational costs. Visit [Azure Automation Built-In Policy][20] to learn how to configure AUM at scale through Azure Policy.

+[10]: https://learn.microsoft.com/azure/security/fundamentals/antimalware#antimalware-deployment-scenarios

+[11]: https://learn.microsoft.com/azure/backup/policy-reference

+[12]: https://learn.microsoft.com/azure/azure-monitor/policy-reference

+[13]: https://learn.microsoft.com/azure/azure-monitor/overview

+[14]: https://learn.microsoft.com/azure/backup/backup-overview

+[15]: https://learn.microsoft.com/azure/automation/change-tracking/overview

+[16]: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction

+[17]: https://learn.microsoft.com/azure/defender-for-cloud/policy-reference

+[18]: https://learn.microsoft.com/azure/update-manager/periodic-assessment-at-scale

+[19]: https://learn.microsoft.com/azure/update-manager/overview

+[20]: https://learn.microsoft.com/azure/automation/policy-reference

+[21]: https://learn.microsoft.com/azure/automation/overview

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09ce66bc-1220-4153-8104-e3f51c936913) |Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMCentralBackupExcludeTag](https://aka.ms/AzureVMCentralBackupExcludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_DINE.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83644c87-93dd-49fe-bf9f-6aff8fd0834e) |Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMAppCentricBackupIncludeTag](https://aka.ms/AzureVMAppCentricBackupIncludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithTag.json) |

+|[Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09ce66bc-1220-4153-8104-e3f51c936913) |Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMCentralBackupExcludeTag](https://aka.ms/AzureVMCentralBackupExcludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_DINE.json) |

+|[Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F345fa903-145c-4fe1-8bcd-93ec2adccde8) |Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMCentralBackupIncludeTag](https://aka.ms/AzureVMCentralBackupIncludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineWithTag_DINE.json) |

+|[Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86) |Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMAppCentricBackupExcludeTag](https://aka.ms/AzureVMAppCentricBackupExcludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithOutTag.json) |

+|[Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83644c87-93dd-49fe-bf9f-6aff8fd0834e) |Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMAppCentricBackupIncludeTag](https://aka.ms/AzureVMAppCentricBackupIncludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithTag.json) |

+|[Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F345fa903-145c-4fe1-8bcd-93ec2adccde8) |Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMCentralBackupIncludeTag](https://aka.ms/AzureVMCentralBackupIncludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineWithTag_DINE.json) |

+|[Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86) |Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMAppCentricBackupExcludeTag](https://aka.ms/AzureVMAppCentricBackupExcludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithOutTag.json) |

+|[Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09ce66bc-1220-4153-8104-e3f51c936913) |Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMCentralBackupExcludeTag](https://aka.ms/AzureVMCentralBackupExcludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_DINE.json) |

+|[Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83644c87-93dd-49fe-bf9f-6aff8fd0834e) |Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMAppCentricBackupIncludeTag](https://aka.ms/AzureVMAppCentricBackupIncludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineApplicationCentricBackup_DINE_WithTag.json) |

+|[Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F345fa903-145c-4fe1-8bcd-93ec2adccde8) |Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally include virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMCentralBackupIncludeTag](https://aka.ms/AzureVMCentralBackupIncludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineWithTag_DINE.json) |

+|[Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09ce66bc-1220-4153-8104-e3f51c936913) |Enforce backup for all virtual machines by backing them up to an existing central recovery services vault in the same location and subscription as the virtual machine. Doing this is useful when there is a central team in your organization managing backups for all resources in a subscription. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See [https://aka.ms/AzureVMCentralBackupExcludeTag](https://aka.ms/AzureVMCentralBackupExcludeTag). |auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled |[9.4.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Backup/VirtualMachineBackup_DINE.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+|[App Service apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_WebApp_Audit.json) |

+|[Function apps should use the latest TLS version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version. |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/RequireLatestTls_FunctionApp_Audit.json) |

+* [Configure a Point-to-Site connection using the Azure portal](../../vpn-gateway/point-to-site-certificate-gateway.md)

+<!-- * [Allow trusted services to securely access a network-restricted container registry](/azure/container-registry/allow-access-trusted-services) This link should follow the Restric access link (currently 3rd from bottom).-->

+<!-- Removed from document per ADO131844, can be un-commented when service updates (similar for above link)

+-->

+[Deploy the FHIR service](deploy-azure-portal.md)

+Using the system-assigned managed identity is the recommended authentication method for Azure IoT Operations. Azure IoT Operations creates the managed identity automatically and assigns it to the Azure Arc-enabled Kubernetes cluster. It eliminates the need for secret management and allows for seamless authentication.

+1. In Azure portal, go to your Azure IoT Operations instance and select **Overview**.

+1. Copy the name of the extension listed after **Azure IoT Operations Arc extension**. For example, *azure-iot-operations-xxxx7*.

+1. Search for the managed identity in the Azure portal by using the name of the extension. For example, search for *azure-iot-operations-xxxx7*.

+1. Assign a role to the Azure IoT Operations Arc extension managed identity that grants permission to write to the storage account, such as *Storage Blob Data Contributor*. To learn more, see [Authorize access to blobs using Microsoft Entra ID](../../storage/blobs/authorize-access-azure-active-directory.md).

+1. Create the *DataflowEndpoint* resource and specify the managed identity authentication method.

+To learn more about secrets, see [Create and manage secrets in Azure IoT Operations Preview](../secure-iot-ops/howto-manage-secrets.md).

+Create a Kubernetes secret with the SAS token.

+```bash

+kubectl create secret generic <SAS_SECRET_NAME> -n azure-iot-operations \

+--from-literal=accessToken='sv=2022-11-02&ss=b&srt=c&sp=rwdlax&se=2023-07-22T05:47:40Z&st=2023-07-21T21:47:40Z&spr=https&sig=<signature>'

+```

+Using the system-assigned managed identity is the recommended authentication method for Azure IoT Operations. Azure IoT Operations creates the managed identity automatically and assigns it to the Azure Arc-enabled Kubernetes cluster. It eliminates the need for secret management and allows for seamless authentication.

+1. In Azure portal, go to your Azure IoT Operations instance and select **Overview**.

+1. Copy the name of the extension listed after **Azure IoT Operations Arc extension**. For example, *azure-iot-operations-xxxx7*.

+1. In the Microsoft Fabric workspace you created, select **Manage access** > **+ Add people or groups**. Search for the Azure IoT Operations Arc extension by its name and select it. Select **Contributor** as the role, then select **Add**.

+1. Create the *DataflowEndpoint* resource and specify the managed identity authentication method.

+Using the system-assigned managed identity is the recommended authentication method for Azure IoT Operations. Azure IoT Operations creates the managed identity automatically and assigns it to the Azure Arc-enabled Kubernetes cluster. It eliminates the need for secret management and allows for seamless authentication.

+To configure a dataflow endpoint for a Kafka endpoint, we recommend using the managed identity of the Azure Arc-enabled Kubernetes cluster. This approach is secure and eliminates the need for secret management.

+1. In Azure portal, go to your Azure IoT Operations instance and select **Overview**.

+1. Copy the name of the extension listed after **Azure IoT Operations Arc extension**. For example, *azure-iot-operations-xxxx7*.

+1. Search for the managed identity in the Azure portal by using the name of the extension. For example, search for *azure-iot-operations-xxxx7*.

+1. Assign the Azure IoT Operations Arc extension managed identity to the Event Hubs namespace with the `Azure Event Hubs Data Sender` or `Azure Event Hubs Data Receiver` role.

+To use connection string for authentication to Event Hubs, use the SASL authentication method and configure with SASL type as "Plain" and configure name of the secret that contains the connection string.

+First, create a Kubernetes secret that contains the connection string. The secret must be in the same namespace as the Kafka dataflow endpoint. The secret must have both the username and password as key-value pairs. For example:

+```bash

+kubectl create secret generic <SECRET_NAME> -n azure-iot-operations \

+ --from-literal=username='$ConnectionString' \

+ --from-literal=password='Endpoint=sb://<NAMESPACE>.servicebus.windows.net/;SharedAccessKeyName=<KEY-NAME>;SharedAccessKey=<KEY>'

+```

+> [!TIP]

+> Scoping the connection string to the namespace (as opposed to individual event hubs) allows a dataflow to send and receive messages from multiple different event hubs and Kafka topics.

+```bash

+kubectl create secret generic sasl-secret -n azure-iot-operations \

+ --from-literal=token='<YOUR_SASL_TOKEN>'

+```

+The secret must be in the same namespace as the Kafka dataflow endpoint. Use Kubernetes TLS secret containing the public certificate and private key. For example:

+```bash

+kubectl create secret tls my-tls-secret -n azure-iot-operations \

+ --cert=path/to/cert/file \

+ --key=path/to/key/file

+```

+To use system-assigned managed identity for authentication, assign a role to the Azure IoT Operation managed identity that grants permission to send and receive messages from Event Hubs.

+1. In Azure portal, go to your Azure IoT Operations instance and select **Overview**.

+1. Copy the name of the extension listed after **Azure IoT Operations Arc extension**. For example, *azure-iot-operations-xxxx7*.

+1. Search for the managed identity in the Azure portal by using the name of the extension. For example, search for *azure-iot-operations-xxxx7*.

+1. Assign a role to the Azure IoT Operations Arc extension managed identity that grants permission to send and receive messages such as *Azure Event Hubs Data Owner*, *Azure Event Hubs Data Sender*, or *Azure Event Hubs Data Receiver*. To learn more, see [Authenticate an application with Microsoft Entra ID to access Event Hubs resources](../../event-hubs/authenticate-application.md#built-in-roles-for-azure-event-hubs).

+1. Specify the managed identity authentication method in the Kafka settings. In most cases, you don't need to specify other settings.

+To use X.509 certificate authentication, you need to create a secret with the certificate and private key. Use the Kubernetes TLS secret containing the public certificate and private key. For example:

+```bash

+kubectl create secret tls my-tls-secret -n azure-iot-operations \

+ --cert=path/to/cert/file \

+ --key=path/to/key/file

+```

+Before you configure the endpoint, make sure that the Azure IoT Operations managed identity has the necessary permissions to connect to the MQTT broker.

+1. In Azure portal, go to your Azure IoT Operations instance and select **Overview**.

+1. Copy the name of the extension listed after **Azure IoT Operations Arc extension**. For example, *azure-iot-operations-xxxx7*.

+1. Search for the managed identity in the Azure portal by using the name of the extension. For example, search for *azure-iot-operations-xxxx7*.

+1. Assign a role to the Azure IoT Operations Arc extension managed identity that grants permission to connect to the MQTT broker. For example, with Azure Event Grid MQTT broker, assign the managed identity to the Event Grid namespace or topic space with [an appropriate role](../../event-grid/mqtt-client-microsoft-entra-token-and-rbac.md#authorization-to-grant-access-permissions).

+1. Configure the endpoint with system-assigned managed identity settings.

+ If you followed the optional prerequisite to set up your own certificate authority issuer, add the `--user-trust` flag to the `init` command.

+ * If you followed the optional prerequisites to prepare your cluster for observability, add the following parameters to the `create` command:

+ | Parameter | Value | Description |

+ | | -- | -- |

+ | `--ops-config` | `observability.metrics.openTelemetryCollectorAddress=<FULLNAMEOVERRIDE>.azure-iot-operations.svc.cluster.local:<GRPC_ENDPOINT>` | Provide the OpenTelemetry (OTel) collector address you configured in the otel-collector-values.yaml file.<br><br>The sample values used in [Configure observability](../configure-observability-monitoring/howto-configure-observability.md) are **fullnameOverride=aio-otel-collector** and **grpc.enpoint=4317**. |

+ | `--ops-config` | `observability.metrics.exportInternalSeconds=<CHECK_INTERVAL>` | Provide the **check_interval** value you configured in the otel-collector-values.yaml file.<br><br>The sample value used in [Configure observability](../configure-observability-monitoring/howto-configure-observability.md) is **check_interval=60**. |

+

+ * If you followed the optional prerequisites to set up your own certificate authority issuer, add the `--trust-settings` parameters to the `create` command:

+ ```bash

+ --trust-settings configMapName=<CONFIGMAP_NAME> configMapKey=<CONFIGMAP_KEY_WITH_PUBLICKEY_VALUE> issuerKind=<CLUSTERISSUER_OR_ISSUER> issuerName=<ISSUER_NAME>

+ ```

+The `check` command displays a warning about missing dataflows, which is normal and expected until you create a dataflow. For more information, see [Process and route data with dataflows](../connect-to-cloud/overview-dataflow.md).

+You can check the configurations of topic maps, QoS, and message routes by adding the `--detail-level 2` parameter to the `check` command for a verbose view.

+Secrets Management for Azure IoT Operations uses Secret Store extension to sync the secrets from an Azure Key Vault and store them on the edge as Kubernetes secrets. Secret Store extension requires a user assigned managed identity with access to the Azure Key Vault where secrets are stored. To learn more, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview).

+Follow these steps to set up Secrets Management:

+1. [Create an Azure Key Vault](/azure/key-vault/secrets/quick-create-cli#create-a-key-vault) that is used to store secrets, and [give your user account permissions to manage secrets](/azure/key-vault/secrets/quick-create-cli#give-your-user-account-permissions-to-manage-secrets-in-key-vault) with the `Key Vaults Secrets Officer` role.

+1. [Create a user-assigned managed identity](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity) for Secret Store extension.

+1. Use the [az iot ops secretsync enable](/cli/azure/iot/ops/secretsync#az-iot-ops-secretsync-enable) command to set up the Azure IoT Operations instance for secret synchronization. This command:

+ - Creates a federated identity credential using the user-assigned managed identity.

+ - Adds a role assignment to the user-assigned managed identity for access to the Azure Key Vault.

+ - Adds a minimum secret provider class associated with the Azure IoT Operations instance.

+ # [Bash](#tab/bash)

+

+ ```azurecli

+ # Variable block

+ INSTANCE_NAME="<INSTANCE_NAME>"

+ RESOURCE_GROUP="<RESOURCE_GROUP>"

+ USER_ASSIGNED_MI_NAME="<USER_ASSIGNED_MI_NAME>"

+ KEYVAULT_NAME="<KEYVAULT_NAME>"

+

+ #Get the resource ID of the user-assigned managed identity

+ USER_ASSIGNED_MI_RESOURCE_ID=$(az identity show --name $USER_ASSIGNED_MI_NAME --resource-group $RESOURCE_GROUP --query id --output tsv)

+

+ #Get the resource ID of the key vault

+ KEYVAULT_RESOURCE_ID=$(az keyvault show --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP --query id --output tsv)

+

+ #Enable secret synchronization

+ az iot ops secretsync enable --name $INSTANCE_NAME \

+ --resource-group $RESOURCE_GROUP \

+ --mi-user-assigned $USER_ASSIGNED_MI_RESOURCE_ID \

+ --kv-resource-id $KEYVAULT_RESOURCE_ID

+ ```

+

+ # [PowerShell](#tab/powershell)

+

+ ```azurecli

+ # Variable block

+ INSTANCE_NAME="<INSTANCE_NAME>"

+ $RESOURCE_GROUP="<RESOURCE_GROUP>"

+ $USER_ASSIGNED_MI_NAME="<USER_ASSIGNED_MI_NAME>"

+ $KEYVAULT_NAME="<KEYVAULT_NAME>"

+

+ # Get the resource ID of the user-assigned managed identity

+ $USER_ASSIGNED_MI_RESOURCE_ID=$(az identity show --name $USER_ASSIGNED_MI_NAME --resource-group $RESOURCE_GROUP --query id --output tsv)

+

+ # Get the resource ID of the key vault

+ $KEYVAULT_RESOURCE_ID=$(az keyvault show --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP --query id --output tsv)

+

+ # Enable secret synchronization

+ az iot ops secretsync enable --name $INSTANCE_NAME `

+ --resource-group $RESOURCE_GROUP `

+ --mi-user-assigned $USER_ASSIGNED_MI_RESOURCE_ID `

+ --kv-resource-id $KEYVAULT_RESOURCE_ID

+ ```

+

+

+1. [Create a user-assigned managed identity](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity) which is used for cloud connections.

