+ Title: Planning red teaming for large language models (LLMs) and their applications

+description: Learn about how red teaming and adversarial testing are an essential practice in the responsible development of systems and features using large language models (LLMs)

+# Planning red teaming for large language models (LLMs) and their applications

+This guide offers some potential strategies for planning how to set up and manage red teaming for responsible AI (RAI) risks throughout the large language model (LLM) product life cycle.

+## What is red teaming?

+## Why is RAI red teaming an important practice?

+Red teaming is a best practice in the responsible development of systems and features using LLMs. While not a replacement for systematic measurement and mitigation work, red teamers help to uncover and identify harms and, in turn, enable measurement strategies to validate the effectiveness of mitigations.

+While Microsoft has conducted red teaming exercises and implemented safety systems (including [content filters](./content-filter.md) and other [mitigation strategies](./prompt-engineering.md)) for its Azure OpenAI Service models (see this [Overview of responsible AI practices](/legal/cognitive-services/openai/overview)), the context of each LLM application will be unique and you also should conduct red teaming to:

+- Test the LLM base model and determine whether there are gaps in the existing safety systems, given the context of your application.

+- Provide feedback on failures in order to make improvements.

+- Note that red teaming is not a replacement for systematic measurement. A best practice is to complete an initial round of manual red teaming before conducting systematic measurements and implementing mitigations. As highlighted above, the goal of RAI red teaming is to identify harms, understand the risk surface, and develop the list of harms that can inform what needs to be measured and mitigated.

+Here is how you can get started and plan your process of red teaming LLMs. Advance planning is critical to a productive red teaming exercise.

+## Before testing

+### Plan: Who will do the testing

+**Assemble a diverse group of red teamers**

+Determine the ideal composition of red teamers in terms of peopleΓÇÖs experience, demographics, and expertise across disciplines (for example, experts in AI, social sciences, security) for your productΓÇÖs domain. For example, if youΓÇÖre designing a chatbot to help health care providers, medical experts can help identify risks in that domain.

+**Recruit red teamers with both benign and adversarial mindsets**

+**Assign red teamers to harms and/or product features**

+- Assign RAI red teamers with specific expertise to probe for specific types of harms (for example, security subject matter experts can probe for jailbreaks, meta prompt extraction, and content related to cyberattacks).

+- For multiple rounds of testing, decide whether to switch red teamer assignments in each round to get diverse perspectives on each harm and maintain creativity. If switching assignments, allow time for red teamers to get up to speed on the instructions for their newly assigned harm.

+- In later stages, when the application and its UI are developed, you might want to assign red teamers to specific parts of the application (i.e., features) to ensure coverage of the entire application.

+- Consider how much time and effort each red teamer should dedicate (for example, those testing for benign scenarios might need less time than those testing for adversarial scenarios).

+It can be helpful to provide red teamers with:

+ - Clear instructions that could include:

+ - An introduction describing the purpose and goal of the given round of red teaming; the product and features that will be tested and how to access them; what kinds of issues to test for; red teamersΓÇÖ focus areas, if the testing is more targeted; how much time and effort each red teamer should spend on testing; how to record results; and who to contact with questions.

+ - A file or location for recording their examples and findings, including information such as:

+ - The date an example was surfaced; a unique identifier for the input/output pair if available, for reproducibility purposes; the input prompt; a description or screenshot of the output.

+### Plan: What to test

+Because an application is developed using a base model, you may need to test at several different layers:

+- The LLM base model with its safety system in place to identify any gaps that may need to be addressed in the context of your application system. (Testing is usually done through an API endpoint.)

+- Your application. (Testing is best done through a UI.)

+- Both the LLM base model and your application, before and after mitigations are in place.

+The following recommendations help you choose what to test at various points during red teaming:

+- You can begin by testing the base model to understand the risk surface, identify harms, and guide the development of RAI mitigations for your product.

+- Test versions of your product iteratively with and without RAI mitigations in place to assess the effectiveness of RAI mitigations. (Note, manual red teaming might not be sufficient assessmentΓÇöuse systematic measurements as well, but only after completing an initial round of manual red teaming.)

+- Conduct testing of application(s) on the production UI as much as possible because this most closely resembles real-world usage.

+When reporting results, make clear which endpoints were used for testing. When testing was done in an endpoint other than product, consider testing again on the production endpoint or UI in future rounds.

+### Plan: How to test

+**Conduct open-ended testing to uncover a wide range of harms.**

+The benefit of RAI red teamers exploring and documenting any problematic content (rather than asking them to find examples of specific harms) enables them to creatively explore a wide range of issues, uncovering blind spots in your understanding of the risk surface.

+**Create a list of harms from the open-ended testing.**

+- Consider creating a list of harms, with definitions and examples of the harms.

+- Provide this list as a guideline to red teamers in later rounds of testing.

+**Conduct guided red teaming and iterate: Continue probing for harms in the list; identify new harms that surface.**

+Use a list of harms if available and continue testing for known harms and the effectiveness of their mitigations. In the process, you will likely identify new harms. Integrate these into the list and be open to shifting measurement and mitigation priorities to address the newly identified harms.

+Plan which harms to prioritize for iterative testing. Several factors can inform your prioritization, including, but not limited to, the severity of the harms and the context in which they are more likely to surface.

+### Plan: How to record data

+**Decide what data you need to collect and what data is optional.**

+- Decide what data the red teamers will need to record (for example, the input they used; the output of the system; a unique ID, if available, to reproduce the example in the future; and other notes.)

+- Be strategic with what data you are collecting to avoid overwhelming red teamers, while not missing out on critical information.

+**Create a structure for data collection**

+A shared Excel spreadsheet is often the simplest method for collecting red teaming data. A benefit of this shared file is that red teamers can review each otherΓÇÖs examples to gain creative ideas for their own testing and avoid duplication of data.

+## During testing

+**Plan to be on active standby while red teaming is ongoing**

+- Be prepared to assist red teamers with instructions and access issues.

+- Monitor progress on the spreadsheet and send timely reminders to red teamers.

+## After each round of testing

+**Report data**

+Share a short report on a regular interval with key stakeholders that:

+1. Lists the top identified issues.

+2. Provides a link to the raw data.

+3. Previews the testing plan for the upcoming rounds.

+4. Acknowledges red teamers.

+5. Provides any other relevant information.

+**Differentiate between identification and measurement**

+In the report, be sure to clarify that the role of RAI red teaming is to expose and raise understanding of risk surface and is not a replacement for systematic measurement and rigorous mitigation work. It is important that people do not interpret specific examples as a metric for the pervasiveness of that harm.

+Additionally, if the report contains problematic content and examples, consider including a content warning.

+The guidance in this document is not intended to be, and should not be construed as providing, legal advice. The jurisdiction in which you're operating may have various regulatory or legal requirements that apply to your AI system. Be aware that not all of these recommendations are appropriate for every scenario and, conversely, these recommendations may be insufficient for some scenarios.

+|**Retrieved documents** | Specifies the number of top-scoring documents from your data index used to generate responses. You might want to increase the value when you have short documents or want to provide more context. The default value is 5. This is the `topNDocuments` parameter in the API. |

+# [OpenAI Python 0.28.1](#tab/python)

+# [OpenAI Python 1.x](#tab/python-new)

+```python

+import os

+from openai import AzureOpenAI

+client = AzureOpenAI(

+ api_key = os.getenv("AZURE_OPENAI_KEY"),

+ api_version = "2023-05-15",

+ azure_endpoint =os.getenv("AZURE_OPENAI_ENDPOINT")

+)

+response = client.embeddings.create(

+ input = "Your text string goes here",

+ model= "text-embedding-ada-002"

+)

+print(response.model_dump_json(indent=2))

+```

+| `topNDocuments` | number | Optional | 5 | Specifies the number of top-scoring documents from your data index used to generate responses. You might want to increase the value when you have short documents or want to provide more context. This is the *retrieved documents* parameter in Azure OpenAI studio. |

+ <version>1.33.0</version>

+ implementation 'com.microsoft.cognitiveservices.speech:client-sdk-embedded:1.33.0@aar'

+For embedded speech, you need to download the speech recognition models for [speech to text](speech-to-text.md) and voices for [text to speech](text-to-speech.md). Instructions are provided upon successful completion of the [limited access review](https://aka.ms/csgate-embedded-speech) process.

+All text to speech locales [here](language-support.md?tabs=tts) (except fa-IR, Persian (Iran)) are available out of box with either 1 selected female and/or 1 selected male voices. We welcome your input to help us gauge demand for more languages and voices.

+With hybrid speech configuration for [text to speech](text-to-speech.md) (voices), embedded and cloud synthesis are run in parallel and the final result is selected based on response speed. The best result is evaluated again on each new synthesis request.

+For embedded voices, it is essential to note that certain SSML tags may not be currently supported due to differences in the model structure. For detailed information regarding the unsupported SSML tags, refer to the following table.

+ Title: Deploy an AI model on Azure Kubernetes Service (AKS) with the AI toolchain operator (Preview)

+description: Learn how to enable the AI toolchain operator add-on on Azure Kubernetes Service (AKS) to simplify OSS AI model management and deployment.

+# Deploy an AI model on Azure Kubernetes Service (AKS) with the AI toolchain operator (Preview)

+The AI toolchain operator (KAITO) is a managed add-on for AKS that simplifies the experience of running OSS AI models on your AKS clusters. The AI toolchain operator automatically provisions the necessary GPU nodes and sets up the associated inference server as an endpoint server to your AI models. Using this add-on reduces your onboarding time and enables you to focus on AI model usage and development rather than infrastructure setup.

+This article shows you how to enable the AI toolchain operator add-on and deploy an AI model on AKS.

+## Before you begin

+* This article assumes a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for AKS](./concepts-clusters-workloads.md).

+* If you aren't familiar with Microsoft Entra Workload Identity, see the [Workload Identity overview](../active-directory/workload-identities/workload-identities-overview.md).

+* For ***all hosted model inference files*** and recommended infrastructure setup, see the [KAITO GitHub repository](https://github.com/Azure/kaito).

+## Prerequisites

+* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+ * If you have multiple Azure subscriptions, make sure you select the correct subscription in which the resources will be created and charged using the [`az account set`][az-account-set] command.

+ > [!NOTE]

+ > The subscription you use must have GPU VM quota.

+* Azure CLI version 2.47.0 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

+* Helm v3 installed. For more information, see [Installing Helm](https://helm.sh/docs/intro/install/).

+* The Kubernetes command-line client, kubectl, installed and configured. For more information, see [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/).

+## Enable the Azure CLI preview extension

+* Enable the Azure CLI preview extension using the [`az extension add`][az-extension-add] command.

+ ```azurecli-interactive

+ az extension add --name aks-preview

+ ```

+### Export environment variables

+* To simplify the configuration steps in this article, you can define environment variables using the following commands. Make sure to replace the placeholder values with your own.

+ ```azurecli-interactive

+ export AZURE_SUBSCRIPTION_ID="mySubscriptionID"

+ export AZURE_RESOURCE_GROUP="myResourceGroup"

+ export CLUSTER_NAME="myClusterName"

+ ```

+## Enable the AI toolchain operator add-on on an AKS cluster

+1. Create an Azure resource group using the [`az group create`][az-group-create] command.

+ ```azurecli-interactive

+ az group create --name AZURE_RESOURCE_GROUP --location eastus

+ ```

+2. Create an AKS cluster with the AI toolchain operator add-on enabled using the [`az aks create`][az-aks-create] command with the `--enable-ai-toolchain-operator`, `--enable-workload-identity`, and `--enable-oidc-issuer` flags.

+ ```azurecli-interactive

+ az aks create --resource-group AZURE_RESOURCE_GROUP --name CLUSTER_NAME --generate-ssh-keys --enable-managed-identity --enable-workload-identity --enable-oidc-issuer --enable-ai-toolchain-operator

+ ```

+ > [!NOTE]

+ > AKS creates a managed identity once you enable the AI toolchain operator add-on. The managed identity is used to access the AI toolchain operator workspace CRD. The AI toolchain operator workspace CRD is used to create and manage AI toolchain operator workspaces.

+ >

+ > AI toolchain operator enablement requires the enablement of workload identity and OIDC issuer.

+## Connect to your cluster

+1. Configure `kubectl` to connect to your cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.

+ ```azurecli-interactive

+ az aks get-credentials --resource-group AZURE_RESOURCE_GROUP --name CLUSTER_NAME

+ ```

+2. Verify the connection to your cluster using the `kubectl get` command.

+ ```azurecli-interactive

+ kubectl get nodes

+ ```

+3. Export environment variables for the principal ID identity and client ID identity using the following commands:

+ ```azurecli-interactive

+ export MC_RESOURCE_GROUP=$(az aks show --resource-group AZURE_RESOURCE_GROUP --name CLUSTER_NAME --query nodeResourceGroup -o tsv)

+ export PRINCIPAL_ID=$(az identity show --name "ai-toolchain-operator-{CLUSTER_NAME}" --resource-group "{MC_RESOURCE_GROUP} --query 'principalId' -o tsv)

+ export CLIENT_ID=$(az identity show --name gpuIdentity --resource-group "${AZURE_RESOURCE_GROUP}" --subscription "${AZURE_SUBSCRIPTION_ID}" --query 'clientId' -o tsv)

+ ```

+## Create a role assignment for the principal ID identity

+1. Create a new role assignment for the service principal using the [`az role assignment create`][az-role-assignment-create] command.

+ ```azurecli-interactive

+ az role assignment create --role "Contributor" --assignee "${PRINCIPAL_ID}" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourcegroups/${AZURE_RESOURCE_GROUP}"/providers/Microsoft.ContainerService/managedClusters/${CLUSTER_NAME}"

+ ```

+2. Get the AKS OIDC Issuer URL and export it as an environment variable using the following command:

+ ```azurecli-interactive

+ export AKS_OIDC_ISSUER=$(az aks show --resource-group "${AZURE_RESOURCE_GROUP}" --name "${CLUSTER_NAME}" --subscription "${AZURE_SUBSCRIPTION_ID}" --query "oidcIssuerProfile.issuerUrl" -o tsv)

+ ```

+## Establish a federated identity credential

+* Create the federated identity credential between the managed identity, AKS OIDC issuer, and subject using the [`az identity federated-credential create`][az-identity-federated-credential-create] command.

+ ```azurecli-interactive

+ az identity federated-credential create --name "${FEDERATED_IDENTITY}" --identity-name "ai-toolchain-operator-{CLUSTER_NAME}" --resource-group "${AZURE_RESOURCE_GROUP} --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"kube-system":"gpu-provisioner" --audience api://AzureADTokenExchange --subscription "${AZURE_SUBSCRIPTION_ID}"

+ ```

+## Deploy a default hosted AI model

+1. Deploy the Falcon 7B model YAML file from the GitHub repository using the `kubectl apply` command.

+ ```azurecli-interactive

+ kubectl apply -f https://raw.githubusercontent.com/Azure/kaito/main/examples/kaito_workspace_falcon_7b.yaml

+ ```

+2. Track the live resource changes in your workspace using the `kubectl get` command.

+ ```azurecli-interactive

+ kubectl get workspace workspace-falcon-7b -w

+ ```

+3. Check your service and get the service IP address using the `kubectl get svc` command.

+ ```azurecli-interactive

+ export SERVICE_IP=$(kubectl get svc workspace-falcon-7b -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

+ ```

+4. Run the Falcon 7B model with a sample input of your choice using the following `curl` command:

+ ```azurecli-interactive

+ curl -X POST "http://SERVICE_IP:80/chat" -H "accept: application/json" -H "Content-Type: application/json" -d '{"prompt":"YOUR_PROMPT_HERE"}'

+ ```

+## Clean up resources

+If you no longer need these resources, you can delete them to avoid incurring extra Azure charges.

+* Delete the resource group and its associated resources using the [`az group delete`][az-group-delete] command.

+ ```azurecli-interactive

+ az group delete --name AZURE_RESOURCE_GROUP --yes --no-wait

+ ```

+## Next steps

+For more inference model options, see the [KAITO GitHub repository](https://github.com/Azure/kaito).

+<!-- LINKS -->

+[az-group-create]: /cli/azure/group#az_group_create

+[az-group-delete]: /cli/azure/group#az_group_delete

+[az-aks-create]: /cli/azure/aks#az_aks_create

+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials

+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create

+[az-identity-federated-credential-create]: /cli/azure/identity/federated-credential#az_identity_federated_credential_create

+[az-account-set]: /cli/azure/account#az_account_set

+[az-extension-add]: /cli/azure/extension#az_extension_add

+ Title: Performance and scaling best practices for large workloads in Azure Kubernetes Service (AKS)

+description: Learn the best practices for performance and scaling for large workloads in Azure Kubernetes Service (AKS).

+# Best practices for performance and scaling for large workloads in Azure Kubernetes Service (AKS)

+> [!NOTE]

+> This article focuses on general best practices for **large workloads**. For best practices specific to **small to medium workloads**, see [Performance and scaling best practices for small to medium workloads in Azure Kubernetes Service (AKS)](./best-practices-performance-scale.md).

+As you deploy and maintain clusters in AKS, you can use the following best practices to help you optimize performance and scaling.

+Keep in mind that *large* is a relative term. Kubernetes has a multi-dimensional scale envelope, and the scale envelope for your workload depends on the resources you use. For example, a cluster with 100 nodes and thousands of pods or CRDs might be considered large. A 1,000 node cluster with 1,000 pods and various other resources might be considered small from the control plane perspective. The best signal for scale of a Kubernetes control plane is API server HTTP request success rate and latency, as that's a proxy for the amount of load on the control plane.

+In this article, you learn about:

+> [!div class="checklist"]

+>

+> * AKS and Kubernetes control plane scalability.

+> * Kubernetes Client best practices, including backoff, watches, and pagination.

+> * Azure API and platform throttling limits.

+> * Feature limitations.

+> * Networking and node pool scaling best practices.

+## AKS and Kubernetes control plane scalability

+In AKS, a *cluster* consists of a set of nodes (physical or virtual machines (VMs)) that run Kubernetes agents and are managed by the Kubernetes control plane hosted by AKS. While AKS optimizes the Kubernetes control plane and its components for scalability and performance, it's still bound by the upstream project limits.

+Kubernetes has a multi-dimensional scale envelope with each resource type representing a dimension. Not all resources are alike. For example, *watches* are commonly set on secrets, which result in list calls to the kube-apiserver that add cost and a disproportionately higher load on the control plane compared to resources without watches.

+The control plane manages all the resource scaling in the cluster, so the more you scale the cluster within a given dimension, the less you can scale within other dimensions. For example, running hundreds of thousands of pods in an AKS cluster impacts how much pod churn rate (pod mutations per second) the control plane can support.

+The size of the envelope is proportional to the size of the Kubernetes control plane. AKS supports two control plane tiers as part of the Base SKU: the Free tier and the Standard tier. For more information, see [Free and Standard pricing tiers for AKS cluster management][free-standard-tier].

+> [!IMPORTANT]

+> We highly recommend using the Standard tier for production or at-scale workloads. AKS automatically scales up the Kubernetes control plane to support the following scale limits:

+>

+> * Up to 5,000 nodes per AKS cluster

+> * 200,000 pods per AKS cluster (with Azure CNI Overlay)

+In most cases, crossing the scale limit threshold results in degraded performance, but doesn't cause the cluster to immediately fail over. To manage load on the Kubernetes control plane, consider scaling in batches of up to 10-20% of the current scale. For example, for a 5,000 node cluster, scale in increments of 500-1,000 nodes. While AKS does autoscale your control plane, it doesn't happen instantaneously.

+You can leverage API Priority and Fairness (APF) to throttle specific clients and request types to protect the control plane during high churn and load.

+## Kubernetes clients

+Kubernetes clients are the applications clients, such as operators or monitoring agents, deployed in the Kubernetes cluster that need to communicate with the kube-api server to perform read or mutate operations. It's important to optimize the behavior of these clients to minimize the load they add to the kube-api server and Kubernetes control plane.

+AKS doesn't expose control plane and API server metrics via Prometheus or through platform metrics. However, you can analyze API server traffic and client behavior through Kube Audit logs. For more information, see [Troubleshoot the Kubernetes control plane](/troubleshoot/azure/azure-kubernetes/troubleshoot-apiserver-etcd).

+LIST requests can be expensive. When working with lists that might have more than a few thousand small objects or more than a few hundred large objects, you should consider the following guidelines:

+* **Consider the number of objects (CRs) you expect to eventually exist** when defining a new resource type (CRD).

+* **The load on etcd and API server primarily relies on the number of objects that exist, not the number of objects that are returned**. Even if you use a field selector to filter the list and retrieve only a small number of results, these guidelines still apply. The only exception is retrieval of a single object by `metadata.name`.

+* **Avoid repeated LIST calls if possible** if your code needs to maintain an updated list of objects in memory. Instead, consider using the Informer classes provided in most Kubernetes libraries. Informers automatically combine LIST and WATCH functionalities to efficiently maintain an in-memory collection.

+* **Consider whether you need strong consistency** if Informers don't meet your needs. Do you need to see the most recent data, up to the exact moment in time you issued the query? If not, set `ResourceVersion=0`. This causes the API server cache to serve your request instead of etcd.

+* **If you can't use Informers or the API server cache, read large lists in chunks**.

+* **Avoid listing more often than needed**. If you can't use Informers, consider how often your application lists the resources. After you read the last object in a large list, don't immediately re-query the same list. You should wait awhile instead.

+* **Consider the number of running instances of your client application**. There's a big difference between having a single controller listing objects vs. having pods on each node doing the same thing. If you plan to have multiple instances of your client application periodically listing large numbers of objects, your solution won't scale to large clusters.

+## Azure API and Platform throttling

+The load on a cloud application can vary over time based on factors such as the number of active users or the types of actions that users perform. If the processing requirements of the system exceed the capacity of the available resources, the system can become overloaded and suffer from poor performance and failures.

+To handle varying load sizes in a cloud application, you can allow the application to use resources up to a specified limit and then throttle them when the limit is reached. On Azure, throttling happens at two levels. Azure Resource Manager (ARM) throttles requests for the subscription and tenant. If the request is under the throttling limits for the subscription and tenant, ARM routes the request to the resource provider. The resource provider then applies throttling limits tailored to its operations. For more information, see [ARM throttling requests](../azure-resource-manager/management/request-limits-and-throttling.md).

+### Manage throttling in AKS

+Azure API limits are usually defined at a subscription-region combination level. For example, all clients within a subscription in a given region share API limits for a given Azure API, such as Virtual Machine Scale Sets PUT APIs. Every AKS cluster has several AKS-owned clients, such as cloud provider or cluster autoscaler, or customer-owned clients, such as Datadog or self-hosted Prometheus, that call Azure APIs. When running multiple AKS clusters in a subscription within a given region, all the AKS-owned and customer-owned clients within the clusters share a common set of API limits. Therefore, the number of clusters you can deploy in a subscription region is a function of the number of clients deployed, their call patterns, and the overall scale and elasticity of the clusters.

+Keeping the above considerations in mind, customers are typically able to deploy between 20-40 small to medium scale clusters per subscription-region. You can maximize your subscription scale using the following best practices:

+Always upgrade your Kubernetes clusters to the latest version. Newer versions contain many improvements that address performance and throttling issues. If you're using an upgraded version of Kubernetes and still see throttling due to the actual load or the number of clients in the subscription, you can try the following options:

+* **Analyze errors using AKS Diagnose and Solve Problems**: You can use [AKS Diagnose and Solve Problems](./aks-diagnostics.md) to analyze errors, identity the root cause, and get resolution recommendations.

+ * **Increase the Cluster Autoscaler scan interval**: If the diagnostic reports show that [Cluster Autoscaler throttling has been detected](/troubleshoot/azure/azure-kubernetes/429-too-many-requests-errors#analyze-and-identify-errors-by-using-aks-diagnose-and-solve-problems), you can [increase the scan interval](./cluster-autoscaler.md#change-the-cluster-autoscaler-settings) to reduce the number of calls to Virtual Machine Scale Sets from the Cluster Autoscaler.

+ * **Reconfigure third-party applications to make fewer calls**: If you filter by *user agents* in the ***View request rate and throttle details*** diagnostic and see that [a third-party application, such as a monitoring application, makes a large number of GET requests](/troubleshoot/azure/azure-kubernetes/429-too-many-requests-errors#analyze-and-identify-errors-by-using-aks-diagnose-and-solve-problems), you can change the settings of these applications to reduce the frequency of the GET calls. Make sure the application clients use exponential backoff when calling Azure APIs.

+* **Split your clusters into different subscriptions or regions**: If you have a large number of clusters and node pools that use Virtual Machine Scale Sets, you can split them into different subscriptions or regions within the same subscription. Most Azure API limits are shared at the subscription-region level, so you can move or scale your clusters to different subscriptions or regions to get unblocked on Azure API throttling. This option is especially helpful if you expect your clusters to have high activity. There are no generic guidelines for these limits. If you want specific guidance, you can create a support ticket.

+## Feature limitations

+As you scale your AKS clusters to larger scale points, keep the following feature limitations in mind:

+* AKS supports up to a 1,000 node scale in an AKS cluster by default. While AKS doesn't prevent you from scaling further, doing so might result in degraded performance. If you want to scale beyond 1,000 nodes, you can request a limit increase. For more information, see [Best practices for creating and running AKS clusters at scale][run-aks-at-scale].

+* [Azure Network Policy Manager (Azure npm)][azure-npm] only supports up to 250 nodes.

+* You can't use the Stop and Start feature with clusters that have more than 100 nodes. For more information, see [Stop and start an AKS cluster](./start-stop-cluster.md).

+## Networking

+As you scale your AKS clusters to larger scale points, keep the following networking best practices in mind:

+* Use Managed NAT for cluster egress with at least two public IPs on the NAT gateway. For more information, see [Create a managed NAT gateway for your AKS cluster][managed-nat-gateway].

+* Use Azure CNI Overlay to scale up to 200,000 pods and 5,000 nodes per cluster. For more information, see [Configure Azure CNI Overlay networking in AKS][azure-cni-overlay].

+* If your application needs direct pod-to-pod communication across clusters, use Azure CNI with dynamic IP allocation and scale up to 50,000 application pods per cluster with one routable IP per pod. For more information, see [Configure Azure CNI networking for dynamic IP allocation in AKS][azure-cni-dynamic-ip].

+* When using internal Kubernetes services behind an internal load balancer, we recommend creating an internal load balancer or service below a 750 node scale for optimal scaling performance and load balancer elasticity.

+* Azure npm only supports up to 250 nodes. If you want to enforce network policies for larger clusters, consider using [Azure CNI powered by Cilium](./azure-cni-powered-by-cilium.md), which combines the robust control plane of Azure CNI with the Cilium data plane to provide high performance networking and security.

+## Node pool scaling

+As you scale your AKS clusters to larger scale points, keep the following node pool scaling best practices in mind:

+* For system node pools, use the *Standard_D16ds_v5* SKU or an equivalent core/memory VM SKU with ephemeral OS disks to provide sufficient compute resources for kube-system pods.

+* Since AKS has a limit of 1,000 nodes per node pool, we recommend creating at least five user node pools to scale up to 5,000 nodes.

+* When running at-scale AKS clusters, use the cluster autoscaler whenever possible to ensure dynamic scaling of node pools based on the demand for compute resources. For more information, see [Automatically scale an AKS cluster to meet application demands][cluster-autoscaler].

+* If you're scaling beyond 1,000 nodes and are *not* using the cluster autoscaler, we recommend scaling in batches of 500-700 nodes at a time. The scaling operations should have a two-minute to five-minute wait time between scale up operations to prevent Azure API throttling. For more information, see [API management: Caching and throttling policies][throttling-policies].

+> [!NOTE]

+> You can't use [Azure Network Policy Manager (Azure NPM)][azure-npm] with clusters that have more than 500 nodes.

+<!-- LINKS - Internal >

+[run-aks-at-scale]: ./operator-best-practices-run-at-scale.md

+[managed-nat-gateway]: ./nat-gateway.md

+[azure-cni-dynamic-ip]: ./configure-azure-cni-dynamic-ip-allocation.md

+[azure-cni-overlay]: ./azure-cni-overlay.md

+[free-standard-tier]: ./free-standard-pricing-tiers.md

+[cluster-autoscaler]: cluster-autoscaler.md

+[azure-npm]: ../virtual-network/kubernetes-network-policies.md

+<!-- LINKS - External -->

+[throttling-policies]: https://azure.microsoft.com/blog/api-management-advanced-caching-and-throttling-policies/

+ Title: Performance and scaling best practices for small to medium workloads in Azure Kubernetes Service (AKS)

+description: Learn the best practices for performance and scaling for small to medium workloads in Azure Kubernetes Service (AKS).

+# Best practices for performance and scaling for small to medium workloads in Azure Kubernetes Service (AKS)

+> [!NOTE]

+> This article focuses on general best practices for **small to medium workloads**. For best practices specific to **large workloads**, see [Performance and scaling best practices for large workloads in Azure Kubernetes Service (AKS)](./best-practices-performance-scale-large.md).

+As you deploy and maintain clusters in AKS, you can use the following best practices to help you optimize performance and scaling.

+In this article, you learn about:

+> [!div class="checklist"]

+>

+> * Tradeoffs and recommendations for autoscaling your workloads.

+> * Managing node scaling and efficiency based on your workload demands.

+> * Networking considerations for ingress and egress traffic.

+> * Monitoring and troubleshooting control plane and node performance.

+> * Capacity planning, surge scenarios, and cluster upgrades.

+> * Storage and networking considerations for data plane performance.

+## Application autoscaling vs. infrastructure autoscaling

+### Application autoscaling

+Application autoscaling is useful when dealing with cost optimization or infrastructure limitations. A well-configured autoscaler maintains high availability for your application while also minimizing costs. You only pay for the resources required to maintain availability, regardless of the demand.

+For example, if an existing node has space but not enough IPs in the subnet, it might be able to skip the creation of a new node and instead immediately start running the application on a new pod.

+#### Horizontal Pod autoscaling

+Implementing [horizontal pod autoscaling](./concepts-scale.md#horizontal-pod-autoscaler) is useful for applications with a steady and predictable resource demand. The Horizontal Pod Autoscaler (HPA) dynamically scales the number of pod replicas, which effectively distributes the load across multiple pods and nodes. This scaling mechanism is typically most beneficial for applications that can be decomposed into smaller, independent components capable of running in parallel.

+The HPA provides resource utilization metrics by default. You can also integrate custom metrics or leverage tools like the [Kubernetes Event-Driven Autoscaler (KEDA) (Preview)](./keda-about.md). These extensions allow the HPA to make scaling decisions based on multiple perspectives and criteria, providing a more holistic view of your application's performance. This is especially helpful for applications with varying complex scaling requirements.

+> [!NOTE]

+> If maintaining high availability for your application is a top priority, we recommend leaving a slightly higher buffer for the minimum pod number for your HPA to account for scaling time.

+#### Vertical Pod autoscaling

+Implementing [vertical pod autoscaling](./vertical-pod-autoscaler.md) is useful for applications with fluctuating and unpredictable resource demands. The Vertical Pod Autoscaler (VPA) allows you to fine-tune resource requests, including CPU and memory, for individual pods, enabling precise control over resource allocation. This granularity minimizes resource waste and enhances the overall efficiency of cluster utilization. The VPA also streamlines application management by automating resource allocation, freeing up resources for critical tasks.

+> [!WARNING]

+> You shouldn't use the VPA in conjunction with the HPA on the same CPU or memory metrics. This combination can lead to conflicts, as both autoscalers attempt to respond to changes in demand using the same metrics. However, you can use the VPA for CPU or memory in conjunction with the HPA for custom metrics to prevent overlap and ensure that each autoscaler focuses on distinct aspects of workload scaling.

+> [!NOTE]

+> The VPA works based on historical data. We recommend waiting at least *24 hours* after deploying the VPA before applying any changes to give it time to collect recommendation data.

+### Infrastructure autoscaling

+#### Cluster autoscaling

+Implementing cluster autoscaling is useful if your existing nodes lack sufficient capacity, as it helps with scaling up and provisioning new nodes.

+When considering cluster autoscaling, the decision of when to remove a node involves a tradeoff between optimizing resource utilization and ensuring resource availability. Eliminating underutilized nodes enhances cluster utilization but might result in new workloads having to wait for resources to be provisioned before they can be deployed. It's important to find a balance between these two factors that aligns with your cluster and workload requirements and [configure the cluster autoscaler profile settings accordingly](./cluster-autoscaler.md#change-the-cluster-autoscaler-settings).

+The Cluster Autoscaler profile settings apply universally to all autoscaler-enabled node pools in your cluster. This means that any scaling actions occurring in one autoscaler-enabled node pool might impact the autoscaling behavior in another node pool. It's important to apply consistent and synchronized profile settings across all relevant node pools to ensure that the autoscaler behaves as expected.

+##### Overprovisioning

+Overprovisioning is a strategy that helps mitigate the risk of application pressure by ensuring there's an excess of readily available resources. This approach is especially useful for applications that experience highly variable loads and cluster scaling patterns that show frequent scale ups and scale downs.

+To determine the optimal amount of overprovisioning, you can use the following formula:

+```txt

+1-buffer/1+traffic

+```

+For example, let's say you want to avoid hitting 100% CPU utilization in your cluster. You might opt for a 30% buffer to maintain a safety margin. If you anticipate an average traffic growth rate of 40%, you might consider overprovisioning by 50%, as calculated by the formula:

+```txt

+1-30%/1+40%=50%

+```

+An effective overprovisioning method involves the use of *pause pods*. Pause pods are low-priority deployments that can be easily replaced by high-priority deployments. You create low priority pods that serve the sole purpose of reserving buffer space. When a high-priority pod requires space, the pause pods are removed and rescheduled on another node or a new node to accommodate the high priority pod.

+The following YAML shows an example pause pod manifest:

+```yml

+apiVersion: scheduling.k8s.io/v1

+kind: PriorityClass

+metadata:

+ name: overprovisioning

+value: -1

+globalDefault: false

+description: "Priority class used by overprovisioning."

+

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: overprovisioning

+ namespace: kube-system

+spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ run: overprovisioning

+ template:

+ metadata:

+ labels:

+ run: overprovisioning

+ spec:

+ priorityClassName: overprovisioning

+ containers:

+ - name: reserve-resources

+ image: your-custome-pause-image

+ resources:

+ requests:

+ cpu: 1

+ memory: 4Gi

+```

+## Node scaling and efficiency

+> **Best practice guidance**:

+>

+> Carefully monitor resource utilization and scheduling policies to ensure nodes are being used efficiently.

+Node scaling allows you to dynamically adjust the number of nodes in your cluster based on workload demands. It's important to understand that adding more nodes to a cluster isn't always the best solution for improving performance. To ensure optimal performance, you should carefully monitor resource utilization and scheduling policies to ensure nodes are being used efficiently.

+### Node images

+> **Best practice guidance**:

+>

+> Use the latest node image version to ensure that you have the latest security patches and bug fixes.

+Using the latest node image version provides the best performance experience. AKS ships performance improvements within the weekly image releases. The latest daemonset images are cached on the latest VHD image, which provide lower latency benefits for node provisioning and bootstrapping. Falling behind on updates might have a negative impact on performance, so it's important to avoid large gaps between versions.

+#### Azure Linux

+The [Azure Linux Container Host on AKS](../azure-linux/intro-azure-linux.md) uses a native AKS image and provides a single place for Linux development. Every package is built from source and validated, ensuring your services run on proven components.

+Azure Linux is lightweight, only including the necessary set of packages to run container workloads. It provides a reduced attack surface and eliminates patching and maintenance of unnecessary packages. At its base layer, it has a Microsoft-hardened kernel tuned for Azure. This image is ideal for performance-sensitive workloads and platform engineers or operators that manage fleets of AKS clusters.

+#### Ubuntu 2204

+The [Ubuntu 2204 image](https://github.com/Azure/AKS/blob/master/CHANGELOG.md) is the default node image for AKS. It's a lightweight and efficient operating system optimized for running containerized workloads. This means that it can help reduce resource usage and improve overall performance. The image includes the latest security patches and updates, which help ensure that your workloads are protected from vulnerabilities.

+The Ubuntu 2204 image is fully supported by Microsoft, Canonical, and the Ubuntu community and can help you achieve better performance and security for your containerized workloads.

+### Virtual machines (VMs)

+> **Best practice guidance**:

+>

+> When selecting a VM, ensure the size and performance of the OS disk and VM SKU don't have a large discrepancy. A discrepancy in size or performance can cause performance issues and resource contention.

+Application performance is closely tied to the VM SKUs you use in your workloads. Larger and more powerful VMs, generally provide better performance. For *mission critical or product workloads*, we recommend using VMs with at least an 8-core CPU. VMs with newer hardware generations, like v4 and v5, can also help improve performance. Keep in mind that create and scale latency might vary depending on the VM SKUs you use.

+### Use dedicated system node pools

+For scaling performance and reliability, we recommend using a dedicated system node pool. With this configuration, the dedicated system node pool reserves space for critical system resources such as system OS daemons. Your application workload can then run in a user node pool to increase the availability of allocatable resources for your application. This configuration also helps mitigate the risk of resource competition between the system and application.

+### Create operations

+Review the extensions and add-ons you have enabled during create provisioning. Extensions and add-ons can add latency to overall duration of create operations. If you don't need an extension or add-on, we recommend removing it to improve create latency.

+You can also use availability zones to provide a higher level of availability to protect against potential hardware failures or planned maintenance events. AKS clusters distribute resources across logical sections of underlying Azure infrastructure. Availability zones physically separate nodes from other nodes to help ensure that a single failure doesn't impact the availability of your application. Availability zones are only available in certain regions. For more information, see [Availability zones in Azure](../reliability/availability-zones-overview.md).

+## Kubernetes API server

+### LIST and WATCH operations

+Kubernetes uses the LIST and WATCH operations to interact with the Kubernetes API server and monitor information about cluster resources. These operations are fundamental to how Kubernetes performs resource management.

+**The LIST operation retrieves a list of resources that fit within certain criteria**, such as all pods in a specific namespace or all services in the cluster. This operation is useful when you want to get an overview of your cluster resources or you need to operator on multiple resources at once.

+The LIST operation can retrieve large amounts of data, especially in large clusters with multiple resources. Be mindful of the fact that making unbounded or frequent LIST calls puts a significant load on the API server and can close down response times.

+**The WATCH operation performs real-time resource monitoring**. When you set up a WATCH on a resource, the API server sends you updates whenever there are changes to that resource. This is important for controllers, like the ReplicaSet controller, which rely on WATCH to maintain the desired state of resources.

+Be mindful of the fact that watching too many mutable resources or making too many concurrent WATCH requests can overwhelm the API server and cause excessive resource consumption.

+To avoid potential issues and ensure the stability of the Kubernetes control plane, you can use the following strategies:

+**Resource quotas**

+Implement resource quotas to limit the number of resources that can be listed or watched by a particular user or namespace to prevent excessive calls.

+**API Priority and Fairness**

+Kubernetes introduced the concept of API Priority and Fairness (APF) to prioritize and manage API requests. You can use APF in Kubernetes to protect the cluster's API server and reduce the number of `HTTP 429 Too Many Requests` responses seen by client applications.