+ INSTANCE_NAME="<INSTANCE_NAME>"

+ $INSTANCE_NAME="<INSTANCE_NAME>"

+* If you want to enable observability features on the cluster, follow the steps in [Deploy observability resources and set up logs](../configure-observability-monitoring/howto-configure-observability.md).

+* If you want to configure your own certificate issuer on the cluster, follow the steps in [Certificate management > Bring your own issuer](../secure-iot-ops/concept-default-root-ca.md#bring-your-own-issuer).

+| Enable resource sync rules on an Azure IoT Operations instance | **Microsoft.Authorization/roleAssignments/write** permissions at the resource group level. | Resource sync rules are disabled by default, but can be enabled as part of the [az iot ops create](/cli/azure/iot/ops#az-iot-ops-create) command. |

+ az iot ops create --cluster $CLUSTER_NAME --resource-group $RESOURCE_GROUP --name ${CLUSTER_NAME}-instance --sr-resource-id $(az iot ops schema registry show --name $SCHEMA_REGISTRY --resource-group $RESOURCE_GROUP -o tsv --query id) --broker-frontend-replicas 1 --broker-frontend-workers 1 --broker-backend-part 1 --broker-backend-workers 1 --broker-backend-rf 2 --broker-mem-profile Low

+ 1. Get the public key portion of your CA certificate. The steps to acquire the public key depend on the issuer you choose.

+ az iot ops create --subscription <SUBSCRIPTION_ID> -g <RESOURCE_GROUP> --cluster <CLUSTER_NAME> --custom-location <CUSTOM_LOCATION> -n <INSTANCE_NAME> --sr-resource-id <SCHEMAREGISTRY_RESOURCE_ID> --trust-settings configMapName=<CONFIGMAP_NAME> configMapKey=<CONFIGMAP_KEY_WITH_PUBLICKEY_VALUE> issuerKind=<CLUSTERISSUER_OR_ISSUER> issuerName=<ISSUER_NAME>

+> [Upgrading a Basic Public IP to Standard Public IP - Guidance](../virtual-network/ip-services/public-ip-basic-upgrade-guidance.md)

+* Learn about [Azure Load Balancer limits](../azure-resource-manager/management/azure-subscription-service-limits.md#load-balancer)

+- Review [Outbound connections](load-balancer-outbound-connections.md) to understand the effect of multiple frontends on outbound connection behavior.

+The Bicep file used in this quickstart is from the [Azure Quickstart Templates](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.network/internal-loadbalancer-create/main.bicep).

+| **Backend pool endpoints** | Any virtual machines or virtual machine scale sets in a single virtual network | Virtual machines in a single availability set or virtual machine scale set |

+- Learn more about [Network Security Groups](../virtual-network/network-security-groups-overview.md).

+For scenarios where you need to use, control, and manage your own infrastructure, you can create Standard logic app workflows using the hybrid deployment model in Azure Logic Apps. This model provides capabilities for you to build and host integration solutions for partially connected environments that require local processing, storage, and network access. Your infrastructure can include on-premises systems, private clouds, and public clouds. With the hybrid model, your Standard logic app workflow is powered by the Azure Logic Apps runtime, which is hosted on premises as part of an Azure Container Apps extension.

+ - Managed identity authentication

+ - C# custom code with .NET Framework and the built-in action named **Call local function in this logic app**

+ Azure Arc-enabled Kubernetes clusters currently don't support managed identity authentication for managed API connections. Instead, you must create your own app registration using Microsoft Entra ID. For more information, [follow these steps later in this guide](#authenticate-managed-api-connections).

+ >

+## Create your Standard logic app

+### [Portal](#tab/azure-portal)

+ :::image type="content" source="media/create-standard-workflows-hybrid-deployment/logic-app-hybrid-portal.png" alt-text="Screenshot shows Azure portal with Standard logic app for hybrid deployment created as a container app.":::

+ > Several known issues exist in the portal around Standard logic apps that use the hybrid hosting option.

+ > These logic apps appear with the **Container App** label, which differs from Standard logic apps that

+ > use either the Workflow Service Plan or App Service Environment V3 hosting option. For more information,

+ > see [Known issues and troubleshooting - Azure portal](#known-issues-portal).

+1. In the Azure portal, on the resource menu, under **Workflows**, select **Workflows**.

+1. On the **Workflows** page toolbar, select **Add** to add an empty stateful or stateless workflow.

+1. After the designer opens, build your workflow by adding a trigger and actions.

+ For more information, see [Build a workflow with a trigger and actions](create-workflow-with-trigger-or-action.md).

+ > [!NOTE]

+ >

+ > A Standard logic app with the hybrid hosting option automatically creates a new *revision*,

+ > which is a [versioning concept from Azure Container Apps](../container-apps/revisions.md),

+ > whenever you save changes to a child workflow. This revision might take a little time to

+ > activate, which means that after you save any changes, you might want to wait several

+ > moments before you test your workflow.

+ >

+ > If your changes still haven't appeared in the workflow, you can check whether the revision exists:

+ >

+ > 1. On the resource menu, under **Revisions**, and select **Revisions and replicas**.

+ >

+ > 1. On the **Revisions and replicas** page, on the **Active revisions** tab, check whether

+ > a new revision appears on the list.

+ >

+ > For more information, see the following resources:

+ >

+ > - [Update and deploy changes in Azure Container Apps](../container-apps/revisions.md)

+ > - [Manage revisions in Azure Container Apps](../container-apps/revisions-manage.md)

+### [Visual Studio Code](#tab/visual-studio-code)

+#### Create your logic app

+#### Deploy your logic app

+After you finish building your workflow, you can deploy your logic app to your Azure Container Apps connected environment.

+1. In the Visual Studio Code **Explorer** window, open the shortcut menu for the workflow node, which is **my-stateful-workflow** in this example, and select **Deploy to logic app**.

+1. From the subscription list, select your Azure subscription.

+1. From the available logic apps list, select **Create new Logic App (Standard) in Azure**. Provide a globally unique logic app name that uses only lowercase alphanumeric characters or hyphens.

+ This example uses **my-logic-app-hybrid**.

+1. From the location list that appears, select the same Azure region where you have your connected environment.

+ This example uses **East US**.

+1. From the hosting plan list, select **Hybrid**.

+1. From the resource group list, select **Create new resource group**. Provide a name for your resource group.

+ This example uses **Hybrid-RG**.

+1. From the connected environment list, select your environment.

+1. Provide your previously saved values for the host name, SMB file share path, username, and password for your artifacts storage.

+1. Provide the connection string for the SQL database that you set up for runtime storage.

+ Visual Studio Code starts the deployment process for your Standard logic app.

+1. To monitor deployment status and Azure activity logs, from the **View** menu, select **Output**. In the window that opens, select **Azure**.

+ After deployment completes, you can go to the Azure portal to view your deployed Standard logic app and workflow.

+> [!NOTE]

+>

+> Several known issues exist in the portal around Standard logic apps that use the hybrid hosting option.

+> These logic apps appear with the **Container App** label, which differs from Standard logic apps that

+> use either the Workflow Service Plan or App Service Environment V3 hosting option. For more information,

+> see [Known issues and troubleshooting - Azure portal](#known-issues-portal).

+>

+> A Standard logic app with the hybrid hosting option automatically creates a new *revision*,

+> which is a [versioning concept from Azure Container Apps](../container-apps/revisions.md),

+> whenever you save changes to a child workflow. This revision might take a little time to

+> activate, which means that after you save any changes, you might want to wait several

+> moments before you test your workflow.

+>

+> If your changes still haven't appeared in the workflow, you can check whether the revision exists:

+>

+> 1. In the [Azure portal](https://portal.azure.com), open your On the resource menu,

+> under **Revisions**, and select **Revisions and replicas**.

+>

+> 1. On the **Revisions and replicas** page, on the **Active revisions** tab, check whether

+> a new revision appears on the list.

+<a name="change-cpu-memory"></a>

+## Change CPU and memory allocation in the Azure portal

+To edit the CPU and memory settings for your Standard logic app resource, follow these steps:

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource.

+1. On the resource menu, under **Settings**, select **Containers**.

+1. On the **Containers** page toolbar, select **Edit and deploy**, which opens the **Edit a container** pane.

+1. On the **Properties** tab, under **Container resource allocation**, change the following values to fit your scenario:

+ | Property | Value | Description |

+ |-|-|-|

+ | **CPU cores** | - Default: 1 <br>- Minimum: 0.25 <br>- Maximum: 2 | Determines the CPU cores to assign to your container instance. You can increase this value by 0.25 cores up to the maximum value. The total number across all container instances for this logic app is limited to 2 cores. |

+ | **Memory** | - Default: 2 <br>- Minimum: 0.1 <br>- Maximum: 4 | Determines the memory capacity in gibibytes (Gi) to assign to your container instance. You can increase this value by 0.1 Gi up to the maximum value. The total capacity across all container instances for this logic app is limited to 4 Gi. |

+1. When you finish, select **Save**.

+<a name="change-scaling"></a>

+## Change replica scaling in Azure portal

+You can control the automatic scaling for the range of replicas that deploy in response to a trigger event. A *replica* is a new instance of a logic app resource revision or version. To change the minimum and maximum values for this range, you can modify the scale rules to determine the event types that trigger scaling. For more information, see [Set scaling rules in Azure Container Apps](../container-apps/scale-app.md).

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app resource.

+1. On the resource menu, under **Settings**, select **Scale**.

+1. On the **Scale** page, under **Scale rule setting**, change the following values to fit your scenario:

+ | Property | Value | Description |

+ |-|-|-|

+ | **Min replicas** | - Default: 1 <br>- Minimum: 0 <br>- Maximum: 1000 | Determines the minimum number of replicas allowed for the revision at any given time. This value overrides scale rules and must be less than the maximum number of replicas. |

+ | **Max replicas** | - Default: 30 <br>- Minimum: 0 <br>- Maximum: 1000 | Determines the maximum number of replicas allowed for the revision at any given time. This value overrides scale rules. |

+1. When you finish, select **Save**.

+<a name="inbound-traffic"></a>

+## Control inbound traffic to your logic app in Azure portal

+You can expose your logic app to the public web, your virtual network, and other logic apps in your environment by enabling ingress. Azure enforces ingress settings through a set of rules that control the routing of external and internal traffic to your logic app. When you enable ingress, you don't need to create an Azure Load Balancer, public IP address, or any other Azure resources to enable incoming HTTP requests or TCP traffic. For more information, see [Ingress in Container Apps](../container-apps/ingress-overview.md).

+> [!NOTE]

+>

+> When you enable ingress, all of the traffic will be directed to your latest revision by default. Go to Revision management page to change traffic settings.壬

+1. On the resource menu, under **Settings**, select **Ingress**.

+1. On the **Ingress** page, next to **Ingress**, select the **Enabled** box.

+1. Based on your scenario, configure the remaining options.

+ For more information, see the following documentation:

+ - [Configure ingress for your app in Azure Container Apps](../container-apps/ingress-how-to.md?pivots=azure-portal)

+ - [Set up IP ingress restrictions in Azure Container Apps](../container-apps/ip-restrictions.md?pivots=azure-portal)

+#### Azure portal

+1. Now, [add the saved values as environment variables](#add-app-registration-values-environment-variables) to your Standard logic app resource.

+#### Azure CLI

+1. Now, [add the saved values as environment variables](#add-app-registration-values-environment-variables) to your Standard logic app resource.

+<a name="add-app-registration-values-environment-variables"></a>

+### Add app registration values to your Standard logic app

+ For more information about app settings and host settings, see [Edit app settings and host settings](edit-app-settings-host-settings.md).

+<a name="store-client-id-secret-for-reference"></a>

+1. In the Azure portal, go to your logic app resource.

+- Your Standard logic app is deployed and appears as a [Azure Container Apps resource](/azure/container-apps/overview), but the type appears as **Logic App (Hybrid)**.

+- Azure includes your Standard logic app in the **Container Apps** resource list, not the **Logic apps** resource list.

+- Your Azure Container Apps connected environment lists your Standard logic app as having an **App Type** named **Hybrid Logic App**.

+1. On the resource menu, select **Overview**.

+1. On the **Overview** page, next to the **Application Url** field, select the resource URL.

+>

+> The **Hybrid** hosting option is currently in preview. For information, see

+> [Set up your own infrastructure for Standard logic apps using hybrid deployment](set-up-standard-workflows-hybrid-deployment-requirements.md#how-billing-works).

+>

+| [Loop actions](logic-apps-control-flow-loops.md) | A loop action, such as the **For each** or **Until** loop, can include other actions that run during each loop cycle. | Except for the initial number of included built-in operations, the loop action and each action in the loop are metered each time the loop cycle runs. If an action processes any items in a collection, such as a list or array, the number of items is also used in the metering calculation. <p><p>For example, suppose you have a **For each** loop with actions that process a list. The service multiplies the number of list items against the number of actions in the loop, and adds the action that starts the loop. So, the calculation for a 10-item list is (10 * 1) + 1, which results in 11 action executions. <p><p>Pricing is based on whether the operation types are built in, Standard, or Enterprise. | Except for the included built-in operations, same as the Consumption model. |

+| [Retry policies](logic-apps-exception-handling.md#retry-policies) | On supported operations, you can implement basic exception and error handling by setting up a [retry policy](logic-apps-exception-handling.md#retry-policies). | Except for the initial number of built-in operations, the original execution plus each retried execution are metered. For example, an action that executes with 5 retries is metered and billed as 6 executions. <p><p>Pricing is based on whether the operation types are built in, Standard, or Enterprise. | Except for the built-in included operations, same as the Consumption model. |

+Sometimes you have to set up and manage your own infrastructure to meet specific needs for regulatory compliance, data privacy, or network restrictions. Azure Logic Apps offers a *hybrid deployment model* so that you can deploy and host Standard logic app workflows in on-premises, private cloud, or public cloud scenarios. This model gives you the capabilities to host integration solutions in partially connected environments when you need to use local processing, data storage, and network access. With the hybrid option, you have the freedom and flexibility to choose the best environment for your workflows.

+## How hybrid deployment works

+Standard logic app workflows with the hybrid deployment option are powered by an Azure Logic Apps runtime that is hosted in an Azure Container Apps extension. In your workflow, any [built-in operations](../connectors/built-in.md) run locally with the runtime so that you get higher throughput for access to local data sources. If you need access to non-local data resources, for example, cloud-based services such as Microsoft Office 365, Microsoft Teams, Salesforce, GitHub, LinkedIn, or ServiceNow, you can choose operations from [1,000+ connectors hosted in Azure](/connectors/connector-reference/connector-reference-logicapps-connectors) to include in your workflows. For more information, see [Managed (shared) connectors](../connectors/managed.md). Although you need to have internet connectivity to manage your logic app in the Azure portal, the semi-connected nature of this platform lets you absorb any temporary internet connectivity issues.

+For example, if you have an on-premises scenario, the following architectural overview shows where Standard logic app workflows are hosted and run in the hybrid model. The partially connected environment includes the following resources for hosting and working with your Standard logic apps, which deploy as Azure Container Apps resources:

+- Azure Arc-enabled Azure Kubernetes Service (AKS) clusters

+For hosting, you can also set up and use [Azure Arc-enabled Kubernetes clusters on Azure Stack *hyperconverged* infrastructure (HCI)](/azure-stack/hci/overview) or [Azure Arc-enabled Kubernetes clusters on Windows Server](/azure/aks/hybrid/kubernetes-walkthrough-powershell).

+## How billing works

+With the hybrid option, you're responsible for the following items:

+- Your Azure Arc-enabled Kubernetes infrastructure

+- Your SQL Server license

+- A billing charge of $0.18 USD per vCPU/hour to support Standard logic app workloads

+In this billing model, you pay only for what you need and scale resources for dynamic workloads without having to buy for peak usage. For workflows that use Azure-hosted connector operations, such as Microsoft Teams or Microsoft Office 365, [existing Standard (single-tenant) pricing](https://azure.microsoft.com/pricing/details/logic-apps/#pricing) applies to these operation executions.

+- Hybrid deployment is currently available and supported only for the following Azure Arc-enabled Kubernetes clusters:

+ - Azure Arc-enabled Kubernetes clusters

+ - Azure Arc-enabled Kubernetes clusters on Azure Stack HCI

+ - Azure Arc-enabled Kubernetes clusters on Windows Server

+> or [Kubernetes cluster on Windows Server](/azure/aks/hybrid/overview) and apply the steps in this guide

+> to connect your cluster to Azure Arc and set up your connected environment. For more information about

+> Azure Stack HCI and AKS on Windows Server, see the following resources:

+> - [Set up an Azure Kubernetes Service host on Azure Stack HCI and Windows Server and deploy a workload cluster using PowerShell](/azure/aks/hybrid/kubernetes-walkthrough-powershell)

+To store artifacts such as maps, schemas, and assemblies for your logic app (container app) resource, you need to have a file share that uses the [Server Message Block (SMB) protocol](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview).

+- Don't use the same exact file share path for multiple logic apps.

+- You can use separate SMB file shares for each logic app, or you can use different folders in the same SMB file share as long as those folders aren't nested. For example, don't have a logic app use the root path, and then have another logic app use a subfolder.

+You need these saved values to provide your SMB file share information when you deploy your logic app resource.

+Windows server access | Guest user account

+Windows server access | Guest user account

+* To perform software inventory and agentless dependency analysis, create a guest user account (local or domain) on the servers. To perform web app discovery, you need an account with administrative permissions on the servers. To discover SQL Server instances and databases, the Windows or SQL Server account must be a member of the sysadmin server role or have [these permissions](./migrate-support-matrix-vmware.md#configure-the-custom-login-for-sql-server-discovery) for each SQL Server instance. Learn how to [assign the required role to the user account](/sql/relational-databases/security/authentication-access/server-level-roles).

+- Create a guest user account on the servers. This account can be used to pull configuration and performance data through CIM connection and perform software inventory (discovery of installed applications) and enable agentless dependency analysis using PowerShell remoting.

+Windows server access | Guest user account

+* To perform software inventory and agentless dependency analysis, create a guest user account (local or domain) on the servers. To perform web app discovery, you need an account with administrative permissions on the servers. To discover SQL Server instances and databases, the Windows or SQL Server account must be a member of the sysadmin server role or have [these permissions](./migrate-support-matrix-vmware.md#configure-the-custom-login-for-sql-server-discovery) for each SQL Server instance. Learn how to [assign the required role to the user account](/sql/relational-databases/security/authentication-access/server-level-roles).

+## Considerations for virtual network flow logs

+### Storage account

+### Private endpoint traffic

+Traffic can't be recorded at the private endpoint itself. You can capture traffic to a private endpoint at the source VM. The traffic is recorded with source IP address of the VM and destination IP address of the private endpoint. You can use `PrivateEndpointResourceId` field to identify traffic flowing to a private endpoint. For more information, see [Traffic analytics schema](traffic-analytics-schema.md?tabs=vnet#traffic-analytics-schema).

+- Connect your computer to a virtual network by completing the steps in the [Configure a point-to-site connection article](../../vpn-gateway/point-to-site-certificate-gateway.md?toc=%2fazure%2fnetworking%2ftoc.json).

+ Title: Deploy Confidential Containers in an Azure Red Hat OpenShift (ARO) cluster (Preview)

+description: Discover how to deploy Confidential Containers in Azure Red Hat OpenShift (ARO)

+keywords: confidential containers, aro, deploy, openshift, red hat

+# Deploy Confidential Containers in an Azure Red Hat OpenShift (ARO) cluster

+This article describes the steps required to deploy Confidential Containers for an ARO cluster. This process involves two main parts and multiple steps:

+First, deploy OpenShift Sandboxed Containers, including the following steps:

+1. Install the OpenShift Sandboxed Containers Operator.

+

+1. Create the peer pods secret.

+1. Create the peer pods config map.

+1. Create the Azure secret.

+After deploying OpenShift Sandboxed Containers, deploy Confidential Containers. This involves the following steps:

+1. Install the Trustee Operator.

+1. Create the route for the Trustee.

+1. Enable the Confidential Containers feature gate.

+1. Update the peer pods config map.

+1. Create the KataConfig custom resource.

+1. Create the Trustee authentication secret.

+

+1. Create the Trustee config map.

+1. Configure attestation policies (optional).

+1. Create the KbsConfig custom resource.

+1. Verify the attestation process.

+

+## Before you begin

+Before beginning the deployment process, make sure the following prerequisites are met:

+- An existing ARO cluster (version 4.15 or later) with at least one worker node

+- Access to the cluster with the `cluster-admin` role

+- The [OpenShift CLI installed](howto-create-private-cluster-4x.md#install-the-openshift-cli)

+> [!IMPORTANT]

+> For each pod in an application, there is a one-to-one mapping with a corresponding Confidential Virtual Machine (CVM). This means that every new pod requires a separate CVM, ensuring isolation between pods.

+>

+## Part 1: Deploy OpenShift sandboxed containers

+### Install the OpenShift sandboxed containers Operator

+The OpenShift sandboxed containers operator can be installed through the CLI or the OpenShift web console.

+### [CLI](#tab/cli)

+1. Create an `osc-namespace.yaml` manifest file:

+ ```

+ apiVersion: v1

+ kind: Namespace

+ metadata:

+ name: openshift-sandboxed-containers-operator

+ ```

+

+1. Create the namespace by running the following command:

+ `$ oc apply -f osc-namespace.yaml`

+1. Create an `osc-operatorgroup.yaml` manifest file:

+ ```

+ apiVersion: operators.coreos.com/v1

+ kind: OperatorGroup

+ metadata:

+ name: sandboxed-containers-operator-group

+ namespace: openshift-sandboxed-containers-operator

+ spec:

+ targetNamespaces:

+ - openshift-sandboxed-containers-operator

+ ```

+

+1. Create the operator group by running the following command

+ `$ oc apply -f osc-operatorgroup.yaml`

+1. Create an `osc-subscription.yaml` manifest file:

+ ```

+ apiVersion: operators.coreos.com/v1alpha1

+ kind: Subscription

+ metadata:

+ name: sandboxed-containers-operator

+ namespace: openshift-sandboxed-containers-operator

+ spec:

+ channel: stable

+ installPlanApproval: Automatic

+ name: sandboxed-containers-operator

+ source: redhat-operators

+ sourceNamespace: openshift-marketplace

+ startingCSV: sandboxed-containers-operator.v1.7.0

+ ```

+

+1. Create the subscription by running the following command:

+ `$ oc apply -f osc-subscription.yaml`

+1. Verify that the Operator is correctly installed by running the following command:

+ `$ oc get csv -n openshift-sandboxed-containers-operator`

+ > [!NOTE]

+ > This command can take several minutes to complete.

+1. Watch the process by running the following command:

+ `$ watch oc get csv -n openshift-sandboxed-containers-operator`

+ **Example Output**

+ ```

+ NAME DISPLAY VERSION REPLACES PHASE

+ openshift-sandboxed-containers openshift-sandboxed-containers-operator 1.7.0 1.6.0 Succeeded

+ ```

+### [Console](#tab/console)

+1. In the web console, navigate to **Operators → OperatorHub**.

+1. In the **Filter by keyword** field, type OpenShift sandboxed containers.

+1. Select the **OpenShift sandboxed containers Operator** tile and select **Install**.

+1. On the **Install Operator** page, select **stable** from the list of available **Update Channel** options.

+1. Verify that **Operator recommended Namespace** is selected for **Installed Namespace**. This installs the Operator in the mandatory `openshift-sandboxed-containers-operator` namespace. If this namespace doesn't yet exist, it's automatically created.

+ > [!NOTE]

+ > Attempting to install the OpenShift sandboxed containers Operator in a namespace other than openshift-sandboxed-containers-operator causes the installation to fail.

+ >

+1. Verify that **Automatic** is selected for **Approval Strategy**. **Automatic** is the default value, and enables automatic updates to OpenShift sandboxed containers when a new z-stream release is available.

+1. Select **Install**.

+1. Navigate to **Operators → Installed Operators** to verify that the Operator is installed.

+### Create the peer pods secret

+You must create the peer pods secret for OpenShift sandboxed containers. The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

+By default, the OpenShift sandboxed containers operator creates the secret based on the credentials used to create the cluster. However, you can manually create a secret that uses different credentials.

+1. Retrieve the Azure subscription ID by running the following command:

+ ```

+ $ AZURE_SUBSCRIPTION_ID=$(az account list --query "[?isDefault].id" \

+ -o tsv) && echo "AZURE_SUBSCRIPTION_ID: \"$AZURE_SUBSCRIPTION_ID\""

+ ```

+1. Generate the role-based access control (RBAC) content by running the following command:

+

+ ```

+ $ az ad sp create-for-rbac --role Contributor --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID \

+ --query "{ client_id: appId, client_secret: password, tenant_id: tenant }"

+ ```

+

+ **Example output**

+ ```

+ {

+ "client_id": `AZURE_CLIENT_ID`,

+ "client_secret": `AZURE_CLIENT_SECRET`,

+ "tenant_id": `AZURE_TENANT_ID`

+ }

+ ```

+

+1. Record the RBAC output to use in the secret object.

+1. Create a peer-pods-secret.yaml manifest file according to the following example:

+ ```

+ apiVersion: v1

+ kind: Secret

+ metadata:

+ name: peer-pods-secret

+ namespace: openshift-sandboxed-containers-operator

+ type: Opaque

+ stringData:

+ AZURE_CLIENT_ID: "<azure_client_id>"

+ AZURE_CLIENT_SECRET: "<azure_client_secret>"

+ AZURE_TENANT_ID: "<azure_tenant_id>"

+ AZURE_SUBSCRIPTION_ID: "<azure_subscription_id>"

+ ```

+ - Specify the `AZURE_CLIENT_ID value`.

+ - Specify the `AZURE_CLIENT_SECRET value`.

+ - Specify the `AZURE_TENANT_ID value`.

+ - Specify the `AZURE_SUBSCRIPTION_ID value`.

+1. Create the secret by running the following command:

+ `$ oc apply -f peer-pods-secret.yaml`

+### Create the peer pods config map

+1. Obtain the following values from Azure:

+ 1. Retrieve and record the Azure resource group:

+

+ `$ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}') && echo "AZURE_RESOURCE_GROUP: \"$AZURE_RESOURCE_GROUP\""`

+

+ 1. Retrieve and record the Azure VNet name:

+

+ ```

+ $ AZURE_VNET_NAME=$(az network vnet list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Name:name}" --output tsv)

+ ```

+

+ This value is used to retrieve the Azure subnet ID.

+

+ 1. Retrieve and record the Azure subnet ID:

+

+ ```

+ $ AZURE_SUBNET_ID=$(az network vnet subnet list --resource-group ${AZURE_RESOURCE_GROUP} --vnet-name $AZURE_VNET_NAME --query "[].{Id:id} | [? contains(Id, 'worker')]" --output tsv) && echo "AZURE_SUBNET_ID: \"$AZURE_SUBNET_ID\""

+ ```

+

+ 1. Retrieve and record the Azure network security group (NSG) ID:

+

+ ```

+ $ AZURE_NSG_ID=$(az network nsg list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Id:id}" --output tsv) && echo "AZURE_NSG_ID: \"$AZURE_NSG_ID\""

+ ```

+

+ 1. Retrieve and record the Azure region:

+

+ `$ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} --query "{Location:location}" --output tsv) && echo "AZURE_REGION: \"$AZURE_REGION\""`

+

+2. Create a peer-pods-cm.yaml manifest file according to the following example:

+ ```

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: peer-pods-cm

+ namespace: openshift-sandboxed-containers-operator

+ data:

+ CLOUD_PROVIDER: "azure"

+ VXLAN_PORT: "9000"

+ AZURE_INSTANCE_SIZE: "Standard_B2als_v2"

+ AZURE_INSTANCE_SIZES: "Standard_B2als_v2,Standard_D2as_v5,Standard_D4as_v5,Standard_D2ads_v5"

+ AZURE_SUBNET_ID: "<azure_subnet_id>"

+ AZURE_NSG_ID: "<azure_nsg_id>"

+ PROXY_TIMEOUT: "5m"

+ AZURE_IMAGE_ID: "<azure_image_id>"

+ AZURE_REGION: "<azure_region>"

+ AZURE_RESOURCE_GROUP: "<azure_resource_group>"

+ DISABLECVM: "true"

+ ```

+ - `AZURE_INSTANCE_SIZE` is the default if an instance size isn't defined in the workload.

+ - `AZURE_INSTANCE_SIZES` lists all of the instance sizes you can specify when creating the pod. This allows you to define smaller instance sizes for workloads that need less memory and fewer CPUs or larger instance sizes for larger workloads.

+ - Specify the `AZURE_SUBNET_ID` value that you retrieved.

+ - Specify the `AZURE_NSG_ID` value that you retrieved.

+ - `AZURE_IMAGE_ID` is optional. By default, this value is populated when you run the KataConfig custom resource, using an Azure image ID based on your cluster credentials. If you create your own Azure image, specify the correct image ID.

+ - Specify the `AZURE_REGION` value you retrieved.

+ - Specify the `AZURE_RESOURCE_GROUP` value you retrieved.

+

+3. Create the config map by running the following command:

+ `$ oc apply -f peer-pods-cm.yaml`

+### Create the Azure secret

+You must create an SSH key secret, which Azure uses to create virtual machines.

+1. Generate an SSH key pair by running the following command:

+ `$ ssh-keygen -f ./id_rsa -N ""`

+1. Create the secret object by running the following command:

+

+ ```

+ $ oc create secret generic ssh-key-secret \

+ -n openshift-sandboxed-containers-operator \

+ --from-file=id_rsa.pub=./id_rsa.pub

+ ```

+

+1. Delete the SSH keys you created:

+ `$ shred --remove id_rsa.pub id_rsa`

+## Part 2: Deploy Confidential Containers

+### Install the Trustee Operator

+1. Create a trustee-namespace.yaml manifest file:

+ ```

+ apiVersion: v1

+ kind: Namespace

+ metadata:

+ name: trustee-operator-system

+ ```

+1. Create the trustee-operator-system namespace by running the following command:

+ `$ oc apply -f trustee-namespace.yaml`

+1. Create a trustee-operatorgroup.yaml manifest file:

+ ```

+ apiVersion: operators.coreos.com/v1

+ kind: OperatorGroup

+ metadata:

+ name: trustee-operator-group

+ namespace: trustee-operator-system

+ spec:

+ targetNamespaces:

+ - trustee-operator-system

+ ```

+1. Create the Operator group by running the following command:

+ `$ oc apply -f trustee-operatorgroup.yaml`

+1. Create a trustee-subscription.yaml manifest file:

+ ```

+ apiVersion: operators.coreos.com/v1alpha1

+ kind: Subscription

+ metadata:

+ name: trustee-operator

+ namespace: trustee-operator-system

+ spec:

+ channel: stable

+ installPlanApproval: Automatic

+ name: trustee-operator

+ source: redhat-operators

+ sourceNamespace: openshift-marketplace

+ startingCSV: trustee-operator.v0.1.0

+ ```

+1. Create the subscription by running the following command:

+ `$ oc apply -f trustee-subscription.yaml`

+1. Verify that the Operator is correctly installed by running the following command:

+ `$ oc get csv -n trustee-operator-system`

+ This command can take several minutes to complete.

+1. Watch the process by running the following command:

+ `$ watch oc get csv -n trustee-operator-system`

+ **Example output**

+ ```

+ NAME DISPLAY PHASE

+ trustee-operator.v0.1.0 Trustee Operator 0.1.0 Succeeded

+ ```

+### Create the route for the Trustee

+Create a secure route with edge TLS termination for Trustee. External ingress traffic reaches the router pods as HTTPS and passes on to the Trustee pods as HTTP.