+| Custom resource | Key features |

+| -- | |

+| PriorityLevelConfigurations | ΓÇó Define different priority levels for API requests.<br/> ΓÇó Specifies a unique name and assigns an integer value representing the priority level. Higher priority levels have lower integer values, indicating they're more critical.<br/> ΓÇó Can use multiple to categorize requests into different priority levels based on their importance.<br/> ΓÇó Allow you to specify whether requests at a particular priority level should be subject to rate limits. |

+| FlowSchemas | ΓÇó Define how API requests should be routed to different priority levels based on request attributes.<br/> ΓÇó Specify rules that match requests based on criteria like API groups, versions, and resources.<br/> ΓÇó When a request matches a given rule, the request is directed to the priority level specified in the associated PriorityLevelConfiguration.<br/> ΓÇó Can use to set the order of evaluation when multiple FlowSchemas match a request to ensure that certain rules take precedence. |

+Configuring API with PriorityLevelConfigurations and FlowSchemas enables the prioritization of critical API requests over less important requests. This ensures that essential operations don't starve or experience delays because of lower priority requests.

+**Optimize labeling and selectors**

+When using LIST operations, optimize label selectors to narrow down the scope of the resources you want to query to reduce the amount of data returned and the load on the API server.

+In Kubernetes CREATE and UPDATE operations refer to actions that manage and modify cluster resources.

+### CREATE and UPDATE operations

+**The CREATE operation creates new resources in the Kubernetes cluster**, such as pods, services, deployments, configmaps, and secrets. During a CREATE operation, a client, such as `kubectl` or a controller, sends a request to the Kubernetes API server to create the new resource. The API server validates the request, ensures compliance with any admission controller policies, and then creates the resource in the cluster's desired state.

+**The UPDATE operation modifies existing resources in the Kubernetes cluster**, including changes to resources specifications, like number of replicas, container images, environment variables, or labels. During an UPDATE operation, a client sends a request to the API server to update an existing resource. The API server validates the request, applies the changes to the resource definition, and updates the cluster resource.

+CREATE and UPDATE operations can impact the performance of the Kubernetes API server under the following conditions:

+* **High concurrency**: When multiple users or applications make concurrent CREATE or UPDATE requests, it can lead to a surge in API requests arriving at the server at the same time. This can stress the API server's processing capacity and cause performance issues.

+* **Complex resource definitions**: Resource definitions that are overly complex or involve multiple nested objects can increase the time it takes for the API server to validate and process CREATE and UPDATE requests, which can lead to performance degradation.

+* **Resource validation and admission control**: Kubernetes enforces various admission control policies and validation checks on incoming CREATE and UPDATE requests. Large resource definitions, like ones with extensive annotations or configurations, might require more processing time.

+* **Custom controllers**: Custom controllers that watch for changes in resources, like Deployments or StatefulSet controllers, can generate a significant number of updates when scaling or rolling out changes. These updates can strain the API server's resources.

+For more information, see [Troubleshoot API server and etcd problems in AKS](/troubleshoot/azure/azure-kubernetes/troubleshoot-apiserver-etcd).

+## Data plane performance

+The Kubernetes data plane is responsible for managing network traffic between containers and services. Issues with the data plane can lead to slow response times, degraded performance, and application downtime. It's important to carefully monitor and optimize data plane configurations, such as network latency, resource allocation, container density, and network policies, to ensure your containerized applications run smoothly and efficiently.

+### Storage types

+AKS recommends and defaults to using ephemeral OS disks. Ephemeral OS disks are created on local VM storage and aren't saved to remote Azure storage like managed OS disks. They have faster reimaging and boot times, enabling faster cluster operations, and they provide lower read/write latency on the OS disk of AKS agent nodes. Ephemeral OS disks work well for stateless workloads, where applications are tolerant of individual VM failures but not of VM deployment time or individual VM reimaging instances. Only certain VM SKUs support ephemeral OS disks, so you need to ensure that your desired SKU generation and size is compatible. For more information, see [Ephemeral OS disks in Azure Kubernetes Service (AKS)](./cluster-configuration.md#use-ephemeral-os-on-new-clusters).

+If your workload is unable to use ephemeral OS disks, AKS defaults to using Premium SSD OS disks. If Premium SSD OS disks aren't compatible with your workload, AKS defaults to Standard SSD disks. Currently, the only other available OS disk type is Standard HDD. For more information, see [Storage options in Azure Kubernetes Service (AKS)](./concepts-storage.md).

+The following table provides a breakdown of suggested use cases for OS disks supported in AKS:

+| OS disk type | Key features | Suggested use cases |

+|--|--||

+| Ephemeral OS disks | ΓÇó Faster reimaging and boot times.<br/> ΓÇó Lower read/write latency on OS disk of AKS agent nodes.<br/> ΓÇó High performance and availability. | ΓÇó Demanding enterprise workloads, such as SQL Server, Oracle, Dynamics, Exchange Server, MySQL, Cassandra, MongoDB, SAP Business Suite, etc.<br/> ΓÇó Stateless production workloads that require high availability and low latency. |

+| Premium SSD OS disks | ΓÇó Consistent performance and low latency.<br/> ΓÇó High availability. | ΓÇó Demanding enterprise workloads, such as SQL Server, Oracle, Dynamics, Exchange Server, MySQL, Cassandra, MongoDB, SAP Business Suite, etc.<br/> ΓÇó Input/output (IO) intensive enterprise workloads. |

+| Standard SSD OS disks | ΓÇó Consistent performance.<br/> ΓÇó Better availability and latency compared to Standard HDD disks. | ΓÇó Web servers.<br/> ΓÇó Low input/output operations per second (IOPS) application servers.<br/> ΓÇó Lightly used enterprise applications.<br/> ΓÇó Dev/test workloads. |

+| Standard HDD disks | ΓÇó Low cost.<br/> ΓÇó Exhibits variability in performance and latency. | ΓÇó Backup storage.<br/> ΓÇó Mass storage with infrequent access. |

+#### IOPS and throughput

+Input/output operations per second (IOPS) refers to the number of read and write operations that a disk can perform in a second. Throughout refers to the amount of data that can be transferred in a given time period.

+OS disks are responsible for storing the operating system and its associated files, and the VMs are responsible for running the applications. When selecting a VM, ensure the size and performance of the OS disk and VM SKU don't have a large discrepancy. A discrepancy in size or performance can cause performance issues and resource contention. For example, if the OS disk is significantly smaller than the VMs, it can limit the amount of space available for application data and cause the system to run out of disk space. If the OS disk has lower performance than the VMs, it can become a bottleneck and limit the overall performance of the system. Make sure the size and performance are balanced to ensure optimal performance in Kubernetes.

+You can use the following steps to monitor IOPS and bandwidth meters on OS disks in the Azure portal:

+1. Navigate to the [Azure portal](https://portal.azure.com/).

+2. Search for **Virtual machine scale sets** and select your virtual machine scale set.

+3. Under **Monitoring**, select **Metrics**.

+Ephemeral OS disks can provide dynamic IOPS and throughput for your application, whereas managed disks have capped IOPS and throughput. For more information, see [Ephemeral OS disks for Azure VMs](../virtual-machines/ephemeral-os-disks.md).

+[Azure Premium SSD v2](../virtual-machines/disks-types.md#premium-ssd-v2) is designed for IO-intense enterprise workloads that require sub-millisecond disk latencies and high IOPS and throughput at a low cost. It's suited for a broad range of workloads, such as SQL server, Oracle, MariaDB, SAP, Cassandra, MongoDB, big data/analytics, gaming, and more. This disk type is the highest performing option currently available for persistent volumes.

+### Pod scheduling

+The memory and CPU resources allocated to a VM have a direct impact on the performance of the pods running on the VM. When a pod is created, it's assigned a certain amount of memory and CPU resources, which are used to run the application. If the VM doesn't have enough memory or CPU resources available, it can cause the pods to slow down or even crash. If the VM has too much memory or CPU resources available, it can cause the pods to run inefficiently, wasting resources and increasing costs. We recommend monitoring the total pod requests across your workloads against the total allocatable resources for best scheduling predictability and performance. You can also set the maximum pods per node based on your capacity planning using `--max-pods`.

+> This feature enables more control over creating and managing multiple node pools and requires separate commands for *create/update/delete* (CRUD) operations. Previously, cluster operations through [`az aks create`][az-aks-create] or [`az aks update`][az-aks-update] used the managedCluster API and were the only options to change your control plane and a single node pool. This feature exposes a separate operation set for agent pools through the agentPool API and requires use of the [`az aks nodepool`][az-aks-nodepool] command set to execute operations on an individual node pool.

+* The AKS cluster must use the Standard SKU load balancer to use multiple node pools. This feature isn't supported with Basic SKU load balancers.

+* If you expand your VNET after creating the cluster, you must update your cluster before adding a subnet outside the original CIDR block. While AKS errors-out on the agent pool add, the `aks-preview` Azure CLI extension (version 0.5.66 and higher) now supports running [`az aks update`][az-aks-update] command with only the required `-g <resourceGroup> -n <clusterName>` arguments. This command performs an update operation without making any changes, which can recover a cluster stuck in a failed state.

+* In clusters with Kubernetes version less than 1.23.3, kube-proxy SNATs traffic from new subnets, which can cause Azure Network Policy to drop the packets.

+> * When you create or update a node pool to run Windows Server containers, the default value for `--node-vm-size` is *Standard_D2s_v3*, which was minimum recommended size for Windows Server 2019 node pools prior to Kubernetes version 1.20. The minimum recommended size for Windows Server 2019 node pools using `containerd` is *Standard_D4s_v3*. When setting the `--node-vm-size` parameter, check the list of [restricted VM sizes][restricted-vm-sizes].

+> * We recommended using [taints or labels][aks-taints] with your Windows Server 2019 node pools running `containerd` and tolerations or node selectors with your deployments to guarantee your workloads are scheduled correctly.

+[az-aks-update]: /cli/azure/aks#az_aks_update

+[az-aks-nodepool]: /cli/azure/aks/nodepool

+

+No, you cannot restore your cluster after deleting it. When you delete your cluster, the node resource group and all its resources are also deleted. An example of the second resource group is *MC_myResourceGroup_myAKSCluster_eastus*.

+If you want to keep any of your resources, move them to another resource group before deleting your cluster. If you want to protect against accidental deletes, you can lock the AKS managed resource group hosting your cluster resources using [Node resource group lockdown][node-resource-group-lockdown].

+- [Local-gadget](https://inspektor-gadget.io/docs/): Uses in-kernel eBPF helper programs to monitor events related to syscalls from userspace programs in a pod.

+[node-resource-group-lockdown]: cluster-configuration.md#create-an-aks-cluster-with-node-resource-group-lockdown

+Graphical processing units (GPUs) are often used for compute-intensive workloads, such as graphics and visualization workloads. AKS supports GPU-enabled Linux node pools to run compute-intensive Kubernetes workloads. For more information on available GPU-enabled VMs, see [GPU-optimized VM sizes in Azure][gpu-skus]. For AKS node pools, we recommend a minimum size of *Standard_NC6s_v3*. The NVv4 series (based on AMD GPUs) aren't supported with AKS.

+ --node-vm-size Standard_NC6s_v3 \

+ * `--node-vm-size`: Sets the VM size for the node in the node pool to *Standard_NC6s_v3*.

+ --node-vm-size Standard_NC6s_v3 \

+ * `--node-vm-size`: Sets the VM size for the node in the node pool to *Standard_NC6s_v3*.

+In the following example, we create a GPU-based node pool that uses the *Standard_NC6s_v3* VM size. These VMs are powered by the NVIDIA Tesla K80 card. For information, see [Available sizes for Linux virtual machines in Azure][vm-sizes].

+ --node-vm-size Standard_NC6s_v3 \

+ "vmSize": "Standard_NC6s_v3",

+This article describes how to update the SSH key (preview) on your AKS clusters or node pools.

+## Update SSH public key (preview) on an existing AKS cluster

+> [Use PaaS services for stateful workloads in AKS][aks-tutorial-paas]

+> [!IMPORTANT]

+> This tutorial uses *myResourceGroup* as a placeholder for the resource group name. If you want to use a different name, replace *myResourceGroup* with your own resource group name.

+2. Create an ACR instance using the [`az acr create`][az-acr-create] command and provide your own unique registry name. The registry name must be unique within Azure and contain 5-50 alphanumeric characters. The rest of this tutorial uses an environment variable, `$ACRNAME`, as a placeholder for the container registry name. You can set this environment variable to your unique ACR name to use in future commands. The *Basic* SKU is a cost-optimized entry point for development purposes that provides a balance of storage and throughput.

+ az acr create --resource-group myResourceGroup --name $ACRNAME --sku Basic

+2. Create an ACR instance using the [`New-AzContainerRegistry`][new-azcontainerregistry] cmdlet and provide your own unique registry name. The registry name must be unique within Azure and contain 5-50 alphanumeric characters. The rest of this tutorial uses an environment variable, `$ACRNAME`, as a placeholder for the container registry name. You can set this environment variable to your unique ACR name to use in future commands. The *Basic* SKU is a cost-optimized entry point for development purposes that provides a balance of storage and throughput.

+ New-AzContainerRegistry -ResourceGroupName myResourceGroup -Name $ACRNAME -Location eastus -Sku Basic

+ az acr build --registry $ACRNAME --image aks-store-demo/product-service:latest ./src/product-service/

+ az acr build --registry $ACRNAME --image aks-store-demo/order-service:latest ./src/order-service/

+ az acr build --registry $ACRNAME --image aks-store-demo/store-front:latest ./src/store-front/

+ az acr repository list --name $ACRNAME --output table

+ Get-AzContainerRegistryRepository -RegistryName $ACRNAME

+[az-aks-update]: /cli/azure/aks#az_aks_update

+| node.kubernetes.io/instance-type | \<VM size> | Standard_NC6s_v3 | Virtual |

+## Limitations

+Virtual nodes functionality is heavily dependent on ACI's feature set. In addition to the [quotas and limits for Azure Container Instances](../container-instances/container-instances-quotas.md), the following are scenarios not supported with virtual nodes or are deployment considerations:

+* To schedule Windows Server containers to ACI, you need to manually install the open source [Virtual Kubelet ACI](https://github.com/virtual-kubelet/azure-aci) provider.

+* Using API server authorized ip ranges for AKS.

+> You can create private and public listeners with the same port number. However, be aware of any Network Security Group (NSG) associated with the application gateway subnet. Depending on your NSG's configuration, you may need an allow-inbound rule with **Destination IP addresses** as your application gateway's Public and Private frontend IPs. When using the same port, your application gateway changes the "Destination" of the inbound flow to the frontend IPs of your gateway.

+Upon configuring **active public and private listeners** (with Rules) **with the same port number**, your application gateway changes the "Destination" of all inbound flows to the frontend IPs of your gateway. This is true even for the listeners not sharing any port. You must thus include your gateway's frontend Public and Private IP addresses in the Destination of the inbound rule when using the same port configuration.

+

+ - **Subnet name** (backend server subnet): In the second row of the **Subnets** grid, enter *myBackendSubnet* in the **Subnet name** column.

+ - **Address range** (backend server subnet): In the second row of the **Subnets** Grid, enter an address range that doesn't overlap with the address range of *myAGSubnet*. For example, if the address range of *myAGSubnet* is 10.0.0.0/24, enter *10.0.1.0/24* for the address range of *myBackendSubnet*.

+1. Sign in to the [Azure portal](https://portal.azure.com) and select your virtual machine

+- Ensure to have the Windows PowerShell console installed. We recommend that you use PowerShell version 7.2 or higher. Follow the steps to [Install PowerShell on Windows](/powershell/scripting/install/installing-powershell-on-windows).

+ | | |

+`OutputDCRTemplateFolderPath`| Yes | Folder path where DCR templates are created. |

+1. Any VM with > 100 file/registry settings for migration via portal isn't supported now.

+1. Any VM with > 100 file/registry settings for migration via portal isn't supported now.

+- [Dev/Test (Visual Studio)](/azure/devtest/offer/overview-what-is-devtest-offer-visual-studio)

+- Disaster Recovery ([Entitled benefit DR instances from Software Assurance](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-by-benefits) or subscription only)

+ :::image type="content" source="media/quick-enable-hybrid-vm/add-single-server.png" alt-text="Screenshot of Azure portal's add server page." lightbox="media/quick-enable-hybrid-vm/add-single-server.png":::

+1. On the **Basics** page, provide the following:

+ definition (if you have enabled the Azure Connected Machine agent on a Windows-based machine). For a Linux-based machine, find the corresponding _\[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines_ policy definition. Click on that policy and click **Add**.

+1. Launch the Azure Arc service in the Azure portal by clicking **All services**, then searching for and selecting **Machines - Azure Arc**.

+1. On the **Azure Arc - Machines** page, select the connected machine you created in the [quickstart](quick-enable-hybrid-vm.md) article.

+When a new version of a VM extension is published, it becomes available for installation and manual upgrade on Arc-enabled servers. For servers that already have the extension installed and automatic extension upgrade enabled, it might take 5 - 8 weeks for every server with that extension to get the automatic upgrade. Upgrades are issued in batches across Azure regions and subscriptions, so you might see the extension get upgraded on some of your servers before others. If you need to upgrade an extension immediately, follow the guidance to manually upgrade extensions using the [Azure portal](manage-vm-extensions-portal.md#upgrade-extensions), [Azure PowerShell](manage-vm-extensions-powershell.md#upgrade-extension) or [Azure CLI](manage-vm-extensions-cli.md#upgrade-extensions).

+1. Go to the [Azure portal](https://portal.azure.com) navigate to **Machines - Azure Arc**.

+1. Select the applicable server.

+1. In the left pane, select the **Extensions** tab to see a list of all extensions installed on the server.

+If multiple extension upgrades are available for a machine, the upgrades might be batched together, but each extension upgrade is applied individually on a machine. A failure on one extension doesn't impact the other extension(s) to be upgraded. For example, if two extensions are scheduled for an upgrade, and the first extension upgrade fails, the second extension will still be upgraded.

+2. In the portal, browse to **Machines - Azure Arc** and select your machine from the list.

+3. Choose **Extensions**, then select **Add**.

+4. Choose the extension you want from the list of available extensions and follow the instructions in the wizard. In this example, we will deploy the Log Analytics VM extension.

+5. After confirming the required information provided, select **Review + Create**. A summary of the deployment is displayed and you can review the status of the deployment.

+2. In the portal, browse to **Machines - Azure Arc** and select your machine from the list.

+2. In the portal, browse to **Machines - Azure Arc** and select your hybrid machine from the list.

+2. In the portal, browse to **Machines - Azure Arc** and select your hybrid machine from the list.

+1. On the **Machines - Azure Arc** page, select **Add/Create** at the upper left, then select **Add a machine** from the drop-down menu.

+1. On the **Add servers with Azure Arc** page, select the **Add multiple servers** tile, and then select **Generate script**.

+1. On the **Basics** page, provide the following:

+ 1. Select the **Subscription** and **Resource group** for the machines.

+ 1. In the **Region** drop-down list, select the Azure region to store the servers' metadata.

+ 1. Select **Next**.

+ 1. In the **Authentication** section, under the **Service principal** drop-down list, select **Arc-for-servers**. Then select, **Next**.

+1. Select **Next**.

+1. Navigate to the **Machines - Azure Arc** page, select **Add/Create**, and then select **Add a machine** from the drop-down menu.

+1. On the **Add servers with Azure Arc** page, select **Add servers** from the **Add managed servers from Update Management** tile.

+1. On the **Resource details** page, configure the following:

+ 1. Select the **Subscription** and **Resource group** where you want the server to be managed within Azure.

+ 1. Select **Next**.

+1. On the **Servers** page, select **Add Servers**, then select the **Subscription** and **Automation account** from the drop-down list that has the Update Management feature enabled and includes the machines you want to onboard to Azure Arc-enabled servers.

+ Once you confirm your selection, select **Next**.

+With Windows Server 2012 and Windows Server 2012 R2 having reached end of support on October 10, 2023, Azure Arc-enabled servers lets you enroll your existing Windows Server 2012/2012 R2 machines in [Extended Security Updates (ESUs)](/windows-server/get-started/extended-security-updates-overview). Affording both cost flexibility and an enhanced delivery experience, Azure Arc better positions you to migrate to Azure.

+ Enrollment in ESUs does not impact Azure Update Manager. After enrollment in ESUs through Azure Arc, the server becomes eligible for ESU patches. These patches can be delivered through Azure Update Manager or any other patching solution. You'll still need to configure updates from Microsoft Updates or Windows Server Update Services.

+ >Activation of ESU is planned for the third quarter of 2023. Using Azure services such as Azure Update Manager and Azure Policy to support managing ESU-eligible Windows Server 2012/2012 R2 machines are also planned for the third quarter.

+We recommend you deploy your machines to Azure Arc in preparation for when the related Azure services deliver supported functionality to manage ESU. Once these machines are onboarded to Azure Arc-enabled servers, you'll have visibility into their ESU coverage and enroll through the Azure portal or using Azure Policy. Billing for this service starts from October 2023 (i.e., after Windows Server 2012 end of support).

+The Azure Connected Machine agent hasn't been tested on operating systems hardened by the Center for Information Security (CIS) Benchmark.

+[Azure Private Link](../../private-link/private-link-overview.md) allows you to securely link Azure PaaS services to your virtual network using private endpoints. For many services, you just set up an endpoint per resource. This means you can connect your on-premises or multicloud servers with Azure Arc and send all traffic over an Azure [ExpressRoute](../../expressroute/expressroute-introduction.md) or site-to-site [VPN connection](../../vpn-gateway/vpn-gateway-about-vpngateways.md) instead of using public networks.

+- Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Microsoft Entra ID and Azure using the downloadable service tag files. The [JSON file](https://www.microsoft.com/en-us/download/details.aspx?id=56519) contains all the public IP address ranges used by Microsoft Entra ID and Azure and is updated monthly to reflect any changes. Azure AD's service tag is `AzureActiveDirectory` and Azure's service tag is `AzureResourceManager`. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules.

+ b. Choose **Yes** for **Integrate with private DNS zone**, and let it automatically create a new Private DNS Zone. The actual DNS zones might be different from what is shown in the screenshot below.

+If you're only planning to use Private Links to support a few machines or servers, you might not want to update your entire network's DNS configuration. In this case, you can add the private endpoint hostnames and IP addresses to your operating systems **Hosts** file. Depending on the OS configuration, the Hosts file can be the primary or alternative method for resolving hostname to IP address.

+1. Save the file with your changes. You might need to save to another directory first, then copy the file to the original path.

+1. Navigate to **Machines - Azure Arc**.

+1. On the **Machines - Azure Arc** page, select **Add/Create** at the upper left, and then select **Add a machine** from the drop-down menu.

+1. On the **Basics** page, provide the following:

+ 1. Select the **Subscription** and **Resource group** for the machine.

+ 1. Under **Connectivity method**, select **Private endpoint** and select the Azure Arc Private Link Scope created in Part 1 from the drop-down list.

+After downloading the script, you have to run it on your machine or server using a privileged (administrator or root) account. Depending on your network configuration, you might need to download the agent from a computer with internet access and transfer it to your machine or server, and then modify the script with the path to the agent.

+> Network traffic from the Azure Connected Machine agent to Microsoft Entra ID and Azure Resource Manager will continue to use public endpoints. If your server needs to communicate through a proxy server to reach these endpoints, [configure the agent with the proxy server URL](manage-agent.md#update-or-remove-proxy-settings) before connecting it to Azure. You might also need to [configure a proxy bypass](manage-agent.md#proxy-bypass-for-private-endpoints) for the Azure Arc services if your private endpoint is not accessible from your proxy server.

+It might take up to 15 minutes for the Private Link Scope to accept connections from the recently associated server(s).

+2. Find and delete the old Arc resource bridge resource under the [Resource Bridges tab from the Azure Arc center](https://ms.portal.azure.com/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/resourceBridges).

+6. In the same machine, run the following scripts, as applicable:

+ - [Download the script](https://download.microsoft.com/download/6/b/4/6b4a5009-fed8-46c2-b22b-b24a4d0a06e3/arcvmm-appliance-dr.ps1) if you are running the script from a Windows machine

+ - [Download the script](https://download.microsoft.com/download/0/5/c/05c2bcb8-87f8-4ead-9757-a87a0759071c/arcvmm-appliance-dr.sh) if you are running the script from a Linux machine

+7. Once the script is run successfully, the old Resource Bridge will be recovered and the connection is re-established to the existing Azure-enabled SCVMM resources.

+| **SCVMM** | You need an SCVMM management server running version 2019 or later.<br/><br/> A private cloud with minimum free capacity of 32 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> Only Static IP allocation is supported and VMM Static IP Pool is required. Follow [these steps](https://learn.microsoft.com/system-center/vmm/network-pool?view=sc-vmm-2022) to create a VMM Static IP Pool and ensure that the Static IP Pool has at least four IP addresses. Dynamic IP allocation using DHCP is not supported. |

+In this article, you learn how to perform various administrative operations related to Azure Arc-enabled VMware vSphere:

+- Upgrading the Azure Arc resource bridge

+ Title: What is Azure Arc-enabled VMware vSphere?

+# What is Azure Arc-enabled VMware vSphere?

+Azure Arc-enabled VMware vSphere is an [Azure Arc](../overview.md) service that helps you simplify management of hybrid IT estate distributed across VMware vSphere and Azure. It does so by extending the Azure control plane to VMware vSphere infrastructure and enabling the use of Azure security, governance, and management capabilities consistently across VMware vSphere and Azure.

+Arc-enabled VMware vSphere allows you to:

+Arc-enabled VMware vSphere provides these capabilities by integrating with your VMware vCenter Server. To connect your VMware vCenter Server to Azure Arc, you need to deploy the [Azure Arc resource bridge](../resource-bridge/overview.md) in your vSphere environment. Azure Arc resource bridge is a virtual appliance that hosts the components that communicate with your vCenter Server and Azure.

+Azure Arc-enabled VMware vSphere currently works with vCenter Server versions 7 and 8.

+> Azure Arc-enabled VMware vSphere supports vCenters with a maximum of 9500 VMs. If your vCenter has more than 9500 VMs, we don't recommend you to use Arc-enabled VMware vSphere with it at this point.

+You can use Azure Arc-enabled VMware vSphere in these supported regions:

+- East US2

+- West US2

+- West US3

+- South Central US

+- Canada Central

+- North Europe

+- Sweden Central

+- Southeast Asia

+- Australia East

+In this article, you learn how to perform various operations on the Azure Arc-enabled VMware vSphere VMs such as:

+First, the script deploys a virtual appliance called [Azure Arc resource bridge](../resource-bridge/overview.md) in your vCenter environment. Then, it installs a VMware cluster extension to provide a continuous connection between vCenter Server and Azure Arc.

+This account is used for the ongoing operation of Azure Arc-enabled VMware vSphere and the deployment of the Azure Arc resource bridge VM.

+| **Control Plane IP address** | Azure Arc resource bridge runs a Kubernetes cluster, and its control plane always requires a static IP address. Provide an IP address that meets the following requirements: <br> - The IP address must have internet access. <br> - The IP address must be within the subnet defined by IP address prefix. <br> - If you're using static IP address option for resource bridge VM IP address, the control plane IP address must be outside of the IP address range provided for the VM (Start range IP - End range IP). <br> - If there's a DHCP service on the network, the IP address must be outside of DHCP range.|

+In this article, you learn how to recover the Azure Arc resource bridge connection into a working state in disaster scenarios such as accidental deletion. In such cases, the connection between on-premises infrastructure and Azure is lost and any operations performed through Arc fail.

+## Recovering the Arc resource bridge if there is VM deletion

+6. Once the script successfully finishes, the resource bridge should be recovered, and the previously disconnected Arc-enabled resources are manageable in Azure again.

+[Troubleshoot Azure Arc resource bridge issues](../resource-bridge/troubleshoot-resource-bridge.md)

+1. Go to the [**VMware vCenters** list in Arc center](https://portal.azure.com/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/vCenter).

+# Support matrix for Azure Arc-enabled VMware vSphere

+This article documents the prerequisites and support requirements for using [Azure Arc-enabled VMware vSphere](overview.md) to manage your VMware vSphere VMs through Azure Arc.

+To use Arc-enabled VMware vSphere, you must deploy an Azure Arc resource bridge in your VMware vSphere environment. The resource bridge provides an ongoing connection between your VMware vCenter Server and Azure. Once you've connected your VMware vCenter Server to Azure, components on the resource bridge discover your vCenter inventory. You can enable them in Azure and start performing virtual hardware and guest OS operations on them using Azure Arc.

+Azure Arc-enabled VMware vSphere works with vCenter Server versions 7 and 8.

+> Azure Arc-enabled VMware vSphere currently supports vCenters with a maximum of 9500 VMs. If your vCenter has more than 9500 VMs, it's not recommended to use Arc-enabled VMware vSphere with it at this point.

+This account is used for the ongoing operation of Azure Arc-enabled VMware vSphere and the deployment of the Azure Arc resource bridge VM.

+ Title: Switch to the new version of VMware vSphere

+description: Learn to switch to the new version of VMware vSphere and use its capabilities

+# Customer intent: As a VI admin, I want to switch to the new version of Arc-enabled VMware vSphere and leverage the associated capabilities.

+# Switch to the new version of VMware vSphere

+On August 21, 2023, we rolled out major changes to **Azure Arc-enabled VMware vSphere**. By switching to the new version, you can use all the Azure management services that are available for Arc-enabled Servers.

+> [!NOTE]

+> If you're new to Arc-enabled VMware vSphere, you'll be able to leverage the new capabilities by default. To get started with the new version, see [Quickstart: Connect VMware vCenter Server to Azure Arc by using the helper script](quick-start-connect-vcenter-to-arc-using-script.md).

+## Switch to the new version (Existing customer)

+If you've onboarded to **Azure Arc-enabled VMware** before August 21, 2023, for VMs that are Azure-enabled, follow these steps to switch to the new version:

+>[!Note]

+>If you had enabled guest management on any of the VMs, remove [VM extensions](/azure/azure-arc/vmware-vsphere/remove-vcenter-from-arc-vmware#step-1-remove-vm-extensions) and [disconnect agents](/azure/azure-arc/vmware-vsphere/remove-vcenter-from-arc-vmware#step-2-disconnect-the-agent-from-azure-arc).

+1. From your browser, go to the vCenters blade on [Azure Arc Center](https://ms.portal.azure.com/#view/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/~/overview) and select the vCenter resource.

+2. Select all the virtual machines that are Azure enabled with the older version.

+3. Select **Remove from Azure**.

+ :::image type="VM Inventory view" source="media/switch-to-new-version-vmware/vm-inventory-view-inline.png" alt-text="Screenshot of VM Inventory view." lightbox="media/switch-to-new-version-vmware/vm-inventory-view-expanded.png":::

+4. After successful removal from Azure, enable the same resources again in Azure.

+5. Once the resources are re-enabled, the VMs are auto switched to the new version. The VM resources will now be represented as **Machine - Azure Arc (VMware)**.

+ :::image type=" New VM browse view" source="media/switch-to-new-version-vmware/new-vm-browse-view-inline.png" alt-text="Screenshot of New VM browse view." lightbox="media/switch-to-new-version-vmware/new-vm-browse-view-expanded.png":::

+

+## Next steps

+[Create a virtual machine on VMware vCenter using Azure Arc](/azure/azure-arc/vmware-vsphere/quick-start-create-a-vm).

+>[!IMPORTANT]

+>Microsoft periodically updates the underlying VM used in cache instances. This can change the performance characteristics from cache to cache and from region to region. The example benchmarking values on this page reflect older generation cache hardware in a single region. You may see better or different results in practice.

+>

+Durable Functions is supported in the new [Python v2 programming model](../functions-reference-python.md?pivots=python-mode-decorators). To use the v2 model, you must install the Durable Functions SDK, which is the PyPI package `azure-functions-durable`, version `1.2.2` or a later version. You must also check `host.json` to make sure your app is referencing [Extension Bundles](../functions-bindings-register.md#extension-bundles) version 4.x to use the v2 model with Durable Functions.

+You can provide feedback and suggestions in the [Durable Functions SDK for Python repo](https://github.com/Azure/azure-functions-durable-python/issues).

+ :::image type="content" source="./media/tutorial-search-location/basic-map.png" lightbox="./media/tutorial-search-location/basic-map.png" alt-text="A screenshot showing the most basic map that you can make by calling `atlas.Map` using your Azure Maps account key.":::

+ :::image type="content" source="./media/tutorial-search-location/pins-map.png" lightbox="./media/tutorial-search-location/pins-map.png" alt-text="A screenshot showing the map resulting from the search, which is a map showing Seattle with round-blue pins at locations of gas stations.":::

+ :::image type="content" source="./media/tutorial-search-location/popup-map.png" lightbox="./media/tutorial-search-location/popup-map.png" alt-text="A screenshot of a map with information popups that appear when you hover over a search pin.":::

+The Azure Maps Web SDK provides a powerful canvas for rendering large spatial data sets in many different ways. In some cases, there are multiple ways to render data the same way, but depending on the size of the data set and the desired functionality, one method might perform better than others. This article highlights best practices and tips and tricks to maximize performance and create a smooth user experience.

+* **GeoJSON source**: The `DataSource` class manages raw location data in GeoJSON format locally. Good for small to medium data sets (upwards of hundreds of thousands of features).

+* **Vector tile source**: The `VectorTileSource` class loads data formatted as vector tiles for the current map view, based on the maps tiling system. Ideal for large to massive data sets (millions or billions of features).

+Azure maps provide several different layers for rendering data on a map. There are many optimizations you can take advantage of to tailor these layers to your scenario the increase performances and the overall user experience.

+That said, if you only have a few points to render on the map, the simplicity of HTML markers might be preferred. Additionally, HTML markers can easily be made draggable if needed.

+When working with large sets of data points you might find that when rendered at certain zoom levels, many of the points overlap and are only partial visible, if at all. Clustering is process of grouping points that are close together and representing them as a single clustered point. As the user zooms in the map, clusters break apart into their individual points. This can significantly reduce the amount of data that needs to be rendered, make the map feel less cluttered, and improve performance. The `DataSource` class has options for clustering data locally. Additionally, many tools that generate vector tiles also have clustering options.

+The heat map layer can render tens of thousands of data points easily. For larger data sets, consider enabling clustering on the data source and using a small cluster radius and use the clusters `point_count` property as a weight for the height map. When the cluster radius is only a few pixels in size, there's little visual difference in the rendered heat map. Using a larger cluster radius improves performance more but might reduce the resolution of the rendered heat map.

+The above code functions fine if all features in the data source have a `myColor` property, and the value of that property is a color. This might not be an issue if you have complete control of the data in the data source and know for certain all features have a valid color in a `myColor` property. That said, to make this code safe from errors, a `case` expression can be used with the `has` expression to check that the feature has the `myColor` property. If it does, the `to-color` type expression can then be used to try to convert the value of that property to a color. If the color is invalid, a fallback color can be used. The following code demonstrates how to do this and sets the fallback color to green.

+* Check the console for errors of the browser's developer tools. Some errors might cause the map not to render. Debug your application.

+If the symbol is only out of place when the map is rotated, check the `rotationAlignment` option. By default, symbols rotate with the maps viewport, appearing upright to the user. However, depending on your scenario, it might be desirable to lock the symbol to the map's orientation by setting the `rotationAlignment` option to `map`.

+If the symbol is only out of place when the map is pitched/tilted, check the `pitchAlignment` option. By default, symbols stay upright in the maps viewport when the map is pitched or tilted. However, depending on your scenario, it might be desirable to lock the symbol to the map's pitch by setting the `pitchAlignment` option to `map`.

+* Try removing data-driven expressions from your rendering layer. It's possible that one of them might have an error in it that is causing the issue.

+| AlmaLinux 9 | Γ£ô³ | | |

+| Oracle Linux 9 | Γ£ô | | |

+| Rocky Linux 9 | Γ£ô | | |

+- Azure Monitor supports monitoring multiple resources of the same type with one metric alert rule for resources that exist in the same Azure region. For a list of Azure services that are currently supported for this feature, see [Supported resources for metric alerts in Azure Monitor](alerts-metric-near-real-time.md).

+|Log alert|You can use log alerts to perform advanced logic operations on your data. If the data you want to monitor is available in logs, or requires advanced logic, you can use the robust features of Kusto Query Language (KQL) for data manipulation by using log alerts.|Each log alert rule is billed based on the interval at which the log query is evaluated. More frequent query evaluation results in a higher cost. For log alerts configured for at-scale monitoring using splitting by dimensions, the cost also depends on the number of time series created by the dimensions resulting from your query. |

+For troubleshooting information, including "no data" scenarios and customizing logs, see [Troubleshoot Application Insights monitoring of Node.js apps and services](/troubleshoot/azure/azure-monitor/app-insights/troubleshoot-app-insights-nodejs).

+> [!NOTE]

+> - If you've adopted our OpenTelemetry Distro and are looking for configuration options, see [Enable Sampling](opentelemetry-configuration.md#enable-sampling).

+| Network managers | [AVNMConnectivityConfigurationChange](/azure/azure-monitor/reference/tables/AVNMConnectivityConfigurationChange) |

+> [!NOTE]

+> The table name is case sensitive.

+## October 2023

+|Subservice | Article | Description |

+||||

+General|[Best practices for monitoring Kubernetes with Azure Monitor](best-practices-containers.md)|New article.|

+General|[Estimate Azure Monitor costs](cost-estimate.md)|New article describing use of Azure Monitor pricing calculator.|

+General|[Azure Monitor billing meter names](cost-meters.md)|Billing meters moved into dedicated reference article.|

+General|[Azure Monitor cost and usage](cost-usage.md)|Rewritten.|

+Agents|[Collect logs from a text or JSON file with Azure Monitor Agent](agents/data-collection-text-log.md)|Added the ability to collect logs from a JSON file with Azure Monitor Agent.|

+Alerts|[Create or edit an alert rule](alerts/alerts-create-new-alert-rule.md)|Custom properties for Azure Monitor alerts are now located in the Details tab when creating or editing an alert rule. |

+Alerts|[Create or edit an alert rule](alerts/alerts-create-new-alert-rule.md)|Added note clarifying the limitations of setting the frequency of alert rules to one minute. |

+Application-Insights|[IP addresses used by Azure Monitor](app/ip-addresses.md)|A logic model diagram is available to assist with troubleshooting scenarios.|

+Application-Insights|[Application Insights Overview dashboard](app/overview-dashboard.md)|All of the Application Insights experiences are now defined in a manner that mirrors the Azure portal experience. We've included a logic model diagram to visually convey how Application Insights works at a high level.|

+Application-Insights|[Enable Azure Monitor OpenTelemetry for .NET, Node.js, Python, and Java applications](app/opentelemetry-enable.md)|Our OpenTelemetry Distro released for .NET, Java, Python, and Node.js. This is a replacement for classic Application Insights SDKs.|

+Essentials|[Collect IIS logs with Azure Monitor Agent](agents/data-collection-iis.md)|Added guidance on setting up data collection endpoints based on deployment.|

+Logs|[Restore logs in Azure Monitor](logs/restore.md)|Updated information about the cost of restoring logs. |

+Logs|[Log Analytics workspace data export in Azure Monitor](logs/logs-data-export.md)|Billing for Data Export was enabled in early October 2023.|

+Logs|[Analyze usage in a Log Analytics workspace](logs/analyze-usage.md)|Added support for querying data volume from events directly, and by computer.|

+* [Configuring Azure NetApp Files Application Volume Group (AVG) for zonal SAP HANA deployment](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/configuring-azure-netapp-files-anf-application-volume-group-avg/ba-p/3943801)

+* Germany North

+This article connects resource provider namespaces to Azure services. If you don't know the resource provider, see [Find resource provider](#find-resource-provider).