+1. Create an edge route by running the following command:

+

+ ```

+ $ oc create route edge --service=kbs-service --port kbs-port \

+ -n trustee-operator-system

+ ```

+

+ > [!NOTE]

+ > Currently, only a route with a valid CA-signed certificate is supported. You cannot use a route with self-signed certificate.

+ >

+1. Set the TRUSTEE_HOST variable by running the following command:

+ ```

+ $ TRUSTEE_HOST=$(oc get route -n trustee-operator-system kbs-service \

+ -o jsonpath={.spec.host})

+ ```

+1. Verify the route by running the following command:

+ `$ echo $TRUSTEE_HOST`

+ **Example output**

+ `kbs-service-trustee-operator-system.apps.memvjias.eastus.aroapp.io`

+

+ Record this value for the peer pods config map.

+### Enable the Confidential Containers feature gate

+1. Create a `cc-feature-gate.yaml` manifest file:

+ ```

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: osc-feature-gates

+ namespace: openshift-sandboxed-containers-operator

+ data:

+ confidential: "true"

+ ```

+1. Create the config map by running the following command:

+ `$ oc apply -f cc-feature-gate.yaml`

+### Update the peer pods config map

+1. Obtain the following values from your Azure instance:

+ i. Retrieve and record the Azure resource group:

+

+ `$ AZURE_RESOURCE_GROUP=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.azure.resourceGroupName}') && echo "AZURE_RESOURCE_GROUP: \"$AZURE_RESOURCE_GROUP\""`

+

+ ii. Retrieve and record the Azure VNet name:

+

+ `$ AZURE_VNET_NAME=$(az network vnet list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Name:name}" --output tsv)`

+

+ This value is used to retrieve the Azure subnet ID.

+

+ iii. Retrieve and record the Azure subnet ID:

+

+ `$ AZURE_SUBNET_ID=$(az network vnet subnet list --resource-group ${AZURE_RESOURCE_GROUP} --vnet-name $AZURE_VNET_NAME --query "[].{Id:id} | [? contains(Id, 'worker')]" --output tsv) && echo "AZURE_SUBNET_ID: \"$AZURE_SUBNET_ID\""`

+

+ iv. Retrieve and record the Azure network security group (NSG) ID:

+

+ `$ AZURE_NSG_ID=$(az network nsg list --resource-group ${AZURE_RESOURCE_GROUP} --query "[].{Id:id}" --output tsv) && echo "AZURE_NSG_ID: \"$AZURE_NSG_ID\""`

+

+ v. Retrieve and record the Azure region:

+

+ `$ AZURE_REGION=$(az group show --resource-group ${AZURE_RESOURCE_GROUP} --query "{Location:location}" --output tsv) && echo "AZURE_REGION: \"$AZURE_REGION\""`

+1. Create a `peer-pods-cm.yaml` manifest file according to the following example:

+ ```

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: peer-pods-cm

+ namespace: openshift-sandboxed-containers-operator

+ data:

+ CLOUD_PROVIDER: "azure"

+ VXLAN_PORT: "9000"

+ AZURE_INSTANCE_SIZE: "Standard_DC2as_v5"

+ AZURE_INSTANCE_SIZES: "Standard_DC2as_v5,Standard_DC4as_v5,Standard_DC8as_v5,Standard_DC16as_v5"

+ AZURE_SUBNET_ID: "<azure_subnet_id>"

+ AZURE_NSG_ID: "<azure_nsg_id>"

+ PROXY_TIMEOUT: "5m"

+ AZURE_IMAGE_ID: "<azure_image_id>"

+ AZURE_REGION: "<azure_region>"

+ AZURE_RESOURCE_GROUP: "<azure_resource_group>"

+ DISABLECVM: "false"

+ AA_KBC_PARAMS: "cc_kbc::https://${TRUSTEE_HOST}"

+ ```

+ - `AZURE_INSTANCE_SIZE` is the default if an instance size isn't defined in the workload.

+ - `AZURE_INSTANCE_SIZES` lists all of the instance sizes you can specify when creating the pod. This allows you to define smaller instance sizes for workloads that need less memory and fewer CPUs or larger instance sizes for larger workloads.

+ - Specify the `AZURE_SUBNET_ID` value that you retrieved.

+ - Specify the `AZURE_NSG_ID` value that you retrieved.

+ - `AZURE_IMAGE_ID` (Optional): By default, this value is populated when you run the KataConfig custom resource, using an Azure image ID based on your cluster credentials. If you create your own Azure image, specify the correct image ID.

+ - Specify the `AZURE_REGION` value you retrieved.

+ - Specify the `AZURE_RESOURCE_GROUP` value you retrieved.

+ - `AA_KBC_PARAMS` specifies the host name of the Trustee route.

+1. Create the config map by running the following command:

+ `$ oc apply -f peer-pods-cm.yaml`

+1. Restart the `peerpodconfig-ctrl-caa-daemon` daemon set by running the following command:

+ ```

+ $ oc set env ds/peerpodconfig-ctrl-caa-daemon \

+ -n openshift-sandboxed-containers-operator REBOOT="$(date)"

+ ```

+### Create the KataConfig custom resource

+1. Create an `example-kataconfig.yaml` manifest file according to the following example:

+ ```

+ apiVersion: kataconfiguration.openshift.io/v1

+ kind: KataConfig

+ metadata:

+ name: example-kataconfig

+ spec:

+ enablePeerPods: true

+ logLevel: info

+ # kataConfigPoolSelector:

+ # matchLabels:

+ # <label_key>: '<label_value>'

+ ```

+ Optional: If you have applied node labels to install kata-remote on specific nodes, specify the key and value, for example, cc: 'true'.

+1. Create the KataConfig custom resource by running the following command:

+ `$ oc apply -f example-kataconfig.yaml`

+

+ The new KataConfig custom resource is created and installs kata-remote as a runtime class on the worker nodes.

+

+ > [!NOTE]

+ > Wait for the kata-remote installation to complete and the worker nodes to reboot before verifying the installation.

+ >

+1. Monitor the installation progress by running the following command:

+ `$ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"`

+

+ When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-remote is installed on the cluster.

+1. Verify the daemon set by running the following command:

+ `$ oc get -n openshift-sandboxed-containers-operator ds/peerpodconfig-ctrl-caa-daemon`

+1. Verify the runtime classes by running the following command:

+ $ oc get runtimeclass

+

+ **Example output**

+ ```

+ NAME HANDLER AGE

+ kata-remote kata-remote 152m

+ ```

+### Create the Trustee authentication secret

+1. Create a private key by running the following command:

+ `$ openssl genpkey -algorithm ed25519 > privateKey`

+1. Create a public key by running the following command:

+ `$ openssl pkey -in privateKey -pubout -out publicKey`

+1. Create a secret by running the following command:

+ `$ oc create secret generic kbs-auth-public-key --from-file=publicKey -n trustee-operator-system`

+1. Verify the secret by running the following command:

+ `$ oc get secret -n trustee-operator-system`

+### Create the Trustee config map

+1. Create a `kbs-config-cm.yaml` manifest file:

+ ```

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: kbs-config-cm

+ namespace: trustee-operator-system

+ data:

+ kbs-config.json: |

+ {

+ "insecure_http" : true,

+ "sockets": ["0.0.0.0:8080"],

+ "auth_public_key": "/etc/auth-secret/publicKey",

+ "attestation_token_config": {

+ "attestation_token_type": "CoCo"

+ },

+ "repository_config": {

+ "type": "LocalFs",

+ "dir_path": "/opt/confidential-containers/kbs/repository"

+ },

+ "as_config": {

+ "work_dir": "/opt/confidential-containers/attestation-service",

+ "policy_engine": "opa",

+ "attestation_token_broker": "Simple",

+ "attestation_token_config": {

+ "duration_min": 5

+ },

+ "rvps_config": {

+ "store_type": "LocalJson",

+ "store_config": {

+ "file_path": "/opt/confidential-containers/rvps/reference-values/reference-values.json"

+ }

+ }

+ },

+ "policy_engine_config": {

+ "policy_path": "/opt/confidential-containers/opa/policy.rego"

+ }

+ }

+ ```

+

+1. Create the config map by running the following command:

+ `$ oc apply -f kbs-config-cm.yaml`

+### Configure attestation policies

+You can configure the following attestation policy settings:

+**Reference values**

+You can configure reference values for the Reference Value Provider Service (RVPS) by specifying the trusted digests of your hardware platform.

+The client collects measurements from the running software, the Trusted Execution Environment (TEE) hardware and firmware and it submits a quote with the claims to the Attestation Server. These measurements must match the trusted digests registered to the Trustee. This process ensures that the confidential VM (CVM) is running the expected software stack and hasn't been tampered with.

+**Secrets for clients**

+You must create one or more secrets to share with attested clients.

+**Resource access policy**

+You must configure a policy for the Trustee policy engine to determine which resources to access.

+Don't confuse the Trustee policy engine with the Attestation Service policy engine, which determines the validity of TEE evidence.

+**Attestation policy**

+Optional: You can overwrite the default attestation policy by creating your own attestation policy.

+**Provisioning Certificate Caching Service for TDX**

+If your TEE is Intel Trust Domain Extensions (TDX), you must configure the Provisioning Certificate Caching Service (PCCS). The PCCS retrieves Provisioning Certification Key (PCK) certificates and caches them in a local database.

+1. Create an `rvps-configmap.yaml` manifest file:

+ ```

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: rvps-reference-values

+ namespace: trustee-operator-system

+ data:

+ reference-values.json: |

+ [

+ ]

+ ```

+

+ For `reference-values.json` specify the trusted digests for your hardware platform if required. Otherwise, leave it empty.

+1. Create the RVPS config map by running the following command:

+ `$ oc apply -f rvps-configmap.yaml`

+1. Create one or more secrets to share with attested clients according to the following example:

+ ```

+ $ oc create secret generic kbsres1 --from-literal key1=<res1val1> \

+ --from-literal key2=<res1val2> -n trustee-operator-system

+ ```

+ In this example, the `kbsres1` secret has two entries (key1, key2), which the Trustee clients retrieve. You can add more secrets according to your requirements.

+1. Create a resourcepolicy-configmap.yaml manifest file:

+ ```

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: resource-policy

+ namespace: trustee-operator-system

+ data:

+ policy.rego:

+ package policy

+ default allow = false

+ allow {

+ input["tee"] != "sample"

+ }

+ ```

+ - The name of the resource policy, `policy.rego`, must match the resource policy defined in the Trustee config map.

+ - The resource package policy follows the Open Policy Agent specification. This example allows the retrieval of all resources when the TEE isn't the sample attester.

+1. Create the resource policy config map by running the following command:

+ `$ oc apply -f resourcepolicy-configmap.yaml`

+1. Optional: Create an attestation-policy.yaml manifest file according to the following example:

+

+ ```

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: attestation-policy

+ namespace: trustee-operator-system

+ data:

+ default.rego: |

+ package policy

+ import future.keywords.every

+

+ default allow = false

+

+ allow {

+ every k, v in input {

+ judge_field(k, v)

+ }

+ }

+

+ judge_field(input_key, input_value) {

+ has_key(data.reference, input_key)

+ reference_value := data.reference[input_key]

+ match_value(reference_value, input_value)

+ }

+

+ judge_field(input_key, input_value) {

+ not has_key(data.reference, input_key)

+ }

+

+ match_value(reference_value, input_value) {

+ not is_array(reference_value)

+ input_value == reference_value

+ }

+

+ match_value(reference_value, input_value) {

+ is_array(reference_value)

+ array_include(reference_value, input_value)

+ }

+

+ array_include(reference_value_array, input_value) {

+ reference_value_array == []

+ }

+

+ array_include(reference_value_array, input_value) {

+ reference_value_array != []

+ some i

+ reference_value_array[i] == input_value

+ }

+

+ has_key(m, k) {

+ _ = m[k]

+ }

+ ```

+ For `package policy`, The attestation policy follows the Open Policy Agent specification. In this example, the attestation policy compares the claims provided in the attestation report to the reference values registered in the RVPS database. The attestation process is successful only if all the values match.

+1. Create the attestation policy config map by running the following command:

+ `$ oc apply -f attestation-policy.yaml`

+1. If your TEE is Intel TDX, create a tdx-config.yaml manifest file:

+ ```

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+ name: tdx-config

+ namespace: trustee-operator-system

+ data:

+ sgx_default_qcnl.conf: | \

+ {

+ "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",

+ "pccs_url": "<pccs_url>"

+ }

+ ```

+ For `pccs_url`, specify the PCCS URL, for example, https://localhost:8081/sgx/certification/v4/.

+1. Create the TDX config map by running the following command:

+ `$ oc apply -f tdx-config.yaml`

+### Create the KbsConfig custom resource

+You must create the KbsConfig custom resource to launch Trustee. Then, you check the Trustee pods and pod logs to verify the configuration.

+1. Create a `kbsconfig-cr.yaml` manifest file:

+ ```

+ apiVersion: confidentialcontainers.org/v1alpha1

+ kind: KbsConfig

+ metadata:

+ labels:

+ app.kubernetes.io/name: kbsconfig

+ app.kubernetes.io/instance: kbsconfig

+ app.kubernetes.io/part-of: trustee-operator

+ app.kubernetes.io/managed-by: kustomize

+ app.kubernetes.io/created-by: trustee-operator

+ name: kbsconfig

+ namespace: trustee-operator-system

+ spec:

+ kbsConfigMapName: kbs-config-cm

+ kbsAuthSecretName: kbs-auth-public-key

+ kbsDeploymentType: AllInOneDeployment

+ kbsRvpsRefValuesConfigMapName: rvps-reference-values

+ kbsSecretResources: ["kbsres1"]

+ kbsResourcePolicyConfigMapName: resource-policy

+ ```

+

+1. Create the KbsConfig custom resource by running the following command:

+ `$ oc apply -f kbsconfig-cr.yaml`

+#### Verification

+1. Set the default project by running the following command:

+ `$ oc project trustee-operator-system`

+1. Check the pods by running the following command:

+ `$ oc get pods -n trustee-operator-system`

+ **Example output**

+ ```

+ NAME READY STATUS RESTARTS AGE

+ trustee-deployment-8585f98449-9bbgl 1/1 Running 0 22m

+ trustee-operator-controller-manager-5fbd44cd97-55dlh 2/2 Running 0 59m

+ ```

+

+1. Set the POD_NAME environmental variable by running the following command:

+ `$ POD_NAME=$(oc get pods -l app=kbs -o jsonpath='{.items[0].metadata.name}' -n trustee-operator-system)`

+1. Check the pod logs by running the following command:

+ `$ oc logs -n trustee-operator-system $POD_NAME`

+ **Example output**

+ ```

+ [2024-05-30T13:44:24Z INFO kbs] Using config file /etc/kbs-config/kbs-config.json

+ [2024-05-30T13:44:24Z WARN attestation_service::rvps] No RVPS address provided and will launch a built-in rvps

+ [2024-05-30T13:44:24Z INFO attestation_service::token::simple] No Token Signer key in config file, create an ephemeral key and without CA pubkey cert

+ [2024-05-30T13:44:24Z INFO api_server] Starting HTTPS server at [0.0.0.0:8080]

+ [2024-05-30T13:44:24Z INFO actix_server::builder] starting 12 workers

+ [2024-05-30T13:44:24Z INFO actix_server::server] Tokio runtime found; starting in existing Tokio runtime

+ ```

+

+### Verify the attestation process

+You can verify the attestation process by creating a test pod and retrieving its secret.

+Important: This procedure is an example to verify that attestation is working. Don't write sensitive data to standard I/O because the data can be captured by using a memory dump. Only data written to memory is encrypted.

+By default, an agent side policy embedded in the pod VM image disables the exec and log APIs for a Confidential Containers pod. This policy ensures that sensitive data isn't written to standard I/O.

+In a test scenario, you can override the restriction at runtime by adding a policy annotation to the pod. For Technology Preview, runtime policy annotations aren't verified by remote attestation.