+## AI and machine learning resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.AutonomousSystems | [Autonomous Systems](https://www.microsoft.com/ai/autonomous-systems) |

+| Microsoft.BotService | [Azure Bot Service](/azure/bot-service/) |

+| Microsoft.CognitiveServices | [Cognitive Services](../../ai-services/index.yml) |

+| Microsoft.EnterpriseKnowledgeGraph | Enterprise Knowledge Graph |

+| Microsoft.MachineLearning | [Machine Learning Studio](../../machine-learning/classic/index.yml) |

+| Microsoft.MachineLearningServices | [Azure Machine Learning](../../machine-learning/index.yml) |

+| Microsoft.Search | [Azure Cognitive Search](../../search/index.yml) |

+## Analytics resource providers

+| Microsoft.Databricks | [Azure Databricks](/azure/azure-databricks/) |

+| Microsoft.DataCatalog | [Data Catalog](../../data-catalog/index.yml) |

+| Microsoft.DataFactory | [Data Factory](../../data-factory/index.yml) |

+| Microsoft.DataLakeAnalytics | [Data Lake Analytics](../../data-lake-analytics/index.yml) |

+| Microsoft.DataLakeStore | [Azure Data Lake Storage Gen2](../../storage/blobs/data-lake-storage-introduction.md) |

+| Microsoft.DataShare | [Azure Data Share](../../data-share/index.yml) |

+| Microsoft.HDInsight | [HDInsight](../../hdinsight/index.yml) |

+| Microsoft.Kusto | [Azure Data Explorer](/azure/data-explorer/) |

+| Microsoft.PowerBI | [Power BI](/power-bi/power-bi-overview) |

+| Microsoft.PowerBIDedicated | [Power BI Embedded](/azure/power-bi-embedded/) |

+| Microsoft.ProjectBabylon | [Azure Data Catalog](../../data-catalog/overview.md) |

+| Microsoft.Purview | [Microsoft Purview](/purview/purview) |

+| Microsoft.StreamAnalytics | [Azure Stream Analytics](../../stream-analytics/index.yml) |

+| Microsoft.Synapse | [Azure Synapse Analytics](/azure/sql-data-warehouse/) |

+## Blockchain resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.Blockchain | [Azure Blockchain Service](../../blockchain/workbench/index.yml) |

+| Microsoft.BlockchainTokens | [Azure Blockchain Tokens](https://azure.microsoft.com/services/blockchain-tokens/) |

+## Compute resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.DesktopVirtualization | [Azure Virtual Desktop](../../virtual-desktop/index.yml) |

+| Microsoft.DevTestLab | [Azure Lab Services](../../lab-services/index.yml) |

+| Microsoft.HanaOnAzure | [SAP HANA on Azure Large Instances](../../virtual-machines/workloads/sap/hana-overview-architecture.md) |

+| Microsoft.LabServices | [Azure Lab Services](../../lab-services/index.yml) |

+| Microsoft.Maintenance | [Azure Maintenance](../../virtual-machines/maintenance-configurations.md) |

+| Microsoft.Microservices4Spring | [Azure Spring Apps](../../spring-apps/overview.md) |

+| Microsoft.Quantum | [Azure Quantum](https://azure.microsoft.com/services/quantum/) |

+| Microsoft.SerialConsole - [registered by default](#registration) | [Azure Serial Console for Windows](/troubleshoot/azure/virtual-machines/serial-console-windows) |

+| Microsoft.ServiceFabric | [Service Fabric](../../service-fabric/index.yml) |

+| Microsoft.VirtualMachineImages | [Azure Image Builder](../../virtual-machines/image-builder-overview.md) |

+| Microsoft.VMware | [Azure VMware Solution](../../azure-vmware/index.yml) |

+| Microsoft.VMwareCloudSimple | [Azure VMware Solution by CloudSimple](../../vmware-cloudsimple/index.md) |

+## Container resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.App | [Azure Container Apps](../../container-apps/index.yml) |

+| Microsoft.RedHatOpenShift | [Azure Red Hat OpenShift](../../virtual-machines/linux/openshift-get-started.md) |

+## Core resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.Addons | core |

+| Microsoft.AzureStack | core |

+| Microsoft.Capacity | core |

+| Microsoft.Commerce - [registered by default](#registration) | core |

+| Microsoft.Marketplace | core |

+| Microsoft.MarketplaceApps | core |

+| Microsoft.MarketplaceOrdering - [registered by default](#registration) | core |

+| Microsoft.SaaS | core |

+| Microsoft.Services | core |

+| Microsoft.Subscription | core |

+| microsoft.support - [registered by default](#registration) | core |

+## Database resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.AzureData | SQL Server registry |

+| Microsoft.Cache | [Azure Cache for Redis](../../azure-cache-for-redis/index.yml) |

+| Microsoft.Sql | [Azure SQL Database](/azure/azure-sql/database/index)<br /> [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/index) <br />[Azure Synapse Analytics](/azure/sql-data-warehouse/) |

+| Microsoft.SqlVirtualMachine | [SQL Server on Azure Virtual Machines](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview) |

+## Developer tools resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.AppConfiguration | [Azure App Configuration](../../azure-app-configuration/index.yml) |

+| Microsoft.DevSpaces | [Azure Dev Spaces](/previous-versions/azure/dev-spaces/) |

+| Microsoft.MixedReality | [Azure Spatial Anchors](../../spatial-anchors/index.yml) |

+| Microsoft.Notebooks | [Azure Notebooks](https://notebooks.azure.com/help/introduction) |

+## DevOps resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| microsoft.visualstudio | [Azure DevOps](/azure/devops/) |

+| Microsoft.VSOnline | [Azure DevOps](/azure/devops/) |

+## Hybrid resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.AzureArcData | Azure Arc-enabled data services |

+| Microsoft.AzureStackHCI | [Azure Stack HCI](/azure-stack/hci/overview) |

+| Microsoft.HybridCompute | [Azure Arc-enabled servers](../../azure-arc/servers/index.yml) |

+| Microsoft.Kubernetes | [Azure Arc-enabled Kubernetes](../../azure-arc/kubernetes/index.yml) |

+| Microsoft.KubernetesConfiguration | [Azure Arc-enabled Kubernetes](../../azure-arc/kubernetes/index.yml) |

+## Identity resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.AAD | [Microsoft Entra Domain Services](../../active-directory-domain-services/index.yml) |

+| Microsoft.ADHybridHealthService - [registered by default](#registration) | [Microsoft Entra ID](../../active-directory/index.yml) |

+| Microsoft.AzureActiveDirectory | [Microsoft Entra ID B2C](../../active-directory-b2c/index.yml) |

+| Microsoft.ManagedIdentity | [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/index.yml) |

+| Microsoft.Token | Token |

+## Integration resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.ApiManagement | [API Management](../../api-management/index.yml) |

+| Microsoft.Communication | [Azure Communication Services](../../communication-services/overview.md) |

+| Microsoft.Logic | [Logic Apps](../../logic-apps/index.yml) |

+| Microsoft.NotificationHubs | [Notification Hubs](../../notification-hubs/index.yml) |

+| Microsoft.PowerPlatform | [Power Platform](/power-platform/) |

+| Microsoft.Relay | [Azure Relay](../../azure-relay/relay-what-is-it.md) |

+| Microsoft.ServiceBus | [Service Bus](/azure/service-bus/) |

+## IoT resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.Devices | [Azure IoT Hub](../../iot-hub/index.yml)<br />[Azure IoT Hub Device Provisioning Service](../../iot-dps/index.yml) |

+| Microsoft.DeviceUpdate | [Device Update for IoT Hub](../../iot-hub-device-update/index.yml) |

+| Microsoft.DigitalTwins | [Azure Digital Twins](../../digital-twins/overview.md) |

+| Microsoft.TimeSeriesInsights | [Azure Time Series Insights](../../time-series-insights/index.yml) |

+| Microsoft.WindowsIoT | [Windows 10 IoT Core Services](/windows-hardware/manufacture/iot/iotcoreservicesoverview) |

+## Management resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.Advisor | [Azure Advisor](../../advisor/index.yml) |

+| Microsoft.Authorization - [registered by default](#registration) | [Azure Resource Manager](../index.yml) |

+| Microsoft.Automation | [Automation](../../automation/index.yml) |

+| Microsoft.Billing - [registered by default](#registration) | [Cost Management and Billing](/azure/billing/) |

+| Microsoft.Blueprint | [Azure Blueprints](../../governance/blueprints/index.yml) |

+| Microsoft.ClassicSubscription - [registered by default](#registration) | Classic deployment model |

+| Microsoft.Consumption - [registered by default](#registration) | [Cost Management](/azure/cost-management/) |

+| Microsoft.CostManagement - [registered by default](#registration) | [Cost Management](/azure/cost-management/) |

+| Microsoft.CostManagementExports | [Cost Management](/azure/cost-management/) |

+| Microsoft.CustomProviders | [Azure Custom Providers](../custom-providers/overview.md) |

+| Microsoft.DynamicsLcs | [Lifecycle Services](https://lcs.dynamics.com/Logon/Index) |

+| Microsoft.Features - [registered by default](#registration) | [Azure Resource Manager](../index.yml) |

+| Microsoft.GuestConfiguration | [Azure Policy](../../governance/policy/index.yml) |

+| Microsoft.PolicyInsights | [Azure Policy](../../governance/policy/index.yml) |

+| Microsoft.Portal - [registered by default](#registration) | [Azure portal](../../azure-portal/index.yml) |

+| Microsoft.RecoveryServices | [Azure Site Recovery](../../site-recovery/index.yml) |

+| Microsoft.ResourceGraph - [registered by default](#registration) | [Azure Resource Graph](../../governance/resource-graph/index.yml) |

+| Microsoft.ResourceHealth | [Azure Service Health](../../service-health/index.yml) |

+| Microsoft.Resources - [registered by default](#registration) | [Azure Resource Manager](../index.yml) |

+| Microsoft.Scheduler | [Scheduler](../../scheduler/index.yml) |

+| Microsoft.SoftwarePlan | License |

+| Microsoft.Solutions | [Azure Managed Applications](../managed-applications/index.yml) |

+## Media resource providers

+| Resource provider namespace | Azure service |

+| | - |

+## Migration resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.ClassicInfrastructureMigrate | Classic deployment model migration |

+| Microsoft.DataBox | [Azure Data Box](../../databox/index.yml) |

+| Microsoft.DataBoxEdge | [Azure Stack Edge](../../databox-online/azure-stack-edge-overview.md) |

+| Microsoft.DataMigration | [Azure Database Migration Service](../../dms/index.yml) |

+| Microsoft.Migrate | [Azure Migrate](../../migrate/migrate-services-overview.md) |

+## Monitoring resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.AlertsManagement | [Azure Monitor](../../azure-monitor/index.yml) |

+| Microsoft.ChangeAnalysis | [Azure Monitor](../../azure-monitor/index.yml) |

+| Microsoft.Insights | [Azure Monitor](../../azure-monitor/index.yml) |

+| Microsoft.Intune | [Azure Monitor](../../azure-monitor/index.yml) |

+| Microsoft.WorkloadMonitor | [Azure Monitor](../../azure-monitor/index.yml) |

+## Network resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.Cdn | [Content Delivery Network](../../cdn/index.yml) |

+| Microsoft.ClassicNetwork | Classic deployment model virtual network |

+| Microsoft.ManagedNetwork | Virtual networks managed by PaaS services |

+| Microsoft.Network | [Application Gateway](../../application-gateway/index.yml)<br />[Azure Bastion](../../bastion/index.yml)<br />[Azure DDoS Protection](../../ddos-protection/ddos-protection-overview.md)<br />[Azure DNS](../../dns/index.yml)<br />[Azure ExpressRoute](../../expressroute/index.yml)<br />[Azure Firewall](../../firewall/index.yml)<br />[Azure Front Door Service](../../frontdoor/index.yml)<br />[Azure Private Link](../../private-link/index.yml)<br />[Azure Route Server](../../route-server/index.yml)<br />[Load Balancer](../../load-balancer/index.yml)<br />[Network Watcher](../../network-watcher/index.yml)<br />[Traffic Manager](../../traffic-manager/index.yml)<br />[Virtual Network](../../virtual-network/index.yml)<br />[Virtual Network NAT](../../virtual-network/nat-gateway/nat-overview.md)<br />[Virtual WAN](../../virtual-wan/index.yml)<br />[VPN Gateway](../../vpn-gateway/index.yml)<br /> |

+## Security resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.Attestation | [Azure Attestation Service](../../attestation/overview.md) |

+| Microsoft.CustomerLockbox | [Customer Lockbox for Microsoft Azure](../../security/fundamentals/customer-lockbox-overview.md) |

+| Microsoft.DataProtection | Data Protection |

+| Microsoft.HardwareSecurityModules | [Azure Dedicated HSM](../../dedicated-hsm/index.yml) |

+| Microsoft.KeyVault | [Key Vault](../../key-vault/index.yml) |

+| Microsoft.WindowsDefenderATP | [Microsoft Defender Advanced Threat Protection](../../security-center/security-center-wdatp.md) |

+| Microsoft.WindowsESU | Extended Security Updates |

+## Storage resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.ClassicStorage | Classic deployment model storage |

+| Microsoft.ElasticSan | [Elastic SAN Preview](../../storage/elastic-san/index.yml) |

+| Microsoft.HybridData | [StorSimple](../../storsimple/index.yml) |

+| Microsoft.ImportExport | [Azure Import/Export](../../import-export/storage-import-export-service.md) |

+| Microsoft.NetApp | [Azure NetApp Files](../../azure-netapp-files/index.yml) |

+| Microsoft.ObjectStore | Object Store |

+## Web resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.BingMaps | [Bing Maps](/BingMaps/#pivot=main&panel=BingMapsAPI) |

+| Microsoft.CertificateRegistration | [App Service Certificates](../../app-service/configure-ssl-app-service-certificate.md) |

+| Microsoft.DomainRegistration | [App Service](../../app-service/index.yml) |

+| Microsoft.Maps | [Azure Maps](../../azure-maps/index.yml) |

+| Microsoft.SignalRService | [Azure SignalR Service](../../azure-signalr/index.yml) |

+## 5G & Space resource providers

+| Resource provider namespace | Azure service |

+| | - |

+| Microsoft.HybridNetwork | [Network Function Manager](../../network-function-manager/index.yml) |

+| Microsoft.MobileNetwork | [Azure Private 5G Core](../../private-5g-core/index.yml) |

+| Microsoft.Orbital | [Azure Orbital Ground Station](../../orbital/overview.md) |

+Resource providers marked with **- registered by default** in the previous section are automatically registered for your subscription. For other resource providers, you need to [register them](resource-providers-and-types.md). However, many resource providers are registered automatically when you perform specific actions. For example, when you create resources through the portal or by deploying an [Azure Resource Manager template](../templates/overview.md), Azure Resource Manager automatically registers any required unregistered resource providers.

+| The AV64 SKU currently supports RAID-1 FTT1, RAID-5 FTT1, and RAID-1 FTT2 vSAN storage policies. For more information, see [AV64 supported RAID configuration](introduction.md#av64-supported-raid-configuration) |Nov 2023 |N/A|N/A|

+ Title: Deploy Arc-enabled Azure VMware Solution

+# Deploy Arc-enabled Azure VMware Solution

+In this article, learn how to deploy Arc for Azure VMware Solution. Once you set up the components needed for this public preview, you're ready to execute operations in Azure VMware Solution vCenter Server from the Azure portal. Arc-enabled Azure VMware Solution allows you to do the actions:

+- Identify your VMware vSphere resources (VMs, templates, networks, datastores, clusters/hosts/resource pools) and register them with Arc at scale.

+- Perform different virtual machine (VM) operations directly from Azure like; create, resize, delete, and power cycle operations (start/stop/restart) on VMware VMs consistently with Azure.

+- Permit developers and application teams to use VM operations on-demand with [Role-based access control (RBAC)](https://learn.microsoft.com/azure/role-based-access-control/overview).

+- Install the Arc-connected machine agent to [govern, protect, configure, and monitor](https://learn.microsoft.com/azure/azure-arc/servers/overview#supported-cloud-operations) them.

+- Browse your VMware vSphere resources (vms, templates, networks, and storage) in Azure

+## How Arc-enabled VMware vSphere differs from Arc-enabled servers

+You have the flexibility to start with either option, Arc-enabled servers or Arc-enabled VMware vSphere. With both options, you receive the same consistent experience. Regardless of the initial option chosen, you can incorporate the other one later without disruption. The following information helps you understand the difference between both options:

+**Arc-enabled servers**

+Azure Arc-enabled servers interact on the guest operating system level. They do that with no awareness of the underlying infrastructure or the virtualization platform they're running on. Since Arc-enabled servers support bare-metal machines, there might not be a host hypervisor in some cases.

+**Arc-enabled VMware vSphere**

+Arc-enabled VMware vSphere is a superset of Arc-enabled servers that extends management capabilities beyond the quest operating system to the VM itself that provides lifecycle management and CRUD (Create, Read, Update, Delete) operations on a VMware vSphere VM. These lifecycle management capabilities are exposed in the Azure portal with a look and feel just like a regular Azure VM. Azure Arc-enabled VMware vSphere provides guest operating system management that uses the same components as Azure Arc-enabled servers.

+## Deploy Arc

+There should be an isolated NSX-T Data Center network segment for deploying the Arc for Azure VMware Solution Open Virtualization Appliance (OVA). If an isolated NSX-T Data Center network segment doesn't exist, one is created.

+### Prerequisites

+> [!IMPORTANT]

+> You can't create the resources in a separate resource group. Ensure you use the same resource group from where the Azure VMware Solution private cloud was created to create your resources.

+You need the following items to ensure you're set up to begin the onboarding process to deploy Arc for Azure VMware Solution.

+- Validate the regional support before you start the onboarding process. Arc for Azure VMware Solution is supported in all regions where Arc for VMware vSphere on-premises is supported. For details, see [Azure Arc-enabled VMware vSphere](https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview#supported-regions).

+- A jump box virtual machine (VM) or a [management VM](https://learn.microsoft.com/azure/azure-arc/resource-bridge/system-requirements#management-machine-requirements) with internet access that has a direct line of site to the vCenter.

+ - From the jump box VM, verify you have access to [vCenter Server and NSX-T manager portals](https://learn.microsoft.com/azure/azure-vmware/tutorial-access-private-cloud#connect-to-the-vcenter-server-of-your-private-cloud).

+- A resource group in the subscription where you have an owner or contributor role.

+- An unused, isolated [NSX Data Center network segment](https://learn.microsoft.com/azure/azure-vmware/tutorial-nsx-t-network-segment) that is a static network segment with static IP assignment of size /28 CIDR for deploying the Arc for Azure VMware Solution OVA. If an isolated NSX-T Data Center network segment doesn't exist, one gets created.

+- Verify your Azure subscription is enabled and has connectivity to Azure end points.

+- The firewall and proxy URLs must be allowlisted in order to enable communication from the management machine, Appliance VM, and Control Plane IP to the required Arc resource bridge URLs. See the [Azure eArc resource bridge (Preview) network requirements](https://learn.microsoft.com/azure/azure-arc/resource-bridge/network-requirements).

+- Verify your vCenter Server version is 6.7 or higher.

+- A resource pool or a cluster with a minimum capacity of 16 GB of RAM and four vCPUs.

+- A datastore with a minimum of 100 GB of free disk space is available through the resource pool or cluster.

+- On the vCenter Server, allow inbound connections on TCP port 443. This action ensures that the Arc resource bridge and VMware vSphere cluster extension can communicate with the vCenter Server.

+> [!NOTE]

+> - Private endpoint is currently not supported.

+> - DHCP support isn't available to customers at this time, only static IP addresses are currently supported.

+## Registration to Arc for Azure VMware Solution feature set

+For feature registration, users need to sign into their **Subscription**, navigate to the **Preview features** tab, and search for 'Azure Arc for Azure VMware Solution'. Once registered, no other permissions are required for users to access Arc.

+Use the following steps to guide you through the process to onboard Azure Arc for Azure VMware Solution.

+2. Open the 'config_avs.json' file and populate all the variables.

+ - `networkForApplianceVM` is the name for the segment for Arc appliance VM. One gets created if it doesn't already exist.

+ - `applianceControlPlaneIpAddress` is the IP address for the Kubernetes API server that should be part of the segment IP CIDR provided. It shouldn't be part of the K8s node pool IP range.

+ - `k8sNodeIPPoolStart`, `k8sNodeIPPoolEnd`, `gatewayIPAddress` ,`applianceControlPlaneIpAddress` are optional. You can choose to skip all the optional fields or provide values for all. If you choose not to provide the optional fields, then you must use /28 address space for `networkCIDRForApplianceVM`

+3. Run the installation scripts. You can optionionally setup this preview from a Windows or Linux-based jump box/VM.

+4. More Azure resources are created in your resource group.

+> After the successful installation of Azure Arc resource bridge, it's recommended to retain a copy of the resource bridge config.yaml files and the kubeconfig file safe and secure them in a place that facilitates easy retrieval. These files could be needed later to run commands to perform management operations on the resource bridge. You can find the 3 .yaml files (config files) and the kubeconfig file in the same folder where you ran the script.

+When the script is run successfully, check the status to see if Azure Arc is now configured. To verify if your private cloud is Arc-enabled, do the following actions:

+- Choose **Azure Arc**.

+- Azure Arc state shows as **Configured**.

+Recover from failed deployments

+If the Azure Arc resource bridge deployment fails, consult the [Azure Arc resource bridge troubleshooting](https://learn.microsoft.com/azure/azure-arc/resource-bridge/troubleshoot-resource-bridge) guide. While there can be many reasons why the Azure Arc resource bridge deployment fails, one of them is KVA timeout error. Learn more about the [KVA timeout error](https://learn.microsoft.com/azure/azure-arc/resource-bridge/troubleshoot-resource-bridge#kva-timeout-error) and how to troubleshoot.

+## Discover and project your VMware vSphere infrastructure resources to Azure

+When Arc appliance is successfully deployed on your private cloud, you can do the following actions.

+- View the status from within the private cloud left navigation under **Operations > Azure Arc**.

+- View the VMware vSphere infrastructure resources from the private cloud left navigation under **Private cloud** then select **Azure Arc vCenter resources**.

+- Discover your VMware vSphere infrastructure resources and project them to Azure by navigating, **Private cloud > Arc vCenter resources > Virtual Machines**.

+- Similar to VMs, customers can enable networks, templates, resource pools, and data-stores in Azure.

+## Enable resource pools, clusters, hosts, datastores, networks, and VM templates in Azure

+Once you connected your Azure VMware Solution private cloud to Azure, you can browse your vCenter inventory from the Azure portal. This section shows you how to enable resource pools, networks, and other non-VM resources in Azure.

+> [!NOTE]

+> Enabling Azure Arc on a VMware vSphere resource is a read-only operation on vCenter. It doesn't make changes to your resource in vCenter.

+1. On your Azure VMware Solution private cloud, in the left navigation, locate **vCenter Inventory**.

+2. Select the resource(s) you want to enable, then select **Enable in Azure**.

+3. Select your Azure **Subscription** and **Resource Group**, then select **Enable**.

+ The enable action starts a deployment and creates a resource in Azure, creating representations for your VMware vSphere resources. It allows you to manage who can access those resources through Role-based access control (RBAC) granularly.

+4. Repeat the previous steps for one or more network, resource pool, and VM template resources.

+## Enable guest management and extension installation

+Before you install an extension, you need to enable guest management on the VMware VM.

+### Prerequisite

+Before you can install an extension, ensure your target machine meets the following conditions:

+- Is running a [supported operating system](https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#supported-operating-systems).

+- Is able to connect through the firewall to communicate over the internet and these [URLs](https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#urls) aren't blocked.

+- Has VMware tools installed and running.

+- Is powered on and the resource bridge has network connectivity to the host running the VM.

+### Enable guest management

+You need to enable guest management on the VMware VM before you can install an extension. Use the following steps to enable guest management.

+1. From the left navigation, locate **vCenter Server Inventory** and choose **Virtual Machines** to view the list of VMs.

+1. Select the VM you want to install the guest management agent on.

+1. Select **Enable guest management** and provide the administrator username and password to enable guest management then select **Apply**.

+1. Verify **Enable guest management** is now checked.

+### Install the LogAnalytics extension

+1. Locate **Extensions** from the left navigation and select **Add**.

+ 1. Based on the extension, you need to provide details. For example, `workspace Id` and `key` for LogAnalytics extension.

+## Supported extensions and management services

+Perform VM operations on VMware VMs through Azure using [supported extensions and management services](https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/perform-vm-ops-through-azure#supported-extensions-and-management-services)

+## Azure VMware Solution private cloud extension with AV64 node size

+The AV64 is a new Azure VMware Solution host SKU, which is available to expand (not to create) the Azure VMware Solution private cloud built with the existing AV36, AV36P, or AV52 SKU. Use the [Microsoft documentation](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-vmware) to check for availability of the AV64 SKU in the region.

+### Prerequisite for AV64 usage

+See the following prerequisites for AV64 cluster deployment.

+- An Azure VMware solution private cloud is created using AV36, AV36P, or AV52 in AV64 supported [region/AZ](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-vmware).

+- You need one /23 or three (contiguous or noncontiguous) /25 address blocks for AV64 cluster management.

+### Supportability for customer scenarios

+**Customer with existing Azure VMware Solution private cloud**:

+When a customer has a deployed Azure VMware Solution private cloud, they can scale the private cloud by adding a separate AV64 vCenter node cluster to that private cloud. In this scenario, customers should use the following steps:

+1. Get an AV64 [quota approval from Microsoft](/azure/azure-vmware/request-host-quota-azure-vmware-solution) with the minimum of three nodes. Add other details on the Azure VMware Solution private cloud that you plan to extend using AV64.

+2. Use an existing Azure VMware Solution add-cluster workflow with AV64 hosts to expand.

+**Customer plans to create a new Azure VMware Solution private cloud**: When a customer wants a new Azure VMware Solution private cloud that can use AV64 SKU but only for expansion. In this case, the customer meets the prerequisite of having an Azure VMware Solution private cloud built with AV36, AV36P, or AV52 SKU. The customer needs to buy a minimum of three nodes of AV36, AV36P, or AV52 SKU before expanding using AV64. For this scenario, use the following steps:

+1. Get AV36, AV36P, AV52 and AV64 [quota approval from Microsoft](/azure/azure-vmware/request-host-quota-azure-vmware-solution) with a minimum of three nodes each.

+2. Create an Azure VMware Solution private cloud using AV36, AV36P, or AV52 SKU.

+3. Use an existing Azure VMware Solution add-cluster workflow with AV64 hosts to expand.

+**Azure VMware Solution stretched cluster private cloud**: The AV64 SKU isn't supported with Azure VMware Solution stretched cluster private cloud. This means that an AV64-based expansion isn't possible for an Azure VMware Solution stretched cluster private cloud.

+### AV64 Cluster vSAN fault domain (FD) design and recommendations

+The traditional Azure VMware Solution host clusters don't have explicit vSAN FD configuration. The reasoning is the host allocation logic ensures, within clusters, that no two hosts reside in the same physical fault domain within an Azure region. This feature inherently brings resilience and high availability for storage, which the vSAN FD configuration is supposed to bring. More information on vSAN FD can be found in the [VMware documentation](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan.doc/GUID-8491C4B0-6F94-4023-8C7A-FD7B40D0368D.html).

+The Azure VMware Solution AV64 host clusters have an explicit vSAN fault domain (FD) configuration. Azure VMware Solution control plane configures five vSAN fault domains for AV64 clusters, and hosts are balanced evenly across these five FDs, as users scale up the hosts in a cluster from three nodes to 16 nodes.

+### Cluster size recommendation

+The Azure VMware Solution minimum vSphere node cluster size supported is three. The vSAN data redundancy is handled by ensuring the minimum cluster size of three hosts are in different vSAN FDs. In a vSAN cluster with three hosts, each in a different FD, Should an FD fail (for example, the top of rack switch fails), the vSAN data would be protected. Operations such as object creation (new VM, VMDK, and others) would fail. The same is true of any maintenance activities where an ESXi host is placed into maintenance mode and/or rebooted. To avoid scenarios such as these, it's recommended to deploy vSAN clusters with a minimum of four ESXi hosts.

+### AV64 host removal workflow and best practices

+Because of the AV64 cluster vSAN fault domain (FD) configuration and need for hosts balanced across all FDs, the host removal from AV64 cluster differs from traditional Azure VMware Solution host clusters with other SKUs.

+Currently, a user can select one or more hosts to be removed from the cluster using portal or API. One condition is that a cluster should have a minimum of three hosts. However, an AV64 cluster behaves differently in certain scenarios when AV64 uses vSAN FDs. Any host removal request is checked against potential vSAN FD imbalance. If a host removal request creates an imbalance, the request is rejected with the http 409-Conflict response. The http 409-Conflict response status code indicates a request conflict with the current state of the target resource (hosts).

+The following three scenarios show examples of instances that would normally error out and demonstrate different methods that can be used to remove hosts without creating a vSAN fault domain (FD) imbalance.

+- When removing a host creates a vSAN FD imbalance with a difference of hosts between most and least populated FD to be more than one.

+ In the following example users, need to remove one of the hosts from FD 1 before removing hosts from other FDs.

+ :::image type="content" source="media/introduction/remove-host-scenario-1.png" alt-text="Diagram showing how users need to remove one of the hosts from FD 1 before removing hosts from other FDs." border="false":::

+- When multiple host removal requests are made at the same time and certain host removals create an imbalance. In this scenario, the Azure VMware Solution control plane removes only hosts, which don't create imbalance.

+ In the following example users can't take both of the hosts from the same FDs unless they're reducing the cluster size to four or lower.

+ :::image type="content" source="media/introduction/remove-host-scenario-2.png" alt-text="Diagram showing how users can't take both of the hosts from the same FDs unless they're reducing the cluster size to four or lower." border="false":::

+- When a selected host removal causes less than three active vSAN FDs. This scenario isn't expected to occur given that all AV64 regions have five FDs and, while adding hosts, the Azure VMware Solution control plane takes care of adding hosts from all five FDs evenly.

+ In the following example users can remove one of the hosts from FD 1, but not from FD 2 or 3.

+ :::image type="content" source="media/introduction/remove-host-scenario-3.png" alt-text="Diagram showing how users can remove one of the hosts from FD 1, but not from FD 2 or 3." border="false":::

+**How to identify the host that can be removed without causing a vSAN FD imbalance**: A user can go to the vSphere user interface to get the current state of vSAN FDs and hosts associated with each of them. This helps to identify hosts (based on the previous examples) that can be removed without affecting the vSAN FD balance and avoid any errors in the removal operation.

+### AV64 supported RAID configuration

+This table provides the list of RAID configuration supported and host requirements in AV64 cluster. The RAID6/FTT2 and RAID1/FTT3 policies will be supported in future on AV64 SKU. Microsoft allows customers to use the RAID-5 FTT1 vSAN storage policy for AV64 clusters with six or more nodes to meet the service level agreement.

+|RAID configuration |Failures to tolerate (FTT) | Minimum hosts required |

+|-|--||

+|RAID-1 (Mirroring) Default setting.| 1 | 3 |

+|RAID-5 (Erasure Coding) | 1 | 4 |

+|RAID-1 (Mirroring) | 2 | 5 |

+

+| Microsoft - Azure VMware Solution | Physical infrastructure<ul><li>Azure regions</li><li>Azure availability zones</li><li>Express Route/Global Reach</ul></li>Compute/Network/Storage<ul><li>Rack and power Bare Metal hosts</li><li>Rack and power network equipment</ul></li>Software defined Data Center (SDDC) deploy/lifecycle<ul><li>VMware ESXi deploy, patch, and upgrade</li><li>VMware vCenter Servers deploy, patch, and upgrade</li><li>VMware NSX-T Data Centers deploy, patch, and upgrade</li><li>VMware vSAN deploy, patch, and upgrade</ul></li>SDDC Networking - VMware NSX-T Data Center provider config<ul><li>Microsoft Edge node/cluster, VMware NSX-T Data Center host preparation</li><li>Provider Tier-0 and Tenant Tier-1 Gateway</li><li>Connectivity from Tier-0 (using BGP) to Azure Network via Express Route</ul></li>SDDC Compute - VMware vCenter Server provider config<ul><li>Create default cluster</li><li>Configure virtual networking for vMotion, Management, vSAN, and others</ul></li>SDDC backup/restore<ul><li>Back up and restore VMware vCenter Server</li><li>Back up and restore VMware NSX-T Data Center NSX-T Manager</ul></li>SDDC health monitoring and corrective actions, for example: replace failed hosts</br><br>(optional) VMware HCX deploys with fully configured compute profile on cloud side as add-on</br><br>(optional) SRM deploys, upgrade, and scale up/down</br><br>Support - SDDC platforms and VMware HCX |

+| Customer | Request Azure VMware Solution host quote with Microsoft<br>Plan and create a request for SDDCs on Azure portal with:<ul><li>Host count</li><li>Management network range</li><li>Other information</ul></li>Configure SDDC network and security (VMware NSX-T Data Center)<ul><li>Network segments to host applications</li><li>More Tier -1 routers</li><li>Firewall</li><li>VMware NSX-T Data Center LB</li><li>IPsec VPN</li><li>NAT</li><li>Public IP addresses</li><li>Distributed firewall/gateway firewall</li><li>Network extension using VMware HCX or VMware NSX-T Data Center</li><li>AD/LDAP config for RBAC</ul></li>Configure SDDC - VMware vCenter Server<ul><li>AD/LDAP config for RBAC</li><li>Deploy and lifecycle management of Virtual Machines (VMs) and application<ul><li>Install operating systems</li><li>Patch operating systems</li><li>Install antivirus software</li><li>Install backup software</li><li>Install configuration management software</li><li>Install application components</li><li>VM networking using VMware NSX-T Data Center segments</ul></li><li>Migrate Virtual Machines (VMs)<ul><li>VMware HCX configuration</li><li>Live vMotion</li><li>Cold migration</li><li>Content library sync</ul></li></ul></li>Configure SDDC - vSAN<ul><li>Define and maintain vSAN VM policies</li><li>Add hosts to maintain adequate 'slack space'</ul></li>Configure VMware HCX<ul><li>Download and deploy HCA connector OVA in on-premises</li><li>Pairing on-premises VMware HCX connector</li><li>Configure the network profile, compute profile, and service mesh</li><li>Configure VMware HCX network extension/MON</li><li>Upgrade/updates</ul></li>Network configuration to connect to on-premises, virtual network, or internet</br><br>Add or delete hosts requests to cluster from Portal</br><br>Deploy/lifecycle management of partner (third party) solutions |

+ Title: Manage Arc-enabled Azure VMware private cloud

+description: Learn how to manage your Arc-enabled Azure VMware private cloud.

+# Manage Arc-enabled Azure VMware private cloud

+In this article, learn how to update the Arc appliance credentials, upgrade the Arc resource bridge, and collect logs from the Arc resource bridge.

+## Update Arc appliance credential

+When **cloud admin** credentials are updated, use the following steps to update the credentials in the appliance store.

+1. Sign into the jumpbox VM from where the [onboard process](https://learn.microsoft.com/azure/azure-vmware/arc-enabled-azure-vmware-solution?tabs=windows#onboard-process-to-deploy-azure-arc) was performed. Change the directory to **onboarding directory**.

+1. Run the following command:

+ For Windows-based jumpbox VM.

+

+ `./.temp/.env/Scripts/activate`

+ For Linux-based jumpbox VM

+ `./.temp/.env/bin/activate

+1. Run the following command:

+ `az arcappliance update-infracredentials vmware --kubeconfig <kubeconfig file>`

+1. Run the following command:

+`az connectedvmware vcenter connect --debug --resource-group {resource-group} --name {vcenter-name-in-azure} --location {vcenter-location-in-azure} --custom-location {custom-location-name} --fqdn {vcenter-ip} --port {vcenter-port} --username cloudadmin@vsphere.local --password {vcenter-password}`

+

+> [!NOTE]

+> Customers need to ensure kubeconfig and SSH keys remain available as they will be required for log collection, appliance Upgrade, and credential rotation. These parameters will be required at the time of upgrade, log collection, and credential update scenarios.

+**Parameters**

+Required parameters

+`-kubeconfig # kubeconfig of Appliance resource`

+**Examples**

+The following command invokes the set credential for the specified appliance resource.

+` az arcappliance setcredential <provider> --kubeconfig <kubeconfig>`

+## Upgrade the Arc resource bridge

+Azure Arc-enabled Azure VMware Private Cloud requires the Arc resource bridge to connect your VMware vSphere environment with Azure. Periodically, new images of Arc resource bridge are released to include security and feature updates.

+> [!NOTE]

+> To upgrade the Arc resource bridge VM to the latest version, you'll need to perform the onboarding again with the **same resource IDs**. This will cause some downtime as operations that are performed through Arc during this time might fail.

+Use the following steps to perform a manual upgrade for Arc appliance virtual machine (VM).

+1. Sign into vCenter Server.

+1. Locate the Arc appliance VM, which should be in the resource pool that was configured during onboarding.

+1. Power off the VM.

+1. Delete the VM.

+1. Delete the download template corresponding to the VM.

+1. Delete the resource bridge **Azure Resource Manager** resource.

+1. Get the previous script `Config_avs` file and add the following configuration item:

+ `"register":false`

+1. Download the latest version of the Azure VMware Solution [onboarding script](https://learn.microsoft.com/azure/azure-vmware/deploy-arc-for-azure-vmware-solution?tabs=windows#onboard-process-to-deploy-azure-arc).

+1. Run the new onboarding script with the previous `config_avs.json` from the jump box VM, without changing other config items.

+## Collect logs from the Arc resource bridge

+Perform ongoing administration for Arc-enabled VMware vSphere by [collecting logs from the Arc resource bridge](https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/administer-arc-vmware#collecting-logs-from-the-arc-resource-bridge).

+ Title: Remove Arc-enabled Azure VMware Solution vSphere resources from Azure

+description: Learn how to remove Arc-enabled Azure VMware Solution vSphere resources from Azure.

+# Remove Arc-enabled Azure VMware Solution vSphere resources from Azure

+In this article, learn how to cleanly remove your VMware vCenter environment from Azure Arc-enabled VMware vSphere. For VMware vSphere environments that you no longer want to manage with Azure Arc-enabled VMware vSphere, use the information in this article to perform the following actions:

+- Remove guest management from VMware virtual machines (VMs).

+- Remove VMware vSphere resource from Azure Arc.

+- Remove Arc resource bridge related items in your vCenter.

+## Remove guest management from VMware VMs

+To prevent continued billing of Azure management services, after you remove the vSphere environment from Azure Arc, you must first remove guest management from all Arc-enabled Azure VMware Solution VMs where it was enabled.

+When you enable guest management on Arc-enabled Azure VMware Solution VMs, the Arc connected machine agent is installed on them. Once guest management is enabled, you can install VM extensions on them and use Azure management services like the Log Analytics on them.

+To completely remove guest management, use the following steps to remove any VM extensions from the virtual machine, disconnect the agent, and uninstall the software from your virtual machine. It's important to complete each of the three steps to fully remove all related software components from your virtual machines.

+### Remove VM extensions

+Use the following steps to uninstall extensions from the portal.

+> [!NOTE]

+> **Steps 2-5** must be performed for all the VMs that have VM extensions installed.

+1. Sign in to your Azure VMware Solution private cloud.

+1. Select **Virtual machines** in **Private cloud**, found in the left navigation under ΓÇ£vCenter Server Inventory Page".

+1. Search and select the virtual machine where you have **Guest management** enabled.

+1. Select **Extensions**.

+1. Select the extensions and select **Uninstall**.

+### Disable guest management from Azure Arc

+To avoid problems onboarding the same VM to **Guest management**, we recommend you do the following steps to cleanly disable guest management capabilities.

+> [!NOTE]

+> **Steps 2-3** must be performed for **all VMs** that have **Guest management** enabled.

+1. Sign into the virtual machine using administrator or root credentials and run the following command in the shell.

+ 1. `azcmagent disconnect --force-local-only`.

+1. Uninstall the `ConnectedMachine agent` from the machine.

+1. Set the **identity** on the VM resource to **none**.

+## Uninstall agents from Virtual Machines (VMs)

+### Windows VM uninstall

+To uninstall the Windows agent from the machine, use the following steps:

+1. Sign in to the computer with an account that has administrator permissions.

+2. In **Control Panel**, select **Programs and Features**.

+3. In **Programs and Features**, select **Azure Connected machine Agent**, select **Uninstall**, then select **Yes**.

+4. Delete the `C:\Program Files\AzureConnectedMachineAgent` folder.

+### Linux VM uninstall

+To uninstall the Linux agent, the command to use depends on the Linux operating system. You must have `root` access permissions or your account must have elevated rights using sudo.

+- For Ubuntu, run the following command:

+ ```bash

+ sudo apt purge azcmagent

+ ```

+- For RHEL, CentOS, Oracle Linux run the following command:

+ ```bash

+ sudo yum remove azcmagent

+ ```

+- For SLES, run the following command:

+ ```bash

+ sudo zypper remove azcmagent

+ ```

+## Remove VMware vSphere resources from Azure

+When you activate Arc-enabled Azure VMware Solution resources in Azure, a representation is created for them in Azure. Before you can delete the vCenter Server resource in Azure, you need to delete all of the Azure resource representations you created for your vSphere resources. To delete the Azure resource representations you created, do the following steps:

+1. Go to the Azure portal.

+1. Choose **Virtual machines** from Arc-enabled VMware vSphere resources in the private cloud.

+1. Select all the VMs that have an Azure Enabled value as **Yes**.

+1. Select **Remove from Azure**. This step starts deployment and removes these resources from Azure. The resources remain in your vCenter Server.

+ 1. Repeat steps 2, 3 and 4 for **Resourcespools/clusters/hosts**, **Templates**, **Networks**, and **Datastores**.

+1. When the deletion completes, select **Overview**.

+ 1. Note the Custom location and the Azure Arc Resource bridge resources in the Essentials section.

+1. Select **Remove from Azure** to remove the vCenter Server resource from Azure.

+1. Go to vCenter Server resource in Azure and delete it.

+1. Go to the Custom location resource and select **Delete**.

+1. Go to the Azure Arc Resource bridge resources and select **Delete**.

+At this point, all of your Arc-enabled VMware vSphere resources are removed from Azure.

+## Remove Arc resource bridge related items in your vCenter

+During onboarding, to create a connection between your VMware vCenter and Azure, an Azure Arc resource bridge is deployed into your VMware vSphere environment. As the last step, you must delete the resource bridge VM as well the VM template created during the onboarding.

+As a last step, run the following command:

+[`az rest --method delete`](https://management.azure.com/subscriptions/f%7BsubId%7D/resourcegroups/%7Brg)

+Once that step is done, Arc no longer works on the Azure VMware Solution private cloud. When you delete Arc resources from vCenter Server, it doesn't affect the Azure VMware Solution private cloud for the customer.

+- **Add PSTN participants. (Currently in [public preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/))** Invite public switched telephone network (PSTN) participants to a call using a number purchased through your subscription or via Azure direct routing to your Session Border Controller (SBC).

+| **Add PSTN participants** **| | |

+| - Call participants using phone calls | ✔️** | ❌ | ❌ |

+\* Only available on the web calling SDK. Not available on iOS and Android calling SDKs

+** Currently in [public preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+> [!IMPORTANT]

+> If you plan to enable open/click tracking for your email links, ensure that you are formatting the email content in HTML correctly. Specifically, make sure your tracking content is properly encapsulated within the payload, as demonstrated below:

+```html

+ <a href="https://www.contoso.com">Contoso Inc.,</a>.

+```

+The following documents might be interesting to you:

+| `pstnDialOutEnabled`* | Enable or disable dialing out to a PSTN number in a room.|

+*pstnDialOutEnabled is currently in [public preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)

+> For a walkthrough of setting up a customer tenant and numbers for your testing, see [Configure a test customer for Microsoft Teams Direct Routing with Azure Communications Gateway](configure-test-customer-teams-direct-routing.md) and [Configure test numbers for Microsoft Teams Direct Routing with Azure Communications Gateway](configure-test-numbers-teams-direct-routing.md). When you onboard a real customer, you'll need to follow a similar process, but you'll typically need to ask your customer to carry out the steps that need access to their tenant.

+Azure Communications Gateway sits at the edge of your fixed networks. It connects these networks to Zoom servers, allowing you to support the Zoom Phone Cloud Peering program. The following diagram shows where Azure Communications Gateway sits in your network.

+You provide a trunk towards Zoom (via Azure Communications Gateway) for your customers. Calls flow from Zoom clients through the Zoom servers and Azure Communications Gateway into your network. [!INCLUDE [communications-gateway-multitenant](includes/communications-gateway-multitenant.md)].

+You must provision Azure Communications Gateway with the details of the numbers that you upload to Zoom. This provisioning allows Azure Communications Gateway to route calls correctly. For more information, see [Identifying Zoom calls](#identifying-zoom-calls).

+Azure Communications Gateway doesn't support Premises Peering (where each customer has an eSBC) for Zoom Phone.

+Azure Communications Gateway can use Opus, G.722 and G.711 towards Zoom servers, with a packetization time of 20 ms. You must select the codecs that you want to support when you deploy Azure Communications Gateway.

+If your network can't support a packetization time of 20 ms, you must contact your onboarding team or raise a support request to discuss your requirements for transrating (changing packetization time).

+## Identifying Zoom calls

+You must provision Azure Communications Gateway with all the numbers that you upload to Zoom and indicate that these numbers are enabled for Zoom service. This provisioning allows Azure Communications Gateway to route calls to and from Zoom. It requires [Azure Communications Gateway's Provisioning API](integrate-with-provisioning-api.md).

+> [!IMPORTANT]

+> If numbers that you upload to Zoom aren't configured on Azure Communications Gateway, calls involving those numbers fail.

+>

+> [Configure test numbers for Zoom Phone Cloud Peering with Azure Communications Gateway](configure-test-numbers-zoom.md) explains how to set up test numbers for integration testing. You will need to follow a similar process for real customer numbers.

+Optionally, you can indicate to your network that calls are from Zoom by:

+- Using the Provisioning API to add a header to calls associated with Zoom numbers.

+- Configuring Zoom to add a header with custom contents to SIP INVITEs (as part of uploading numbers to Zoom). For more information on this header, see Zoom's _Zoom Phone Provider Exchange Solution Reference Guide_.

+1. Open a new Visual Studio Code window.

+1. Select <kbd>F1</kbd> to open the command palette.

+1. Enter **Git: Clone** and press enter.

+1. Enter the following URL to clone the sample project:

+ https://github.com/Azure-Samples/containerapps-albumapi-javascript.git

+1. Select a folder to clone the project into.

+1. Select **Open** to open the project in Visual Studio Code.

+1. Select <kbd>F1</kbd> to open the command palette.

+## Create and deploy to Azure Container Apps

+1. Select <kbd>F1</kbd> to open the command palette and run the **Azure Container Apps: Deploy Project from Workspace** command.

+1. Enter the following values as prompted by the extension.

+ | Select subscription | Select the Azure subscription you want to use. |

+ | Select a container apps environment | Select **Create new container apps environment**. You're only asked this question if you have existing Container Apps environments. |

+ | Enter a name for the new container app resource(s) | Enter **my-container-app**. |

+ | Select a location | Select an Azure region close to you. |

+ | Would you like to save your deployment configuration? | Select **Save**. |

+ The Azure activity log panel opens and displays the deployment progress. This process might take a few minutes to complete.

+1. Once this process finishes, Visual Studio Code displays a notification. Select **Browse** to open the deployed app in a browser.

+ In the browser's location bar, append the `/albums` path at the end of the app URL to view data from a sample API request.

+1. Select the **my-container-app** resource group from the *Overview* section.

+1. Enter the resource group name **my-container-app** in the *Are you sure you want to delete "my-container-apps"* confirmation dialog.

+ The process to delete the resource group might take a few minutes to complete.

+* You may use the portal [Cloud Shell](/azure/cloud-shell/get-started?tabs=powershell) to run container copy commands. Alternately, you may run the commands locally; make sure you have [Azure CLI](/cli/azure/install-azure-cli) downloaded and installed on your machine.

+1. Install the certificate according to the process typically used for your operating system. For example, in Linux you would copy the certificate to the `/usr/local/share/ca-certificates/` path.

+> for production workloads. Certain features might not be supported or might have constrained

+An Azure Cosmos DB for PostgreSQL cluster is created with one built-in native PostgreSQL role named 'citus'. You can add more native PostgreSQL roles after cluster provisioning is completed.

+1. In **Microsoft Entra authentication (preview)** section, select **Add Microsoft Entra admins**.

+Use the following procedures to authenticate with Microsoft Entra ID as an Azure Cosmos DB for PostgreSQL user. You can follow along in [Azure Cloud Shell](./../../cloud-shell/get-started.md), on an Azure virtual machine, or on your local machine.

+> Make sure PGPASSWORD variable is set to the Microsoft Entra access token for your

+> subscription for Microsoft Entra authentication. If you need to do Postgres role authentication

+> from the same session you can set PGPASSWORD to the Postgres role password

+> or clear the PGPASSWORD variable value to enter the password interactively.

+To grant the same permissions to Microsoft Entra role `user@tenant.onmicrosoft.com` use the following command:

+ - You can run the script in the Bash environment in [Azure Cloud Shell](../../../../cloud-shell/get-started.md). When Cloud Shell opens, make sure to select **Bash** in the environment field at the upper left of the shell window. Cloud Shell has the latest version of Azure CLI.

+ - You can run the script in the Bash environment in [Azure Cloud Shell](../../../../cloud-shell/get-started.md). When Cloud Shell opens, make sure to select **Bash** in the environment field at the upper left of the shell window. Cloud Shell has the latest version of Azure CLI.

+ - You can run the script in the Bash environment in [Azure Cloud Shell](../../../../cloud-shell/get-started.md). When Cloud Shell opens, make sure to select **Bash** in the environment field at the upper left of the shell window. Cloud Shell has the latest version of Azure CLI.

+ - You can run the script in the Bash environment in [Azure Cloud Shell](../../../../cloud-shell/get-started.md). When Cloud Shell opens, make sure **Bash** appears in the environment field at the upper left of the shell window. Cloud Shell always has the latest version of Azure CLI.

+ - You can run the script in the Bash environment in [Azure Cloud Shell](../../../../cloud-shell/get-started.md). When Cloud Shell opens, make sure **Bash** appears in the environment field at the upper left of the shell window. Cloud Shell always has the latest version of Azure CLI.

+The script in this article demonstrates performing resource lock operations for a API for Table table.

+ - You can run the script in the Bash environment in [Azure Cloud Shell](../../../../cloud-shell/get-started.md). When Cloud Shell opens, make sure **Bash** appears in the environment field at the upper left of the shell window. Cloud Shell always has the latest version of Azure CLI.

+ - You can run the script in the Bash environment in [Azure Cloud Shell](../../../../cloud-shell/get-started.md). When Cloud Shell opens, make sure **Bash** appears in the environment field at the upper left of the shell window. Cloud Shell always has the latest version of Azure CLI.

+> On November 15, 2023, the Azure Enterprise portal is retiring for EA enrollments in the Commercial cloud and is becoming read-only for EA enrollments in the Azure Government cloud.

+> Customers and Partners should use Cost Management + Billing in the Azure portal to manage their enrollments. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md).

+> Since August 14, 2023, EA customers is not be able to manage their Azure Government EA enrollments from the [Azure portal](https://portal.azure.com). Instead, they can manage it from the Azure Government portal at [https://portal.azure.us](https://portal.azure.us). The functionality mentioned in this article is same as the Azure Government portal.

+To view detailed usage for specific accounts, download the usage detail report. Usage files can be large. If you prefer, you can use the exports feature to get the same data exported to an Azure Storage account. For more information, see [Export usage details to a storage account](../costs/tutorial-export-acm-data.md).

+An EA administrator can download the invoice from the [Azure portal](https://portal.azure.com) or send it in email. Invoices are sent to whoever is set up to receive invoices for the enrollment. If someone other than an EA administrator needs an email copy of the invoice, an EA administrator can send them a copy.

+Your invoice displays Azure usage charges with costs associated to them first, followed by any Marketplace charges. If you have a credit balance, it gets applied to Azure usage. Your invoice shows Azure usage and Marketplace usage without any cost last.

+### Advanced report download

+You can use the Download Advanced Report to get reports that cover specific date ranges for the selected accounts. The output file is in CSV format to accommodate large record sets.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for **Cost Management + Billing** and select it.

+1. Select **Billing scopes** from the navigation menu and then select the billing account that you want to work with.4. In the left navigation menu, select Billing profiles and select the billing profile that you want to work with.

+1. In the navigation menu, select **Usage + Charges**.

+1. At the top of the Usage + charges page, select **Download Advanced report**.

+1. Select a date range and the accounts to include in the report.

+1. Select **Download**.

+1. You can also download files from the **Report History**. It shows the latest reports that you downloaded.

+If your currency uses a period (**.**) for the thousandth place separator and a comma (**,**) for the decimal place separator, it gets displayed incorrectly. For example: *1.000,00*. The import results might vary depending on your regional language setting.

+1. Under **Delimiters**, select the box for **Comma**. Clear **Tab** if selected.

+> [!NOTE]

+> On November 15, 2023, the Azure Enterprise portal is retiring for EA enrollments in the Commercial cloud and is becoming read-only for EA enrollments in the Azure Government cloud.

+> Customers and Partners should use Cost Management + Billing in the Azure portal to manage their enrollments. For more information about enrollment management in the Azure portal, see [Get started with EA billing in the Azure portal](ea-direct-portal-get-started.md).

+ Title: Copy and transform data in Microsoft Fabric Lakehouse (Preview)

+description: Learn how to copy and transform data to and from Microsoft Fabric Lakehouse (Preview) using Azure Data Factory or Azure Synapse Analytics pipelines.

+# Copy and transform data in Microsoft Fabric Lakehouse (Preview) using Azure Data Factory or Azure Synapse Analytics

+Microsoft Fabric Lakehouse is a data architecture platform for storing, managing, and analyzing structured and unstructured data in a single location. In order to achieve seamless data access across all compute engines in Microsoft Fabric, go to [Lakehouse and Delta Tables](/fabric/data-engineering/lakehouse-and-delta-tables) to learn more.

+This article outlines how to use Copy activity to copy data from and to Microsoft Fabric Lakehouse (Preview) and use Data Flow to transform data in Microsoft Fabric Lakehouse (Preview). To learn more, read the introductory article for [Azure Data Factory](introduction.md) or [Azure Synapse Analytics](../synapse-analytics/overview-what-is.md).

+> [!IMPORTANT]

+> This connector is currently in preview. You can try it out and give us feedback. If you want to take a dependency on preview connectors in your solution, please contact [Azure support](https://azure.microsoft.com/support/).

+## Supported capabilities

+This Microsoft Fabric Lakehouse connector is supported for the following capabilities:

+| Supported capabilities|IR | Managed private endpoint|

+|| --| --|

+|[Copy activity](copy-activity-overview.md) (source/sink)|&#9312; &#9313;|Γ£ô |

+|[Mapping data flow](concepts-data-flow-overview.md) (source/sink)|&#9312; |Γ£ô |

+<small>*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*</small>

+## Get started

+## Create a Microsoft Fabric Lakehouse linked service using UI

+Use the following steps to create a Microsoft Fabric Lakehouse linked service in the Azure portal UI.

+1. Browse to the Manage tab in your Azure Data Factory or Synapse workspace and select Linked Services, then select New:

+ # [Azure Data Factory](#tab/data-factory)

+ :::image type="content" source="media/doc-common-process/new-linked-service.png" alt-text="Screenshot of creating a new linked service with Azure Data Factory UI.":::

+ # [Azure Synapse](#tab/synapse-analytics)

+ :::image type="content" source="media/doc-common-process/new-linked-service-synapse.png" alt-text="Screenshot of creating a new linked service with Azure Synapse UI.":::

+1. Search for Microsoft Fabric Lakehouse and select the connector.

+ :::image type="content" source="media/connector-microsoft-fabric-lakehouse/microsoft-fabric-lakehouse-connector.png" alt-text="Screenshot showing select Microsoft Fabric Lakehouse connector.":::

+1. Configure the service details, test the connection, and create the new linked service.

+ :::image type="content" source="media/connector-microsoft-fabric-lakehouse/configure-microsoft-fabric-lakehouse-linked-service.png" alt-text="Screenshot of configuration for Microsoft Fabric Lakehouse linked service.":::

+## Connector configuration details

+The following sections provide details about properties that are used to define Data Factory entities specific to Microsoft Fabric Lakehouse.

+## Linked service properties

+The Microsoft Fabric Lakehouse connector supports the following authentication types. See the corresponding sections for details:

+- [Service principal authentication](#service-principal-authentication)

+### Service principal authentication

+To use service principal authentication, follow these steps.

+1. Register an application with the Microsoft Identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:

+ - Application ID

+ - Application key

+ - Tenant ID

+2. Grant the service principal at least the **Contributor** role in Microsoft Fabric workspace. Follow these steps:

+ 1. Go to your Microsoft Fabric workspace, select **Manage access** on the top bar. Then select **Add people or groups**.

+

+ :::image type="content" source="media/connector-microsoft-fabric-lakehouse/fabric-workspace-manage-access.png" alt-text="Screenshot shows selecting Fabric workspace Manage access.":::

+ :::image type="content" source="media/connector-microsoft-fabric-lakehouse/manage-access-pane.png" alt-text=" Screenshot shows Fabric workspace Manage access pane.":::

+

+ 1. In **Add people** pane, enter your service principal name, and select your service principal from the drop-down list.

+

+ 1. Specify the role as **Contributor** or higher (Admin, Member), then select **Add**.

+

+ :::image type="content" source="media/connector-microsoft-fabric-lakehouse/select-workspace-role.png" alt-text="Screenshot shows adding Fabric workspace role.":::

+ 1. Your service principal is displayed on **Manage access** pane.

+

+These properties are supported for the linked service:

+| Property | Description | Required |

+|: |: |: |

+| type | The type property must be set to **Lakehouse**. |Yes |

+| workspaceId | The Microsoft Fabric workspace ID. | Yes |

+| artifactId | The Microsoft Fabric Lakehouse object ID. | Yes |

+| tenant | Specify the tenant information (domain name or tenant ID) under which your application resides. Retrieve it by hovering the mouse in the upper-right corner of the Azure portal. | Yes |

+| servicePrincipalId | Specify the application's client ID. | Yes |

+| servicePrincipalCredentialType | The credential type to use for service principal authentication. Allowed values are **ServicePrincipalKey** and **ServicePrincipalCert**. | Yes |

+| servicePrincipalCredential | The service principal credential. <br/> When you use **ServicePrincipalKey** as the credential type, specify the application's key. Mark this field as **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). <br/> When you use **ServicePrincipalCert** as the credential, reference a certificate in Azure Key Vault, and ensure the certificate content type is **PKCS #12**.| Yes |

+| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime if your data store is in a private network. If not specified, the default Azure integration runtime is used. |No |

+**Example: using service principal key authentication**

+You can also store service principal key in Azure Key Vault.

+```json

+{

+ "name": "MicrosoftFabricLakehouseLinkedService",

+ "properties": {

+ "type": "Lakehouse",

+ "typeProperties": {

+ "workspaceId": "<Microsoft Fabric workspace ID>",

+ "artifactId": "<Microsoft Fabric Lakehouse object ID>",

+ "tenant": "<tenant info, e.g. microsoft.onmicrosoft.com>",

+ "servicePrincipalId": "<service principal id>",

+ "servicePrincipalCredentialType": "ServicePrincipalKey",

+ "servicePrincipalCredential": {

+ "type": "SecureString",

+ "value": "<service principal key>"

+ }

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+ }

+ }

+}

+```

+## Dataset properties

+Microsoft Fabric Lakehouse connector supports two types of datasets, which are Microsoft Fabric Lakehouse Files dataset

+and Microsoft Fabric Lakehouse Table dataset. See the corresponding sections for details.

+- [Microsoft Fabric Lakehouse Files dataset](#microsoft-fabric-lakehouse-files-dataset)

+- [Microsoft Fabric Lakehouse Table dataset](#microsoft-fabric-lakehouse-table-dataset)

+For a full list of sections and properties available for defining datasets, see [Datasets](concepts-datasets-linked-services.md).

+### Microsoft Fabric Lakehouse Files dataset

+Microsoft Fabric Lakehouse connector supports the following file formats. Refer to each article for format-based settings.

+- [Avro format](format-avro.md)

+- [Binary format](format-binary.md)

+- [Delimited text format](format-delimited-text.md)

+- [JSON format](format-json.md)

+- [ORC format](format-orc.md)

+- [Parquet format](format-parquet.md)

+The following properties are supported under `location` settings in the format-based Microsoft Fabric Lakehouse Files dataset:

+| Property | Description | Required |

+| - | | -- |

+| type | The type property under `location` in the dataset must be set to **LakehouseLocation**. | Yes |

+| folderPath | The path to a folder. If you want to use a wildcard to filter folders, skip this setting and specify it in activity source settings. | No |

+| fileName | The file name under the given folderPath. If you want to use a wildcard to filter files, skip this setting and specify it in activity source settings. | No |

+**Example:**

+```json

+{

+ "name": "DelimitedTextDataset",

+ "properties": {

+ "type": "DelimitedText",

+ "linkedServiceName": {

+ "referenceName": "<Microsoft Fabric Lakehouse linked service name>",

+ "type": "LinkedServiceReference"

+ },

+ "typeProperties": {

+ "location": {

+ "type": "LakehouseLocation",

+ "fileName": "<file name>",

+ "folderPath": "<folder name>"

+ },

+ "columnDelimiter": ",",

+ "compressionCodec": "gzip",

+ "escapeChar": "\\",

+ "firstRowAsHeader": true,

+ "quoteChar": "\""

+ },

+ "schema": [ < physical schema, optional, auto retrieved during authoring > ]

+ }

+}

+```

+### Microsoft Fabric Lakehouse Table dataset

+The following properties are supported for Microsoft Fabric Lakehouse Table dataset:

+| Property | Description | Required |

+| :-- | :-- | :-- |

+| type | The **type** property of the dataset must be set to **LakehouseTable**. | Yes |

+| table | The name of your table. | Yes |

+**Example:**

+```json

+{

+    "name": "LakehouseTableDataset",

+    "properties": {

+        "type": "LakehouseTable",

+        "linkedServiceName": {

+            "referenceName": "<Microsoft Fabric Lakehouse linked service name>",

+            "type": "LinkedServiceReference"

+        },

+        "typeProperties": {

+ "table": "<table_name>"

+        },

+        "schema": [< physical schema, optional, retrievable during authoring >]

+    }

+}

+```

+## Copy activity properties

+The copy activity properties for Microsoft Fabric Lakehouse Files dataset and Microsoft Fabric Lakehouse Table dataset are different. See the corresponding sections for details.

+- [Microsoft Fabric Lakehouse Files in Copy activity](#microsoft-fabric-lakehouse-files-in-copy-activity)

+- [Microsoft Fabric Lakehouse Table in Copy activity](#microsoft-fabric-lakehouse-table-in-copy-activity)

+For a full list of sections and properties available for defining activities, see [Copy activity configurations](copy-activity-overview.md#configuration) and [Pipelines and activities](concepts-pipelines-activities.md).

+### Microsoft Fabric Lakehouse Files in Copy activity

+To use Microsoft Fabric Lakehouse Files dataset type as a source or sink in Copy activity, go to the following sections for the detailed configurations.

+#### Microsoft Fabric Lakehouse Files as a source type

+Microsoft Fabric Lakehouse connector supports the following file formats. Refer to each article for format-based settings.

+- [Avro format](format-avro.md)

+- [Binary format](format-binary.md)

+- [Delimited text format](format-delimited-text.md)

+- [JSON format](format-json.md)

+- [ORC format](format-orc.md)

+- [Parquet format](format-parquet.md)

+You have several options to copy data from Microsoft Fabric Lakehouse using the Microsoft Fabric Lakehouse Files dataset:

+- Copy from the given path specified in the dataset.

+- Wildcard filter against folder path or file name, see `wildcardFolderPath` and `wildcardFileName`.

+- Copy the files defined in a given text file as file set, see `fileListPath`.

+The following properties are under `storeSettings` settings in format-based copy source when using Microsoft Fabric Lakehouse Files dataset:

+| Property | Description | Required |

+| | | |

+| type | The type property under `storeSettings` must be set to **LakehouseReadSettings**. | Yes |

+| ***Locate the files to copy:*** | | |

+| OPTION 1: static path<br> | Copy from the folder/file path specified in the dataset. If you want to copy all files from a folder, additionally specify `wildcardFileName` as `*`. | |

+| OPTION 2: wildcard<br>- wildcardFolderPath | The folder path with wildcard characters to filter source folders. <br>Allowed wildcards are: `*` (matches zero or more characters) and `?` (matches zero or single character); use `^` to escape if your actual folder name has wildcard or this escape char inside. <br>See more examples in [Folder and file filter examples](#folder-and-file-filter-examples). | No |

+| OPTION 2: wildcard<br>- wildcardFileName | The file name with wildcard characters under the given folderPath/wildcardFolderPath to filter source files. <br>Allowed wildcards are: `*` (matches zero or more characters) and `?` (matches zero or single character); use `^` to escape if your actual file name has wildcard or this escape char inside. See more examples in [Folder and file filter examples](#folder-and-file-filter-examples). | Yes |

+| OPTION 3: a list of files<br>- fileListPath | Indicates to copy a given file set. Point to a text file that includes a list of files you want to copy, one file per line, which is the relative path to the path configured in the dataset.<br/>When using this option, don't specify file name in dataset. See more examples in [File list examples](#file-list-examples). |No |

+| ***Additional settings:*** | | |

+| recursive | Indicates whether the data is read recursively from the subfolders or only from the specified folder. Note that when recursive is set to true and the sink is a file-based store, an empty folder or subfolder isn't copied or created at the sink. <br>Allowed values are **true** (default) and **false**.<br>This property doesn't apply when you configure `fileListPath`. |No |

+| deleteFilesAfterCompletion | Indicates whether the binary files will be deleted from source store after successfully moving to the destination store. The file deletion is per file, so when copy activity fails, you'll see some files have already been copied to the destination and deleted from source, while others are still remaining on source store. <br/>This property is only valid in binary files copy scenario. The default value: false. |No |

+| modifiedDatetimeStart | Files filter based on the attribute: Last Modified. <br>The files will be selected if their last modified time is greater than or equal to `modifiedDatetimeStart` and less than `modifiedDatetimeEnd`. The time is applied to UTC time zone in the format of "2018-12-01T05:00:00Z". <br> The properties can be NULL, which means no file attribute filter will be applied to the dataset. When `modifiedDatetimeStart` has datetime value but `modifiedDatetimeEnd` is NULL, it means the files whose last modified attribute is greater than or equal with the datetime value will be selected. When `modifiedDatetimeEnd` has datetime value but `modifiedDatetimeStart` is NULL, it means the files whose last modified attribute is less than the datetime value will be selected.<br/>This property doesn't apply when you configure `fileListPath`. | No |

+| modifiedDatetimeEnd | Same as above. | No |

+| enablePartitionDiscovery | For files that are partitioned, specify whether to parse the partitions from the file path and add them as additional source columns.<br/>Allowed values are **false** (default) and **true**. | No |

+| partitionRootPath | When partition discovery is enabled, specify the absolute root path in order to read partitioned folders as data columns.<br/><br/>If it isn't specified, by default,<br/>- When you use file path in dataset or list of files on source, partition root path is the path configured in dataset.<br/>- When you use wildcard folder filter, partition root path is the sub-path before the first wildcard.<br/><br/>For example, assuming you configure the path in dataset as "root/folder/year=2020/month=08/day=27":<br/>- If you specify partition root path as "root/folder/year=2020", copy activity will generate two more columns `month` and `day` with value "08" and "27" respectively, in addition to the columns inside the files.<br/>- If partition root path isn't specified, no extra column will be generated. | No |

+| maxConcurrentConnections | The upper limit of concurrent connections established to the data store during the activity run. Specify a value only when you want to limit concurrent connections.| No |

+**Example:**

+```json

+"activities": [

+ {

+ "name": "CopyFromLakehouseFiles",

+ "type": "Copy",

+ "inputs": [

+ {

+ "referenceName": "<Delimited text input dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "outputs": [

+ {

+ "referenceName": "<output dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "typeProperties": {

+ "source": {

+ "type": "DelimitedTextSource",

+ "storeSettings": {

+ "type": "LakehouseReadSettings",

+ "recursive": true,

+ "enablePartitionDiscovery": false

+ },

+ "formatSettings": {

+ "type": "DelimitedTextReadSettings"

+ }

+ },

+ "sink": {

+ "type": "<sink type>"

+ }

+ }

+ }

+]

+```

+#### Microsoft Fabric Lakehouse Files as a sink type

+Microsoft Fabric Lakehouse connector supports the following file formats. Refer to each article for format-based settings.

+- [Avro format](format-avro.md)

+- [Binary format](format-binary.md)

+- [Delimited text format](format-delimited-text.md)

+- [JSON format](format-json.md)

+- [ORC format](format-orc.md)

+- [Parquet format](format-parquet.md)

+The following properties are under `storeSettings` settings in format-based copy sink when using Microsoft Fabric Lakehouse Files dataset:

+| Property | Description | Required |

+| | | -- |

+| type | The type property under `storeSettings` must be set to **LakehouseWriteSettings**. | Yes |

+| copyBehavior | Defines the copy behavior when the source is files from a file-based data store.<br/><br/>Allowed values are:<br/><b>- PreserveHierarchy (default)</b>: Preserves the file hierarchy in the target folder. The relative path of the source file to the source folder is identical to the relative path of the target file to the target folder.<br/><b>- FlattenHierarchy</b>: All files from the source folder are in the first level of the target folder. The target files have autogenerated names. <br/><b>- MergeFiles</b>: Merges all files from the source folder to one file. If the file name is specified, the merged file name is the specified name. Otherwise, it's an autogenerated file name. | No |

+| blockSizeInMB | Specify the block size in MB used to write data to Microsoft Fabric Lakehouse. Learn more [about Block Blobs](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs#about-block-blobs). <br/>Allowed value is **between 4 MB and 100 MB**. <br/>By default, ADF automatically determines the block size based on your source store type and data. For non-binary copy into Microsoft Fabric Lakehouse, the default block size is 100 MB so as to fit in at most approximately 4.75-TB data. It might be not optimal when your data isn't large, especially when you use Self-hosted Integration Runtime with poor network resulting in operation timeout or performance issue. You can explicitly specify a block size, while ensure blockSizeInMB*50000 is big enough to store the data, otherwise copy activity run will fail. | No |

+| maxConcurrentConnections | The upper limit of concurrent connections established to the data store during the activity run. Specify a value only when you want to limit concurrent connections.| No |

+| metadata |Set custom metadata when copy to sink. Each object under the `metadata` array represents an extra column. The `name` defines the metadata key name, and the `value` indicates the data value of that key. If [preserve attributes feature](./copy-activity-preserve-metadata.md#preserve-metadata) is used, the specified metadata will union/overwrite with the source file metadata.<br/><br/>Allowed data values are:<br/>- `$$LASTMODIFIED`: a reserved variable indicates to store the source files' last modified time. Apply to file-based source with binary format only.<br/><b>- Expression<b><br/>- <b>Static value<b>| No |

+**Example:**

+```json

+"activities": [

+ {

+ "name": "CopyToLakehouseFiles",

+ "type": "Copy",

+ "inputs": [

+ {

+ "referenceName": "<input dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "outputs": [

+ {

+ "referenceName": "<Parquet output dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "typeProperties": {

+ "source": {

+ "type": "<source type>"

+ },

+ "sink": {

+ "type": "ParquetSink",

+ "storeSettings": {

+ "type": "LakehouseWriteSettings",

+ "copyBehavior": "PreserveHierarchy",

+ "metadata": [

+ {

+ "name": "testKey1",

+ "value": "value1"

+ },

+ {

+ "name": "testKey2",

+ "value": "value2"

+ }

+ ]

+ },

+ "formatSettings": {

+ "type": "ParquetWriteSettings"

+ }

+ }

+ }

+ }

+]

+```

+#### Folder and file filter examples

+This section describes the resulting behavior of the folder path and file name with wildcard filters.

+| folderPath | fileName | recursive | Source folder structure and filter result (files in **bold** are retrieved)|

+|: |: |: |: |

+| `Folder*` | (Empty, use default) | false | FolderA<br/>&nbsp;&nbsp;&nbsp;&nbsp;**File1.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;**File2.json**<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3.csv<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4.json<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5.csv<br/>AnotherFolderB<br/>&nbsp;&nbsp;&nbsp;&nbsp;File6.csv |

+| `Folder*` | (Empty, use default) | true | FolderA<br/>&nbsp;&nbsp;&nbsp;&nbsp;**File1.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;**File2.json**<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File3.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File4.json**<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File5.csv**<br/>AnotherFolderB<br/>&nbsp;&nbsp;&nbsp;&nbsp;File6.csv |

+| `Folder*` | `*.csv` | false | FolderA<br/>&nbsp;&nbsp;&nbsp;&nbsp;**File1.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2.json<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3.csv<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4.json<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5.csv<br/>AnotherFolderB<br/>&nbsp;&nbsp;&nbsp;&nbsp;File6.csv |

+| `Folder*` | `*.csv` | true | FolderA<br/>&nbsp;&nbsp;&nbsp;&nbsp;**File1.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2.json<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File3.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4.json<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File5.csv**<br/>AnotherFolderB<br/>&nbsp;&nbsp;&nbsp;&nbsp;File6.csv |

+#### File list examples

+This section describes the resulting behavior of using file list path in copy activity source.

+Assuming you have the following source folder structure and want to copy the files in bold:

+| Sample source structure | Content in FileListToCopy.txt | ADF configuration |

+| | | |

+| filesystem<br/>&nbsp;&nbsp;&nbsp;&nbsp;FolderA<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File1.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File2.json<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File3.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4.json<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File5.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;Metadata<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;FileListToCopy.txt | File1.csv<br>Subfolder1/File3.csv<br>Subfolder1/File5.csv | **In dataset:**<br>- File system: `filesystem`<br>- Folder path: `FolderA`<br><br>**In copy activity source:**<br>- File list path: `filesystem/Metadata/FileListToCopy.txt` <br><br>The file list path points to a text file in the same data store that includes a list of files you want to copy, one file per line with the relative path to the path configured in the dataset. |

+#### Some recursive and copyBehavior examples

+This section describes the resulting behavior of the copy operation for different combinations of recursive and copyBehavior values.

+| recursive | copyBehavior | Source folder structure | Resulting target |

+|: |: |: |: |

+| true |preserveHierarchy | Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5 | The target Folder1 is created with the same structure as the source:<br/><br/>Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5 |

+| true |flattenHierarchy | Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5 | The target Folder1 is created with the following structure: <br/><br/>Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;autogenerated name for File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;autogenerated name for File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;autogenerated name for File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;autogenerated name for File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;autogenerated name for File5 |

+| true |mergeFiles | Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5 | The target Folder1 is created with the following structure: <br/><br/>Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1 + File2 + File3 + File4 + File5 contents are merged into one file with an autogenerated file name. |

+| false |preserveHierarchy | Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5 | The target Folder1 is created with the following structure: <br/><br/>Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/><br/>Subfolder1 with File3, File4, and File5 isn't picked up. |

+| false |flattenHierarchy | Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5 | The target Folder1 is created with the following structure: <br/><br/>Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;autogenerated name for File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;autogenerated name for File2<br/><br/>Subfolder1 with File3, File4, and File5 isn't picked up. |

+| false |mergeFiles | Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5 | The target Folder1 is created with the following structure: <br/><br/>Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1 + File2 contents are merged into one file with an autogenerated file name. autogenerated name for File1<br/><br/>Subfolder1 with File3, File4, and File5 isn't picked up. |

+### Microsoft Fabric Lakehouse Table in Copy activity

+To use Microsoft Fabric Lakehouse Table dataset as a source or sink dataset in Copy activity, go to the following sections for the detailed configurations.

+#### Microsoft Fabric Lakehouse Table as a source type

+To copy data from Microsoft Fabric Lakehouse using Microsoft Fabric Lakehouse Table dataset, set the **type** property in the Copy activity source to **LakehouseTableSource**. The following properties are supported in the Copy activity **source** section:

+| Property | Description | Required |

+| : | :-- | :- |

+| type | The **type** property of the Copy Activity source must be set to **LakehouseTableSource**. | Yes |

+| timestampAsOf | The timestamp to query an older snapshot. | No |

+| versionAsOf | The version to query an older snapshot. | No |

+**Example:**

+```json

+"activities":[

+ {

+ "name": "CopyFromLakehouseTable",

+ "type": "Copy",

+ "inputs": [

+ {

+ "referenceName": "<Microsoft Fabric Lakehouse Table input dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "outputs": [

+ {

+ "referenceName": "<output dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "typeProperties": {

+ "source": {

+ "type": "LakehouseTableSource",

+ "timestampAsOf": "2023-09-23T00:00:00.000Z",

+ "versionAsOf": 2

+ },

+ "sink": {

+ "type": "<sink type>"

+ }

+ }

+ }

+]

+```

+#### Microsoft Fabric Lakehouse Table as a sink type

+To copy data to Microsoft Fabric Lakehouse using Microsoft Fabric Lakehouse Table dataset, set the **type** property in the Copy Activity sink to **LakehouseTableSink**. The following properties are supported in the Copy activity **sink** section:

+| Property | Description | Required |

+| : | :-- | :- |

+| type | The **type** property of the Copy Activity source must be set to **LakehouseTableSink**. | Yes |

+**Example:**

+```json

+"activities":[

+ {

+ "name": "CopyToLakehouseTable",

+ "type": "Copy",

+ "inputs": [

+ {

+ "referenceName": "<input dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "outputs": [

+ {

+ "referenceName": "<Microsoft Fabric Lakehouse Table output dataset name>",

+ "type": "DatasetReference"

+ }

+ ],

+ "typeProperties": {

+ "source": {

+ "type": "<source type>"

+ },

+ "sink": {

+ "type": "LakehouseTableSink",

+ "tableActionOption ": "Append"

+ }

+ }

+ }

+]

+```

+## Mapping data flow properties

+When transforming data in mapping data flow, you can read and write to files or tables in Microsoft Fabric Lakehouse. See the corresponding sections for details.

+- [Microsoft Fabric Lakehouse Files in mapping data flow](#microsoft-fabric-lakehouse-files-in-mapping-data-flow)

+- [Microsoft Fabric Lakehouse Table in mapping data flow](#microsoft-fabric-lakehouse-table-in-mapping-data-flow)

+For more information, see the [source transformation](data-flow-source.md) and [sink transformation](data-flow-sink.md) in mapping data flows.

+### Microsoft Fabric Lakehouse Files in mapping data flow

+To use Microsoft Fabric Lakehouse Files dataset as a source or sink dataset in mapping data flow, go to the following sections for the detailed configurations.

+#### Microsoft Fabric Lakehouse Files as a source type

+Microsoft Fabric Lakehouse connector supports the following file formats. Refer to each article for format-based settings.