+1. Create a verification-pod.yaml manifest file:

+ ```

+ apiVersion: v1

+ kind: Pod

+ metadata:

+ name: ocp-cc-pod

+ labels:

+ app: ocp-cc-pod

+ annotations:

+ io.katacontainers.config.agent.policy: cGFja2FnZSBhZ2VudF9wb2xpY3kKCmRlZmF1bHQgQWRkQVJQTmVpZ2hib3JzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgQWRkU3dhcFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENsb3NlU3RkaW5SZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBDb3B5RmlsZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENyZWF0ZUNvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENyZWF0ZVNhbmRib3hSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBEZXN0cm95U2FuZGJveFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEV4ZWNQcm9jZXNzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgR2V0TWV0cmljc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEdldE9PTUV2ZW50UmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgR3Vlc3REZXRhaWxzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgTGlzdEludGVyZmFjZXNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBMaXN0Um91dGVzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgTWVtSG90cGx1Z0J5UHJvYmVSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBPbmxpbmVDUFVNZW1SZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBQYXVzZUNvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFB1bGxJbWFnZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFJlYWRTdHJlYW1SZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZW1vdmVDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZW1vdmVTdGFsZVZpcnRpb2ZzU2hhcmVNb3VudHNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZXNlZWRSYW5kb21EZXZSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZXN1bWVDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBTZXRHdWVzdERhdGVUaW1lUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU2V0UG9saWN5UmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU2lnbmFsUHJvY2Vzc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFN0YXJ0Q29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU3RhcnRUcmFjaW5nUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU3RhdHNDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBTdG9wVHJhY2luZ1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFR0eVdpblJlc2l6ZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZUNvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZUVwaGVtZXJhbE1vdW50c1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZUludGVyZmFjZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFVwZGF0ZVJvdXRlc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFdhaXRQcm9jZXNzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgV3JpdGVTdHJlYW1SZXF1ZXN0IDo9IHRydWUK

+ spec:

+ runtimeClassName: kata-remote

+ containers:

+ - name: skr-openshift

+ image: registry.access.redhat.com/ubi9/ubi:9.3

+ command:

+ - sleep

+ - "36000"

+ securityContext:

+ privileged: false

+ seccompProfile:

+ type: RuntimeDefault

+ ```

+

+

+ The pod metada `annotations` overrides the policy that prevents sensitive data from being written to standard I/O.

+

+1. Create the pod by running the following command:

+ `$ oc create -f verification-pod.yaml`

+1. Connect to the Bash shell of the ocp-cc-pod pod by running the following command:

+ `$ oc exec -it ocp-cc-pod -- bash`

+1. Fetch the pod secret by running the following command:

+ `$ curl http://127.0.0.1:8006/cdh/resource/default/kbsres1/key1`

+

+ **Example output**

+ `res1val1`

+

+ The Trustee server returns the secret only if the attestation is successful.

+ Title: Confidential Containers with Azure Red Hat OpenShift (Preview)

+description: Discover how to utilize Confidential Containers with Azure Red Hat OpenShift to protect sensitive data.

+# Confidential Containers with Azure Red Hat OpenShift

+Confidential Containers offer a robust solution to protect sensitive data within cloud environments. By using hardware-based trusted execution environments (TEEs), Confidential Containers provide a secure enclave within the host system, isolating applications and their data from potential threats. This isolation ensures that even if the host system is compromised, the confidential data remains protected.

+This article describes the benefits of using Confidential Containers to safeguard sensitive data and explains how Confidential Containers function within Azure Red Hat OpenShift.

+## Benefits of Using Confidential Containers

+Confidential Containers offer several key benefits:

+- Enhanced Data Security: By isolating applications and their data within a secure enclave, Confidential Containers protect sensitive information from unauthorized access, even if the host system is compromised.

+- Regulatory Compliance: Industries such as healthcare, finance, and government are subject to stringent data privacy regulations. Confidential Containers can help organizations meet these compliance requirements by providing a robust mechanism for protecting sensitive data.

+- Improved Trust and Confidence: Confidential Containers can foster trust between cloud service providers and their customers by demonstrating commitment to data security and privacy.

+- Reduced Risk of Data Breaches: The use of Confidential Containers can significantly reduce the risk of data breaches, which can have devastating consequences for organizations.

+- Increased Efficiency: Confidential Containers can streamline the development and deployment of applications by providing a secure and efficient environment for running sensitive workloads.

+## Typical use cases

+The following table describes the most common use cases for deploying Confidential Containers.

+|Use case |Industry |Example |

+||||

+|**Regulator compliance**<br>Meeting strict data protection and privacy regulations. |Government, Finance, Healthcare |A healthcare provider using Confidential containers to process and store patient data in compliance with HIPAA regulations. |

+|**Multi-tenancy environments**<br>Hosting multiple clients' applications and data with strong isolation. |SaaS providers, Cloud service providers |A cloud service provider offering isolated environments for different clients within the same infrastructure. |

+|**Secure AI/ML model training**<br>Training AI models on sensitive data without exposing the data. |AI/ML, Any industry using sensitive data for AI |A financial institution training fraud detection models on customer transaction data. |

+## How Confidential Containers work

+Confidential Containers is a feature of Red Hat OpenShift sandboxed containers, which provide an isolated environment for running containerized applications. The core of Confidential Containers is the Confidential Virtual Machine (CVM). This specialized virtual machine, operating within a Trusted Execution Environment (TEE), establishes a secure enclave for applications and their associated data. TEEs, hardware-based isolated environments fortified with enhanced security features, ensure that even if the host system is compromised, the data residing within the CVM remains protected.

+Azure Red Hat OpenShift serves as the orchestrator, overseeing the sandboxing of workloads (pods) through the utilization of virtual machines. When employing CVMs, Azure Red Hat OpenShift empowers Confidential Container capabilities for your workloads. Once a Confidential Containers workload is created, Azure Red Hat OpenShift deploys it within a CVM executing within the TEE, providing a secure and isolated environment for your sensitive data.

+The diagram shows the three main steps for using Confidential Containers on an ARO cluster:

+1. The OpenShift Sandboxed Containers Operator is deployed on the ARO cluster.

+1. Kata Runtime container on an ARO worker node uses the cloud-api-adapter to create a peer pod on a confidential VM.

+1. The remote attestation agent on the peer pod initiates the attestation of the container image before the kata-agent deploys it, ensuring the integrity of the image.

+### Attestation

+Attestation constitutes a fundamental component of Confidential Containers, particularly within the context of zero-trust security. Prior to deploying a workload as a Confidential Containers workload, it's imperative to verify the trustworthiness of the TEE where the workload is executed. Attestation ensures that the TEE is indeed secure and possesses the capability to safeguard your confidential data.

+### The Trustee Project

+The Trustee project provides the attestation capabilities essential for Confidential Containers. It executes attestation operations and delivers secrets to the TEE following successful verification. Key components of Trustee encompass:

+- Trustee agents: These components operate within the CVM, including the Attestation Agent (AA) responsible for transmitting evidence to substantiate the environment's trustworthiness.

+- Key Broker Service (KBS): This service functions as an entrypoint for remote attestation, forwarding evidence to the Attestation Service (AS) for verification.

+- Attestation Service (AS): This service validates the TEE evidence.

+### The Confidential Compute Attestation Operator

+The Confidential Compute Attestation Operator, an integral component of the Azure Red Hat OpenShift Confidential Containers solution, facilitates the deployment and management of Trustee services within an Azure Red Hat OpenShift cluster. It streamlines the configuration of Trustee services and the management of secrets for Confidential Containers workloads.

+### A Unified perspective

+A typical Confidential Containers deployment involves Azure Red Hat OpenShift working with the Confidential Compute Attestation Operator deployed in a separate, trusted environment. The workload is executed within a CVM operating inside a TEE, benefiting from the encrypted memory and integrity guarantees provided by the TEE. Trustee agents residing within the CVM perform attestation and acquire requisite secrets, safeguarding the security and confidentiality of your data.

+## Next steps

+Now that you know the benefits and various use cases for Confidential Containers, check out [Deploy confidential containers in an Azure Red Hat OpenShift (ARO) cluster](confidential-containers-deploy.md).

+| Log Analytics Workspace | [Log Analytics Workspace Limits](/azure/azure-monitor/service-limits#log-analytics-workspaces) |

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/xinrui-publisher/providers/Microsoft.HybridNetwork/networkfunctions/testnfDependsOn02",

+ [--config global.networkfunctionextension.clusterRegistry.clusterRegistryGCCadence=]

+ [--config global.networkfunctionextension.clusterRegistry.clusterRegistryGCThreshold=]

+`--config global.networkfunctionextension.clusterRegistry.clusterRegistryGCCadence=`

+* This configuration must be provided as a schedule in standard Unix crontab format.

+* This configuration specified as an empty string disable the scheduled job, allowing customers to opt out of running garbage collection.

+* Default value: "0 0 * * *" -- Runs the job once everyday.

+`--config global.networkfunctionextension.backgroundJobThreshold=`

+* This configuration specifies the precent threshold value to trigger the cluster registry garbage collection process.

+* This configuration triggers garbage collection process when cluster registry usage exceeds this value.

+* Default value: 0.

+* Release Notes for Version 2.0.2860-160

+* CVE - A total of 19 CVEs are addressed in this release.

+## Release 2.0.2860-160

+Document Revision 1.0

+### Release Summary

+Azure Operator Service Manager is a cloud orchestration service that enables automation of operator network-intensive workloads, and mission critical applications hosted on Azure Operator Nexus. Azure Operator Service Manager unifies infrastructure, software, and configuration management with a common model into a single interface, both based on trusted Azure industry standards. This October 31, 2024 Azure Operator Service Manager release includes updating the NFO version to 2.0.2860-160, the details of which are further outlined in the remainder of this document.

+### Release Details

+* Release Version: Version 2.0.2860-160

+* Release Date: October 31, 2024

+* Is NFO update required: YES, Update only

+* Dependency Versions: Go/1.22.4 - Helm/3.15.2

+### Release Installation

+This release can be installed with as an update on top of release 2.0.2847-158. See [learn documentation](manage-network-function-operator.md) for more installation guidance.

+### Release Highlights

+#### Cluster registry garbage collection automation

+This version expands the cluster registry garbage collection feature set to include automatic cleanup. A background job runs to regularly clean up container images. The job schedule, how frequently each day the jobs runs, and the threshold condition to trigger cleanup, expressed as percent capacity utilized, is configured by end-user. By default, the job will run once per day at a 0% utilization threshold.

+#### Bugfix Related Updates

+The following bug fixes, or other defect resolutions, are delivered with this release, for either Network Function Operator (NFO) or resource provider (RP) components.

+None

+#### Security Related Updates

+None

+## Asia Pacific (APAC)

+## Brazil (APAC)

+| Azure region | OCI region | Oracle Exadata Database@Azure | Oracle Autonomous Database@Azure |

+|-|--|-|-|

+| Brazil South | Brazil Southeast (Vinhedo) | Γ£ô | |

+[Configure a point-to-site connection to a virtual network by using certification authentication: Azure portal](../../vpn-gateway/point-to-site-certificate-gateway.md)

+## Migrate to the Azure Monitor Agent

+## Connect to Microsoft services via API-based connectors

+## Related content

+## Prerequisites

+To ingest data into Microsoft Sentinel using a standalone, diagnostic settings-based connector, you must have read and write permissions on the Log Analytics workspace enabled for Microsoft Sentinel.

+To ingest data into Microsoft Sentinel using diagnostic settings-based connectors managed by Azure Policy, you must also have the following prerequisites:

+- To use Azure Policy to apply a log streaming policy to your resources, you must have the Owner role for the policy assignment scope.

+- The following prerequisites, depending on which connector you're using:

+ |Data connector |Licensing, costs, and other information |

+ |||

+ |**Azure Activity**| This connector now uses the diagnostic settings pipeline. If you're using the legacy method, you must disconnect the existing subscriptions from the legacy method before setting up the new Azure Activity log connector.<br><br>1. From the Microsoft Sentinel navigation menu, select **Data connectors**. From the list of connectors, select **Azure Activity**, and then select the **Open connector page** button on the lower right.<br>2. Under the **Instructions** tab, in the **Configuration** section, in step 1, review the list of your existing subscriptions that are connected to the legacy method, and disconnect them all at once by clicking the **Disconnect All** button below.<br>3. Continue setting up the new connector with the instructions in this section. |

+ |**Azure DDoS Protection**|- Configured [Azure DDoS Standard protection plan](../ddos-protection/manage-ddos-protection.md#create-a-ddos-protection-plan).<br>- Configured [virtual network with Azure DDoS Standard enabled](../ddos-protection/manage-ddos-protection.md#enable-for-a-new-virtual-network)<br>- Other charges may apply<br>- The **Status** for Azure DDoS Protection Data Connector changes to **Connected** only when the protected resources are under a DDoS attack.|

+ |**Azure Storage Account**|The storage account (parent) resource has within it other (child) resources for each type of storage: files, tables, queues, and blobs. </br>When configuring diagnostics for a storage account, you must select and configure: <br><br>- The parent account resource, exporting the **Transaction** metric.<br>- Each of the child storage-type resources, exporting all the logs and metrics.<br><br>You'll only see the storage types that you actually have defined resources for.|

+## Connect via a standalone diagnostic settings-based connector

+This procedure describes how to connect to Microsoft Sentinel using data connectors that use standalone connections based on diagnostic settings.

+ Mark the **Send to Log Analytics** check box. Two new fields are displayed below it. Choose the relevant **Subscription** and **Log Analytics Workspace** (where Microsoft Sentinel resides).

+## Connect via a diagnostic setting-based connector managed by Azure Policy

+This procedure describes how to connect to Microsoft Sentinel using data connectors that use connections that are based on diagnostic settings and are managed by Azure Policy.

+ The policy assignment wizard opens, ready to create a new policy, with a policy name prepopulated.

+ - The remaining drop-down fields represent the available diagnostic log types. Leave marked as *True* all the log types you want to ingest.

+With this type of data connector, the connectivity status indicators (a color stripe in the data connectors gallery and connection icons next to the data type names) shows as *connected* (green) only if data has been ingested at some point in the past 14 days. Once 14 days have passed with no data ingestion, the connector shows as being disconnected. The moment more data comes through, the *connected* status returns.

+## Related content

+- [Threat intelligence integration in Microsoft Sentinel](threat-intelligence-integration.md)

+$SubscriptionId = "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+### Can we replicate from one Zone to non-zone with Azure Site Recovery?

+Yes, this is supported.

+> [!NOTE]

+> Alternatively, you can download the key, import it in the secondary key vault region. You can then modify your replicas disks to use the keys.

+- **Private IP address**: If you're using static IP addresses, you cannot retain the same IP address in zone to zone failover.

+>

+> Azure Site Recovery isn't supported for VMs with Premium SSD v2 disks.