+- [Avro format](format-avro.md)

+- [Delimited text format](format-delimited-text.md)

+- [JSON format](format-json.md)

+- [ORC format](format-orc.md)

+- [Parquet format](format-parquet.md)

+#### Microsoft Fabric Lakehouse Files as a sink type

+Microsoft Fabric Lakehouse connector supports the following file formats. Refer to each article for format-based settings.

+- [Avro format](format-avro.md)

+- [Delimited text format](format-delimited-text.md)

+- [JSON format](format-json.md)

+- [ORC format](format-orc.md)

+- [Parquet format](format-parquet.md)

+### Microsoft Fabric Lakehouse Table in mapping data flow

+To use Microsoft Fabric Lakehouse Table dataset as a source or sink dataset in mapping data flow, go to the following sections for the detailed configurations.

+#### Microsoft Fabric Lakehouse Table as a source type

+There are no configurable properties under source options.

+#### Microsoft Fabric Lakehouse Table as a sink type

+The following properties are supported in the Mapping Data Flows **sink** section:

+| Name | Description | Required | Allowed values | Data flow script property |

+| - | -- | -- | -- | - |

+| Update method | When you select "Allow insert" alone or when you write to a new delta table, the target receives all incoming rows regardless of the Row policies set. If your data contains rows of other Row policies, they need to be excluded using a preceding Filter transform. <br><br> When all Update methods are selected a Merge is performed, where rows are inserted/deleted/upserted/updated as per the Row Policies set using a preceding Alter Row transform. | yes | `true` or `false` | insertable <br> deletable <br> upsertable <br> updateable |

+| Optimized Write | Achieve higher throughput for write operation via optimizing internal shuffle in Spark executors. As a result, you might notice fewer partitions and files that are of a larger size | no | `true` or `false` | optimizedWrite: true |

+| Auto Compact | After any write operation has completed, Spark will automatically execute the ```OPTIMIZE``` command to re-organize the data, resulting in more partitions if necessary, for better reading performance in the future | no | `true` or `false` | autoCompact: true |

+| Merge Schema | Merge schema option allows schema evolution, i.e. any columns that are present in the current incoming stream but not in the target Delta table is automatically added to its schema. This option is supported across all update methods. | no | `true` or `false` | mergeSchema: true |

+**Example: Microsoft Fabric Lakehouse Table sink**

+```

+sink(allowSchemaDrift: true,

+ΓÇ» ΓÇ» validateSchema: false,

+ΓÇ» ΓÇ» input(

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» CustomerID as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» NameStyle as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» Title as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» FirstName as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» MiddleName as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» LastName as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» Suffix as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» CompanyName as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» SalesPerson as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» EmailAddress as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» Phone as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» PasswordHash as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» PasswordSalt as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» rowguid as string,

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ModifiedDate as string

+ΓÇ» ΓÇ» ),

+ΓÇ» ΓÇ» deletable:false,

+ΓÇ» ΓÇ» insertable:true,

+ΓÇ» ΓÇ» updateable:false,

+ΓÇ» ΓÇ» upsertable:false,

+ΓÇ» ΓÇ» optimizedWrite: true,

+ΓÇ» ΓÇ» mergeSchema: true,

+ΓÇ» ΓÇ» autoCompact: true,

+ΓÇ» ΓÇ» skipDuplicateMapInputs: true,

+ΓÇ» ΓÇ» skipDuplicateMapOutputs: true) ~> CustomerTable

+```

+## Next steps

+For a list of data stores supported as sources and sinks by the copy activity, see [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats).

+You can only simulate attacks using our approved testing partners:

+- Two virtual machines

+- For this tutorial you'll need to deploy a Load Balancer, a public IP address, Bastion, and two virtual machines. For more information, see [Deploy Load Balancer with DDoS Protection](../load-balancer/tutorial-protect-load-balancer-ddos.md). You can skip the NAT Gateway step in the Deploy Load Balancer with DDoS Protection tutorial.

+In this tutorial, we'll configure DDoS Protection metrics and alerts to monitor for attacks and traffic patterns.

+> For BreakingPoint Cloud, you must first [create a BreakingPoint Cloud account](https://www.ixiacom.com/products/breakingpoint-cloud).

+| Alert (alert type) | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |

+| | | :-: | - |

+| **A logon from a malicious IP has been detected. [seen multiple times]** | A successful remote authentication for the account [account] and process [process] occurred, however the logon IP address (x.x.x.x) has previously been reported as malicious or highly unusual. A successful attack has probably occurred. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory. | - | High |

+| **Addition of Guest account to Local Administrators group** | Analysis of host data has detected the addition of the built-in Guest account to the Local Administrators group on %{Compromised Host}, which is strongly associated with attacker activity. | - | Medium |

+| **An event log was cleared** | Machine logs indicate a suspicious event log clearing operation by user: '%{user name}' in Machine: '%{CompromisedEntity}'. The %{log channel} log was cleared. | - | Informational |

+| **Antimalware Action Failed** | Microsoft Antimalware has encountered an error when taking an action on malware or other potentially unwanted software. | - | Medium |

+| **Antimalware Action Taken** | Microsoft Antimalware for Azure has taken an action to protect this machine from malware or other potentially unwanted software. | - | Medium |

+| **Antimalware broad files exclusion in your virtual machine**<br>(VM_AmBroadFilesExclusion) | Files exclusion from antimalware extension with broad exclusion rule was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Such exclusion practically disabling the Antimalware protection.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | - | Medium |

+| **Antimalware disabled and code execution in your virtual machine**<br>(VM_AmDisablementAndCodeExecution) | Antimalware disabled at the same time as code execution on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers disable antimalware scanners to prevent detection while running unauthorized tools or infecting the machine with malware. | - | High |

+| **Antimalware disabled in your virtual machine**<br>(VM_AmDisablement) | Antimalware disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might disable the antimalware on your virtual machine to prevent detection. | Defense Evasion | Medium |

+| **Antimalware file exclusion and code execution in your virtual machine**<br>(VM_AmFileExclusionAndCodeExecution) | File excluded from your antimalware scanner at the same time as code was executed via a custom script extension on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware. | Defense Evasion, Execution | High |

+| **Antimalware file exclusion and code execution in your virtual machine**<br>(VM_AmTempFileExclusionAndCodeExecution) | Temporary file exclusion from antimalware extension in parallel to execution of code via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion, Execution | High |

+| **Antimalware file exclusion in your virtual machine**<br>(VM_AmTempFileExclusion) | File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware. | Defense Evasion | Medium |

+| **Antimalware real-time protection was disabled in your virtual machine**<br>(VM_AmRealtimeProtectionDisabled) | Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |

+| **Antimalware real-time protection was disabled temporarily in your virtual machine**<br>(VM_AmTempRealtimeProtectionDisablement) | Real-time protection temporary disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |

+| **Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine**<br>(VM_AmRealtimeProtectionDisablementAndCodeExec) | Real-time protection temporary disablement of the antimalware extension in parallel to code execution via custom script extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware. | - | High |

+| **Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview)**<br>(VM_AmMalwareCampaignRelatedExclusion) | An exclusion rule was detected in your virtual machine to prevent your antimalware extension scanning certain files that are suspected of being related to a malware campaign. The rule was detected by analyzing the Azure Resource Manager operations in your subscription. Attackers might exclude files from antimalware scans to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |

+| **Antimalware temporarily disabled in your virtual machine**<br>(VM_AmTemporarilyDisablement) | Antimalware temporarily disabled in your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription.<br>Attackers might disable the antimalware on your virtual machine to prevent detection. | - | Medium |

+| **Antimalware unusual file exclusion in your virtual machine**<br>(VM_UnusualAmFileExclusion) | Unusual file exclusion from antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running arbitrary code or infecting the machine with malware. | Defense Evasion | Medium |

+| **Communication with suspicious domain identified by threat intelligence**<br>(AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised. | Initial Access, Persistence, Execution, Command And Control, Exploitation | Medium |

+| **Detected actions indicative of disabling and deleting IIS log files** | Analysis of host data detected actions that show IIS log files being disabled and/or deleted. | - | Medium |

+| **Detected anomalous mix of upper and lower case characters in command-line** | Analysis of host data on %{Compromised Host} detected a command line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host. | - | Medium |

+| **Detected change to a registry key that can be abused to bypass UAC** | Analysis of host data on %{Compromised Host} detected that a registry key that can be abused to bypass UAC (User Account Control) was changed. This kind of configuration, while possibly benign, is also typical of attacker activity when trying to move from unprivileged (standard user) to privileged (for example administrator) access on a compromised host. | - | Medium |

+| **Detected decoding of an executable using built-in certutil.exe tool** | Analysis of host data on %{Compromised Host} detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed. | - | High |

+| **Detected enabling of the WDigest UseLogonCredential registry key** | Analysis of host data detected a change in the registry key HKLM\SYSTEM\ CurrentControlSet\Control\SecurityProviders\WDigest\ "UseLogonCredential". Specifically this key has been updated to allow logon credentials to be stored in clear text in LSA memory. Once enabled, an attacker can dump clear text passwords from LSA memory with credential harvesting tools such as Mimikatz. | - | Medium |

+| **Detected encoded executable in command line data** | Analysis of host data on %{Compromised Host} detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host. | - | High |

+| **Detected obfuscated command line** | Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on %{Compromised Host} detected suspicious indicators of obfuscation on the commandline. | - | Informational |

+| **Detected possible execution of keygen executable** | Analysis of host data on %{Compromised Host} detected execution of a process whose name is indicative of a keygen tool; such tools are typically used to defeat software licensing mechanisms but their download is often bundled with other malicious software. Activity group GOLD has been known to make use of such keygens to covertly gain back door access to hosts that they compromise. | - | Medium |

+| **Detected possible execution of malware dropper** | Analysis of host data on %{Compromised Host} detected a filename that has previously been associated with one of activity group GOLD's methods of installing malware on a victim host. | - | High |

+| **Detected possible local reconnaissance activity** | Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing reconnaissance activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession in the way that has occurred here is rare. | - | |

+| **Detected potentially suspicious use of Telegram tool** | Analysis of host data shows installation of Telegram, a free cloud-based instant messaging service that exists both for mobile and desktop system. Attackers are known to abuse this service to transfer malicious binaries to any other computer, phone, or tablet. | - | Medium |

+| **Detected suppression of legal notice displayed to users at logon** | Analysis of host data on %{Compromised Host} detected changes to the registry key that controls whether a legal notice is displayed to users when they log on. Microsoft security analysis has determined that this is a common activity undertaken by attackers after having compromised a host. | - | Low |

+| **Detected suspicious combination of HTA and PowerShell** | mshta.exe (Microsoft HTML Application Host) which is a signed Microsoft binary is being used by the attackers to launch malicious PowerShell commands. Attackers often resort to having an HTA file with inline VBScript. When a victim browses to the HTA file and chooses to run it, the PowerShell commands and scripts that it contains are executed. Analysis of host data on %{Compromised Host} detected mshta.exe launching PowerShell commands. | - | Medium |

+| **Detected suspicious commandline arguments** | Analysis of host data on %{Compromised Host} detected suspicious commandline arguments that have been used in conjunction with a reverse shell used by activity group HYDROGEN. | - | High |

+| **Detected suspicious commandline used to start all executables in a directory** | Analysis of host data has detected a suspicious process running on %{Compromised Host}. The commandline indicates an attempt to start all executables (*.exe) that may reside in a directory. This could be an indication of a compromised host. | - | Medium |

+| **Detected suspicious credentials in commandline** | Analysis of host data on %{Compromised Host} detected a suspicious password being used to execute a file by activity group BORON. This activity group has been known to use this password to execute Pirpi malware on a victim host. | - | High |

+| **Detected suspicious document credentials** | Analysis of host data on %{Compromised Host} detected a suspicious, common precomputed password hash used by malware being used to execute a file. Activity group HYDROGEN has been known to use this password to execute malware on a victim host. | - | High |

+| **Detected suspicious execution of VBScript.Encode command** | Analysis of host data on %{Compromised Host} detected the execution of VBScript.Encode command. This encodes the scripts into unreadable text, making it more difficult for users to examine the code. Microsoft threat research shows that attackers often use encoded VBscript files as part of their attack to evade detection systems. This could be legitimate activity, or an indication of a compromised host. | - | Medium |

+| **Detected suspicious execution via rundll32.exe** | Analysis of host data on %{Compromised Host} detected rundll32.exe being used to execute a process with an uncommon name, consistent with the process naming scheme previously seen used by activity group GOLD when installing their first stage implant on a compromised host. | - | High |

+| **Detected suspicious file cleanup commands** | Analysis of host data on %{Compromised Host} detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare. | - | High |

+| **Detected suspicious file creation** | Analysis of host data on %{Compromised Host} detected creation or execution of a process that has previously indicated post-compromise action taken on a victim host by activity group BARIUM. This activity group has been known to use this technique to download more malware to a compromised host after an attachment in a phishing doc has been opened. | - | High |

+| **Detected suspicious named pipe communications** | Analysis of host data on %{Compromised Host} detected data being written to a local named pipe from a Windows console command. Named pipes are known to be a channel used by attackers to task and communicate with a malicious implant. This could be legitimate activity, or an indication of a compromised host. | - | High |

+| **Detected suspicious network activity** | Analysis of network traffic from %{Compromised Host} detected suspicious network activity. Such traffic, while possibly benign, is typically used by an attacker to communicate with malicious servers for downloading of tools, command-and-control and exfiltration of data. Typical related attacker activity includes copying remote administration tools to a compromised host and exfiltrating user data from it. | - | Low |

+| **Detected suspicious new firewall rule** | Analysis of host data detected a new firewall rule has been added via netsh.exe to allow traffic from an executable in a suspicious location. | - | Medium |

+| **Detected suspicious use of Cacls to lower the security state of the system** | Attackers use myriad ways like brute force, spear phishing etc. to achieve initial compromise and get a foothold on the network. Once initial compromise is achieved they often take steps to lower the security settings of a system. CaclsΓÇöshort for change access control list is Microsoft Windows native command-line utility often used for modifying the security permission on folders and files. A lot of time the binary is used by the attackers to lower the security settings of a system. This is done by giving Everyone full access to some of the system binaries like ftp.exe, net.exe, wscript.exe etc. Analysis of host data on %{Compromised Host} detected suspicious use of Cacls to lower the security of a system. | - | Medium |

+| **Detected suspicious use of FTP -s Switch** | Analysis of process creation data from the %{Compromised Host} detected the use of the FTP "-s:filename" switch. This switch is used to specify an FTP script file for the client to run. Malware or malicious processes are known to use this FTP switch (-s:filename) to point to a script file, which is configured to connect to a remote FTP server and download more malicious binaries. | - | Medium |

+| **Detected suspicious use of Pcalua.exe to launch executable code** | Analysis of host data on %{Compromised Host} detected the use of pcalua.exe to launch executable code. Pcalua.exe is component of the Microsoft Windows "Program Compatibility Assistant", which detects compatibility issues during the installation or execution of a program. Attackers are known to abuse functionality of legitimate Windows system tools to perform malicious actions, for example using pcalua.exe with the -a switch to launch malicious executables either locally or from remote shares. | - | Medium |

+| **Detected the disabling of critical services** | The analysis of host data on %{Compromised Host} detected execution of "net.exe stop" command being used to stop critical services like SharedAccess or the Windows Security app. The stopping of either of these services can be indication of a malicious behavior. | - | Medium |

+| **Digital currency mining related behavior detected** | Analysis of host data on %{Compromised Host} detected the execution of a process or command normally associated with digital currency mining. | - | High |

+| **Dynamic PS script construction** | Analysis of host data on %{Compromised Host} detected a PowerShell script being constructed dynamically. Attackers sometimes use this approach of progressively building up a script in order to evade IDS systems. This could be legitimate activity, or an indication that one of your machines has been compromised. | - | Medium |

+| **Executable found running from a suspicious location** | Analysis of host data detected an executable file on %{Compromised Host} that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host. | - | High |

+| **Fileless attack behavior detected**<br>(VM_FilelessAttackBehavior.Windows) | The memory of the process specified contains behaviors commonly used by fileless attacks. Specific behaviors include:<br>1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.<br>2) Active network connections. See NetworkConnections below for details.<br>3) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.<br>4) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks. | Defense Evasion | Low |

+| **Fileless attack technique detected**<br>(VM_FilelessAttackTechnique.Windows) | The memory of the process specified below contains evidence of a fileless attack technique. Fileless attacks are used by attackers to execute code while evading detection by security software. Specific behaviors include:<br>1) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.<br>2) Executable image injected into the process, such as in a code injection attack.<br>3) Active network connections. See NetworkConnections below for details.<br>4) Function calls to security sensitive operating system interfaces. See Capabilities below for referenced OS capabilities.<br>5) Process hollowing, which is a technique used by malware in which a legitimate process is loaded on the system to act as a container for hostile code.<br>6) Contains a thread that was started in a dynamically allocated code segment. This is a common pattern for process injection attacks. | Defense Evasion, Execution | High |

+| **Fileless attack toolkit detected**<br>(VM_FilelessAttackToolkit.Windows) | The memory of the process specified contains a fileless attack toolkit: [toolkit name]. Fileless attack toolkits use techniques that minimize or eliminate traces of malware on disk, and greatly reduce the chances of detection by disk-based malware scanning solutions. Specific behaviors include:<br>1) Well-known toolkits and crypto mining software.<br>2) Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.<br>3) Injected malicious executable in process memory. | Defense Evasion, Execution | Medium |

+| **High risk software detected** | Analysis of host data from %{Compromised Host} detected the usage of software that has been associated with the installation of malware in the past. A common technique utilized in the distribution of malicious software is to package it within otherwise benign tools such as the one seen in this alert. When you use these tools, the malware can be silently installed in the background. | - | Medium |

+| **Local Administrators group members were enumerated** | Machine logs indicate a successful enumeration on group %{Enumerated Group Domain Name}\%{Enumerated Group Name}. Specifically, %{Enumerating User Domain Name}\%{Enumerating User Name} remotely enumerated the members of the %{Enumerated Group Domain Name}\%{Enumerated Group Name} group. This activity could either be legitimate activity, or an indication that a machine in your organization has been compromised and used to reconnaissance %{vmname}. | - | Informational |

+| **Malicious firewall rule created by ZINC server implant [seen multiple times]** | A firewall rule was created using techniques that match a known actor, ZINC. The rule was possibly used to open a port on %{Compromised Host} to allow for Command & Control communications. This behavior was seen [x] times today on the following machines: [Machine names] | - | High |

+| **Malicious SQL activity** | Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is considered malicious. | - | High |

+| **Multiple Domain Accounts Queried** | Analysis of host data has determined that an unusual number of distinct domain accounts are being queried within a short time period from %{Compromised Host}. This kind of activity could be legitimate, but can also be an indication of compromise. | - | Medium |

+| **Possible credential dumping detected [seen multiple times]** | Analysis of host data has detected use of native windows tool (for example, sqldumper.exe) being used in a way that allows to extract credentials from memory. Attackers often use these techniques to extract credentials that they then further use for lateral movement and privilege escalation. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |

+| **Potential attempt to bypass AppLocker detected** | Analysis of host data on %{Compromised Host} detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command-line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host. | - | High |

+| **PsExec execution detected**<br>(VM_RunByPsExec) | Analysis of host data indicates that the process %{Process Name} was executed by PsExec utility. PsExec can be used for running processes remotely. This technique might be used for malicious purposes. | Lateral Movement, Execution | Informational |

+| **Rare SVCHOST service group executed**<br>(VM_SvcHostRunInRareServiceGroup) | The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity. | Defense Evasion, Execution | Informational |

+| **Sticky keys attack detected** | Analysis of host data indicates that an attacker may be subverting an accessibility binary (for example sticky keys, onscreen keyboard, narrator) in order to provide backdoor access to the host %{Compromised Host}. | - | Medium |

+| **Successful brute force attack**<br>(VM_LoginBruteForceSuccess) | Several sign in attempts were detected from the same source. Some successfully authenticated to the host.<br>This resembles a burst attack, in which an attacker performs numerous authentication attempts to find valid account credentials. | Exploitation | Medium/High |

+| **Suspect integrity level indicative of RDP hijacking** | Analysis of host data has detected the tscon.exe running with SYSTEM privileges - this can be indicative of an attacker abusing this binary in order to switch context to any other logged on user on this host; it's a known attacker technique to compromise more user accounts and move laterally across a network. | - | Medium |

+| **Suspect service installation** | Analysis of host data has detected the installation of tscon.exe as a service: this binary being started as a service potentially allows an attacker to trivially switch to any other logged on user on this host by hijacking RDP connections; it's a known attacker technique to compromise more user accounts and move laterally across a network. | - | Medium |

+| **Suspected Kerberos Golden Ticket attack parameters observed** | Analysis of host data detected commandline parameters consistent with a Kerberos Golden Ticket attack. | - | Medium |

+| **Suspicious Account Creation Detected** | Analysis of host data on %{Compromised Host} detected creation or use of a local account %{Suspicious account name} : this account name closely resembles a standard Windows account or group name '%{Similar To Account Name}'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator. | - | Medium |

+| **Suspicious Activity Detected**<br>(VM_SuspiciousActivity) | Analysis of host data has detected a sequence of one or more processes running on %{machine name} that have historically been associated with malicious activity. While individual commands may appear benign the alert is scored based on an aggregation of these commands. This could either be legitimate activity, or an indication of a compromised host. | Execution | Medium |

+| **Suspicious authentication activity**<br>(VM_LoginBruteForceValidUserFailed) | Although none of them succeeded, some of them used accounts were recognized by the host. This resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host. This indicates that some of your host account names might exist in a well-known account name dictionary. | Probing | Medium |

+| **Suspicious code segment detected** | Indicates that a code segment has been allocated by using non-standard methods, such as reflective injection and process hollowing. The alert provides more characteristics of the code segment that have been processed to provide context for the capabilities and behaviors of the reported code segment. | - | Medium |

+| **Suspicious double extension file executed** | Analysis of host data indicates an execution of a process with a suspicious double extension. This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system. | - | High |

+| **Suspicious download using Certutil detected [seen multiple times]** | Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |

+| **Suspicious download using Certutil detected** | Analysis of host data on %{Compromised Host} detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed. | - | Medium |

+| **Suspicious PowerShell Activity Detected** | Analysis of host data detected a PowerShell script running on %{Compromised Host} that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host. | - | High |

+| **Suspicious PowerShell cmdlets executed** | Analysis of host data indicates execution of known malicious PowerShell PowerSploit cmdlets. | - | Medium |

+| **Suspicious process executed [seen multiple times]** | Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials. This behavior was seen [x] times today on the following machines: [Machine names] | - | High |

+| **Suspicious process executed** | Machine logs indicate that the suspicious process: '%{Suspicious Process}' was running on the machine, often associated with attacker attempts to access credentials. | - | High |

+| **Suspicious process name detected [seen multiple times]** | Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised. This behavior was seen [x] times today on the following machines: [Machine names] | - | Medium |

+| **Suspicious process name detected** | Analysis of host data on %{Compromised Host} detected a process whose name is suspicious, for example corresponding to a known attacker tool or named in a way that is suggestive of attacker tools that try to hide in plain sight. This process could be legitimate activity, or an indication that one of your machines has been compromised. | - | Medium |

+| **Suspicious process termination burst**<br>(VM_TaskkillBurst) | Analysis of host data indicates a suspicious process termination burst in %{Machine Name}. Specifically, %{NumberOfCommands} processes were killed between %{Begin} and %{Ending}. | Defense Evasion | Low |

+| **Suspicious SQL activity** | Machine logs indicate that '%{process name}' was executed by account: %{user name}. This activity is uncommon with this account. | - | Medium |

+| **Suspicious SVCHOST process executed** | The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to masquerade its malicious activity. | - | High |

+| **Suspicious system process executed**<br>(VM_SystemProcessInAbnormalContext) | The system process %{process name} was observed running in an abnormal context. Malware often uses this process name to masquerade its malicious activity. | Defense Evasion, Execution | High |

+| **Suspicious Volume Shadow Copy Activity** | Analysis of host data has detected a shadow copy deletion activity on the resource. Volume Shadow Copy (VSC) is an important artifact that stores data snapshots. Some malware and specifically Ransomware, targets VSC to sabotage backup strategies. | - | High |

+| **Suspicious WindowPosition registry value detected** | Analysis of host data on %{Compromised Host} detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in nonvisible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and the Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex value includes, but not limited to c000c000 | - | Low |

+| **Suspiciously named process detected** | Analysis of host data on %{Compromised Host} detected a process whose name is very similar to but different from a very commonly run process (%{Similar To Process Name}). While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names. | - | Medium |

+| **Unusual config reset in your virtual machine**<br>(VM_VMAccessUnusualConfigReset) | An unusual config reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>While this action may be legitimate, attackers can try utilizing VM Access extension to reset the configuration in your virtual machine and compromise it. | Credential Access | Medium |

+| **Unusual process execution detected** | Analysis of host data on %{Compromised Host} detected the execution of a process by %{User Name} that was unusual. Accounts such as %{User Name} tend to perform a limited set of operations, this execution was determined to be out of character and may be suspicious. | - | High |

+| **Unusual user password reset in your virtual machine**<br>(VM_VMAccessUnusualPasswordReset) | An unusual user password reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>While this action may be legitimate, attackers can try utilizing the VM Access extension to reset the credentials of a local user in your virtual machine and compromise it. | Credential Access | Medium |

+| **Unusual user SSH key reset in your virtual machine**<br>(VM_VMAccessUnusualSSHReset) | An unusual user SSH key reset was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.<br>While this action may be legitimate, attackers can try utilizing VM Access extension to reset SSH key of a user account in your virtual machine and compromise it. | Credential Access | Medium |

+| **VBScript HTTP object allocation detected** | Creation of a VBScript file using Command Prompt has been detected. The following script contains HTTP object allocation command. This action can be used to download malicious files. | | |

+| **Suspicious installation of GPU extension in your virtual machine (Preview)** <br> (VM_GPUDriverExtensionUnusualExecution) | Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking. | Impact | Low |

+| Alert (alert type) | Description | MITRE tactics<br>([Learn more](#intentions)) | Severity |

+| | | :-: | - |

+| **Exposed Postgres service with trust authentication configuration in Kubernetes detected (Preview)**<br>(K8S_ExposedPostgresTrustAuth) | Kubernetes cluster configuration analysis detected exposure of a Postgres service by a load balancer. The service is configured with trust authentication method, which doesn't require credentials. | InitialAccess | Medium |

+| **Exposed Postgres service with risky configuration in Kubernetes detected (Preview)**<br>(K8S_ExposedPostgresBroadIPRange) | Kubernetes cluster configuration analysis detected exposure of a Postgres service by a load balancer with a risky configuration. Exposing the service to a wide range of IP addresses poses a security risk. | InitialAccess | Medium |

+| **Attempt to create a new Linux namespace from a container detected**<br>(K8S.NODE_NamespaceCreation) ^{[1](#footnote1)} | Analysis of processes running within a container in Kubernetes cluster detected an attempt to create a new Linux namespace. While this behavior might be legitimate, it might indicate that an attacker tries to escape from the container to the node. Some CVE-2022-0185 exploitations use this technique. | PrivilegeEscalation | Medium |

+| **A history file has been cleared**<br>(K8S.NODE_HistoryFileCleared) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected that the command history log file has been cleared. Attackers may do this to cover their tracks. The operation was performed by the specified user account. | DefenseEvasion | Medium |

+| **Abnormal activity of managed identity associated with Kubernetes (Preview)**<br>(K8S_AbnormalMiActivity) | Analysis of Azure Resource Manager operations detected an abnormal behavior of a managed identity used by an AKS addon. The detected activity isn\'t consistent with the behavior of the associated addon. While this activity can be legitimate, such behavior might indicate that the identity was gained by an attacker, possibly from a compromised container in the Kubernetes cluster. | Lateral Movement | Medium |

+| **Abnormal Kubernetes service account operation detected**<br>(K8S_ServiceAccountRareOperation) | Kubernetes audit log analysis detected abnormal behavior by a service account in your Kubernetes cluster. The service account was used for an operation, which isn't common for this service account. While this activity can be legitimate, such behavior might indicate that the service account is being used for malicious purposes. | Lateral Movement, Credential Access | Medium |

+| **An uncommon connection attempt detected**<br>(K8S.NODE_SuspectConnection) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected an uncommon connection attempt utilizing a socks protocol. This is very rare in normal operations, but a known technique for attackers attempting to bypass network-layer detections. | Execution, Exfiltration, Exploitation | Medium |

+| **Anomalous pod deployment (Preview)**<br>(K8S_AnomalousPodDeployment) ^{[3](#footnote3)} | Kubernetes audit log analysis detected pod deployment which is anomalous based on previous pod deployment activity. This activity is considered an anomaly when taking into account how the different features seen in the deployment operation are in relations to one another. The features monitored include the container image registry used, the account performing the deployment, day of the week, how often this account performs pod deployments, user agent used in the operation, whether this is a namespace to which pod deployments often occur, and other features. Top contributing reasons for raising this alert as anomalous activity are detailed under the alert's extended properties. | Execution | Medium |

+| **Anomalous secret access (Preview)**<br>(K8S_AnomalousSecretAccess) ^{[2](#footnote2)} | Kubernetes audit log analysis detected secret access request which is anomalous based on previous secret access activity. This activity is considered an anomaly when taking into account how the different features seen in the secret access operation are in relations to one another. The features monitored by this analytics include the user name used, the name of the secret, the name of the namespace, user agent used in the operation, or other features. Top contributing reasons for raising this alert as anomalous activity are detailed under the alert extended properties. | CredentialAccess | Medium |

+| **Attempt to stop apt-daily-upgrade.timer service detected**<br>(K8S.NODE_TimerServiceDisabled) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected an attempt to stop apt-daily-upgrade.timer service. Attackers have been observed stopping this service to download malicious files and grant execution privileges for their attacks. This activity can also happen if the service is updated through normal administrative actions. | DefenseEvasion | Informational |

+| **Behavior similar to common Linux bots detected (Preview)**<br>(K8S.NODE_CommonBot) | Analysis of processes running within a container or directly on a Kubernetes node, has detected the execution of a process normally associated with common Linux botnets. | Execution, Collection, Command And Control | Medium |

+| **Command within a container running with high privileges**<br>(K8S.NODE_PrivilegedExecutionInContainer) ^{[1](#footnote1)} | Machine logs indicate that a privileged command was run in a Docker container. A privileged command has extended privileges on the host machine. | PrivilegeEscalation | Low |

+| **Container running in privileged mode**<br>(K8S.NODE_PrivilegedContainerArtifacts) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected the execution of a Docker command that is running a privileged container. The privileged container has full access to the hosting pod or host resource. If compromised, an attacker may use the privileged container to gain access to the hosting pod or host. | PrivilegeEscalation, Execution | Low |

+| **Container with a sensitive volume mount detected**<br>(K8S_SensitiveMount) | Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. | Privilege Escalation | Medium |

+| **CoreDNS modification in Kubernetes detected**<br>(K8S_CoreDnsModification) ^{[2](#footnote2)} ^{[3](#footnote3)} | Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster's DNS server and poison it. | Lateral Movement | Low |

+| **Creation of admission webhook configuration detected**<br>(K8S_AdmissionController) ^{[3](#footnote3)} | Kubernetes audit log analysis detected a new admission webhook configuration. Kubernetes has two built-in generic admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. The behavior of these admission controllers is determined by an admission webhook that the user deploys to the cluster. The usage of such admission controllers can be legitimate, however attackers can use such webhooks for modifying the requests (in case of MutatingAdmissionWebhook) or inspecting the requests and gain sensitive information (in case of ValidatingAdmissionWebhook). | Credential Access, Persistence | Low |

+| **Detected file download from a known malicious source**<br>(K8S.NODE_SuspectDownload) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a download of a file from a source frequently used to distribute malware. | PrivilegeEscalation, Execution, Exfiltration, Command And Control | Medium |

+| **Detected suspicious file download**<br>(K8S.NODE_SuspectDownloadArtifacts) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious download of a remote file. | Persistence | Low |

+| **Detected suspicious use of the nohup command**<br>(K8S.NODE_SuspectNohup) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious use of the nohup command. Attackers have been seen using the command nohup to run hidden files from a temporary directory to allow their executables to run in the background. It's rare to see this command run on hidden files located in a temporary directory. | Persistence, DefenseEvasion | Medium |

+| **Detected suspicious use of the useradd command**<br>(K8S.NODE_SuspectUserAddition) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious use of the useradd command. | Persistence | Medium |

+| **Digital currency mining container detected**<br>(K8S_MaliciousContainerImage) ^{[3](#footnote3)} | Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool. | Execution | High |

+| **Digital currency mining related behavior detected**<br>(K8S.NODE_DigitalCurrencyMining) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected an execution of a process or command normally associated with digital currency mining. | Execution | High |

+| **Docker build operation detected on a Kubernetes node**<br>(K8S.NODE_ImageBuildOnNode) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection. | DefenseEvasion | Low |

+| **Excessive role permissions assigned in Kubernetes cluster (Preview)**<br>(K8S_ServiceAcountPermissionAnomaly) ^{[3](#footnote3)} | Analysis of the Kubernetes audit logs detected an excessive permissions role assignment to your cluster. The listed permissions for the assigned roles are uncommon to the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Microsoft Defender for Cloud. | Privilege Escalation | Low |

+| **Executable found running from a suspicious location (Preview)**<br>(K8S.NODE_SuspectExecutablePath) | Analysis of processes running within a container or directly on a Kubernetes node, has detected an executable file that is running from a location associated with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised system. | Execution | Medium |

+| **Exposed Kubeflow dashboard detected**<br>(K8S_ExposedKubeflow) | The Kubernetes audit log analysis detected exposure of the Istio Ingress by a load balancer in a cluster that runs Kubeflow. This action might expose the Kubeflow dashboard to the internet. If the dashboard is exposed to the internet, attackers can access it and run malicious containers or code on the cluster. Find more details in the following article: <https://aka.ms/exposedkubeflow-blog> | Initial Access | Medium |

+| **Exposed Kubernetes dashboard detected**<br>(K8S_ExposedDashboard) | Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboard allows an unauthenticated access to the cluster management and poses a security threat. | Initial Access | High |

+| **Exposed Kubernetes service detected**<br>(K8S_ExposedService) | The Kubernetes audit log analysis detected exposure of a service by a load balancer. This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers. In some cases, this service doesn't require authentication. If the service doesn't require authentication, exposing it to the internet poses a security risk. | Initial Access | Medium |

+| **Exposed Redis service in AKS detected**<br>(K8S_ExposedRedis) | The Kubernetes audit log analysis detected exposure of a Redis service by a load balancer. If the service doesn't require authentication, exposing it to the internet poses a security risk. | Initial Access | Low |

+| **Indicators associated with DDOS toolkit detected**<br>(K8S.NODE_KnownLinuxDDoSToolkit) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected file names that are part of a toolkit associated with malware capable of launching DDoS attacks, opening ports and services, and taking full control over the infected system. This could also possibly be legitimate activity. | Persistence, LateralMovement, Execution, Exploitation | Medium |

+| **K8S API requests from proxy IP address detected**<br>(K8S_TI_Proxy) ^{[3](#footnote3)} | Kubernetes audit log analysis detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP. | Execution | Low |

+| **Kubernetes events deleted**<br>(K8S_DeleteEvents) ^{[2](#footnote2)} ^{[3](#footnote3)} | Defender for Cloud detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes that contain information about changes in the cluster. Attackers might delete those events for hiding their operations in the cluster. | Defense Evasion | Low |

+| **Kubernetes penetration testing tool detected**<br>(K8S_PenTestToolsKubeHunter) | Kubernetes audit log analysis detected usage of Kubernetes penetration testing tool in the AKS cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes. | Execution | Low |

+| **Manipulation of host firewall detected**<br>(K8S.NODE_FirewallDisabled) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible manipulation of the on-host firewall. Attackers will often disable this to exfiltrate data. | DefenseEvasion, Exfiltration | Medium |

+| **Microsoft Defender for Cloud test alert (not a threat).**<br>(K8S.NODE_EICAR) ^{[1](#footnote1)} | This is a test alert generated by Microsoft Defender for Cloud. No further action is needed. | Execution | High |

+| **New container in the kube-system namespace detected**<br>(K8S_KubeSystemContainer) ^{[3](#footnote3)} | Kubernetes audit log analysis detected a new container in the kube-system namespace that isn't among the containers that normally run in this namespace. The kube-system namespaces shouldn't contain user resources. Attackers can use this namespace for hiding malicious components. | Persistence | Low |

+| **New high privileges role detected**<br>(K8S_HighPrivilegesRole) ^{[3](#footnote3)} | Kubernetes audit log analysis detected a new role with high privileges. A binding to a role with high privileges gives the user\group high privileges in the cluster. Unnecessary privileges might cause privilege escalation in the cluster. | Persistence | Low |

+| **Possible attack tool detected**<br>(K8S.NODE_KnownLinuxAttackTool) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious tool invocation. This tool is often associated with malicious users attacking others. | Execution, Collection, Command And Control, Probing | Medium |

+| **Possible backdoor detected**<br>(K8S.NODE_LinuxBackdoorArtifact) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious file being downloaded and run. This activity has previously been associated with installation of a backdoor. | Persistence, DefenseEvasion, Execution, Exploitation | Medium |

+| **Possible command line exploitation attempt**<br>(K8S.NODE_ExploitAttempt) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible exploitation attempt against a known vulnerability. | Exploitation | Medium |

+| **Possible credential access tool detected**<br>(K8S.NODE_KnownLinuxCredentialAccessTool) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible known credential access tool was running on the container, as identified by the specified process and commandline history item. This tool is often associated with attacker attempts to access credentials. | CredentialAccess | Medium |

+| **Possible Cryptocoinminer download detected**<br>(K8S.NODE_CryptoCoinMinerDownload) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected download of a file normally associated with digital currency mining. | DefenseEvasion, Command And Control, Exploitation | Medium |

+| **Possible data exfiltration detected**<br>(K8S.NODE_DataEgressArtifacts) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible data egress condition. Attackers will often egress data from machines they have compromised. | Collection, Exfiltration | Medium |

+| **Possible Log Tampering Activity Detected**<br>(K8S.NODE_SystemLogRemoval) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a possible removal of files that tracks user's activity during the course of its operation. Attackers often try to evade detection and leave no trace of malicious activities by deleting such log files. | DefenseEvasion | Medium |

+| **Possible password change using crypt-method detected**<br>(K8S.NODE_SuspectPasswordChange) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a password change using the crypt method. Attackers can make this change to continue access and gain persistence after compromise. | CredentialAccess | Medium |

+| **Potential port forwarding to external IP address**<br>(K8S.NODE_SuspectPortForwarding) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected an initiation of port forwarding to an external IP address. | Exfiltration, Command And Control | Medium |

+| **Potential reverse shell detected**<br>(K8S.NODE_ReverseShell) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a potential reverse shell. These are used to get a compromised machine to call back into a machine an attacker owns. | Exfiltration, Exploitation | Medium |

+| **Privileged container detected**<br>(K8S_PrivilegedContainer) | Kubernetes audit log analysis detected a new privileged container. A privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the node. | Privilege Escalation | Low |

+| **Process associated with digital currency mining detected**<br>(K8S.NODE_CryptoCoinMinerArtifacts) ^{[1](#footnote1)} | Analysis of processes running within a container detected the execution of a process normally associated with digital currency mining. | Execution, Exploitation | Medium |

+| **Process seen accessing the SSH authorized keys file in an unusual way**<br>(K8S.NODE_SshKeyAccess) ^{[1](#footnote1)} | An SSH authorized_keys file was accessed in a method similar to known malware campaigns. This access could signify that an actor is attempting to gain persistent access to a machine. | Unknown | Low |

+| **Role binding to the cluster-admin role detected**<br>(K8S_ClusterAdminBinding) | Kubernetes audit log analysis detected a new binding to the cluster-admin role which gives administrator privileges. Unnecessary administrator privileges might cause privilege escalation in the cluster. | Persistence | Low |

+| **Security-related process termination detected**<br>(K8S.NODE_SuspectProcessTermination) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected an attempt to terminate processes related to security monitoring on the container. Attackers will often try to terminate such processes using predefined scripts post-compromise. | Persistence | Low |

+| **SSH server is running inside a container**<br>(K8S.NODE_ContainerSSH) ^{[1](#footnote1)} | Analysis of processes running within a container detected an SSH server running inside the container. | Execution | Medium |

+| **Suspicious file timestamp modification**<br>(K8S.NODE_TimestampTampering) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious timestamp modification. Attackers will often copy timestamps from existing legitimate files to new tools to avoid detection of these newly dropped files. | Persistence, DefenseEvasion | Low |

+| **Suspicious request to Kubernetes API**<br>(K8S.NODE_KubernetesAPI) ^{[1](#footnote1)} | Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes API. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster. | LateralMovement | Medium |

+| **Suspicious request to the Kubernetes Dashboard**<br>(K8S.NODE_KubernetesDashboard) ^{[1](#footnote1)} | Analysis of processes running within a container indicates that a suspicious request was made to the Kubernetes Dashboard. The request was sent from a container in the cluster. Although this behavior can be intentional, it might indicate that a compromised container is running in the cluster. | LateralMovement | Medium |

+| **Potential crypto coin miner started**<br>(K8S.NODE_CryptoCoinMinerExecution) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a process being started in a way normally associated with digital currency mining. | Execution | Medium |

+| **Suspicious password access**<br>(K8S.NODE_SuspectPasswordFileAccess) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected suspicious attempt to access encrypted user passwords. | Persistence | Informational |

+| **Suspicious use of DNS over HTTPS**<br>(K8S.NODE_SuspiciousDNSOverHttps) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected the use of a DNS call over HTTPS in an uncommon fashion. This technique is used by attackers to hide calls out to suspect or malicious sites. | DefenseEvasion, Exfiltration | Medium |

+| **A possible connection to malicious location has been detected.**<br>(K8S.NODE_ThreatIntelCommandLineSuspectDomain) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a connection to a location that has been reported to be malicious or unusual. This is an indicator that a compromise may have occurred. | InitialAccess | Medium |

+| **Possible malicious web shell detected.**<br>(K8S.NODE_Webshell) ^{[1](#footnote1)} | Analysis of processes running within a container detected a possible web shell. Attackers will often upload a web shell to a compute resource they have compromised to gain persistence or for further exploitation. | Persistence, Exploitation | Medium |

+| **Burst of multiple reconnaissance commands could indicate initial activity after compromise**<br>(K8S.NODE_ReconnaissanceArtifactsBurst) ^{[1](#footnote1)} | Analysis of host/device data detected execution of multiple reconnaissance commands related to gathering system or host details performed by attackers after initial compromise. | Discovery, Collection | Low |

+| **Suspicious Download Then Run Activity**<br>(K8S.NODE_DownloadAndRunCombo) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a file being downloaded then run in the same command. While this isn't always malicious, this is a very common technique attackers use to get malicious files onto victim machines. | Execution, CommandAndControl, Exploitation | Medium |

+| **Digital currency mining activity**<br>(K8S.NODE_CurrencyMining) ^{[1](#footnote1)} | Analysis of DNS transactions detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools. | Exfiltration | Low |

+| **Access to kubelet kubeconfig file detected**<br>(K8S.NODE_KubeConfigAccess) ^{[1](#footnote1)} | Analysis of processes running on a Kubernetes cluster node detected access to kubeconfig file on the host. The kubeconfig file, normally used by the Kubelet process, contains credentials to the Kubernetes cluster API server. Access to this file is often associated with attackers attempting to access those credentials, or with security scanning tools which check if the file is accessible. | CredentialAccess | Medium |

+| **Access to cloud metadata service detected**<br>(K8S.NODE_ImdsCall) ^{[1](#footnote1)} | Analysis of processes running within a container detected access to the cloud metadata service for acquiring identity token. The container doesn't normally perform such operation. While this behavior might be legitimate, attackers might use this technique to access cloud resources after gaining initial access to a running container. | CredentialAccess | Medium |

+| **MITRE Caldera agent detected**<br>(K8S.NODE_MitreCalderaTools) ^{[1](#footnote1)} | Analysis of processes running within a container or directly on a Kubernetes node, has detected a suspicious process. This is often associated with the MITRE 54ndc47 agent which could be used maliciously to attack other machines. | Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Execution, Collection, Exfiltration, Command And Control, Probing, Exploitation | Medium |

+| Required roles and permissions: | No other roles needed aside from what is required for the security explorer. <br><br> To access the dashboard with more than 1000 subscriptions, you must have tenant-level permissions, which include one of the following roles: **Global Reader**, **Global Administrator**, **Security Administrator**, or **Security Reader**. |

+In order to view the dashboard, you must enable Defender CSPM and also enable the sensitive data discovery extension button underneath. In addition, to receive the alerts for data sensitivity, you must also enable the Defender for Storage plan for storage related alerts or Defender for Databases for database related alerts.

+- To view the dashboard, you must have either one of the following scenarios:

+**Sensitive resources status over time** - displays how data security evolves over time with a graph that shows the number of sensitive resources affected by alerts, attack paths, and recommendations within a defined period (last 30, 14, or 7 days).

+## Remediate recommendations using Workflow Automation

+You can remediate recommendations generated by Defender for APIs using workflow automations.

+1. In an eligible recommendation, select one or more unhealthy resources.

+2. Select **Trigger logic app**.

+3. Confirm the **Selected subscription**.

+4. Select a relevant logic app from the list.

+5. Select **Trigger**.

+You can browse the [Microsoft Defender for Cloud GitHub](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Workflow%20automation/Defender%20for%20API) repository for available workflow automation.

+|Pricing:|**Microsoft Defender for Storage** pricing applies to commercial clouds. Learn more about [pricing and availability per region.](https://azure.microsoft.com/pricing/details/defender-for-cloud/)<br>|

+|<br><br> Supported storage types:|[Blob Storage](https://azure.microsoft.com/products/storage/blobs/)ΓÇ»(Standard/Premium StorageV2, including Data Lake Gen2): Activity monitoring, Malware Scanning, Sensitive Data Discovery<br>Azure Files (over REST API and SMB): Activity monitoring |

+Ensure that your SSM Agent has the managed policy [AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html), which enables core functionality for the AWS Systems Manager service.

+**You must have the SSM Agent for auto provisioning Arc agent on EC2 machines. If the SSM doesn't exist, or is removed from the EC2, the Arc provisioning wonΓÇÖt be able to procced.**

+> [!NOTE]

+> As part of the cloud formation template that is run during the onboarding process, an automation process is created and triggered every 30 days, over all the EC2s that existed during the initial run of the cloud formation. The goal of this scheduled scan is to ensure that all the relevant EC2s have an IAM profile with the required IAM policy that allows Defender for Cloud to access, manage, and provide the relevant security features (including the Arc agent provisioning). The scan does not apply to EC2s that were created after the run of the cloud formation.

+To ensure a smooth transition, we've taken measures to maintain the consistency of the Product/Service name, SKU, and Meter IDs. Impacted customers will receive an informational Azure Service Notification to communicate the changes.

+Organizations that retrieve cost data by calling our APIs, will need to update the values in their calls to accomodate the change. For example, in this filter function, the values will return no information:

+```json

+"filter": {

+ "dimensions": {

+ "name": "MeterCategory",

+ "operator": "In",

+ "values": [

+ "Advanced Threat Protection",

+ "Advanced Data Security",

+ "Azure Defender",

+ "Security Center"

+ ]

+ }

+ }

+```

+| SOC TSP **(deprecated)** | PCI DSS v3.2.1 | PCI DSS v3.2.1 |

+| SWIFT CSP CSCF v2022 |||

+If you're using [Enterprise IoT security](eiot-defender-for-endpoint.md) in Microsoft 365 Defender, alerts for Enterprise IoT devices detected by Microsoft Defender for Endpoint are available in Microsoft 365 Defender only.

+Alerts triggered by [Enterprise IoT sensors](eiot-sensor.md) are shown in the Azure portal only.

+Users working in hybrid environments might be managing OT alerts in [Defender for IoT](https://portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/~/Getting_started) on the Azure portal, the OT sensor, and an on-premises management console.

+In addition to the default behavior, you might want to help your SOC and OT management teams triage and remediate alerts faster. Sign into an OT sensor or an on-premises management console as an **Admin** user to use the following options:

+|**Mute** | - OT network sensors <br><br>- On-premises management console <br><br>*Unmuting* an alert is available only on the OT sensor. | Mute an alert when you want to close it and not see again for the same traffic, but without adding the alert allowed traffic. <br><br>For example, when the Operational engine triggers an alert indicating that the PLC Mode was changed on a device. The new mode might indicate that the PLC isn't secure, but after investigation, it's determined that the new mode is acceptable. <br><br>Muting an alert closes it, but doesn't add an item to the sensor event timeline. Detected traffic is included in data mining reports, but not when calculating data for other sensor reports. <br><br>Muting an alert is available for selected alerts only, mostly those triggered by the *Anomaly*, *Protocol Violation*, or *Operational* engines. |

+ Title: Microsoft Defender for IoT billing

+description: Learn how you're billed for the Microsoft Defender for IoT service.

+#CustomerIntent: As a Defender for IoT customer, I want to understand how I'm billed for Defender for IoT services so that I can best plan my deployment.

+# Defender for IoT billing

+**OT monitoring** is billed using site-based licenses, where each license applies to an individual site, based on the site size. A site is a physical location, such as a facility, campus, office building, hospital, rig, and so on. Each site can contain any number of network sensors, all which monitor devices detected in connected networks.

+**Enterprise IoT** monitoring supports 5 devices per Microsoft 365 E5 (ME5) or E5 Security license, or is available as standalone, per-device licenses for Microsoft Defender for Endpoint P2 customers.

+To evaluate Defender for IoT, start a free trial as follows:

+- **For OT networks**, use a trial license for 60 days. Deploy one or more Defender for IoT sensors on your network to monitor traffic, analyze data, generate alerts, learn about network risks and vulnerabilities, and more. An OT trial supports a **Large** site license for 60 days. For more information, see [Start a Microsoft Defender for IoT trial](getting-started.md).

+- **For Enterprise IoT networks**, use a trial, standalone license for 90 days as an add-on to Microsoft Defender for Endpoint. Trial licenses support 100 devices. For more information, see [Securing IoT devices in the enterprise](concept-enterprise.md) and [Enable Enterprise IoT security with Defender for Endpoint](eiot-defender-for-endpoint.md).

+We recommend that you have a sense of how many devices you want to monitor so that you know how many OT sites you need to license, or if you need any standalone licenses for enterprise IoT security.

+- **Enterprise IoT monitoring**: Five devices are supported for each ME5/E5 Security user license. If you have more devices to monitor, and are a Defender for Endpoint P2 customer, purchase extra, standalone licenses for each device you want to monitor.

+ Title: Securing IoT devices | Microsoft Defender for IoT

+description: Learn how integrating Microsoft Defender for Endpoint and Microsoft Defender for IoT's security content enhances your IoT network security.

+#CustomerIntent: As a Defender for IoT customer, I want to understand how I can secure my enterprise IoT devices with Microsoft Defender for IoT so that I can protect my organization from IoT threats.

+The number of IoT devices continues to grow exponentially across enterprise networks, such as the printers, Voice over Internet Protocol (VoIP) devices, smart TVs, and conferencing systems scattered around many office buildings.

+[Microsoft Defender for IoT](./index.yml) seamlessly integrates with [Microsoft 365 Defender](/microsoft-365/security/defender) and [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) to provide both IoT device discovery and security value for IoT devices, including purpose-built alerts, recommendations, and vulnerability data.

+## Enterprise IoT security in Microsoft 365 Defender

+Enterprise IoT security in Microsoft 365 Defender provides IoT-specific security value, including alerts, risk and exposure levels, vulnerabilities, and recommendations in Microsoft 365 Defender.

+- If you're a Microsoft 365 E5 (ME5)/ E5 Security and Defender for Endpoint P2 customer, [toggle on support](eiot-defender-for-endpoint.md) for **Enterprise IoT Security** in the Microsoft 365 Defender portal.

+- If you don't have ME5/E5 Security licenses, but you're a Microsoft Defender for Endpoint customer, start with a [free trial](billing.md#free-trial) or purchase standalone, per-device licenses to gain the same IoT-specific security value.

+The following image shows the architecture and extra features added with **Enterprise IoT security** in Microsoft 365 Defender:

+- [Get started with enterprise IoT monitoring in Microsoft 365 Defender](eiot-defender-for-endpoint.md)

+- [Defender for IoT subscription billing](billing.md)

+- [Device discovery overview](/microsoft-365/security/defender-endpoint/device-discovery)

+## Frequently asked questions

+This section provides a list of frequently asked questions about securing Enterprise IoT networks with Microsoft Defender for IoT.

+### What is the difference between OT and Enterprise IoT?

+- **Operational Technology (OT)**: OT network sensors use agentless, patented technology to discover, learn, and continuously monitor network devices for a deep visibility into Operational Technology (OT) / Industrial Control System (ICS) risks. Sensors carry out data collection, analysis, and alerting on-site, making them ideal for locations with low bandwidth or high latency.

+- **Enterprise IoT**: Enterprise IoT provides visibility and security for IoT devices in the corporate environment.

+ Enterprise IoT network protection extends agentless features beyond operational environments, providing coverage for all IoT devices in your environment. For example, an enterprise IoT environment might include printers, cameras, and purpose-built, proprietary, devices.

+### What extra security value can Enterprise IoT provide Microsoft Defender for Endpoint customers?

+Enterprise IoT is designed to help customers secure unmanaged devices throughout the organization and extend IT security to also cover IoT devices.

+While Microsoft 365 P2 customers already have visibility for discovered IoT devices in the **Device inventory** page in Defender for Endpoint, they can use enterprise IoT security to gain security value with extra alerts, recommendations and vulnerabilities for their discovered IoT devices.

+### How can I start using Enterprise IoT?

+Microsoft E5 (ME5) and E5 Security customers already have devices supported for enterprise IoT security. If you only have a Defender for Endpoint P2 license, you can purchase standalone, per-device licenses for enterprise IoT monitoring, or use a trial.

+For more information, see:

+- [Get started with enterprise IoT monitoring in Microsoft 365 Defender](eiot-defender-for-endpoint.md)

+- [Manage enterprise IoT monitoring support with Microsoft Defender for IoT](manage-subscriptions-enterprise.md)

+### What permissions do I need to use Enterprise IoT security with Defender for IoT?

+For information on required permissions, see [Prerequisites](eiot-defender-for-endpoint.md#prerequisites).

+### Which devices are billable?

+For more information, see [Devices monitored by Defender for IoT](architecture.md#devices-monitored-by-defender-for-iot).

+### How should I estimate the number of devices I want to monitor?

+For more information, see [Calculate monitored devices for Enterprise IoT monitoring](manage-subscriptions-enterprise.md#calculate-monitored-devices-for-enterprise-iot-monitoring).

+### How can I cancel Enterprise IoT?

+For more information, see [Turn off enterprise IoT security](manage-subscriptions-enterprise.md#turn-off-enterprise-iot-security).

+### What happens when the trial ends?

+If you haven't added a standalone license by the time your trial ends, your trial is automatically canceled, and you lose access to Enterprise IoT security features.

+For more information, see [Defender for IoT subscription billing](billing.md).

+### How can I resolve billing issues associated with my Defender for IoT plan?

+For any billing or technical issues, open a support ticket for Microsoft 365 Defender.

+Defender for IoT device inventory is available in the following locations:

+|**Azure portal** | OT devices detected from all cloud-connected OT sensors. | - If you also use [Microsoft Sentinel](iot-solution.md), incidents in Microsoft Sentinel are linked to related devices in Defender for IoT. <br><br>- Use Defender for IoT [workbooks](workbooks.md) for visibility into all cloud-connected device inventory, including related alerts and vulnerabilities. <br><br>- If you have a [legacy Enterprise IoT plan](whats-new.md#enterprise-iot-protection-now-included-in-microsoft-365-e5-and-e5-security-licenses) on your Azure subscription, the Azure portal also includes devices detected by Microsoft Defender for Endpoint agents. If you have an [Enterprise IoT sensor](eiot-sensor.md), the Azure portal also includes devices detected by the Enterprise IoT sensor. |

+| **Microsoft 365 Defender** | Enterprise IoT devices detected by Microsoft Defender for Endpoint agents | Correlate devices across Microsoft 365 Defender in purpose-built alerts, vulnerabilities, and recommendations. |

+|

+- [Defender for Endpoint device discovery](/microsoft-365/security/defender-endpoint/device-discovery)

+For example, any devices with the same IP and MAC address detected in the same zone are consolidated and identified as a single device in the device inventory. If you have separate devices from recurring IP addresses that are detected by multiple sensors, you want each of these devices to be identified separately. In such cases, [onboard your OT sensors](onboard-sensors.md) to different zones so that each device is identified as a separate and unique device, even if they have the same IP address. Devices that have the same MAC addresses, but different IP addresses aren't merged, and continue to be listed as unique devices.

+|**Authorization** * |Editable. Determines whether or not the device is marked as *authorized*. This value might need to change as the device security changes. |

+ Title: Get started with enterprise IoT monitoring in Microsoft 365 Defender | Microsoft Defender for IoT

+description: Learn how to get added value for enterprise IoT devices in Microsoft 365 Defender.

+#CustomerIntent: As a Microsoft 365 administrator, I want to understand how to turn on support for enterprise IoT monitoring in Microsoft 365 Defender and where I can find the added security value so that I can keep my EIoT devices safe.

+# Get started with enterprise IoT monitoring in Microsoft 365 Defender

+This article describes how [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) customers can monitor enterprise IoT devices in their environment, using added security value in Microsoft 365 Defender.

+While IoT device inventory is already available for Defender for Endpoint P2 customers, turning on enterprise IoT security adds alerts, recommendations, and vulnerability data, purpose-built for IoT devices in your enterprise network.

+IoT devices include printers, cameras, VOIP phones, smart TVs, and more. Turning on enterprise IoT security means, for example, that you can use a recommendation in Microsoft 365 Defender to open a single IT ticket for patching vulnerable applications across both servers and printers.

+- Access to the Microsoft 365 Defender portal as a [Security administrator](../../active-directory/roles/permissions-reference.md#security-administrator)

+- One of the following licenses:

+ - A Microsoft 365 E5 (ME5) or E5 Security license

+ - Microsoft Defender for Endpoint P2, with an extra, standalone **Microsoft Defender for IoT - EIoT Device License - add-on** license, available for purchase or trial from the Microsoft 365 admin center.

+ > [!TIP]

+ > If you have a standalone license, you don't need to toggle on **Enterprise IoT Security** and can skip directly to [View added security value in Microsoft 365 Defender](#view-added-security-value-in-microsoft-365-defender).

+ >

+ For more information, see [Enterprise IoT security in Microsoft 365 Defender](concept-enterprise.md#enterprise-iot-security-in-microsoft-365-defender).

+## Turn on enterprise IoT monitoring

+This procedure describes how to turn on enterprise IoT monitoring in Microsoft 365 Defender, and is relevant only for ME5/E5 Security customers.

+Skip this procedure if you have one of the following types of licensing plans:

+- Customers with legacy Enterprise IoT pricing plan and an ME5/E5 Security license.

+- Customers with standalone, per-device licenses added on to Microsoft Defender for Endpoint P2. In such cases, the Enterprise IoT security setting is turned on as read-only.

+**To turn on enterprise IoT monitoring**:

+1. In [Microsoft 365 Defender](https://security.microsoft.com/), select **Settings** \> **Device discovery** \> **Enterprise IoT**.

+1. Toggle the Enterprise IoT security option to **On**. For example:

+ :::image type="content" source="media/enterprise-iot/eiot-toggle-on.png" alt-text="Screenshot of Enterprise IoT toggled on in Microsoft 365 Defender.":::

+This procedure describes how to view related alerts, recommendations, and vulnerabilities for a specific device in Microsoft 365 Defender, when the **Enterprise IoT security** option is turned on.

+1. In [Microsoft 365 Defender](https://security.microsoft.com/), select **Assets** \> **Devices** to open the **Device inventory** page.

+1. On the device details page, explore the following tabs to view data added by the enterprise IoT security for your device:

+Microsoft 365 Defender customers with an Enterprise IoT network sensor can see all discovered devices in the **Device inventory** in either Microsoft 365 Defender or Defender for IoT. You'll also get extra security value from more alerts, vulnerabilities, and recommendations in Microsoft 365 Defender for the newly discovered devices.

+If you're a Defender for IoT customer working solely in the Azure portal, an Enterprise IoT network sensor provides extra device visibility to Enterprise IoT devices, such as Voice over Internet Protocol (VoIP) devices, printers, and cameras, which might not be covered by your OT network sensors.

+- To view Defender for IoT data in Microsoft 365 Defender, including devices, alerts, recommendations, and vulnerabilities, you must have **Enterprise IoT security** turned on in [Microsoft 365 Defender](eiot-defender-for-endpoint.md).

+ If you only want to view data in the Azure portal, you don't need Microsoft 365 Defender. You can also turn on **Enterprise IoT security** in Microsoft 365 Defender after registering your network sensor to bring [extra device visibility and security value](concept-enterprise.md#enterprise-iot-security-in-microsoft-365-defender) to your organization.

+- Identify the devices and subnets you want to monitor so that you understand where to place an Enterprise IoT sensor in your network. You might want to deploy multiple Enterprise IoT sensors.

+ Identify the interfaces that you want to monitor, which are usually the interfaces with no IP address listed. Interfaces with incoming traffic show an increasing number of RX packets.

+This section describes how to register an Enterprise IoT sensor in Defender for IoT. When you're done registering your sensor, you continue on with installing the Enterprise IoT monitoring software on your sensor machine.

+1. Copy the command to a safe location, where you're able to copy it to your physical appliance or VM in order to [install sensor software](#install-enterprise-iot-sensor-software).

+ :::image type="content" source="media/tutorial-get-started-eiot/proxy.png" alt-text="Screenshot of the Set up a proxy server screen.":::

+If you're a Defender for Endpoint customer with a [legacy Enterprise IoT plan](whats-new.md#enterprise-iot-protection-now-included-in-microsoft-365-e5-and-e5-security-licenses), you're able to view all detected devices in the **Device inventory** pages, in both Defender for IoT and Microsoft 365 Defender. Detected devices include both devices detected by Defender for Endpoint and devices detected by the Enterprise IoT sensor.

+If you want to cancel enterprise IoT security with Microsoft 365 Defender, do so from the Microsoft 365 Defender portal. For more information, see [Turn off enterprise IoT security](manage-subscriptions-enterprise.md#turn-off-enterprise-iot-security).

+- If you have **Enterprise IoT security** [turned on in Microsoft 365 Defender](eiot-defender-for-endpoint.md), alerts for Enterprise IoT devices detected by Microsoft Defender for Endpoint are available in Defender for Endpoint only.

+- **To have alerts in Defender for IoT**, you must have an [OT](onboard-sensors.md) onboarded, and network data streaming into Defender for IoT.

+ | **Last activity** | The last time the alert was changed, including manual updates for severity or status, or automated changes for device updates or device/alert deduplication |

+For example, while the total number of alerts appears above the grid, you might want more specific information about alert count breakdown, such as the number of alerts with a specific severity, protocol, or site.

+You might want to export a selection of alerts to a CSV file for offline sharing and reporting.

+If you're looking to manage support for enterprise IoT security, see [Manage enterprise IoT monitoring support with Microsoft Defender for IoT](manage-subscriptions-enterprise.md).

+This article is relevant for commercial Defender for IoT customers. If you're a government customer, contact your Microsoft sales representative for more information.

+- A [Security admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner) user role for the Azure subscription that you're using for the integration

+1. In the **Plan settings** pane, select the Azure subscription where you want to add a plan. You can only add a single subscription, and you need a [Security admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner) role for the selected subscription.

+ When you're finished, select **Save**. If you've selected to download the on-premises management console activation file, the file is downloaded and you're prompted to save it locally. You use it later, when [activating your on-premises management console](ot-deploy/activate-deploy-management.md#activate-the-on-premises-management-console).

+## Cancel a Defender for IoT plan for OT networks

+You might need to cancel a Defender for IoT plan from your Azure subscription, for example, if you need to work with a different subscription, or if you no longer need the service.

+**To cancel an OT network plan**:

+If the number of actual devices detected by Defender for IoT exceeds the number of committed devices currently listed on your subscription, you might see a warning message in the Azure portal and on your OT sensor that you have exceeded the maximum number of devices for your subscription.

+This warning indicates you need to update the number of committed devices on the relevant subscription to the actual number of devices being monitored. Select the link in the warning message to take you to the **Plans and pricing** page, with the **Edit plan** pane already open.

+If you have multiple legacy subscriptions and are migrating to a Microsoft 365 plan, you'll first need to consolidate your sensors to a single subscription. To do this, you need to register the sensors under the new subscription and remove them from the original subscription.

+ - For sensors monitoring overlapping network segments, create the activation file under the same zone. Identical devices that are detected in more than one sensor in a zone are merged into one device.

+1. If relevant, cancel the Defender for IoT plan from the previous subscription. For more information, see [Cancel a Defender for IoT plan for OT networks](#cancel-a-defender-for-iot-plan-for-ot-networks).

+Changes to your plan will take effect one hour after confirming the change. This change appears on your next monthly statement, and you're charged based on the length of time each plan was in effect.

+ Title: Manage EIoT monitoring support | Microsoft Defender for IoT

+description: Learn how to manage your EIoT monitoring support with Microsoft Defender for IoT.

+#CustomerIntent: As a Defender for IoT customer, I want to understand how to manage my EIoT monitoring support with Microsoft Defender for IoT so that I can best plan my deployment.

+# Manage enterprise IoT monitoring support with Microsoft Defender for IoT

+Enterprise IoT security monitoring with Defender for IoT is supported by a Microsoft 365 E5 (ME5) or E5 Security license, or extra standalone, per-device licenses purchased as add-ons to Microsoft Defender for Endpoint.

+This article describes how to:

+- Calculate the devices detected in your environment so that you can understand if you need extra, standalone licenses.

+- Cancel support for enterprise IoT monitoring with Microsoft Defender for IoT

+- One of the following sets of licenses:

+ - A Microsoft 365 E5 (ME5) or E5 Security license and a Microsoft Defender for Endpoint P2 license

+ - A Microsoft Defender for Endpoint P2 license alone

+ For more information, see [Enterprise IoT security in Microsoft 365 Defender](concept-enterprise.md#enterprise-iot-security-in-microsoft-365-defender).

+- Access to the Microsoft 365 Defender portal as a [Global administrator](../../active-directory/roles/permissions-reference.md#global-administrator)

+## Obtain a standalone, Enterprise IoT trial license

+This procedure describes how to start using a trial, standalone license for enterprise IoT monitoring, for customers who have a Microsoft Defender for Endpoint P2 license only.

+Customers with ME5/E5 Security plans have support for enterprise IoT monitoring available on by default, and don't need to start a trial. For more information, see [Get started with enterprise IoT monitoring in Microsoft 365 Defender](eiot-defender-for-endpoint.md).

+Start your enterprise IoT trial using the [Microsoft Defender for IoT - EIoT Device License - add-on wizard](https://signup.microsoft.com/get-started/signup?products=b2f91841-252f-4765-94c3-75802d7c0ddb&ali=1&bac=1) or via the Microsoft 365 admin center.

+**To start an Enterprise IoT trial**:

+1. Go to the [Microsoft 365 admin center](https://portal.office.com/AdminPortal/Home#/catalog) > **Marketplace**.

+1. Search for the **Microsoft Defender for IoT - EIoT Device License - add-on** and filter the results by **Other services**. For example:

+ :::image type="content" source="media/enterprise-iot/eiot-standalone.png" alt-text="Screenshot of the Marketplace search results for the EIoT Device License.":::

+ > [!IMPORTANT]

+ > The prices shown in this image are for example purposes only and are not intended to reflect actual prices.

+ >

+1. Under **Microsoft Defender for IoT - EIoT Device License - add-on**, select **Details**.

+1. On the **Microsoft Defender for IoT - EIoT Device License - add-on** page, select **Start free trial**. On the **Check out** page, select **Try now**.

+> [!TIP]

+> Make sure to [assign your licenses to specific users]/microsoft-365/admin/manage/assign-licenses-to-users to start using them.

+>

+For more information, see [Free trial](billing.md#free-trial).

+## Calculate monitored devices for Enterprise IoT monitoring

+Use the following procedure to calculate how many devices you need to monitor if:

+- You're an ME5/E5 Security customer and thinks you need to monitor more devices than the devices allocated per ME5/E5 Security license

+- You're a Defender for Endpoint P2 customer who's purchasing standalone enterprise IoT licenses

+1. In [Microsoft 365 Defender](https://security.microsoft.com/), select **Assets** \> **Devices** to open the **Device inventory** page.

+1. Round up your total to a multiple of 100 and compare it against the number of licenses you have.

+- You have 320 ME5 licenses, which cover **1600** devices

+You need **79** standalone devices to cover the gap.

+## Purchase standalone licenses

+Purchase standalone, per-device licenses if you're an ME5/E5 Security customer who needs more than the five devices allocated per license, or if you're a Defender for Endpoint customer who wants to add enterprise IoT security to your organization.

+**To purchase standalone licenses**:

+1. Go to the [Microsoft 365 admin center](https://portal.office.com/AdminPortal/Home#/catalog) **Billing > Purchase services**. If you don't have this option, select **Marketplace** instead.

+1. Search for the **Microsoft Defender for IoT - EIoT Device License - add-on** and filter the results by **Other services**. For example:

+ :::image type="content" source="media/enterprise-iot/eiot-standalone.png" alt-text="Screenshot of the Marketplace search results for the EIoT Device License.":::

+ > [!IMPORTANT]

+ > The prices shown in this image are for example purposes only and are not intended to reflect actual prices.

+ >

+1. On the **Microsoft Defender for IoT - EIoT Device License - add-on** page, enter your selected license quantity, select a billing frequency, and then select **Buy**.

+For more information, see the [Microsoft 365 admin center help](/microsoft-365/admin/).

+## Turn off enterprise IoT security

+This procedure describes how to turn off enterprise IoT monitoring in Microsoft 365 Defender, and is supported only for customers who don't have any standalone, per-device licenses added on to Microsoft 365 Defender.

+Turn off the **Enterprise IoT security** option if you're no longer using the service.

+**To turn off enterprise IoT monitoring**:

+1. In [Microsoft 365 Defender](https://security.microsoft.com/), select **Settings** \> **Device discovery** \> **Enterprise IoT**.

+1. Toggle the option to **Off**.

+You stop getting security value in Microsoft 365 Defender, including purpose-built alerts, vulnerabilities, and recommendations.

+### Cancel a legacy Enterprise IoT plan

+If you have a legacy Enterprise IoT plan, are *not* an ME5/E5 Security customer, and no longer to use the service, cancel your plan as follows:

+1. In [Microsoft 365 Defender](https://security.microsoft.com/) portal, select **Settings** \> **Device discovery** \> **Enterprise IoT**.

+1. Select **Cancel plan**. This page is available only for legacy Enterprise IoT plan customers.

+The cancellation takes effect one hour after confirming the change. This change appears on your next monthly statement, and you're charged based on the length of time the plan was in effect.

+- [Securing IoT devices in the enterprise](concept-enterprise.md)

+The Internet of Things (IoT) supports billions of connected devices that use both operational technology (OT) and IoT networks. IoT/OT devices and networks are often built using specialized protocols, and might prioritize operational challenges over security.

+Microsoft Defender for IoT is a unified security solution built specifically to identify IoT and OT devices, vulnerabilities, and threats. Use Defender for IoT to secure your entire IoT/OT environment, including existing devices that might not have built-in security agents.

+If your IoT and OT devices don't have embedded security agents, they might remain unpatched, misconfigured, and invisible to IT and security teams. Unmonitored devices can be soft targets for threat actors looking to pivot deeper into corporate networks.

+ - Detect advanced threats that you might have missed by static indicators of compromise (IOCs), such as zero-day malware, fileless malware, and living-off-the-land tactics.

+ You might have hybrid network requirements where you can deliver some data to the cloud and other data must remain on-premises.

+IoT and industrial control system (ICS) devices can be secured using both embedded protocols and proprietary, custom, or nonstandard protocols. If you have devices that run on protocols that aren't supported by Defender for IoT out-of-the-box, use the Horizon Open Development Environment (ODE) SDK to develop dissector plug-ins to decode network traffic for your protocols.

+Extend Defender for IoT's agentless security features beyond OT environments to enterprise IoT devices by using enterprise IoT security with Microsoft Defender for Endpoint, and view related alerts, vulnerabilities, and recommendations for IoT devices in Microsoft 365 Defender.

+Microsoft Defender for IoT uses [Azure Role-Based Access Control (RBAC)](../../role-based-access-control/index.yml) to provide access to Defender for IoT monitoring services and data on the Azure portal.

+| **Onboard [OT](onboard-sensors.md) or [Enterprise IoT sensors](eiot-sensor.md)** <br>Apply per subscription only | - | Γ£ö | Γ£ö | Γ£ö |

+| **[View values on the Plans and pricing page](how-to-manage-subscriptions.md)** <br>Apply per subscription only| Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| **[Modify values on the Plans and pricing page](how-to-manage-subscriptions.md)** <br>Apply per subscription only| - | Γ£ö | Γ£ö | Γ£ö |

+| **[View values on the Sites and sensors page](how-to-manage-sensors-on-the-cloud.md)** <br>Apply per subscription only | Γ£ö | Γ£ö | Γ£ö | Γ£ö|

+| **[Modify values on the Sites and sensors page](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal)** , including remote OT sensor updates<br>Apply per subscription only | - | Γ£ö | Γ£ö | Γ£ö|

+| **Enterprise IoT networks** | [Enterprise IoT protection now included in Microsoft 365 E5 and E5 Security licenses](#enterprise-iot-protection-now-included-in-microsoft-365-e5-and-e5-security-licenses) |

+### Enterprise IoT protection now included in Microsoft 365 E5 and E5 Security licenses

+Enterprise IoT (EIoT) security with Defender for IoT discovers unmanaged IoT devices and also provides added security value, including continuous monitoring, vulnerability assessments and tailored recommendations specifically designed for Enterprise IoT devices. Seamlessly integrated with Microsoft 365 Defender, Microsoft Defender Vulnerability Management, and Microsoft Defender for Endpoint on the Microsoft 365 Defender portal, it ensures a holistic approach to safeguarding an organization's network.

+Defender for IoT EIoT monitoring is now automatically supported as part of the Microsoft 365 E5 (ME5) and E5 Security plans, covering up to five devices per user license. For example, if your organization possesses 500 ME5 licenses, you can use Defender for IoT to monitor up to 2500 EIoT devices. This integration represents a significant leap toward fortifying your IoT ecosystem within the Microsoft 365 environment.

+- **Customers who have ME5 or E5 Security plans but aren't yet using Defender for IoT for their EIoT devices** must [toggle on support](eiot-defender-for-endpoint.md) in the Microsoft 365 Defender portal.

+- **New customers** without an ME5 or E5 Security plan can purchase a standalone, **Microsoft Defender for IoT - EIoT Device License - add-on** license, as an add-on to Microsoft Defender for Endpoint P2. Purchase standalone licenses from the Microsoft admin center.

+- **Existing customers with both legacy Enterprise IoT plans and ME5/E5 Security plans** are automatically switched to the new licensing method. Enterprise IoT monitoring is now bundled into your license, at no extra charge, and with no action item required from you.

+- **Customers with legacy Enterprise IoT plans and no ME5/E5 Security plans** can continue to use their existing plans until the plans expire.

+Trial licenses are available for Defender for Endpoint P2 customers as standalone licenses. Trial licenses support 100 number of devices for 90 days.

+For more information, see:

+- [Securing IoT devices in the enterprise](concept-enterprise.md)

+- [Enable Enterprise IoT security with Defender for Endpoint](eiot-defender-for-endpoint.md)

+- [Defender for IoT subscription billing](billing.md)

+Use the following procedures to authenticate with Microsoft Entra ID. You can follow along in [Azure Cloud Shell](../cloud-shell/get-started.md), on an Azure virtual machine, or on your local machine.

+- DDL changes replication is supported only when migrating to a v8.0 Azure Database for MySQL Flexible Server target server and when you have selected the option for **Replicate data definition and administration statements for selected objects** on DMS UI. The replication feature supports replicating data definition and administration statements that occur after the initial load and are logged in the binary log to the target.

+* Online migration now supports DDL statement replication when migrating to a v8.0 Azure Database for MySQL Flexible Server target server. For target server engine version v5.x, DDL statement replication is not supported currently.

+ * Statement replication is supported for databases, tables, and schema objects (views, routines, triggers) selected for schema migration when configuring an Azure DMS migration activity. Data definition and administration statements for databases, tables, and schema objects that arenΓÇÖt selected wonΓÇÖt be replicated. Selecting an entire server for migration will replicate statements for any tables, databases, and schema objects that are created on the source server after the initial load has completed.

+ * Azure DMS statement replication supports all of the Data Definition statements listed [here](https://dev.mysql.com/doc/refman/8.0/en/sql-data-definition-statements.html), with the exception of the following commands:

+ ΓÇó LOGFILE GROUP statements

+ ΓÇó SERVER statements

+ ΓÇó SPATIAL REFERENCE SYSTEM statements

+ ΓÇó TABLESPACE statements

+ * Azure DMS statement replication supports all of the Data Administration ΓÇô Account Management statements listed [here](https://dev.mysql.com/doc/refman/8.0/en/account-management-statements.html), with the exception of the following commands:

+ * SET DEFAULT ROLE

+ * SET PASSWORD

+ * Azure DMS statement replication supports all of the Data Administration ΓÇô Table Maintenance statements listed [here](https://dev.mysql.com/doc/refman/8.0/en/table-maintenance-statements.html), with the exception of the following commands:

+ * REPAIR TABLE

+ * ANALYZE TABLE

+ * CHECKSUM TABLE

+* Online migration now supports DDL statement replication when migrating to a v8.0 Azure Database for MySQL Flexible Server target server. For target server engine version v5.x, DDL statement replication is not supported currently.

+ * Statement replication is supported for databases, tables, and schema objects (views, routines, triggers) selected for schema migration when configuring an Azure DMS migration activity. Data definition and administration statements for databases, tables, and schema objects that arenΓÇÖt selected wonΓÇÖt be replicated. Selecting an entire server for migration will replicate statements for any tables, databases, and schema objects that are created on the source server after the initial load has completed.