+18.04 LTS | 9.63 | 5.4.0-1135-azure <br> 5.4.0-192-generic <br> 4.15.0-1180-azure <br> 4.15.0-228-generic <br> 5.4.0-1136-azure <br> 5.4.0-193-generic <br> 5.4.0-1137-azure <br> 5.4.0-1138-azure <br> 5.4.0-195-generic <br> 5.4.0-196-generic <br> 4.15.0-1181-azure <br> 4.15.0-229-generic <br> 4.15.0-1182-azure <br> 4.15.0-230-generic <br> 5.4.0-1139-azure <br> 5.4.0-198-generic |

+20.04 LTS | 9.62| 5.15.0-1065-azure <br>5.15.0-1067-azure <br>5.15.0-113-generic <br>5.4.0-1131-azure <br>5.4.0-1132-azure <br>5.4.0-186-generic <br> 5.4.0-187-generic <br> 5.15.0-1068-azure <br> 5.15.0-116-generic <br> 5.15.0-117-generic <br> 5.4.0-1133-azure <br> 5.4.0-1134-azure <br> 5.4.0-189-generic <br> 5.4.0-190-generic <br> 5.15.0-1074-azure <br> 5.15.0-124-generic <br> 5.4.0-1139-azure <br> 5.4.0-198-generic |

+22.04 LTS | 9.63| 5.15.0-1070-azure <br> 5.15.0-118-generic <br> 5.15.0-1071-azure <br> 5.15.0-119-generic <br> 5.15.0-1072-azure <br> 5.15.0-1073-azure <br> 5.15.0-121-generic <br> 5.15.0-122-generic <br> 5.15.0-1074-azure <br> +5.15.0-124-generic |

+22.04 LTS | 9.62| 5.15.0-1066-azure <br> 5.15.0-1067-azure <br>5.15.0-112-generic <br>5.15.0-113-generic <br>6.5.0-1022-azure <br>6.5.0-1023-azure <br>6.5.0-41-generic <br> 5.15.0-1068-azure <br> 5.15.0-116-generic <br> 5.15.0-117-generic <br> 6.5.0-1024-azure <br> 6.5.0-1025-azure <br> 6.5.0-44-generic <br> 6.5.0-45-generic |

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | 9.63 | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.194-azure:5 <br> 4.12.14-16.197-azure:5 <br> 4.12.14-16.200-azure:5 |

+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4, SP5, SP6) | 9.63 | All [stock SUSE 15 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150500.33.63-azure:5 <br> 5.14.21-150500.33.66-azure:5 <br> 6.4.0-150600.6-azure:6 <br>6.4.0-150600.8.11-azure:6 <br> 6.4.0-150600.8.5-azure:6 <br> 6.4.0-150600.8.8-azure:6 <br> 6.4.0-150600.8.14-azure:6 <br> 5.14.21-150500.33.69-azure:5 |

+In this case, the customer provides custom application proxy settings in Mobility Service config file ProxyInfo.conf. This method allows customers to provide proxy only for Mobility Service or a different proxy for Azure Site Recovery Mobility Service than a proxy (or no proxy) for rest of the applications on the machine. Check whether the file `C:\ProgramData\Microsoft Azure Site Recovery\Config\ProxyInfo.conf` has any proxy entry. In case the file doesn't exist, create one.

+Guest VM network: Static IP (Linux) | Yes | Yes

+> [!NOTE]

+> For Guest VM network, static IP (Linux), Static IP from source OS's NIC is not used on Azure. The vNIC on Azure VM is configured with a new Azure IP of selected virtual network.

+ASRDeploymentPlanner.exe -Operation GenerateReport -Virtualization Hyper-V -Directory "E:\Hyper-V_ProfiledData" -VMListFile "E:\Hyper-V_ProfiledData\ProfileVMList1.txt" -SubscriptionID aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e -OfferID MS-AZR-0148P -TargetRegion southindia -Currency INR

+Set up one or more Log Analytics workspaces to store your Backup reporting data. The location and subscription of this Log Analytics workspace can be different from where your vaults are located or subscribed.

+1. Select **Azure Site Recovery Jobs** and **Azure Site Recovery Replicated Item Details**, and on the **Destination** table **Resource Specific** options to populate the reports.

+- [Diagnostics in Backup and Site Recovery](../backup/backup-azure-diagnostic-events.md)

+ASRDeploymentPlanner.exe -Operation GenerateReport -Virtualization VMware -Directory ΓÇ£E:\vCenter1_ProfiledDataΓÇ¥ -VMListFile ΓÇ£E:\vCenter1_ProfiledData\ProfileVMList1.txtΓÇ¥ -SubscriptionID aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e -OfferID MS-AZR-0148P -TargetRegion southindia -Currency INR

+> [!NOTE]

+> If the registry keys are absent, you don't need to create them for Windows Server 2012 R2 or later versions if TLS 1.2 is enabled in SChannel protocols.

+Dynamic disk | OS disk must be a basic disk. <br/><br/>Data disks can be dynamic disks. <br><br> Data disks can be spanned volumes.

+| Supported Azure Functions [runtimes](../azure-functions/supported-languages.md#languages-by-runtime-version)¹ | See [supported languages and runtimes](languages-runtimes.md#api). | All |

+zone_pivot_groups: static-web-apps-ci-cd

+## Security

+You can choose between two different deployment authorization policies to secure your build configuration. Static Web Apps supports either using an Azure deployment token (recommended), or a GitHub access token.

+Use the following steps to set the deployment authorization policy in your app:

+- **New apps**: When you create your static web app, on the *Deployment configuration* tab, make a selection for the *Deployment authorization policy*.

+- **Existing apps**: To update an existing app, go to *Settings* > *Configuration* > *Deployment configuration*, and make a selection for the *Deployment authorization policy*.

+```yaml

+trigger:

+ - main

+pool:

+ vmImage: ubuntu-latest

+steps:

+ - checkout: self

+ submodules: true

+ - task: AzureStaticWebApp@0

+ inputs:

+ app_location: 'src' # App source code path relative to cwd

+ api_location: 'api' # Api source code path relative to cwd

+ output_location: 'public' # Built app content directory relative to app_location - optional

+ cwd: '$(System.DefaultWorkingDirectory)/myapp' # Working directory - optional

+ azure_static_web_apps_api_token: $(deployment_token)

+```

+In this configuration:

+- The `main` branch is monitored for commits.

+- The `app_location` points to the `src` folder that contains the source files for the web app. This value is relative to the working directory (`cwd`). To set it to the working directory, use `/`.

+- The `api_location` points to the `api` folder that contains the Azure Functions application for the site's API endpoints. This value is relative to the working directory (`cwd`). To set it to the working directory, use `/`.

+- The `output_location` points to the `public` folder that contains the final version of the app's source files. This value is relative to `app_location`. For .NET projects, the location is relative to the output folder.

+- The `cwd` is an absolute path pointing to the working directory. It defaults to `$(System.DefaultWorkingDirectory)`.

+- The `$(deployment_token)` variable points to the [generated Azure DevOps deployment token](./deployment-token-management.md).

+> [!NOTE]

+> `app_location` and `api_location` must be relative to the working directory (`cwd`) and they must be subdirectories under `cwd`.

+# [Azure deployment token](#tab/adt)

+```yml

+name: Azure Static Web Apps CI/CD

+on:

+ push:

+ branches:

+ - main

+ - dev

+ pull_request:

+ types: [opened, synchronize, reopened, closed]

+ branches:

+ - main

+jobs:

+ build_and_deploy_job:

+ if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')

+ runs-on: ubuntu-latest

+ name: Build and Deploy Job

+ permissions:

+ id-token: write

+ contents: read

+ steps:

+ - uses: actions/checkout@v3

+ with:

+ submodules: true

+ lfs: false

+ - name: Install OIDC Client from Core Package

+ run: npm install @actions/core@1.6.0 @actions/http-client

+ - name: Get Id Token

+ uses: actions/github-script@v6

+ id: idtoken

+ with:

+ script: |

+ const coredemo = require('@actions/core')

+ return await coredemo.getIDToken()

+ result-encoding: string

+ - name: Build And Deploy

+ id: builddeploy

+ uses: Azure/static-web-apps-deploy@v1

+ with:

+ azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_GENTLE_WATER }}

+ action: "upload"

+ ###### Repository/Build Configurations - These values can be configured to match your app requirements. ######

+ # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig

+ app_location: "/" # App source code path

+ api_location: "" # Api source code path - optional

+ output_location: "dist/angular-basic" # Built app content directory - optional

+ production_branch: "dev"

+ github_id_token: ${{ steps.idtoken.outputs.result }}

+ ###### End of Repository/Build Configurations ######

+ close_pull_request_job:

+ if: github.event_name == 'pull_request' && github.event.action == 'closed'

+ runs-on: ubuntu-latest

+ name: Close Pull Request Job

+ steps:

+ - name: Close Pull Request

+ id: closepullrequest

+ uses: Azure/static-web-apps-deploy@v1

+ with:

+ azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_GENTLE_WATER_030D91C1E }}

+ action: "close"

+```

+# [GitHub access token](#tab/gat)

+The *Close Pull Request* job is part of the Azure Static Web Apps GitHub Actions workflow, closing the pull request after it's merged. The `Azure/static-web-apps-deploy` action deploys the app to Azure Static Web Apps, requiring the `azure_static_web_apps_api_token` for authentication.

+Sometimes you need your workflow to continue to process even when some secrets are missing. To configure your workflow to proceed without defined secrets, set the `SKIP_DEPLOY_ON_MISSING_SECRETS` environment variable to `true`.

+SMB Multichannel enables an SMB 3.x client to establish multiple network connections to an SMB file share. Azure Files supports SMB Multichannel on premium file shares (file shares in the FileStorage storage account kind). There is no additional cost for enabling SMB Multichannel in Azure Files. SMB Multichannel is now enabled by default in all Azure regions.

+SMB Multichannel enables an SMB client to establish multiple network connections to an SMB file share. Azure Files supports SMB Multichannel on premium file shares for Windows clients. On the service side, SMB Multichannel is now enabled by default for all newly created storage accounts in all Azure regions. There's no additional cost for enabling SMB Multichannel.

+- A [virtual network](../../vpn-gateway/point-to-site-certificate-gateway.md) with a private endpoint for the storage account that contains the Azure file share you want to mount on-premises. To learn how to create a private endpoint, see [Configuring Azure Files network endpoints](storage-files-networking-endpoints.md?tabs=azure-powershell).

+- [Configure server settings for P2S VPN Gateway connections](../../vpn-gateway/point-to-site-certificate-gateway.md)

+Define your parameters in this cell. It can be something as simple as:

+```python

+a = 1

+b = 3

+c = "Default Value"

+```

+You can reference these parameters in other cells and when you run the notebook to use the default values you specify in the parameters cell.

+When you run this notebook from a pipeline, Azure Data Factory looks for the parameters cell and uses the values you provided as defaults for the parameters passed in at execution time. If you [assign parameters values from a pipeline](#assign-parameters-values-from-a-pipeline), the execution engine will add a new cell beneath the parameters cell with input parameters to overwrite the default values.

+>[!TIP]

+>Data Factory won't automatically populate the parameters. You need to add them manually. Be sure to use the exact same name in both your parameters cell in the notebook and the base parameter in the pipeline.

+Once you've added your parameters to your activity, Data Factory will pass the values you specify in your activity to your notebook, and your notebook will run with those new parameter values, instead of the defaults you specified in the parameters cell.

+ Title: Deliver applications from partner solutions with app attach - Azure Virtual Desktop

+description: Learn how to deliver applications to your remote desktop or app using partner solutions with app attach.

+# Deliver applications from partner solutions to Azure Virtual Desktop with app attach

+Several partners provide application delivery solutions to Azure Virtual Desktop via integration with [app attach](app-attach-overview.md). This article provides links to those partners where you can read more about connecting to Azure Virtual Desktop. You can also use our native app attach solution to dynamically deliver applications to your session hosts.

+## Partner application delivery

+The following partners have application delivery solutions that have been approved to use with Azure Virtual Desktop. Visit their documentation to learn how to deliver applications to Azure Virtual Desktop.

+| Partner | Partner documentation | Partner support |

+|:-|:-|:-|

+| Liquidware | [Liquidware FlexApp documentation](https://www.liquidware.com/profileunity-documentation) | [Liquidware support](https://www.liquidware.com/support) |

+| Numecent | [Numencent CloudPager documentation](https://20110124.fs1.hubspotusercontent-na1.net/hubfs/20110124/Numecent%20Cloudpaging%20App%20Attach%20Integration%20-%20Solution%20Brief.pdf) | [Numencent support](https://numecent.freshdesk.com/support/home) |

+| Omnissa | [Omnissa App Volumes documentation](https://docs.omnissa.com/category/App_Volumes) | [Omnissa support](https://customerconnect.omnissa.com/home) |

+>[!IMPORTANT]

+>If you encounter an issue when trying to deliver applications to Azure Virtual Desktop session hosts, you must verify whether it's unique to your approved partner. You can verify whether this is a unique issue by trying to reproduce it on [App attach overview](app-attach-overview.md). If you can't reproduce the issue on first-party app attach, then you must contact your client's provider for support.

+## Next steps

+Learn more about Remote Desktop clients at [App attach overview](app-attach-overview.md).

+> - RDP Shortpath for public networks via STUN for Azure Virtual Desktop is available in the Azure public cloud and Azure Government cloud.

+> - RDP Shortpath for public networks via TURN for Azure Virtual Desktop is only available in the Azure public cloud.

+## Detect call redirection

+To detect whether call redirection is active, you can check the `isCallRedirectionEnabled` property of the `MediaDevices` object. If this property is `true`, call redirection is active. If this property is `undefined` or `false`, call redirection isn't active.

+window.navigator.mediaDevices['isCallRedirectionEnabled'] = true;

+## Detect disconnection from a remote session

+> - RDP Shortpath for public networks via STUN for Azure Virtual Desktop is available in the Azure public cloud and Azure Government cloud.

+> - RDP Shortpath for public networks via TURN for Azure Virtual Desktop is only available in the Azure public cloud.

+## October 2024

+In October 2024, we made the following changes to the documentation:

+- Published a new article where you can lean about [Graphics encoding over the Remote Desktop Protocol](graphics-encoding.md).

+- Rewrote [Multimedia redirection for video playback and calls](multimedia-redirection-video-playback-calls.md) and added a new article for [Developer integration with multimedia redirection for WebRTC-based calling apps](multimedia-redirection-developer-integration.md).

+- Published a set of new articles for host pools using the session host configuration management approach and session host update:

+ - [Host pool management approaches](host-pool-management-approaches.md).

+ - [Session host update](session-host-update.md).

+ - [Update session hosts using session host update](session-host-update-configure.md).

+ - [Example diagnostic queries for session host update](session-host-update-diagnostics.md).

+ - [Troubleshoot session host update](troubleshoot-session-host-update.md).

+- Updated [Deploy Azure Virtual Desktop](deploy-azure-virtual-desktop.md) and [Add session hosts to a host pool](add-session-hosts-host-pool.md) to include the session host configuration management approach.

+- Consolidated Remote Desktop client articles per platform into a [single article with a tab per platform](./users/connect-remote-desktop-client.md) and separated [legacy Windows clients to their own article](./users/connect-legacy-windows.md).

+- Reorganized the table of contents into a new structure, changing the way articles are grouped and displayed. The new structure is designed to make it easier to find the information you need in the different stages of your journey with Azure Virtual Desktop.

+ https://login.microsoftonline.com/c2d26d12-71cc-4f3b-8557-1fa18d077698/oauth2/authorize?client_id=22223333-cccc-4444-dddd-5555eeee6666&response_type=code&redirect_uri=https://www.microsoft.com

+ https://login.microsoftonline.com/24baaf57-f30d-4fba-a20e-822030f7eba3/oauth2/authorize?client_id=11112222-bbbb-3333-cccc-4444dddd5555&response_type=code&redirect_uri=https://www.microsoft.com

+ --tenant aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+ --tenant bbbb1b1b-cc2c-dd3d-ee4e-ffffff5f5f5f

+You can [connect your own computer to a virtual network](../vpn-gateway/point-to-site-certificate-gateway.md?toc=%2fazure%2fvirtual-network%2ftoc.json) through a VPN, and interact with resources in a virtual network, or in peered virtual networks. For reusable scripts to complete many of the tasks covered in the virtual network articles, see [script samples](cli-samples.md).

+* [Configure a point-to-site connection to a virtual network by using the Azure portal](../vpn-gateway/point-to-site-certificate-gateway.md)

+- Virtual networks configured with the Azure Private Link service don't support Virtual Network encryption, so Virtual Network encryption shouldn't be enabled on these virtual networks.

+- Virtual Network encryption shouldn't be enabled in virtual networks that have Azure confidential computing VM SKUs. If you want to use Azure confidential computing VMs in virtual networks where Virtual Network encryption is enabled, then:

+ - Enable Accelerated Networking on the VM's NIC if it's supported.

+ - If Accelerated Networking isn't supported, change the VM SKU to one that supports Accelerated Networking or Virtual Network encryption.