+ * Azure DMS statement replication supports all of the Data Definition statements listed [here](https://dev.mysql.com/doc/refman/8.0/en/sql-data-definition-statements.html), with the exception of the following commands:

+ ΓÇó LOGFILE GROUP statements

+ ΓÇó SERVER statements

+ ΓÇó SPATIAL REFERENCE SYSTEM statements

+ ΓÇó TABLESPACE statements

+ * Azure DMS statement replication supports all of the Data Administration ΓÇô Account Management statements listed [here](https://dev.mysql.com/doc/refman/8.0/en/account-management-statements.html), with the exception of the following commands:

+ * SET DEFAULT ROLE

+ * SET PASSWORD

+ * Azure DMS statement replication supports all of the Data Administration ΓÇô Table Maintenance statements listed [here](https://dev.mysql.com/doc/refman/8.0/en/table-maintenance-statements.html), with the exception of the following commands:

+ * REPAIR TABLE

+ * ANALYZE TABLE

+ * CHECKSUM TABLE

+- [AddToNetworkGroup](#addtonetworkgroup)

+- [Mutate](#mutate-preview)

+ might prevent an audit or deny effect from triggering. These effects are only available with a

+## AddToNetworkGroup

+AddToNetworkGroup is used in Azure Virtual Network Manager to define dynamic network group membership. This effect is specific to _Microsoft.Network.Data_ [policy mode](./definition-structure.md#resource-provider-modes) definitions only.

+With network groups, your policy definition includes your conditional expression for matching virtual networks meeting your criteria, and specifies the destination network group where any matching resources are placed. The addToNetworkGroup effect is used to place resources in the destination network group.

+To learn more, go to [Configuring Azure Policy with network groups in Azure Virtual Network Manager](../../../virtual-network-manager/concept-azure-policy-integration.md).

+ - Specifying a long evaluation delay might cause the recorded compliance state of the resource to

+ - Specifying a long evaluation delay might cause the recorded compliance state of the resource to

+## Mutate (preview)

+Mutation is used in Azure Policy for Kubernetes to remediate AKS cluster components, like pods. This effect is specific to _Microsoft.Kubernetes.Data_ [policy mode](./definition-structure.md#resource-provider-modes) definitions only.

+To learn more, go to [Understand Azure Policy for Kubernetes clusters](./policy-for-kubernetes.md).

+### Mutate properties

+- **mutationInfo** (optional)

+ - Can't be used with `constraint`, `constraintTemplate`, `apiGroups`, or `kinds`.

+ - Cannot be parameterized.

+ - **sourceType** (required)

+ - Defines the type of source for the constraint. Allowed values: _PublicURL_ or _Base64Encoded_.

+ - If _PublicURL_, paired with property `url` to provide location of the mutation template. The location must be publicly accessible.

+ > [!WARNING]

+ > Don't use SAS URIs or tokens in `url` or anything else that could expose a secret.

+A resource can be affected by several assignments. These assignments might be at the same scope or at

+controller webhook_ for [Open Policy Agent](https://www.openpolicyagent.org/) (OPA), to apply at-scale enforcements and safeguards on your cluster components in a centralized, consistent manner. Cluster components include pods, containers, and namespaces.

+Azure Policy makes it possible to manage and report on the compliance state of your Kubernetes cluster components from one place. By using Azure Policy's Add-On or Extension, governing your cluster components is enhanced with Azure Policy features, like the ability to use [selectors](./assignment-structure.md#resource-selectors-preview) and [overrides](./assignment-structure.md#overrides-preview) for safe policy rollout and rollback.

+- [Azure Kubernetes Service (AKS)](../../../aks/intro-kubernetes.md), through **Azure PolicyΓÇÖs **Add-On** for AKS**

+- [Azure Arc enabled Kubernetes](../../../azure-arc/kubernetes/overview.md), through **Azure PolicyΓÇÖs **Extension** for Arc**

+By installing Azure PolicyΓÇÖs add-on or extension on your Kubernetes clusters, Azure Policy enacts the following functions:

+- Checks with Azure Policy service for policy assignments to the cluster.

+- Deploys policy definitions into the cluster as [constraint template](https://open-policy-agent.github.io/gatekeeper/website/docs/howto/#constraint-templates) and [constraint](https://open-policy-agent.github.io/gatekeeper/website/docs/howto/#constraints) custom resources or as a mutation template resource (depending on policy definition content).

+- Reports auditing and compliance details back to Azure Policy service.

+1. Configure your Kubernetes cluster and install the [Azure Kubernetes Service (AKS)](#install-azure-policy-add-on-for-aks) add-on or Azure Policy's Extension for [Arc-enabled Kubernetes clusters](#install-azure-policy-extension-for-azure-arc-enabled-kubernetes) (depending on your cluster type).

+1. [Create or use a sample Azure Policy definition for Kubernetes](#create-a-policy-definition)

+1. [Assign a definition to your Kubernetes cluster](#assign-a-policy-definition)

+1. [Wait for validation](#policy-evaluation)

+1. [Logging](#logging) and [troubleshooting](#troubleshooting-the-add-on)

+1. Review [limitations](#limitations) and [recommendations in our FAQ section](#frequently-asked-questions)

+### Prerequisites

+1. You need the Azure CLI version 2.12.0 or later installed and configured. Run `az --version` to

+ find the version. If you need to install or upgrade, see

+ [Install the Azure CLI](../../../azure-resource-manager/management/resource-providers-and-types.md#azure-cli).

+

+1. Open ports for the Azure Policy extension. The Azure Policy extension uses these domains and ports to fetch policy

+ definitions and assignments and report compliance of the cluster back to Azure Policy.

+ |Domain |Port |

+ |||

+ |`data.policy.core.windows.net` |`443` |

+ |`store.policy.core.windows.net` |`443` |

+ |`login.windows.net` |`443` |

+ |`dc.services.visualstudio.com` |`443` |

+[Azure Policy for Kubernetes](./policy-for-kubernetes.md) makes it possible to manage and report on the compliance state of your Kubernetes clusters from one place. With Azure Policy's Extension for Arc-enabled Kubernetes clusters, you can govern your Arc-enabled Kubernetes cluster components, like pods and containers.

+## Create a policy definition

+definitions. There are sample definition files available to assign in [Azure Policy's built-in policy library](../samples/built-in-policies.md) that can be used to govern your cluster components.

+Azure Policy for Kubernetes also support custom definition creation at the component-level for both Azure Kubernetes Service clusters and Azure Arc-enabled Kubernetes clusters. Constraint template and mutation template samples are available in the [Gatekeeper community library](https://github.com/open-policy-agent/gatekeeper-library/tree/master). [Azure Policy's VS Code Extension](../how-to/extension-for-vscode.md#create-policy-definition-from-constraint-template) can be used to help translate an existing constraint template or mutation template to a custom Azure Policy policy definition.

+With a [Resource Provider mode](./definition-structure.md#resource-provider-modes) of

+`Microsoft.Kubernetes.Data`, the effects [audit](./effects.md#audit), [deny](./effects.md#deny), [disabled](./effects.md#disabled), and [mutate](./effects.md#mutate-preview) are used to manage your Kubernetes clusters.

+_Audit_ and _deny_ must provide **details** properties

+As part of the _details.templateInfo_ or _details.constraintInfo_ properties in the policy definition, Azure Policy passes the URI or Base64Encoded value of these [CustomResourceDefinitions](https://open-policy-agent.github.io/gatekeeper/website/docs/howto/#constraint-templates)(CRD) to the add-on. Rego is the language that OPA and Gatekeeper support to validate a request to

+like the Azure Policy template store (`store.policy.core.windows.net`) and GitHub.

+### View the add-on mutation templates

+To view mutation templates downloaded by the add-on, run `kubectl get assign`, `kubectl get assignmetadata`, and `kubectl get modifyset`.

+## Azure Policy Add-On for AKS Changelog

+Azure PolicyΓÇÖs Add-On for AKS has a version number that indicates the image version of add-on. As feature support is newly introduced on the Add-On, the version number is increased.

+This section will help you identify which Add-On version is installed on your cluster and also share a historical table of the Azure Policy Add-On version installed per AKS cluster.

+### Identify which Add-On version is installed on your cluster

+The Azure Policy Add-On uses the standard [Semantic Versioning](https://semver.org/) schema for each version. To identify the Azure Policy Add-On version being used, you can run the following command:

+`kubectl get pod azure-policy-<unique-pod-identifier> -n kube-system -o json | jq '.spec.containers[0].image'`

+To identify the Gatekeeper version that your Azure Policy Add-On is using, you can run the following command:

+`kubectl get pod gatekeeper-controller-<unique-pod-identifier> -n gatekeeper-system -o json | jq '.spec.containers[0].image' `

+Finally, to identify the AKS cluster version that you are using, follow the linked AKS guidance for this.

+### Add-On versions available per each AKS cluster version

+#### 1.2.1

+- Released October 2023

+- Kubernetes 1.25+

+- Gatekeeper 3.13.3

+#### 1.1.0

+- Released July 2023

+- Kubernetes 1.27+

+- Gatekeeper 3.11.1

+#### 1.0.1

+- Released June 2023

+- Kubernetes 1.24+

+- Gatekeeper 3.11.1

+#### 1.0.0

+Azure Policy for Kubernetes now supports mutation to remediate AKS clusters at-scale!

+## Limitations

+ - For general Azure Policy definitions and assignment limits, please review [Azure Policy's documented limits](../../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-policy-limits)

+ - Azure Policy Add-on for Kubernetes can only be deployed to Linux node pools.

+ - Maximum number of pods supported by the Azure Policy Add-on per cluster: **10,000**

+ - Maximum number of Non-compliant records per policy per cluster: **500**

+ - Maximum number of Non-compliant records per subscription: **1 million**

+ - Installations of Gatekeeper outside of the Azure Policy Add-on aren't supported. Uninstall any components installed by a previous Gatekeeper installation before enabling the Azure Policy Add-on.

+ - [Reasons for non-compliance](../how-to/determine-non-compliance.md#compliance-reasons) aren't available for the Microsoft.Kubernetes.Data [Resource Provider mode](./definition-structure.md#resource-provider-modes). Use [Component details](../how-to/determine-non-compliance.md#component-details-for-resource-provider-modes).

+ - Component-level [exemptions](./exemption-structure.md) arenΓÇÖt supported for [Resource Provider modes](./definition-structure.md#resource-provider-modes). Parameters support is available in Azure Policy definitions to exclude and include particular namespaces.

+The following limitations apply only to the Azure Policy Add-on for AKS:

+- [AKS Pod security policy](../../../aks/use-pod-security-policies.md) and the Azure Policy Add-on for AKS can't both be enabled. For more information, see [AKS pod security limitation](../../../aks/use-azure-policy.md).

+- Namespaces automatically excluded by Azure Policy Add-on for evaluation: kube-system and gatekeeper-system.

+## Frequently asked questions

+### What does the Azure Policy Add-On / Azure Policy Extension deploy on my cluster upon installation?

+The Azure Policy Add-on requires three Gatekeeper components to run: One audit pod and two webhook pod replicas. One Azure Policy pod and one Azure Policy webhook pod will also be installed.

+### How much resource consumption should I expect the Azure Policy Add-On / Extension to use on each cluster?

+The Azure Policy for Kubernetes components that run on your cluster consume more resources as the count of Kubernetes resources and policy assignments increases in the cluster, which requires audit and enforcement operations.

+The following are estimates to help you plan:

+ - For fewer than 500 pods in a single cluster with a max of 20 constraints: two vCPUs and 350 MB of memory per component.

+ - For more than 500 pods in a single cluster with a max of 40 constraints: three vCPUs and 600 MB of memory per component.

+### Can Azure Policy for Kubernetes definitions be applied on Windows pods?

+Windows pods [don't support security contexts](https://kubernetes.io/docs/concepts/security/pod-security-standards/#what-profiles-should-i-apply-to-my-windows-pods). Thus, some of the Azure Policy definitions, like disallowing root privileges, can't be escalated in Windows pods and only apply to Linux pods.

+### What type of diagnostic data gets collected by Azure Policy Add-on?

+### What are general best practices to keep in mind when installing the Azure Policy Add-On?

+ - Use system node pool with CriticalAddonsOnly taint to schedule Gatekeeper pods. For more information, see [Using system node pools](../../../aks/use-system-pools.md#system-and-user-node-pools).

+ - Secure outbound traffic from your AKS clusters. For more information, see [Control egress traffic](../../../aks/limit-egress-traffic.md) for cluster nodes.

+ - If the cluster has aad-pod-identity enabled, Node Managed Identity (NMI) pods modify the nodes' iptables to intercept calls to the Azure Instance Metadata endpoint. This configuration means any request made to the Metadata endpoint is intercepted by NMI even if the pod doesn't use aad-pod-identity.

+ - AzurePodIdentityException CRD can be configured to inform aad-pod-identity that any requests to the Metadata endpoint originating from a pod that matches labels defined in CRD should be proxied without any processing in NMI. The system pods with kubernetes.azure.com/managedby: aks label in kube-system namespace should be excluded in aad-pod-identity by configuring the AzurePodIdentityException CRD. For more information, see [Disable aad-pod-identity for a specific pod or application](https://azure.github.io/aad-pod-identity/docs/configure/application_exception). To configure an exception, install the [mic-exception YAML](https://github.com/Azure/aad-pod-identity/blob/master/deploy/infra/mic-exception.yaml).

+## Resilience

+## Resilience

+The MedTech service enables IoT devices to seamlessly integrate with FHIR&reg; services. This reference architecture is designed to accelerate adoption of Internet of Things (IoT) projects. This solution uses Azure Databricks for the Machine Learning (ML) compute. However, Azure Machine Learning Services with Kubernetes or a partner ML solution could fit into the Machine Learning Scoring Environment.

+ 2. For observation windows where the RiskAssessment is outside the acceptable range a Flag Resource should also be submitted to the FHIR service.

+15. Power BI Dashboard is updated with RiskAssessment output in under 15 minutes.

+

+[What is the MedTech service?](overview.md)

+

+[Understand the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+

+This reference architecture shows the basic components of using the Microsoft cloud services to enable Power BI on top of Internet of Things (IoT) and FHIR&reg; data.

+[What is the MedTech service?](overview.md)

+[Understand the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+When combining the MedTech service, the FHIR&reg; service, and Teams, you can enable multiple care solutions.

+[What is the MedTech service?](overview.md)

+[Understand the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+* Health Data Services FHIR&reg; service.

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+[Overview of the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+* Health Data Services FHIR&reg; service.

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+[Overview of the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+The following diagram outlines the basic steps of the MedTech service deployment. These steps might help you analyze the deployment options and determine which deployment method is best for you.

+Using an ARM template with the **Deploy to Azure** button is an easy and fast deployment method because it automates the deployment, most configuration steps, and uses the Azure portal. The deployed MedTech service and Azure IoT Hub are fully functional including conforming and valid device and FHIR&reg; destination mappings. Use the Azure IoT Hub to create devices and send device messages to the MedTech service.

+Using the Azure portal allows you to see the details of each deployment step. The Azure portal deployment has many steps, but it provides valuable technical information that might be useful for customizing and troubleshooting your MedTech service.

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+[Overview of the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+* Health Data Services FHIR&reg; service.

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+[Overview of the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+* Azure Health Data Services FHIR&reg; service

+Before you complete your configuration in the **Review + create** tab, you might want to configure tags. You can do this step by selecting the **Next: Tags >** tab.

+2. The deployment process can take several minutes. The screen displays a message saying that your deployment is in progress.

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+[Overview of the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+The MedTech service can receive messages from devices you create and manage through an IoT hub in [Azure IoT Hub](../../iot-hub/iot-concepts-and-iot-hub.md). This tutorial uses an Azure Resource Manager template (ARM template) and a **Deploy to Azure** button to deploy a MedTech service. The template also deploys an IoT hub to create and manage devices, and message routes device messages to an event hub for the MedTech service to read and process. After device data processing, the FHIR&reg; resources are persisted in the FHIR service, which is also included in the template.

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+[Overview of the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+No. The MedTech service currently only supports the Azure Health Data Services FHIR&reg; service for the persistence of transformed device data. The open-source version of the MedTech service supports the use of different FHIR services.

+The MedTech service supports the [HL7 FHIR R4](https://www.hl7.org/implement/standards/product_brief.cfm?product_id=491) standard.

+[What is the MedTech service?](overview.md)

+[Understand the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+[Choose a deployment method for the MedTech service](deploy-new-choose.md)

+[Overview of the MedTech service FHIR destination mapping](overview-of-fhir-destination-mapping.md)

+[Choose a deployment method for the MedTech service](deploy-choose-method.md)

+[How to enable diagnostic settings for the MedTech service](how-to-enable-diagnostic-settings.md)

+* Access the MedTech service predefined Azure Log Analytics queries.

+ 2. **+ Add diagnostic setting**: Create more diagnostic settings for your MedTech service (for example: you might also want to send your MedTech service metrics to another destination like a Logs Analytics workspace).

+2. Copy the below table query string into your Log Analytics workspace query area and select **Run**. Using the *AHDSMedTechDiagnosticLogs* table will provide you with all logs contained in the entire table for the selected **Time range** setting (the default value is **Last 24 hours**). The MedTech service provides five predefined queries that will be addressed in the article section titled [Accessing the MedTech service predefined Azure Log Analytics queries](#accessing-the-medtech-service-predefined-azure-log-analytics-queries).

+## Accessing the MedTech service predefined Azure Log Analytics queries

+The MedTech service comes with predefined queries that can be used anytime in your Log Analytics workspace to filter and summarize your logs for more precise investigation. The queries can also be customized and saved/shared.

+1. To access the predefined queries, select **Queries**, type *MedTech* in the **Search** area, select a predefined query by using a double-click, and select **Run** to execute the predefined query. In this example, we've selected *MedTech healthcheck exceptions*. You'll select a predefined query of your own choosing.

+ > You can click on each of the MedTech service predefined queries to see their description and access different options for running the query or placing it into the Log Analytics workspace query area.

+ :::image type="content" source="media/how-to-enable-diagnostic-settings/select-and-run-pre-defined-query.png" alt-text="Screenshot of searching, selecting, and running a MedTech service predefined query." lightbox="media/how-to-enable-diagnostic-settings/select-and-run-pre-defined-query.png":::

+2. Multiple predefined queries can be selected. In this example, we've additionally selected *Log count per MedTech log or exception type*. You'll select another predefined query of your own choosing.

+ :::image type="content" source="media/how-to-enable-diagnostic-settings/select-and-run-additional-pre-defined-query.png" alt-text="Screenshot of searching, selecting, and running a MedTech service and additional predefined query." lightbox="media/how-to-enable-diagnostic-settings/select-and-run-additional-pre-defined-query.png":::

+3. Only the highlighted predefined query will be executed.

+ :::image type="content" source="media/how-to-enable-diagnostic-settings/results-of-select-and-run-additional-pre-defined-query.png" alt-text="Screenshot of results of running a MedTech service and additional predefined query." lightbox="media/how-to-enable-diagnostic-settings/results-of-select-and-run-additional-pre-defined-query.png":::

+> Any changes that you've made to the predefined queries are not saved and will have to be recreated if you leave your Log Analytics workspace without saving custom changes you've made to the predefined queries.

+[Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+[How to use custom functions with the MedTech service device mapping](how-to-use-custom-functions.md)

+[Overview of the FHIR destination mapping](overview-of-fhir-destination-mapping.md)

+[Overview of the MedTech service scenario-based mappings samples](overview-of-samples.md)

+[Overview of the MedTech service device mapping](overview-of-device-mapping.md)

+[Overview of the MedTech service FHIR destination mapping](overview-of-fhir-destination-mapping.md)

+[Overview of the MedTech service scenario-based mappings samples](overview-of-samples.md)

+[Receive device messages through Azure IoT Hub](device-messages-through-iot-hub.md)

+[Overview of the FHIR destination mapping](overview-of-fhir-destination-mapping.md)

+[Overview of the MedTech service scenario-based mappings samples](overview-of-samples.md)

+[Overview of the MedTech service device mapping](overview-of-device-mapping.md)

+[Overview of the MedTech service FHIR destination mapping](overview-of-fhir-destination-mapping.md)

+[Overview of the MedTech service scenario-based mappings samples](overview-of-samples.md)

+[How to configure the MedTech service metrics](how-to-configure-metrics.md)

+[How to enable diagnostic settings for the MedTech service](how-to-enable-diagnostic-settings.md)

+[Choose a deployment method for the MedTech service](deploy-choose-method.md)

+[Overview of the MedTech service device mapping](overview-of-device-mapping.md)

+[Overview of the MedTech service FHIR destination mapping](overview-of-fhir-destination-mapping.md)

+[Overview of the MedTech service scenario-based mappings samples](overview-of-samples.md)

+[How to use CalculatedContent templates with the MedTech service device mapping](how-to-use-calculatedcontent-templates.md)

+[How to use IotJsonPathContent templates with the MedTech service device mapping](how-to-use-iotjsonpathcontent-templates.md)

+[How to use custom functions with the MedTech service device mapping](how-to-use-custom-functions.md)

+[Overview of the MedTech service FHIR destination mapping](overview-of-fhir-destination-mapping.md)

+[Overview of the MedTech service scenario-based mappings samples](overview-of-samples.md)

+[Overview of the MedTech service device mapping](overview-of-device-mapping.md)

+[How to use CalculatedContent templates with the MedTech service device mapping](how-to-use-calculatedcontent-templates.md)

+[How to use IotJsonPathContent templates with the MedTech service device mapping](how-to-use-iotjsonpathcontent-templates.md)

+[How to use custom functions with the MedTech service device mapping](how-to-use-custom-functions.md)

+[Overview of the MedTech service scenario-based mappings samples](overview-of-samples.md)

+[What is MedTech service?](overview.md)

+[Overview of the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Choose a deployment method for the MedTech service](deploy-choose-method.md)

+[Overview of the MedTech service device mapping](overview-of-device-mapping.md)

+[Overview of the MedTech service FHIR destination mapping](overview-of-fhir-destination-mapping.md)

+[Overview of the MedTech service device data processing stages](overview-of-device-data-processing-stages.md)

+[Choose a deployment method for the MedTech service](deploy-choose-method.md)

+[Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+[Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+[Frequently asked questions about the MedTech service](frequently-asked-questions.md)

+IoT Central applications created after April 2023 initially have a single IoT hub. If the IoT hub becomes unavailable, the application becomes unavailable. However, IoT Central automatically scales the application and adds a new IoT hub for each 10,000 connected devices. If you require multiple IoT hubs for applications with fewer than 10,000 devices, submit a request to [IoT Central customer support](../../iot/iot-support-help.md?toc=%2Fazure%2Fiot-central%2Ftoc.json&bc=%2Fazure%2Fiot-central%2Fbreadcrumb%2Ftoc.json).

+To allow a principal to perform an operation, you must assign them a role that grants them permissions to perform that operations. All these roles and operations allow you to manage permissions only for *data plane* operations. For *management plane* operations, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md) and [Secure access to your managed HSMs](secure-your-managed-hsm.md).

+To assign management plane roles (Azure RBAC) you can use Azure portal or any of the other management interfaces such as Azure CLI or Azure PowerShell. To assign managed HSM data plane roles you must use Azure CLI. For more information on management plane roles, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md). For more information on Managed HSM data plane roles, see [Local RBAC built-in roles for Managed HSM](built-in-roles.md).

+In order to ensure a timely response is received, HTTP/S health probes have built-in timeouts. The following are the timeout durations for TCP and HTTP/S probes:

+* TCP probe timeout duration: N/A (probes will fail once the configured probe interval duration has passed and the next probe has beeen sent)

+* HTTP/S probe timeout duration: 30 seconds

+For HTTP/S probes, if the configured interval is longer than the above timeout period, the health probe will timeout and fail if no response is received during the timeout period. For example, if an HTTP health probe is configured with a probe interval of 120 seconds (every 2 minutes), and no probe response is received within the first 30 seconds, the probe will have reached its timeout period and fail.

+Use [Get-AzLoadBalancerInboundNatRuleConfig](/powershell/module/az.network/get-azloadbalancerinboundnatruleconfig) to place the newly created inbound NAT rule information into a variable.

+Use [Get-AzNetworkInterface](/powershell/module/az.network/get-aznetworkinterface) to place the network interface information into a variable.

+Use [Set-AzNetworkInterfaceIpConfig](/powershell/module/az.network/set-aznetworkinterfaceipconfig) to add the newly created inbound NAT rule to the IP configuration of the network interface.

+To save the configuration to the network interface, use [Set-AzNetworkInterface](/powershell/module/az.network/set-aznetworkinterface).

+## Add the inbound NAT rule to a virtual machine

+$NatRule = @{

+ Name = 'MyInboundNATrule'

+ LoadBalancer = $lb

+}

+$NatRuleConfig = Get-AzLoadBalancerInboundNatRuleConfig @NatRule

+$NetworkInterface = @{

+ ResourceGroupName = 'myResourceGroup'

+ Name = 'MyNIC'

+ }

+ $NIC = Get-AzNetworkInterface @NetworkInterface

+

+ $IPconfig = @{

+ Name = 'Ipconfig'

+ LoadBalancerInboundNatRule = $NatRuleConfig

+}

+$NIC | Set-AzNetworkInterfaceIpConfig @IPconfig

+$NIC | Set-AzNetworkInterface

+ * [Windows](https://github.com/Azure/azure-functions-core-tools/releases): Use the Microsoft Installer (MSI) version, which is `func-cli-X.X.XXXX-x*.msi`.

+| QnA GPT Similarity Evaluation | GPT Similarity | Measures similarity between user-provided ground truth answers and the model predicted answer using GPT Model. | Yes | question, answer, ground truth (context not needed) | 1 to 5, with 1 being the worst and 5 being the best. |

+ Title: The overview of tools in prompt flow

+description: The overview of tools in prompt flow displays an index table for tools and the instructions for custom tool package creation and tool package usage.

+# The overview of tools in prompt flow (preview)

+This table provides an index of tools in prompt flow. If existing tools can't meet your requirements, you can [develop your own custom tool and make a tool package](https://microsoft.github.io/promptflow/how-to-guides/develop-a-tool/create-and-use-tool-package.html).

+> [!IMPORTANT]

+> Prompt flow is currently in public preview. This preview is provided without a service-level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+| Tool name | Description | Environment | Package Name |

+||--|-|--|

+| [Python](./python-tool.md) | Run Python code. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |

+| [LLM](./llm-tool.md) | Use Open AI's Large Language Model for text completion or chat. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |

+| [Prompt](./prompt-tool.md) | Craft prompt using Jinja as the templating language. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |

+| [Embedding](./embedding-tool.md) | Use Open AI's embedding model to create an embedding vector representing the input text. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |

+| [Open Source LLM](./open-source-llm-tool.md) | Use an Open Source model from the Azure Model catalog, deployed to an Azure Machine Learning Online Endpoint for LLM Chat or Completion API calls. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |

+| [Serp API](./serp-api-tool.md) | Use Serp API to obtain search results from a specific search engine. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |

+| [Content Safety (Text)](./content-safety-text-tool.md) | Use Azure Content Safety to detect harmful content. | Default | [promptflow-contentsafety](https://pypi.org/project/promptflow-contentsafety/) |

+| [Faiss Index Lookup](./faiss-index-lookup-tool.md) | Search vector based query from the FAISS index file. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

+| [Vector DB Lookup](./vector-db-lookup-tool.md) | Search vector based query from existing Vector Database. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

+| [Vector Index Lookup](./vector-index-lookup-tool.md) | Search text or vector based query from Azure Machine Learning Vector Index. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |

+To discover more custom tools that developed by the open source community, see [more custom tools](https://microsoft.github.io/promptflow/integrations/tools/https://docsupdatetracker.net/index.html).

+For the tools that should be utilized in the custom environment, see [Custom tool package creation and usage](../how-to-custom-tool-package-creation-and-usage.md#prepare-runtime) to prepare the runtime. Then the tools can be displayed in the tool list.

+ Title: Transparency Note for Auto-Generate Prompt Variants in Prompt Flow

+description: Transparency Note for Auto-Generate Prompt Variants in Prompt Flow

+# Transparency Note for Auto-Generate Prompt Variants in Prompt Flow

+## What is a Transparency Note?

+An AI system includes not only the technology, but also the people who use it, the people who are affected by it, and the environment in which it's deployed. Creating a system that is fit for its intended purpose requires an understanding of how the technology works, what its capabilities and limitations are, and how to achieve the best performance. Microsoft's Transparency Notes are intended to help you understand how our AI technology works, the choices system owners can make that influence system performance and behavior, and the importance of thinking about the whole system, including the technology, the people, and the environment. You can use Transparency Notes when developing or deploying your own system, or share them with the people who will use or be affected by your system.

+Microsoft's Transparency Notes are part of a broader effort at Microsoft to put our AI Principles into practice. To find out more, see the [Microsoft's AI principles](https://www.microsoft.com/ai/responsible-ai).

+## The basics of Auto-Generate Prompt Variants in Prompt Flow

+### Introduction

+Prompt engineering is at the center of building applications using Large Language Models. Microsoft's Prompt Flow offers rich capabilities to interactively edit, bulk test, and evaluate prompts with built-in flows to pick the best prompt. With the Auto-Generate Prompt Variants feature in Prompt Flow, we provide the ability to automatically generate variations of a user's base prompt with help of large language models and allow users to test them in Prompt Flow to reach the optimal solution for the user's model and use case needs.

+### Key terms

+| **Term** | **Definition** |

+| | |

+| Prompt flow | Prompt Flow offers rich capabilities to interactively edit prompts and bulk test them with built-in evaluation flows to pick the best prompt. More information available at [What is prompt flow](./overview-what-is-prompt-flow.md) |

+| Prompt engineering | The practice of crafting and refining input prompts to elicit more desirable responses from a large language model, particularly in large language models. |

+| Prompt variants | Different versions or modifications of a given input prompt designed to test or achieve varied responses from a large language model. |

+| Base prompt | The initial or primary prompt that serves as a starting point for eliciting response from large language models. In this case it is provided by the user and is modified to create prompt variants. |

+| System prompt | A predefined prompt generated by a system, typically to initiate a task or seek specific information. This is not visible but is used internally to generate prompt variants. |

+## Capabilities

+### System behavior

+The Auto-Generate Prompt Variants feature, as part of the Prompt Flow experience, provides the ability to automatically generate and easily assess prompt variations to quickly find the best prompt for your use case. This feature further empowers Prompt Flow's rich set of capabilities to interactively edit and evaluate prompts, with the goal of simplifying prompt engineering.

+When provided with the user's base prompt the Auto-Generate Prompt Variants feature generates several variations using the generative power of Azure OpenAI models and an internal system prompt. While Azure OpenAI provides content management filters, we recommend verifying any prompts generated before using them in production scenarios.

+### Use cases

+#### Intended uses

+Auto-Generate Prompt Variants can be used in the following scenarios. The system's intended use is:

+**Generate new prompts from a provided base prompt**: "Generate Variants" feature will allow the users of prompt flow to automatically generate variants of their provided base prompt with help of LLMs (Large Language Models).

+#### Considerations when choosing a use case

+**Do not use Auto-Generate Prompt Variants for decisions that might have serious adverse impacts.**

+Auto-Generate Prompt Variants was not designed or tested to recommend items that require additional considerations related to accuracy, governance, policy, legal, or expert knowledge as these often exist outside the scope of the usage patterns carried out by regular (non-expert) users. Examples of such use cases include medical diagnostics, banking, or financial recommendations, hiring or job placement recommendations, or recommendations related to housing.

+## Limitations

+Explicitly in the generation of prompt variants, it is important to understand that while AI systems are incredibly valuable tools, they are **non-deterministic**. This means that perfect **accuracy** (the measure of how well the system-generated events correspond to real events that happened in a space) of predictions is not possible. A good model will have high accuracy, but it will occasionally output incorrect predictions. Failure to understand this limitation can lead to over-reliance on the system and unmerited decisions that can impact stakeholders.

+Furthermore, the prompt variants that are generated using LLMs, are returned to the user as is. It is encouraged to evaluate and compare these variants to determine the best prompt for a given scenario. There are **additional concerns** here because many of the evaluations offered in the Prompt Flow ecosystems also depend on LLMs, potentially further decreasing the utility of any given prompt. Manual review is strongly recommended.

+### Technical limitations, operational factors, and ranges

+As mentioned previously, the Auto-Generate Prompt Variants feature does not provide a measurement or evaluation of the provided prompt variants. It is strongly recommended that the user of this feature evaluates the suggested prompts in the way which best aligns with their specific use case and requirements.

+The Auto-Generate Prompt Variants feature is limited to generating a maximum of five variations from a given base prompt. If more are required, additional prompt variants can be generated after modifying the original base prompt.

+Auto-Generate Prompt Variants only supports Azure OpenAI models at this time. In addition to limiting users to only the models which are supported by Azure OpenAI, it also limits content to what is acceptable in terms of the Azure OpenAI's content management policy. Uses outside of this policy are not supported by this feature.

+## System performance

+Performance for the Auto-Generate Prompt Variants feature is determined by the user's use case in each individual scenario ΓÇô in this way the feature does not evaluate each prompt or generate metrics.

+Operating in the Prompt Flow ecosystem, which focuses on Prompt Engineering, provides a strong story for error handling. Often retrying the operation will resolve an error. One error which might arise specific to this feature is response filtering from the Azure OpenAI resource for content or harm detection, this would happen in the case that content in the base prompt is determined to be against Azure OpenAI's content management policy. To resolve these errors please update the base prompt in accordance with the guidance at [Azure OpenAI Service content filtering](/azure/ai-services/openai/concepts/content-filter).

+### Best practices for improving system performance

+To improve performance there are several parameters which can be modified, depending on the use cases and requirements of the prompt requirements:

+- **Model**: The choice of models used with this feature will impact the performance. As general guidance, the GPT-4 model is more powerful than the GPT-3.5 and would thus be expected to generate more performant prompt variants.

+- **Number of Variants**: This parameter specifies how many variants to generate. A larger number of variants will produce more prompts and therefore the likelihood of finding the best prompt for the use case.

+- **Base Prompt**: Since this tool generates variants of the provided base prompt, a strong base prompt can set up the tool to provide the maximum value for your case. Please review the guidelines at Prompt engineering techniques with [Azure OpenAI](/azure/ai-services/openai/concepts/advanced-prompt-engineering).

+## Evaluation of Auto-Generate Prompt Variants

+### Evaluation methods

+The Auto-Generate Prompt Variants feature been testing by the internal development team, targeting fit for purpose and harm mitigation.

+### Evaluation results

+Evaluation of harm management showed staunch support for the combination of system prompt and Azure Open AI content management policies in actively safe-guarding responses. Additional opportunities to minimize the chance and risk of harms can be found in the Microsoft documentation: [Azure OpenAI Service abuse monitoring](/azure/ai-services/openai/concepts/abuse-monitoring) and [Azure OpenAI Service content filtering](/azure/ai-services/openai/concepts/content-filter).

+Fit for purpose testing supported the quality of generated prompts from creative purposes (poetry) and chat-bot agents. The reader is cautioned from drawing sweeping conclusions given the breadth of possible base prompt and potential use cases. As previously mentioned, please use evaluations appropriate to the required use cases and ensure a human reviewer is part of the process.

+## Evaluating and integrating Auto-Generate Prompt Variants for your use

+The performance of the Auto-Generate Prompt Variants feature will vary depending on the base prompt and use case in it is used. True usage of the generated prompts will depend on a combination of the many elements of the system in which the prompt is used.

+To ensure optimal performance in their scenarios, customers should conduct their own evaluations of the solutions they implement using Auto-Generate Prompt Variants. Customers should, generally, follow an evaluation process that:

+- Uses internal stakeholders to evaluate any generated prompt.

+- Uses internal stakeholders to evaluate results of any system which uses a generated prompt.

+- Incorporates KPI (Key Performance Indicators) and metrics monitoring when deploying the service using generated prompts meets evaluation targets.

+## Learn more about responsible AI

+- [Microsoft AI principles](https://www.microsoft.com/ai/responsible-ai)

+- [Microsoft responsible AI resources](https://www.microsoft.com/ai/responsible-ai-resources)

+- [Microsoft Azure Learning courses on responsible AI](/training/paths/responsible-ai-business-principles/)

+## Learn more about Auto-Generate Prompt Variants

+ - [What is prompt flow](./overview-what-is-prompt-flow.md)

+Create an Azure Database for MariaDB with the az mariadb server create command. Remember that the name of your MariaDB Server must be unique across Azure, so replace the placeholder value in brackets with your own unique value:

+**Azure recommended to minimize cost** | You can get the most cost efficient and compatible target recommendation in Azure across Azure IaaS and Azure PaaS targets. | For SQL Servers, sizing and cost comes from the *Recommended report* with optimization strategy - minimize cost from Azure SQL assessment.<br/><br/> For web apps, sizing and cost comes from Azure App Service and Azure Kubernetes Service assessments depending on web app readiness and minimum cost. <br/><br/>For general servers, sizing and cost comes from Azure VM assessment.

+**Modernize to PaaS (Platform as a Service)** | You can get a PaaS preferred recommendation that means, the logic identifies workloads best fit for PaaS targets. <br/><br/>General servers are recommended with a quick lift and shift recommendation to Azure IaaS. | For SQL Servers, sizing and cost comes from the *Recommended report* with optimization strategy - *Modernize to PaaS* from Azure SQL assessment.<br/><br/> For web apps, sizing and cost comes from Azure App Service and Azure Kubernetes Service assessments, with a preference to App Service. For general servers, sizing and cost comes from Azure VM assessment.

+| | Compute(PaaS) | Azure App Service or Azure Kubernetes Service | Plan cost from Azure App Service and/or Node pool cost from Azure Kubernetes Service. |

+| | Azure App Service security cost | Defender for App Service | For web apps recommended for App Service or App Service containers, the Defender for App Service cost for that region is added. |

+**Azure recommended to minimize cost** | You can get the most cost efficient and compatible target recommendation in Azure across Azure IaaS and Azure PaaS targets. | For SQL Servers, sizing and cost comes from the *Recommended report* with optimization strategy - minimize cost from Azure SQL assessment.<br/><br/> For web apps, sizing and cost comes from Azure App Service and Azure Kubernetes Service assessments depending on web app readiness and minimum cost.<br/><br/> For general servers, sizing and cost comes from Azure VM assessment.

+**Modernize to PaaS (Platform as a Service)** | You can get a PaaS preferred recommendation that means, the logic identifies workloads best fit for PaaS targets.<br/><br/> General servers are recommended with a quick lift and shift recommendation to Azure IaaS. | For SQL Servers, sizing and cost comes from the *Instance to Azure SQL MI* report.<br/><br/> For web apps, sizing and cost comes from Azure App Service and Azure Kubernetes Service assessments, with a preference to App Service. <br/><br/> For general servers, sizing and cost comes from Azure VM assessment.<br/><br/>

+- Azure App Service and App Service Container:

+- Azure Kubernetes Service:

+ - **Estimated cost by savings options**: This card includes the cost of the recommended AKS node pools. It is recommended that the web apps are migrated using 3 year Reserved Instance or 3 year Savings Plan to maximize savings.

+ - **Distribution by recommended Node pool SKU**: This card covers the recommended SKUs for AKS node pools.

+| **60005**:SSHOperationTimeout | The operation took longer than expected either due to network latency issues or due to the lack of latest updates on the server.| - Ensure that the impacted server has the latest kernel and OS updates installed.<br/>- Ensure that there is no network latency between the appliance and the server. It is recommended to have the appliance and source server on the same domain to avoid latency issues.<br/> - Connect to the impacted server from the appliance and run the commands [documented here](./troubleshoot-appliance.md) to check if they return null or empty data.<br/>- If the issue persists, submit a Microsoft support case providing the appliance machine ID (available in the footer of the appliance configuration manager). |

+Install Windows PowerShell 5.1 at this location on the server. Following the instructios in [Install and Configure WMF 5.1](/previous-versions/powershell/scripting/windows-powershell/install/installing-windows-powershell) about how to install PowerShell in Windows Server.

+1. Go to the server that's reporting this error.