+

+ Don't enable Virtual Network encryption if the VM SKU doesn't support Accelerated Networking or Virtual Network encryption.

+The Ubuntu Azure kernel is the most optimized for network performance on Azure. Currently all Ubuntu images by Canonical come by default with the optimized Azure kernel installed.

+You can simply use the command below to make sure you are using the Azure kernel which is identified by -azure at the end of the version.

+uname -r

+#sample output on Azure kernel:

+6.8.0-1017-azure

+### Other distributions

+Most modern distributions should have significant improvements with kernels newer than 4.19+, you can check the current kernel version and make sure you are running a newer kernel.

+> Service endpoint routes override any BGP or user-defined routes (UDRs) for the address prefix match of an Azure service. For more information, see [troubleshooting with effective routes](diagnose-network-routing-problem.md).

+- SUSE:

+ ```bash

+ #SUSE - Install Git and other helpful tools

+ sudo zypper install gcc

+ sudo zypper install git

+ sudo zypper install gcc-c++

+ sudo zypper install ncurses-devel

+ sudo zypper install automake

+ sudo zypper install autoconf

+ sudo zypper install libtool

+ sudo zypper install make

+ ```

+> System routes for traffic related to virtual network, virtual network peerings, or virtual network service endpoints, are preferred routes, even if BGP routes are more specific. Routes with next hop type virtual network service endpoint, cannot be overriden, even using a route table.

+ az network vhub connection create --resource-group "[resource_group_name]" --name "[connection_name]" --vhub-name "[virtual_hub_name]" --remote-vnet "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/rgName/providers/Microsoft.Network/virtualNetworks/vnetName"

+- For more information about Virtual WAN, see the [FAQ](virtual-wan-faq.md).

+|Route-prefix| drop |10.3.0.0/8,10.4.0.0/8 |The routes specified in the rule are dropped. |

+* [Certificate authentication](point-to-site-certificate-gateway.md)

+Verify that you have a functioning point-to-site VPN already configured. If you don't, configure one using the steps the **Create a point-to-site VPN** article using either [PowerShell](vpn-gateway-howto-point-to-site-rm-ps.md), or the [Azure portal](point-to-site-certificate-gateway.md).

+1. If you don't already have a functioning point-to-site environment, follow the instruction to create one. See [Create a point-to-site VPN](point-to-site-certificate-gateway.md) to create and configure a point-to-site VPN gateway. When you create a VPN gateway, the Basic SKU isn't supported for OpenVPN.

+* [Certificate authentication](point-to-site-certificate-gateway.md)

+* [Configure a P2S connection - Azure certificate authentication](point-to-site-certificate-gateway.md)

+* The VPN gateway is configured for point-to-site certificate authentication and the OpenVPN tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.

+* VPN client profile configuration files have been generated and are available. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.

+1. Locate the VPN client profile configuration package that you generated in the [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md#profile-files) article.

+For additional steps, return to the [P2S Azure portal](point-to-site-certificate-gateway.md) article.

+ Title: 'Configure P2S server configuration - certificate authentication: Azure portal'

+description: Learn how to configure VPN Gateway server settings for P2S configurations - certificate authentication.

+# Configure server settings for P2S VPN Gateway certificate authentication

+This article helps you configure the necessary VPN Gateway point-to-site (P2S) server settings to let you securely connect individual clients running Windows, Linux, or macOS to an Azure virtual network (VNet). P2S VPN connections are useful when you want to connect to your VNet from a remote location, such as when you're telecommuting from home or a conference. You can also use P2S instead of a site-to-site (S2S) VPN when you have only a few clients that need to connect to a virtual network (VNet).

+P2S connections don't require a VPN device or a public-facing IP address. There are various different configuration options available for P2S. For more information about point-to-site VPN, see [About point-to-site VPN](point-to-site-about.md).

+The steps in this article create a P2S configuration that uses **certificate authentication** and the Azure portal. To create this configuration using the Azure PowerShell, see the [Configure P2S - Certificate - PowerShell](vpn-gateway-howto-point-to-site-rm-ps.md) article. For RADIUS authentication, see the [P2S RADIUS](point-to-site-how-to-radius-ps.md) article. For Microsoft Entra authentication, see the [P2S Microsoft Entra ID](openvpn-azure-ad-tenant.md) article.

+## Prerequisites

+Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your [MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details) or sign up for a [free account](https://azure.microsoft.com/pricing/free-trial).

+### <a name="example"></a>Example values

+You can use the following values to create a test environment, or refer to these values to better understand the examples in this article:

+**VNet**

+* **VNet Name:** VNet1

+* **Address space:** 10.1.0.0/16<br>For this example, we use only one address space. You can have more than one address space for your VNet.

+* **Subnet name:** FrontEnd

+* **Subnet address range:** 10.1.0.0/24

+* **Subscription:** If you have more than one subscription, verify that you're using the correct one.

+* **Resource Group:** TestRG1

+* **Location:** East US

+**Virtual network gateway**

+* **Virtual network gateway name:** VNet1GW

+* **Gateway type:** VPN

+* **VPN type:** Route-based (required for P2S)

+* **SKU:** VpnGw2

+* **Generation:** Generation2

+* **Gateway subnet address range:** 10.1.255.0/27

+* **Public IP address name:** VNet1GWpip

+* **Public IP address name 2:** VNet1GWpip2 - for active-active mode gateways.

+**Connection type and client address pool**

+* **Connection type:** Point-to-site

+* **Client address pool:** 172.16.201.0/24<br>VPN clients that connect to the VNet using this point-to-site connection receive an IP address from the client address pool.

+## <a name="createvnet"></a>Create a VNet

+In this section, you create a VNet. Refer to the [Example values](#example) section for the suggested values to use for this configuration.

+## Create a gateway subnet

+The virtual network gateway requires a specific subnet named **GatewaySubnet**. The gateway subnet is part of the IP address range for your virtual network and contains the IP addresses that the virtual network gateway resources and services use. Specify a gateway subnet that's /27 or larger.

+## <a name="creategw"></a>Create the VPN gateway

+In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

+> [!NOTE]

+> The Basic gateway SKU does not support IKEv2 or RADIUS authentication. If you plan on having Mac clients connect to your VNet, do not use the Basic SKU.

+You can see the deployment status on the **Overview** page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the VNet in the portal. The gateway appears as a connected device.

+## <a name="generatecert"></a>Generate certificates

+Certificates are used by Azure to authenticate clients connecting to a VNet over a point-to-site VPN connection. Once you obtain a root certificate, you [upload](#uploadfile) the public key information to Azure. The root certificate is then considered 'trusted' by Azure for connection over P2S to the VNet.

+You also generate client certificates from the trusted root certificate, and then install them on each client computer. The client certificate is used to authenticate the client when it initiates a connection to the VNet.

+The root certificate must be generated and extracted before you configure the point-to-site gateway settings.

+### <a name="getcer"></a>Generate a root certificate

+### <a name="generateclientcert"></a>Generate client certificates

+## <a name="addresspool"></a>Add the address pool

+The **Point-to-site configuration** page contains the configuration information that's needed for the P2S VPN. Once all the P2S settings have been configured and the gateway has been updated, the Point-to-site configuration page is used to view or change P2S VPN settings.

+1. Go to the gateway you created in the previous section.

+1. In the left pane, select **Point-to-site configuration**.

+1. Click **Configure now** to open the configuration page.

+The client address pool is a range of private IP addresses that you specify. The clients that connect over a point-to-site VPN dynamically receive an IP address from this range. Use a private IP address range that doesn't overlap with the on-premises location that you connect from, or the VNet that you want to connect to. If you configure multiple protocols and SSTP is one of the protocols, then the configured address pool is split between the configured protocols equally.

+ :::image type="content" source="./media/vpn-gateway-howto-point-to-site-resource-manager-portal/configuration-address-pool.png" alt-text="Screenshot of Point-to-site configuration page - address pool." lightbox="./media/vpn-gateway-howto-point-to-site-resource-manager-portal/configuration-address-pool.png":::

+1. On the **Point-to-site configuration** page, in the **Address pool** box, add the private IP address range that you want to use. VPN clients dynamically receive an IP address from the range that you specify. The minimum subnet mask is 29 bit for active/passive and 28 bit for active/active configuration.

+If your VPN gateway is configured with an availability zone SKU (AZ) and is in active-active mode, point-to-site VPN configurations require three public IP addresses. You can use the example value **VNet1GWpip3**.

+## <a name="type"></a>Specify tunnel and authentication type

+> [!NOTE]

+> If you don't see tunnel type or authentication type on the **Point-to-site configuration** page, your gateway is using the Basic SKU. The Basic SKU doesn't support IKEv2 or RADIUS authentication. If you want to use these settings, you need to delete and re-create the gateway using a different gateway SKU.

+>

+In this section, you specify the tunnel type and the authentication type. These settings can become complex, depending on the tunnel type you require and the VPN client software that will be used to make the connection from the user's operating system. The steps in this article walk you through basic configuration settings and choices.

+You can select options that contain multiple tunnel types from the dropdown - such as *IKEv2 and OpenVPN(SSL)* or *IKEv2 and SSTP (SSL)*, however, only certain combinations of tunnel types and authentication types are supported. For example, Microsoft Entra authentication can only be used when you select *OpenVPN (SSL)* from the tunnel type dropdown, and not *IKEv2 and OpenVPN(SSL)*.

+Additionally, the tunnel type and the authentication type correspond to the VPN client software that can be used to connect to Azure. For example, one VPN client software application might be only able to connect via IKEv2, while another can only connect via OpenVPN. And some client software, while it supports a certain tunnel type, might not support the authentication type you choose.

+As you can tell, planning the tunnel type and authentication type is important when you have various VPN clients connecting from different operating systems. Consider the following criteria when you choose your tunnel type in combination with **Azure certificate** authentication. Other authentication types have different considerations.

+* **Windows**:

+ * Windows computers connecting via the native VPN client already installed in the operating system try IKEv2 first and, if that doesn't connect, they fall back to SSTP (if you selected both IKEv2 and SSTP from the tunnel type dropdown).

+ * If you select the OpenVPN tunnel type, you can connect using an OpenVPN Client or the Azure VPN Client.

+ * The Azure VPN Client can support [optional configuration settings](azure-vpn-client-optional-configurations.md) such as custom routes and forced tunneling.

+* **macOS and iOS**:

+ * The native VPN client for iOS and macOS can only use the IKEv2 tunnel type to connect to Azure.

+ * The Azure VPN Client isn't supported for certificate authentication at this time, even if you select the OpenVPN tunnel type.

+ * If you want to use the OpenVPN tunnel type with certificate authentication, you can use an OpenVPN client.

+ * For macOS, you can use the Azure VPN Client with the OpenVPN tunnel type and Microsoft Entra ID authentication (not certificate authentication).

+* **Linux**:

+ * The Azure VPN Client for Linux supports the OpenVPN tunnel type.

+ * The strongSwan client on Android and Linux can use only the IKEv2 tunnel type to connect.

+### Tunnel and authentication type

+1. For **Tunnel type**, select the tunnel type that you want to use. For this exercise, from the dropdown, select **IKEv2 and OpenVPN(SSL)**.

+1. For **Authentication type**, select the authentication type that you want to use. For this exercise, from the dropdown, select **Azure certificate**. If you're interested in other authentication types, see the articles for [Microsoft Entra ID](openvpn-azure-ad-tenant.md) and [RADIUS](point-to-site-how-to-radius-ps.md).

+## <a name="publicip3"></a>Additional IP address

+If you have an active-active mode gateway that uses an availability zone SKU (AZ SKU), you need a third public IP address. If this setting doesn't apply to your gateway, you don't need to add an additional IP address.

+## <a name="uploadfile"></a>Upload root certificate public key information

+In this section, you upload public root certificate data to Azure. Once the public certificate data is uploaded, Azure can use it to authenticate clients that have installed a client certificate generated from the trusted root certificate.

+1. Make sure that you exported the root certificate as a **Base-64 encoded X.509 (.CER)** file in the previous steps. You need to export the certificate in this format so you can open the certificate with text editor. You don't need to export the private key.

+1. Open the certificate with a text editor, such as Notepad. When copying the certificate data, make sure that you copy the text as one continuous line:

+ :::image type="content" source="./media/vpn-gateway-howto-point-to-site-resource-manager-portal/certificate.png" alt-text="Screenshot of data in the certificate." lightbox="./media/vpn-gateway-howto-point-to-site-resource-manager-portal/certificate-expand.png":::

+1. Go to your **Virtual network gateway -> Point-to-site configuration** page in the **Root certificate** section. This section is only visible if you have selected **Azure certificate** for the authentication type.

+1. In the **Root certificate** section, you can add up to 20 trusted root certificates.

+ * Paste the certificate data into the **Public certificate data** field.

+ * **Name** the certificate.

+ :::image type="content" source="./media/vpn-gateway-howto-point-to-site-resource-manager-portal/public-certificate-data.png" alt-text="Screenshot of certificate data field." lightbox="./media/vpn-gateway-howto-point-to-site-resource-manager-portal/public-certificate-data.png":::

+1. Additional routes aren't necessary for this exercise. For more information about the custom routing feature, see [Advertise custom routes](vpn-gateway-p2s-advertise-custom-routes.md).

+1. Select **Save** at the top of the page to save all of the configuration settings.

+## <a name="profile-files"></a>Generate VPN client profile configuration files

+All the necessary configuration settings for the VPN clients are contained in a VPN client profile configuration zip file. VPN client profile configuration files are specific to the P2S VPN gateway configuration for the VNet. If there are any changes to the P2S VPN configuration after you generate the files, such as changes to the VPN protocol type or authentication type, you need to generate new VPN client profile configuration files and apply the new configuration to all of the VPN clients that you want to connect. For more information about P2S connections, see [About point-to-site VPN](point-to-site-about.md).

+You can generate client profile configuration files using PowerShell, or by using the Azure portal. The following examples show both methods. Either method returns the same zip file.

+### Azure portal

+### PowerShell

+## <a name="clientconfig"></a>Configure VPN clients and connect to Azure

+For steps to configure your VPN clients and connect to Azure, see the following articles:

+## <a name="verify"></a>Verify your connection

+These instructions apply to Windows clients.

+1. To verify that your VPN connection is active, open an elevated command prompt, and run *ipconfig/all*.

+1. View the results. Notice that the IP address you received is one of the addresses within the point-to-site VPN Client Address Pool that you specified in your configuration. The results are similar to this example:

+ ```

+ PPP adapter VNet1:

+ Connection-specific DNS Suffix .:

+ Description.....................: VNet1

+ Physical Address................:

+ DHCP Enabled....................: No

+ Autoconfiguration Enabled.......: Yes

+ IPv4 Address....................: 172.16.201.3(Preferred)

+ Subnet Mask.....................: 255.255.255.255

+ Default Gateway.................:

+ NetBIOS over Tcpip..............: Enabled

+ ```

+## <a name="connectVM"></a>Connect to a virtual machine

+These instructions apply to Windows clients.

+* Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.

+* Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you're connecting. If the IP address is within the address range of the VNet that you're connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.

+## <a name="add"></a>Add or remove trusted root certificates

+You can add and remove trusted root certificates from Azure. When you remove a root certificate, clients that have a certificate generated from that root won't be able to authenticate, and thus won't be able to connect. If you want a client to authenticate and connect, you need to install a new client certificate generated from a root certificate that is trusted (uploaded) to Azure.

+You can add up to 20 trusted root certificate .cer files to Azure. For instructions, see the section [Upload a trusted root certificate](#uploadfile).

+To remove a trusted root certificate:

+1. Navigate to the **Point-to-site configuration** page for your virtual network gateway.

+1. In the **Root certificate** section of the page, locate the certificate that you want to remove.

+1. Select the ellipsis next to the certificate, and then select **Remove**.

+## <a name="revokeclient"></a>Revoke a client certificate

+You can revoke client certificates. The certificate revocation list allows you to selectively deny P2S connectivity based on individual client certificates. This is different than removing a trusted root certificate. If you remove a trusted root certificate .cer from Azure, it revokes the access for all client certificates generated/signed by the revoked root certificate. When you revoke a client certificate, rather than the root certificate, it allows the other certificates that were generated from the root certificate to continue to be used for authentication.

+The common practice is to use the root certificate to manage access at team or organization levels, while using revoked client certificates for fine-grained access control on individual users.

+You can revoke a client certificate by adding the thumbprint to the revocation list.

+1. Retrieve the client certificate thumbprint. For more information, see [How to retrieve the Thumbprint of a Certificate](/dotnet/framework/wcf/feature-details/how-to-retrieve-the-thumbprint-of-a-certificate).

+1. Copy the information to a text editor and remove all spaces so that it's a continuous string.

+1. Navigate to the virtual network gateway **Point-to-site-configuration** page. This is the same page that you used to [upload a trusted root certificate](#uploadfile).

+1. In the **Revoked certificates** section, input a friendly name for the certificate (it doesn't have to be the certificate CN).

+1. Copy and paste the thumbprint string to the **Thumbprint** field.

+1. The thumbprint validates and is automatically added to the revocation list. A message appears on the screen that the list is updating.

+1. After updating has completed, the certificate can no longer be used to connect. Clients that try to connect using this certificate receive a message saying that the certificate is no longer valid.

+## <a name="faq"></a>Point-to-site FAQ

+For frequently asked questions, see the [FAQ](vpn-gateway-vpn-faq.md#P2S).

+## Next steps

+Once your connection is complete, you can add virtual machines to your VNets. For more information, see [Virtual Machines](../index.yml). To understand more about networking and virtual machines, see [Azure and Linux VM network overview](../virtual-network/network-overview.md).

+For P2S troubleshooting information, [Troubleshooting Azure point-to-site connections](vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems.md).

+1. Print the self-signed root certificate public data in base64 format. This is the format that's supported by Azure. Upload this certificate to Azure as part of your [P2S configuration](point-to-site-certificate-gateway.md#uploadfile) steps.

+To continue configuration steps, see [Point-to-site certificate authentication](point-to-site-certificate-gateway.md#uploadfile).

+ :::image type="content" source="./media/point-to-site-entra-gateway/values.png" alt-text="Screenshot showing settings for Tunnel type, Authentication type, and Microsoft Entra ID settings." lightbox="./media/point-to-site-entra-gateway/values.png":::

+* [Certificate authentication](point-to-site-certificate-gateway.md)

+In this step, you configure and create the virtual network gateway for your VNet. For more complete information about authentication and tunnel type, see [Specify tunnel and authentication type](point-to-site-certificate-gateway.md#type) in the Azure portal version of this article.

+For information about generating certificates, see the [Generate certificates](point-to-site-certificate-gateway.md#generatecert) section of the Point-to-site configuration article.

+* You created and configured your VPN gateway for point-to-site certificate authentication and the OpenVPN tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.

+* You generated and downloaded the VPN client configuration files. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.

+Follow up with any additional server or connection settings. See [Point-to-site configuration steps](point-to-site-certificate-gateway.md).

+* The VPN gateway is configured for point-to-site certificate authentication and the IKEv2 tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.

+* VPN client profile configuration files have been generated and are available. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.

+Locate and unzip the [VPN client profile configuration package](point-to-site-certificate-gateway.md#profile-files) you generated and downloaded. You can find all of the information that you need for configuration in the **Generic** folder. Azure doesnΓÇÖt provide a *mobileconfig* file for this configuration.

+For more steps, return to the [P2S Azure portal](point-to-site-certificate-gateway.md) article.

+* You created and configured your VPN gateway for point-to-site certificate authentication and the OpenVPN tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.

+* You generated and downloaded the VPN client configuration files. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.

+Follow up with any additional server or connection settings. See [Point-to-site configuration steps](point-to-site-certificate-gateway.md).

+* You created and configured your VPN gateway for point-to-site certificate authentication and the OpenVPN tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.

+* You generated and downloaded the VPN client configuration files. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.

+For additional steps, return to the [P2S Azure portal](point-to-site-certificate-gateway.md) article.

+* You created and configured your VPN gateway for point-to-site certificate authentication and the OpenVPN tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.

+* You generated and downloaded the VPN client configuration files. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.

+Follow up with any additional server or connection settings. See [Point-to-site configuration steps](point-to-site-certificate-gateway.md).

+* You created and configured your VPN gateway for point-to-site certificate authentication and the OpenVPN tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.

+* You generated and downloaded the VPN client configuration files. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.

+Follow up with any additional server or connection settings. See [Point-to-site configuration steps](point-to-site-certificate-gateway.md).

+* You created and configured your VPN gateway for point-to-site certificate authentication and an IKEv2/SSTP tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.

+* You generated and downloaded the VPN client configuration files. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.

+Follow up with any additional server or connection settings. See [Point-to-site configuration steps](point-to-site-certificate-gateway.md).

+* You created and configured your VPN gateway for point-to-site certificate authentication and the OpenVPN tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.

+* You generated and downloaded the VPN client configuration files. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.

+Follow up with any additional server or connection settings. See [Point-to-site configuration steps](point-to-site-certificate-gateway.md).

+* You created and configured your VPN gateway for point-to-site certificate authentication and the OpenVPN tunnel type. See [Configure server settings for P2S VPN Gateway connections - certificate authentication](point-to-site-certificate-gateway.md) for steps.

+* You generated and downloaded the VPN client configuration files. See [Generate VPN client profile configuration files](point-to-site-certificate-gateway.md#profile-files) for steps.

+Follow up with any additional server or connection settings. See [Point-to-site configuration steps](point-to-site-certificate-gateway.md).

+> [Point-to-site VPN connections](point-to-site-certificate-gateway.md)

+> [Point-to-site VPN connections](point-to-site-certificate-gateway.md)

+See [Create a P2S VPN using the Azure portal](point-to-site-certificate-gateway.md) to begin creating your P2S VPN.

+For point-to-site connections, each VPN client must have a client certificate installed locally to connect. Additionally, the root certificate public key information must be uploaded to Azure. For more information, see [Point-to-site configuration - certificate authentication](point-to-site-certificate-gateway.md).

+We recommend using the [Windows 10 or later PowerShell steps](vpn-gateway-certificates-point-to-site.md) to create your certificates. We provide these MakeCert instructions as an optional method. The certificates that you generate using either method can be installed on [any supported client operating system](point-to-site-certificate-gateway.md#faq). MakeCert has the following limitation:

+The exported.cer file must be uploaded to Azure. For instructions, see [Configure a Point-to-Site connection](point-to-site-certificate-gateway.md#uploadfile). To add an additional trusted root certificate, see [this section](point-to-site-certificate-gateway.md#add) of the article.

+* For **Resource Manager** deployment model steps, see [Configure P2S using native Azure certificate authentication](point-to-site-certificate-gateway.md).

+If you don't have a computer that meets the operating system requirement, you can use [MakeCert](vpn-gateway-certificates-point-to-site-makecert.md) to generate certificates. The certificates that you generate using either method can be installed on any [supported](point-to-site-certificate-gateway.md#faq) client operating system.

+* For **Resource Manager** deployment model steps, see [Configure P2S using native Azure certificate authentication](point-to-site-certificate-gateway.md).

+Configure the VPN gateway to use IKEv2 and certificate-based authentication using the [Configure a Point-to-Site VPN connection](point-to-site-certificate-gateway.md) article.

+ Use the instructions in the [Configure a Point-to-Site VPN connection](point-to-site-certificate-gateway.md) article to configure the VPN gateway to use IKEv2 and certificate-based authentication.

+This article helps you configure a point-to-site (P2S) VPN to securely connect individual clients running Windows, Linux, or macOS to an Azure virtual network (VNet) using Azure PowerShell. This article contains basic PowerShell configuration steps. For more comprehensive information about creating this type of P2S VPN, see the Azure portal article [Configure a point-to-site VPN using the Azure portal](point-to-site-certificate-gateway.md).

+In this step, you configure and create the virtual network gateway for your VNet. For more complete information about authentication and tunnel type, see [Specify tunnel and authentication type](point-to-site-certificate-gateway.md#type) in the Azure portal version of this article.

+> You can't upload the .cer file using Azure Cloud Shell. You can either use PowerShell locally on your computer, or you can use the [Azure portal steps](point-to-site-certificate-gateway.md#uploadfile).

+1. Upload the public key information to Azure. Once the certificate information is uploaded, Azure considers it to be a trusted root certificate. When uploading, make sure you're running PowerShell locally on your computer, or instead, you can use the [Azure portal steps](point-to-site-certificate-gateway.md#uploadfile). When the upload is complete, you'll see a PowerShell return showing PublicCertData. It takes about 10 minutes for the certificate upload process to complete.

+# Do not change VNet-to-VNet to another wording, such as Net-to-Net. VNet-to-VNet is the correct term and is the value used by Azure to denote this specific type of connection. It is different than a typical network connection.

+# Configure a VNet-to-VNet VPN connection - Azure portal

+This article helps you connect your virtual networks using the VNet-to-VNet connection type in the Azure portal. When you use the portal to connect virtual networks using VNet-to-VNet, the virtual networks can be in different regions, but must be in the same subscription. If your virtual networks are in different subscriptions, use the [PowerShell](vpn-gateway-vnet-vnet-rm-ps.md) instructions instead. This article doesn't apply to virtual network peering. For virtual network peering, see the [Virtual Network peering](../virtual-network/virtual-network-peering-overview.md) article.

+## About VNet-to-VNet connections

+Configuring a VNet-to-VNet connection is a simple way to connect virtual networks. When you connect a virtual network to another virtual network with a VNet-to-VNet connection type, it's similar to creating a site-to-site IPsec connection to an on-premises location. Both connection types use a VPN gateway to provide a secure tunnel with IPsec/IKE and function the same way when communicating. However, they differ in the way the local network gateway is configured.

+* When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. However, the local network gateway isn't visible in this configuration. That means that you can't configure it manually.

+* If you update the address space for one VNet, the other VNet automatically routes to the updated address space.

+* It's typically faster and easier to create a VNet-to-VNet connection than a site-to-site connection.

+* If you know you want to specify more address spaces for the local network gateway, or plan to add more connections later and need to adjust the local network gateway, create the configuration using the [site-to-site connection](./tutorial-site-to-site-portal.md) steps instead.

+* The VNet-to-VNet connection doesn't include point-to-site client pool address space. If you need transitive routing for point-to-site clients, then create a site-to-site connection between the virtual network gateways, or use virtual network peering.

+### Why create a VNet-to-VNet connection?

+* Cross region geo-redundancy and geo-presence

+ * You can set up your own geo-replication or synchronization with secure connectivity without going over internet-facing endpoints.

+ * With Azure Traffic Manager and Azure Load Balancer, you can set up highly available workload with geo-redundancy across multiple Azure regions. For example, you can set up SQL Server Always On availability groups across multiple Azure regions.

+* Regional multi-tier applications with isolation or administrative boundaries

+ Within the same region, you can set up multi-tier applications with multiple virtual networks that are connected together because of isolation or administrative requirements. VNet-to-VNet communication can be combined with multi-site configurations. These configurations let you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity, as shown in the following diagram:

+ :::image type="content" source="./media/vpn-gateway-howto-vnet-vnet-resource-manager-portal/connections-diagram.png" alt-text="Diagram of a VNet-to-VNet connection showing multiple subscriptions.":::

+## Create and configure VNet1

+If you already have a VNet, verify that the settings are compatible with your VPN gateway design. Pay particular attention to any subnets that might overlap with other networks. Your connection won't work properly if you have overlapping subnets.

+In this section, create VNet1 using the following values. If you're using your own values, make sure the address spaces don't overlap with any of the virtual networks to which you want to connect.

+### Create the gateway subnet

+### Create the VNet1 VPN gateway

+In this step, you create the virtual network gateway for your virtual network. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. For gateway SKU pricing, see [Pricing](https://azure.microsoft.com/pricing/details/vpn-gateway/).

+Create a virtual network gateway (VPN gateway) by using the following values:

+* **Name**: VNet1GW

+* **Gateway type**: VPN

+* **SKU**: VpnGw2AZ

+* **Generation**: Generation 2

+* **Virtual network**: VNet1

+* **Gateway subnet address range**: 10.1.255.0/27

+* **Public IP address**: Create new

+* **Public IP address name:** VNet1GWpip1

+* **Public IP address SKU:** Standard

+* **Assignment:** Static

+* **Second Public IP address name:** VNet1GWpip2

+* **Enable active-active mode**: Enabled

+A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the **Overview** page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

+## Create and configure VNet4

+After you've configured VNet1, create VNet4 and the VNet4 gateway by repeating the previous steps and replacing the values with VNet4 values. You don't need to wait until the virtual network gateway for VNet1 has finished creating before you configure VNet4. If you're using your own values, make sure the address spaces don't overlap with any of the virtual networks to which you want to connect.

+You can use the following examples values to configure VNet4 and the VNet4 gateway.

+* **Virtual network settings**

+ * **Name**: VNet4

+ * **Address space**: 10.41.0.0/16

+ * **Subscription**: Select the subscription you want to use.

+ * **Resource group**: TestRG4

+ * **Location**: West US 2

+ * **Subnet**

+ * **Name**: FrontEnd

+ * **Address range**: 10.41.0.0/24

+Add the gateway subnet:

+* **Name**: GatewaySubnet

+* **Gateway subnet address range**: 10.41.255.0/27

+### Configure the VNet4 VPN gateway

+You can use the following examples values to configure the VNet4 VPN gateway.

+* **Virtual network gateway settings**

+ * **Name**: VNet4GW

+ * **Resource group**: West US 2

+ * **Generation**: Generation 2

+ * **Gateway type**: Select **VPN**.

+ * **VPN type**: Select **Route-based**.

+ * **SKU**: VpnGw2AZ

+ * **Generation**: Generation2

+ * **Virtual network**: VNet4

+ * **Public IP address name:** VNet4GWpip1

+ * **Public IP address SKU:** Standard

+ * **Assignment:** Static

+ * **Second Public IP address name:** VNet4GWpip2

+ * **Enable active-active mode**: Enabled

+You can create either a bidirectional, or a single direction connection. For this exercise, we'll specify a bidirectional connection. The bidirectional connection value creates two separate connections so that traffic can flow in both directions.

+1. On the virtual network gateway page, in the left pane, select **Connections** to open the Connections page. Then select **+ Add** to open the **Create connection** page.

+ * **Establish bidirectional connectivity**: Select this value if you want to establish traffic flow in both directions. If you don't select this setting and you later want to add a connection in the opposite direction, you'll need to create a new connection originating from the other virtual network gateway.

+1. Locate the virtual network gateway in the Azure portal. For example, **VNet1GW**.

+1. On the **Virtual network gateway** page, select **Connections** to view the **Connections** page for the virtual network gateway. After the connection is established, you'll see the **Status** values change to **Connected**.

+You can create another VNet-to-VNet connection, or create an IPsec site-to-site connection to an on-premises location.

+* Before you create more connections, verify that the address space for your virtual network doesn't overlap with any of the address spaces you want to connect to.

+* When you configure a new connection, be sure to adjust the **Connection type** to match the type of connection you want to create. If you're adding a [site-to-site connection](./tutorial-site-to-site-portal.md), you must create a local network gateway before you can create the connection.

+* When you configure a connection that uses a shared key, make sure that the shared key is exactly the same for both sides of the connection.

+To create more connections, follow these steps:

+1. In the Azure portal, go to the VPN gateway from which you want to create the connection.

+1. In the left pane, select **Connections**. View the existing connections.

+1. Create the new connection.

+* **Point-to-site**: VPN connection over Secure Socket Tunneling Protocol (SSTP) or IKEv2. This connection doesn't require a VPN device. For more information, see [Configure server settings for point-to-site VPN Gateway certificate authentication](point-to-site-certificate-gateway.md).

+ * For certificate authentication, see [Configure point-to-site certificate authentication](point-to-site-certificate-gateway.md).

+* [Configure a P2S connection - Certificate authentication](point-to-site-certificate-gateway.md)