+1. Search and select **Run** from the **Start** menu. In the **Run** dialog, enter **wmimgmt.msc** in the **Open** text box, and select **Enter**.

+1. The wmimgmt console opens where you can find **WMI Control (Local)** in the left pane. Right-click it, and select **Properties** from the menu.

+1. In the **WMI Control (Local) Properties** dialog, select the **Securities** tab.

+1. On the **Securities** tab, select **Security** to open the **Security for ROOT** dialog.

+1. Select **Advanced** to open the **Advanced Security Settings for Root** dialog.

+1. Select **Add** to open the **Permission Entry for Root** dialog.

+1. Click **Select a principal** to open the **Select Users, Computers, Service Accounts, or Groups** dialog.

+ ````

+ Invoke-VMScript -VM $vm -ScriptText "powershell.exe 'Get-WmiObject Win32_Process'" -GuestCredential $credential

+ Invoke-VMScript -VM $vm -ScriptText "powershell.exe 'netstat -ano -p tcp'" -GuestCredential $credential

+ ````

+You get this error if the discovered servers don't appear in the portal or if the server data is outdated.

+| **60005**:SSHOperationTimeout | The operation took longer than expected either due to network latency issues or due to the lack of latest updates on the server.| - Ensure that the impacted server has the latest kernel and OS updates installed.<br/>- Ensure that there is no network latency between the appliance and the server. It is recommended to have the appliance and source server on the same domain to avoid latency issues.<br/> - Connect to the impacted server from the appliance and run the commands [documented here](./troubleshoot-appliance.md) to check if they return null or empty data.<br/>- If the issue persists, submit a Microsoft support case providing the appliance machine ID (available in the footer of the appliance configuration manager). |

+Install Windows PowerShell 5.1 at this location on the server. Following the instructios in [Install and Configure WMF 5.1](/previous-versions/powershell/scripting/windows-powershell/install/installing-windows-powershell) about how to install PowerShell in Windows Server.

+1. Go to the server that's reporting this error.

+1. Select **Advanced** to open the **Advanced Security Settings for Root** dialog.

+ ````

+ ````

+|**30001**: Unable to connect to SQL Server from the appliance.|1. The appliance doesn't have a network line of sight to SQL Server.<br/>2. The firewall is blocking the connection between SQL Server and the appliance.|1. Make SQL Server reachable from the appliance.<br/>2. Allow incoming connections from the appliance to SQL Server.| - |

+**Application servers** | Enable PowerShell remoting on the application servers: sign in to the application server and follow [these instructions to turn on PowerShell remoting](/powershell/module/microsoft.powershell.core/enable-psremoting). <br/><br/> Ensure that PowerShell 5.1 is installed on the application server. Follow the instructions in [Install and Configure WMF 5.1](/previous-versions/powershell/scripting/windows-powershell/wmf/setup/install-configure) on the application server. <br/><br/> If the Microsoft Web Deployment tool isn't already installed on the machine running the App Containerization tool and the application server, install it. You can [download the tool](https://aka.ms/webdeploy3.6).

+6. Specify a name for the target container for each selected application. Specify the container name as <*name:tag*>, where *tag* is used for the container image. For example, you can specify the target container name as *appname:v1*.

+4. You can monitor the progress of the build by selecting **Build in Progress** under the status column. The link will become active a couple minutes after you trigger the build process.

+ If you don't have an App Service plan or want to create a new App Service plan to use, you can create one by selecting **Create new App Service plan**.

+ - If you want to use an Azure key vault to manage your application secrets, specify the key vault that you want to use.

+ - If you don't have an Azure key vault or want to create a new key vault, you can create one by selecting **Create new Azure Key Vault**.

+ If you don't have an Azure file share or want to create a new Azure file share, you can create one by selecting **Create new Storage Account and file share**.

+In this article, you'll learn how to containerize ASP.NET applications and migrate them to [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/services/kubernetes-service/) using the Azure Migrate: App Containerization tool. The containerization process doesn't require access to your codebase and provides an easy way to containerize existing applications. The tool works by using the running state of the applications on a server to determine the application components and helps you package them in a container image. The containerized application can then be deployed on Azure Kubernetes Service (AKS).

+**Application servers** | Enable PowerShell remoting on the application servers: Sign in to the application server and follow [these](/powershell/module/microsoft.powershell.core/enable-psremoting) instructions to turn on PowerShell remoting. <br/><br/> Ensure that PowerShell 5.1 is installed on the application server. Follow the instruction in [Install and Configure WMF 5.1](/previous-versions/powershell/scripting/windows-powershell/wmf/setup/install-configure) to download and install PowerShell 5.1 on the application server. <br/><br/> Install the Microsoft Web Deploy tool on the machine running the App Containerization helper tool and application server if not already installed. You can download the tool from [here](https://aka.ms/webdeploy3.6).

+2. If you see a warning stating that says your connection isn't private, select **Advanced** and choose to proceed to the website. This warning appears as the web interface uses a self-signed TLS/SSL certificate.

+2. Select **Validate** to verify that the application server is reachable from the machine running the tool and that the credentials are valid. Upon successful validation, the status column will show the status as **Mapped**.

+5. **Specify container name**: Specify a name for the target container for each selected application. The container name should be specified as <*name:tag*> where the tag is used for container image. For example, you can specify the target container name as *appname:v1*.

+> If you're using AKS 1.23+, edit the scripts as shown below before building the docker image, to ensure a seamless migration.

+> ```

+> to

+> # Run entrypoint script.

+4. **Track build status**: You can also monitor progress of the build step by selecting the **Build in Progress** link under the status column. The link takes a couple of minutes to be active after you've triggered the build process.

+ ```

+ - If you don't have an AKS cluster or would like to create a new AKS cluster to deploy the application to, you can choose to create on from the tool by selecting **Create new AKS cluster**.

+ - If you'd like to use an Azure Key Vault for managing your application secrets, then specify the Azure Key Vault that you'd want to use.

+ - If you don't have an Azure Key Vault or would like to create a new Key Vault, you can choose to create on from the tool by selecting **Create new Azure Key Vault**.

+ - If you don't have an Azure file share or would like to create a new Azure file share, you can choose to create on from the tool by selecting **Create new Storage Account and file share**.

+ - **Storage**: For any application folders that were configured for Persistent Volume storage, specify whether the volume should be shared across application instances or should be initialized individually with each instance in the container. By default, all application folders on Persistent Volumes are configured as shared.

+ Title: Assess ASP.NET web apps for migration to Azure Kubernetes Service

+description: Assessments of ASP.NET web apps to Azure Kubernetes Service using Azure Migrate

+# Assess ASP.NET web apps for migration to Azure Kubernetes Service (preview)

+This article shows you how to assess ASP.NET web apps for migration to [Azure Kubernetes Service (AKS)](../aks/intro-kubernetes.md) using Azure Migrate. Creating an assessment for your ASP.NET web app provides key insights such as **app-readiness**, **target right-sizing** and **cost** to host and run these apps month over month.

+In this tutorial, you'll learn how to:

+> [!div class="checklist"]

+> * Choose a set of discovered ASP.NET web apps to assess for migration to AKS.

+> * Provide assessment configurations such as Azure Reserved Instances, target region etc.

+> * Get insights about the migration readiness of their assessed apps.

+> * Get insights on the AKS Node SKUs that can optimally host and run these apps.

+> * Get the estimated cost of running these apps on AKS.

+> [!NOTE]

+> Tutorials show you the simplest deployment path for a scenario so that you can quickly set up a proof-of-concept. Tutorials use default options where possible and don't show all possible settings and paths.

+## Prerequisites

+- Deploy and configure the Azure Migrate appliance in your [VMware](./tutorial-discover-vmware.md), [Hyper-V](./tutorial-discover-hyper-v.md) or [physical environment](./tutorial-discover-physical.md).

+- Check the [appliance requirements](./migrate-appliance.md#appliancevmware) and [URL access](./migrate-appliance.md#url-access) to be provided.

+- Follow [these steps](./how-to-discover-sql-existing-project.md) to discover ASP.NET web apps running on your environment.

+## Create an assessment

+1. On the **Servers, databases and web apps** page, select **Assess** and then select **Web apps on Azure**.

+ :::image type="content" source="./media/tutorial-assess-aspnet-aks/hub-assess-webapps.png" alt-text="Screenshot of selecting web app assessments.":::

+2. On the **Basics** tab, select the **Scenario** dropdown and select **Web apps to AKS**.

+ :::image type="content" source="./media/tutorial-assess-aspnet-aks/create-basics-scenario.png" alt-text="Screenshot of selecting the scenario for web app assessment.":::

+3. On the same tab, select **Edit** to modify assessment settings. See the table below to update the various assessment settings.

+ :::image type="content" source="./media/tutorial-assess-aspnet-aks/create-basics-settings.png" alt-text="Screenshot of changing the target settings for web app assessment.":::

+ | Setting | Possible Values | Comments |

+ | | | |

+ | Target Location | All locations supported by AKS | Used to generate regional cost for AKS. |

+ | Environment Type | Production <br> Dev/Test | Allows you to toggle between Pay-As-You-Go and Pay-As-You-Go Dev/Test [offers](https://azure.microsoft.com/support/legal/offer-details/). |

+ | Offer/Licensing program | Pay-As-You-Go <br> Enterprise Agreement | Allows you to toggle between Pay-As-You-Go and Enterprise Agreement [offers](https://azure.microsoft.com/support/legal/offer-details/). |

+ | Currency | All common currencies such as USD, INR, GBP, Euro | We generate the cost in the currency selected here. |

+ | Discount Percentage | Numeric decimal value | Use this to factor in any custom discount agreements with Microsoft. This is disabled if Savings options are selected. |

+ | EA subscription | Subscription ID | Select the subscription ID for which you have an Enterprise Agreement. |

+ | Savings options | 1 year reserved <br> 3 years reserved <br> 1 year savings plan <br> 3 years savings plan <br> None | Select a savings option if you have opted for [Reserved Instances](../cost-management-billing/reservations/save-compute-costs-reservations.md) or [Savings Plan](https://azure.microsoft.com/pricing/offers/savings-plan-compute/). |

+ | Category | All <br> Compute optimized <br> General purpose <br> GPU <br> High performance compute <br> Isolated <br> Memory optimized <br> Storage optimized | Selecting a particular SKU category will ensure we recommend the best AKS Node SKUs from that category. |

+ | AKS pricing tier | Standard | Pricing tier for AKS |

+4. After reviewing the assessment settings, select **Next**.

+5. Select the list of servers which host the web apps to be assessed. Provide a name to this group of servers as well as the assessment. You can also filter web apps discovered by a specific appliance, in case your project has more than one.

+ :::image type="content" source="./media/tutorial-assess-aspnet-aks/create-server-selection.png" alt-text="Screenshot of selecting servers containing the web apps to be assessed.":::

+6. Select **Next** to review the high-level assessment details. Select **Create assessment**.

+ :::image type="content" source="./media/tutorial-assess-aspnet-aks/create-review.png" alt-text="Screenshot of reviewing the high-level assessment details before creation.":::

+## View assessment insights

+The assessment can take around 10 minutes to complete.

+1. On the **Servers, databases and web apps** page, select the hyperlink next to **Web apps on Azure**.

+ :::image type="content" source="./media/tutorial-assess-aspnet-aks/hub-view-assessments.png" alt-text="Screenshot of clicking the hyperlink to see the list of web app assessments.":::

+2. On the **Assessments** page, use the search bar to filter for your assessment. It should be in the **Ready** state.

+ :::image type="content" source="./media/tutorial-assess-aspnet-aks/assessment-list.png" alt-text="Screenshot of filtering for the created assessment.":::

+ | Assessment State | Definition |

+ | | |

+ | Creating | The assessment creation is in progress. It takes around 10 minutes to complete. |

+ | Ready | The assessment has successfully been created. |

+ | Invalid | There was an error in the assessment computation. |

+### Assessment overview

+On the **Overview** page, you're provided with the following details:

+1. **Assessed entities**: This section provides the count of servers, web servers and web apps that are part of this assessment.

+2. **Migration readiness**: The assessed web apps will have one of the following statuses:

+ | Status | Definition |

+ | | |

+ | *Ready* | The web app is ready to be migrated |

+ | *Ready with conditions* | The web app needs minor changes to be ready for migration |

+ | *Not ready* | The web app needs major/breaking changes to be ready for migration |

+ | *Unknown* | The web app discovery data was either incomplete or corrupt to calculate readiness |

+> [!NOTE]

+> Web apps that are either *Ready* or *Ready with conditions* are recommended for migration.

+3. **Monthly cost estimate**: This section provides the month over month cost projection of running your migration-ready web apps on AKS.

+You can update the **Settings** of the assessment after it's created. This triggers a recalculation.

+Selecting the **Export assessment** option exports the entire assessment to an Excel spreadsheet.

+### Assessment details

+#### Readiness

+On the **Readiness** tab, you see the list of web apps assessed. For each web app, you see the readiness status, the cluster and the recommended AKS Node SKU.

+Select the readiness condition of an app to see the migration warnings or issues. For apps that are *Ready with conditions*, you'll only see warnings. For apps that are *Not ready*, you'll see errors and potentially warnings.

+For each issue or warning, you're provided the description, cause and mitigation steps along with useful documentation/blogs for reference.

+Selecting the recommended cluster for the app opens the **Cluster details** page. This page surfaces details such as the number of system and user node pools, the SKU for each node pool as well as the web apps recommended for this cluster. Typically, an assessment will only generate a single cluster. The number of clusters increases when the web apps in the assessment start hitting AKS cluster limits.

+#### Cost details

+On the **Cost details** tab, you see the breakdown of the monthly cost estimate distributed across AKS node pools. AKS pricing is intrinsically dependent on the node pool costs.

+For each node pool, you see the associated node SKU, node count and the number of web apps recommended to be scheduled, along with the cost. By default, there will be at least 2 node pools:

+1. *System*: Used to host critical system pods such as `CoreDNS`.

+2. *User*: As ASP.NET framework apps need a Windows node to run, the assessment recommends at least one additional Windows-based node pool.

+## Next steps

+- [Modernize](./tutorial-modernize-asp-net-aks.md) your ASP.NET web apps at-scale to Azure Kubernetes Service.

+- Optimize [Windows Dockerfiles](/virtualization/windowscontainers/manage-docker/optimize-windows-dockerfile?context=/azure/aks/context/aks-context).

+- [Review and implement best practices](../aks/best-practices.md) to build and manage apps on AKS.

+This article shows you how to assess discovered ASP.NET web apps running on IIS web servers in preparation for migration to Azure App Service Code and Azure App Service Containers, using the Azure Migrate: Discovery and assessment tool. [Learn more](../app-service/overview.md) about Azure App Service.

+> Tutorials show the quickest path for trying out a scenario and use default options where possible.

+To run an assessment, follow these steps:

+2. On **Azure Migrate: Discovery and assessment**, select **Assess** and choose the assessment type as **Web apps on Azure**.

+ :::image type="content" source="./media/tutorial-assess-webapps/assess-web-apps.png" alt-text="Screenshot of Overview page for Azure Migrate.":::

+3. In **Create assessment**, the assessment type is pre-selected as **Web apps on Azure** and the discovery source defaulted to **Servers discovered from Azure Migrate appliance**. Select the **Scenario** as **Web apps to App Service**.

+ :::image type="content" source="./media/tutorial-assess-webapps/create-assess-scenario.png" alt-text="Screenshot of Create assessment page for Azure Migrate.":::

+ The following are included in Azure App Service assessment properties:

+ :::image type="content" source="./media/tutorial-assess-webapps/settings.png" alt-text="Screenshot of assessment settings for Azure Migrate.":::

+ **Environment type** | Type of environment in which it's running.

+ **Offer** | The [Azure offer](https://azure.microsoft.com/support/legal/offer-details/) in which you're enrolled. The assessment estimates the cost for that offer.

+ **Currency** | The billing currency for your account.

+ **Discount (%)** | Any subscription-specific discounts that you receive on top of the Azure offer. The default setting is 0%.

+ **EA subscription** | Specifies that an Enterprise Agreement (EA) subscription is used for cost estimation. Takes into account the discount applicable to the subscription. <br/><br/> Retain the default settings for reserved instances and discount (%) properties.

+ **Savings options (Compute)** | The Savings option the assessment must consider.

+ **Isolation required** | Select **Yes** if you want your web apps to run in a private and dedicated environment in an Azure datacenter.

+ - In **Savings options (Compute)**, specify the savings option that you want the assessment to consider, helping to optimize your Azure Compute cost.

+ - [Azure reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) (one year or three year reserved) are a good option for the most consistently running resources.

+ - [Azure Savings Plan](../cost-management-billing/savings-plan/savings-plan-compute-overview.md) (one year or three year savings plan) provides additional flexibility and automated cost optimization. Ideally post migration, you could use Azure reservation and savings plan at the same time (reservation is consumed first), but in the Azure Migrate assessments, you can only see cost estimates of 1 savings option at a time.

+ - When you select *None*, the Azure Compute cost is based on the Pay-as-you-go rate or based on actual usage.

+ - You need to select Pay-as-you-go in offer/licensing program to be able to use Reserved Instances or Azure Savings Plan. When you select any savings option other than *None*, the **Discount (%)** setting isn't applicable.

+1. Select **Save** if you made any changes.

+1. In **Select servers to assess** > **Assessment name**, specify a name for the assessment.

+1. In **Select or create a group**, select **Create New** and specify a group name. You can also use an existing group.

+1. Select the appliance and select the servers that you want to add to the group. Select **Next**.

+ :::image type="content" source="./media/tutorial-assess-webapps/server-selection.png" alt-text="Screenshot of selected servers.":::

+1. In **Review + create assessment**, review the assessment details, and select **Create Assessment** to create the group and run the assessment.

+ :::image type="content" source="./media/tutorial-assess-webapps/create-app-review.png" alt-text="Screenshot of create assessment.":::

+1. After the assessment is created, go to **Servers, databases and web apps** > **Azure Migrate: Discovery and assessment**. Refresh the tile data by selecting the **Refresh** option on top of the tile. Wait for the data to refresh.

+1. Select the number next to **Web apps on Azure** in the **Assessment** section.

+To view an assessment, follow these steps:

+1. In **Servers, databases and web apps** > **Azure Migrate: Discovery and assessment**, select the number next to the Web apps on Azure assessment.

+2. Select the assessment name, which you wish to view.

+

+ :::image type="content" source="./media/tutorial-assess-webapps/overview.png" alt-text="Screenshot of Overview screen.":::

+ The **Overview** screen contains 3 sections: Essentials, Assessed entities, and Migration scenario.

+ **Essentials**

+ The **Essentials** section displays the group the assessed entity belongs to, its status, the location, discovery source, and currency in US dollars.

+ **Assessed entities**

+ This section displays the number of servers selected for the assessments, number of Azure app services in the selected servers, and the number of distinct Sprint Boot app instances that were assessed.

+ **Migration scenario**

+ This section provides a pictorial representation of the number of apps that are ready, ready with conditions, and not ready. You can see two graphical representations, one for *All Web applications to App Service Code* and the other for *All Web applications to App Service Containers*. In addition, it also lists the number of apps ready to migrate and the estimated cost for the migration for the apps that are ready to migrate.

+3. Review the assessment summary. You can also edit the assessment properties or recalculate the assessment.

+Review the Readiness for the web apps by following these steps:

+1. In **Assessments**, select the name of the assessment that you want to view.

+1. Select **View more details** to view more details about each app and instances. Review the Azure App service Code and Azure App service Container readiness column in the table for the assessed web apps:

+ :::image type="content" source="./media/tutorial-assess-webapps/code-readiness.png" alt-text="Screenshot of Azure App Service Code readiness.":::

+ 1. If there are non-critical compatibility issues, such as degraded or unsupported features that don't block the migration to a specific target deployment type, the readiness is marked as **Ready with conditions** (hyperlinked) with **warning** details and recommended remediation guidance.

+ 1. If the discovery is still in progress or there are any discovery issues for a web app, the readiness is marked as **Unknown** as the assessment couldn't compute the readiness for that web app.

+ 1. If the assessment isn't up-to-date, the status shows as **Outdated**. Select the corresponding assessment and select **Recalculate assessment**. The assessment is recalculated and the Readiness overview screen is updated with the results of the recalculated assessments.

+1. Select the Readiness status to open the **Migration issues and warnings** pane with details of the cause of the issue and recommended action.

+ :::image type="content" source="./media/tutorial-assess-webapps/code-check.png" alt-text="Screenshot of recommended actions.":::

+1. Review the recommended SKU for the web apps, which is determined as per the matrix below:

+ **Readiness** | **Determine size estimate** | **Determine cost estimates**

+The assessment summary shows the estimated monthly costs for hosting your web apps.

+Select the **Cost details** tab to view a monthly cost estimate depending on the SKUs.

+## Update (November 2023)

+- Public Preview: Assess your ASP.NET web apps for migration to Azure Kubernetes Service (AKS). Using this feature, you get insights such as app readiness, cluster rightsizing and cost of running these web apps on AKS. [Learn more](tutorial-assess-aspnet-aks.md).

+- Public Preview: Assess your ASP.NET web apps for migration to Azure App Service Containers. [Learn more](tutorial-assess-webapps.md).

+- Public Preview: Get the total cost of ownership (TCO) comparison for your ASP.NET web apps running on AKS and App Service Containers in Azure Migrate Business Case. [Learn more](how-to-build-a-business-case.md).

+- Geo-restore: is available only if you configured your server for geo-redundant storage and it allows you to restore your server to either a geo-paired region or any other azure supported region where flexible server is available. Currently, Geo-restore is not supported for regions like `Brazil South`, `USGov Virginia` and `West US 3`.

+You can restore a server to it's [geo-paired region](overview.md#azure-regions) where the service is available if you have configured your server for geo-redundant backups or any other azure supported region where flexible server is available. Ability to restore to any non-paired Azure supported region (except `Brazil South`, `USGov Virginia` and `West US 3)` is known as "Universal Geo-restore"

+> If you are geo-restoring a flexible server configured with zone redundant high availability, the restored server will be configured in the geo-paired region and the same zone as your primary server and deployed as a single flexible server in a non-HA mode. Refer to [zone redundant high availability](concepts-high-availability.md) for flexible server.

+- **How is my backup data protected?**

+Azure database for MySQL Flexible server protects your backup data by blocking any operations that could lead to loss of recovery points for the duration of configured retention period. Backup's taken during the retention period can only be read for the purpose of restoration and is deleted post retention period. Additionally, all backups in Azure Database for MySQL Flexible server is encrypted using AES 256-bit encryption for the data stored at rest.

+Planned events like scaling of compute and minor version upgrades happen on the primary and the standby at the same time. You can set the [scheduled maintenance window](./concepts-maintenance.md) for HA servers as you do for flexible servers. The amount of downtime will be the same as the downtime for the Azure Database for MySQL - Flexible Server when HA is disabled. </br>

+In Azure Database for MySQL - Flexible Server, the default value for `lower_case_table_names` is 1 for MySQL version 5.7. If you need to adjust this setting, we recommend reaching out to our [support team](https://azure.microsoft.com/support/create-ticket/) for guidance. It's important to understand that once parameter value changed to 2, it's not allowed to revert from 2 back to 1.

+For MySQL version 8.0, please note that changing the lower_case_table_names setting after the server is initialized is prohibited. [Learn more](https://dev.mysql.com/doc/refman/8.0/en/identifier-case-sensitivity.html). In Azure Database for MySQL - Flexible Server version 8.0, the default value for `lower_case_table_names` is 1. If you wish to modify this parameter to 2, we suggest creating a MySQL 5.7 server, contacting our [support team](https://azure.microsoft.com/support/create-ticket/) for assistance with the change, and later, if needed, you can upgrade the server to version 8.0.

+## November 2023

+- **Universal Geo Restore in Azure Database for MySQL - Flexible Server (General Availability)**

+Universal Geo Restore feature will allow you to restore a source server instance to an alternate region from the list of Azure supported regions where flexible server is [available](./overview.md#azure-regions). If a large-scale incident in a region results in unavailability of database application, then you can use this feature as a disaster recovery option to restore the server to an Azure supported target region, which is different than the source server region. [Learn more](concepts-backup-restore.md#restore)

+ Title: "Migrate MySQL on-premises or Virtual Machine (VM) workload to Azure Database for MySQL - Flexible Server using Azure MySQL Import CLI"

+description: This tutorial describes how to use the Azure MySQL Import CLI to migrate MySQL on-premises or VM workload to Azure Database for MySQL - Flexible Server.

+ - mvc

+ - devx-track-azurecli

+ - mode-api

+ms.devlang: azurecli

+# Migrate MySQL on-premises or Virtual Machine (VM) workload to Azure Database for MySQL - Flexible Server using Azure MySQL Import CLI

+Azure MySQL Import enables you to migrate your MySQL on-premises or Virtual Machine (VM) workload seamlessly to Azure Database for MySQL - Flexible Server. It uses a user-provided physical backup file and restores the source server's physical data files to the target server offering a simple and fast migration path. Post MySQL Import operation, you can take advantage of the benefits of Flexible Server, including better price & performance, granular control over database configuration, and custom maintenance windows.

+Based on user-inputs, it takes up the responsibility of provisioning your target Flexible Server and then restoring the user-provided physical backup of the source server stored in the Azure Blob storage account to the target Flexible Server instance.

+This tutorial shows how to use the Azure MySQL Import CLI command to migrate your Migrate MySQL on-premises or Virtual Machine (VM) workload to Azure Database for MySQL - Flexible Server.

+## Launch Azure Cloud Shell

+The [Azure Cloud Shell](../../cloud-shell/overview.md) is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

+As the feature is currently in private preview, this tutorial requires you to install Azure Edge Build and use the CLI locally, see [Install Azure Edge Build CLI](https://github.com/Azure/azure-cli#edge-builds).

+## Setup

+You must sign in to your account using the [az sign-in](/cli/azure/reference-index#az-login) command. Note the **id** property, which refers to your Azure account's **Subscription ID**.

+```azurecli-interactive

+az login

+```

+Select the specific subscription under your account where you want to deploy the target Flexible Server using the [az account set](/cli/azure/account#az-account-set) command. Note the **id** value from the **az login** output to use as the value for the **subscription** argument in the command. To get all your subscriptions, use [az account list](/cli/azure/account#az-account-list).

+```azurecli-interactive

+az account set --subscription <subscription id>

+```

+## Prerequisites

+* Source server should have the following parameters:

+ * Lower_case_table_names = 1

+ * Innodb_file_per_table = ON

+ * System tablespace name should be ibdata1.

+ * System tablespace size should be greater than or equal to 12 MB. (MySQL Default)

+ * Innodb_page_size = 16348 (MySQL Default)

+ * Only INNODB engine is supported.

+* Take a physical backup of your MySQL workload using Percona XtraBackup

+The following are the steps for using Percona XtraBackup to take a full backup :

+ * Install Percona XtraBackup on the on-premises or VM workload, see [Installing Percona XtraBackup 2.4]( https://docs.percona.com/percona-xtrabackup/2.4/installation.html).

+ * For instructions for taking a Full backup with Percona XtraBackup 2.4, see [Full backup]( https://docs.percona.com/percona-xtrabackup/2.4/backup_scenarios/full_backup.html).

+ * [Create an Azure Blob container](../../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container) and get the Shared Access Signature (SAS) Token ([Azure portal](../../ai-services/translator/document-translation/how-to-guides/create-sas-tokens.md?tabs=Containers#create-sas-tokens-in-the-azure-portal) or [Azure CLI](../../storage/blobs/storage-blob-user-delegation-sas-create-cli.md)) for the container. Ensure that you grant Add, Create and Write in the **Permissions** drop-down list. Copy and paste the Blob SAS token and URL values in a secure location. They're only displayed once and can't be retrieved once the window is closed.

+* Upload the full backup file to your Azure Blob storage. Follow steps [here]( ../../storage/common/storage-use-azcopy-blobs-upload.md#upload-a-file).

+* For performing an online migration, capture and store the bin-log position of the backup file taken using Percona XtraBackup by running the **cat xtrabackup_info** command and copying the bin_log pos output.

+## Limitations

+* Source server configuration isn't migrated. You must configure the target Flexible server appropriately.

+* Users and privileges aren't migrated as part of MySQL Import. You must take a manual dump of users and privileges before initiating MySQL Import to migrate logins post import operation by restoring them on the target Flexible Server.

+* High Availability (HA) enabled Flexible Servers are returned as HA disabled servers to increase the speed of migration operation post the import migration. Enable HA for your target Flexible Server post migration.

+## Recommendations for an optimal migration experience

+* Consider keeping the Azure Blob storage account and the target Flexible Server to be deployed in the same region for better import performance.

+* Recommended SKU configuration for target Azure Database for MySQL Flexible Server ΓÇô

+ * Setting Burstable SKU for target isn't recommended in order to optimize migration time when running the MySQL Import operation. We recommend scaling to General Purpose/ Business Critical for the course of the import operation, post, which you can scale down to Burstable SKU.

+## Trigger a MySQL Import operation to migrate from Azure Database for MySQL -Flexible Server

+Trigger a MySQL Import operation with the `az mysql flexible-server import create` command. The following command creates a target Flexible Server and performs instance-level import from backup file to target destination using your Azure CLI's local context:

+```azurecli

+az mysql flexible-server import create --data-source-type

+ --data-source

+ --data-source-sas-token

+ --resource-group

+ --name

+ --sku-name

+ --tier

+ --version

+ --location

+ [--data-source-backup-dir]

+ [--storage-size]

+ [--mode]

+ [--admin-password]

+ [--admin-user]

+ [--auto-scale-iops {Disabled, Enabled}]

+ [--backup-identity]

+ [--backup-key]

+ [--backup-retention]

+ [--database-name]

+ [--geo-redundant-backup {Disabled, Enabled}]

+ [--high-availability {Disabled, SameZone, ZoneRedundant}]

+ [--identity]

+ [--iops]

+ [--key]

+ [--private-dns-zone]

+ [--public-access]

+ [--resource-group]

+ [--standby-zone]

+ [--storage-auto-grow {Disabled, Enabled}]

+ [--subnet]

+ [--subnet-prefixes]

+ [--tags]

+ [--vnet]

+ [--zone]

+The following example takes in the data source information for your source MySQL serverΓÇÖs backup file and target Flexible Server information, creates a target Flexible Server named `test-flexible-server` in the `westus` location and performs an import from backup file to target.

+azurecli-interactive

+az mysql flexible-server import create --data-source-type "azure_blob" --data-source "https://onprembackup.blob.core.windows.net/onprembackup" --data-source-backup-dir "mysql_backup_percona" ΓÇô-data-source-token "{sas-token}" --resource-group "test-rg" --name "test-flexible-server" ΓÇô-sku-name Standard_D2ds_v4 --tier GeneralPurpose ΓÇô-version 5.7 -ΓÇôlocation "westusΓÇ¥

+```

+Here are the details for the arguments above:

+**Setting** | **Sample value** | **Description**

+||

+data-source-type | azure_blob | The type of data source that serves as the source destination for triggering MySQL Import. Accepted values: [azure_blob]. Description of accepted values- azure_blob: Azure Blob storage.

+data-source | {resourceID} | The resource ID of the Azure Blob container.

+data-source-backup-dir | mysql_percona_backup | The directory of the Azure Blob storage container in which the backup file was uploaded. This value is required only when the backup file isn't stored in the root folder of Azure Blob container.

+data-source-sas-token | {sas-token} | The Shared Access Signature (SAS) token generated for granting access to import from the Azure Blob storage container.

+resource-group | test-rg | The name of the Azure resource group of the target Azure Database for MySQL Flexible Server.

+mode | Offline | The mode of MySQL import. Accepted values: [Offline]; Default value: Offline.

+location | westus | The Azure location for the source Azure Database for MySQL Flexible Server.

+name | test-flexible-server | Enter a unique name for your target Azure Database for MySQL Flexible Server. The server name can contain only lowercase letters, numbers, and the hyphen (-) character. It must contain from 3 to 63 characters. Note: This server is deployed in the same subscription, resource group, and region as the source.

+admin-user | adminuser | The username for the administrator sign-in for your target Azure Database for MySQL Flexible Server. It can't be **azure_superuser**, **admin**, **administrator**, **root**, **guest**, or **public**.

+admin-password | *password* | The administrator user's password for your target Azure Database for MySQL Flexible Server. It must contain between 8 and 128 characters. Your password must contain characters from three categories: English uppercase letters, English lowercase letters, numbers, and nonalphanumeric characters.

+sku-name|GP_Gen5_2|Enter the name of the pricing tier and compute configuration for your target Azure Database for MySQL Flexible Server. Follows the convention {pricing tier}*{compute generation}*{vCores} in shorthand. See the [pricing tiers](../flexible-server/concepts-service-tiers-storage.md#service-tiers-size-and-server-types) for more information.

+tier | Burstable | Compute tier of the target Azure Database for MySQL Flexible Server. Accepted values: Burstable, GeneralPurpose, MemoryOptimized; Default value: Burstable.

+public-access | 0.0.0.0 | Determines the public access for the target Azure Database for MySQL Flexible Server. Enter single or range of IP addresses to be included in the allowed list of IPs. IP address ranges must be dash-separated and not contain any spaces. Specifying 0.0.0.0 allows public access from any resources deployed within Azure to access your server. Setting it to "None" sets the server in public access mode but doesn't create a firewall rule.

+vnet | myVnet | Name or ID of a new or existing virtual network. If you want to use a vnet from different resource group or subscription, provide a resource ID. The name must be between 2 to 64 characters. The name must begin with a letter or number, end with a letter, number or underscore, and can contain only letters, numbers, underscores, periods, or hyphens.

+subnet | mySubnet | Name or resource ID of a new or existing subnet. If you want to use a subnet from different resource group or subscription, provide resource ID instead of name. Note that the subnet is delegated to flexibleServers. After delegation, this subnet can't be used for any other type of Azure resources.

+private-dns-zone | myserver.private.contoso.com | The name or ID of new or existing private dns zone. You can use the private dns zone from same resource group, different resource group, or different subscription. If you want to use a zone from different resource group or subscription, provide resource Id. CLI creates a new private dns zone within the same resource group as virtual network if not provided by users.

+key | key identifier of testKey | The resource ID of the primary keyvault key for data encryption.

+identity | testIdentity | The name or resource ID of the user assigned identity for data encryption.

+storage-size | 32 | The storage capacity of the target Azure Database for MySQL Flexible Server. The minimum is 20 GiB, and max is 16 TiB.

+tags | key=value | Provide the name of the Azure resource group.

+version | 5.7 | Server major version of the target Azure Database for MySQL Flexible Server.

+high-availability | ZoneRedundant | Enable (ZoneRedundant or SameZone) or disable the high availability feature for the target Azure Database for MySQL Flexible Server. Accepted values: Disabled, SameZone, ZoneRedundant; Default value: Disabled.

+zone | 1 | Availability zone into which to provision the resource.

+standby-zone | 3 | The availability zone information of the standby server when high Availability is enabled.

+storage-auto-grow | Enabled | Enable or disable auto grow of storage for the target Azure Database for MySQL Flexible Server. The default value is Enabled. Accepted values: Disabled, Enabled; Default value: Enabled.

+iops | 500 | Number of IOPS to be allocated for the target Azure Database for MySQL Flexible Server. You get a certain amount of free IOPS based on compute and storage provisioned. The default value for IOPS is free IOPS. To learn more about IOPS based on compute and storage, refer to IOPS in Azure Database for MySQL Flexible Server.

+## Migrate to Flexible Server with minimal downtime

+In order to perform an online migration after completing the initial seeding from backup file using MySQL import, you can configure data-in replication between the source and target by following steps [here](../flexible-server/how-to-data-in-replication.md?tabs=bash%2Ccommand-line). You can use the bin-log position captured while taking the backup file using Percona XtraBackup to set up Bin-log position based replication.

+## How long does MySQL Import take to migrate my Single Server instance?

+Benchmarked performance based on storage size.

+ | Backup file Storage Size | MySQL Import time |

+ | - |:-:|

+ | 1 GiB | 0 min 23 secs |

+ | 10 GiB | 4 min 24 secs |

+ | 100 GiB | 10 min 29 secs |

+ | 500 GiB | 13 min 15 secs |

+ | 1 TB | 22 min 56 secs |

+ | 10 TB | 2 hrs 5 min 30 secs |

+

+As the storage size increases, the time required for data copying also increases, almost in a linear relationship. However, it's important to note that copy speed can be significantly impacted by network fluctuations. Therefore, the data provided here should be taken as a reference only.

+## Next steps

+* [Manage an Azure Database for MySQL - Flexible Server using the Azure portal](../flexible-server/how-to-manage-server-portal.md)

+description: Learn which versions of the MySQL server are supported in the Azure Database for MySQL Service.

+In the Single Server deployment option, a gateway is used to redirect the connections to server instances. After the connection is established, the MySQL client displays the version of MySQL set in the gateway, not the actual version running on your MySQL server instance. To determine the version of your MySQL server instance, use the `SELECT VERSION();` command at the MySQL prompt. Review [Connectivity architecture](./concepts-connectivity-architecture.md#connectivity-architecture) to learn more about gateways in Azure Database for MySQL Service architecture.

+In Azure Database for MySQL Service, gateway nodes listens on port 3308 for v5.7 clients and port 3309 for v8.0 clients. In other words, if you would like to connect to v5.7 gateway client, you should use your fully qualified server name and port 3308 to connect to your server from client application. Similarly, if you would like to connect to v8.0 gateway client, you can use your fully qualified server name and port 3309 to connect to your server. Check the following example for further clarity.

+> Starting July 1, 2021, you will not be able to add new connection monitors in Connection Monitor (classic) but you can continue to use existing connection monitors created prior to July 1, 2021. To minimize service disruption to your current workloads, migrate from Connection Monitor (classic) to the new Connection Monitor in Azure Network Watcher before February 29, 2024.

+## Release: September 2023

+* General availability of [Storage auto-grow](./concepts-compute-storage.md) for Azure Database for PostgreSQL ΓÇô Flexible Server.

+* General availability of [Cross Subscription and Cross Resource Group Restore](how-to-restore-to-different-subscription-or-resource-group.md) for Azure Database for PostgreSQL ΓÇô Flexible Server.

+

+description: Learn about the information you need to create a site in an existing private mobile network.

+Azure Private 5G Core private mobile networks include one or more sites. Each site represents a physical enterprise location (for example, Contoso Corporation's Chicago factory) containing an Azure Stack Edge device that hosts a packet core instance. This how-to guide takes you through the process of collecting the information you need to create a new site.

+Choose the service plan that best fits your requirements and verify pricing and charges. See [Azure Private 5G Core pricing](https://azure.microsoft.com/pricing/details/private-5g-core/).

+ |The core technology type the packet core instance should support: 5G, 4G, or combined 4G and 5G. |**Technology type**|

+ | The IP address for the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface; for combined 4G and 5G, it's the N2 and S1-MME interfaces. You identified this address in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses). </br></br> This IP address must match the value you used when deploying the AKS-HCI cluster on your Azure Stack Edge Pro device. You did this as part of the steps in [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices). |**N2 address (Signaling)** (for 5G), **S1-MME address** (for 4G), or **S1-MME/N2 address (Signaling)** (for combined 4G and 5G). |

+ | The virtual network name on port 5 on your Azure Stack Edge Pro device corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface; for combined 4G and 5G, it's the N2/S1-MME interface; for combined 4G and 5G, it's the N2/S1-MME interface. | **ASE N2 virtual subnet** (for 5G), **ASE S1-MME virtual subnet** (for 4G), or **ASE N2/S1-MME virtual subnet** (for combined 4G and 5G). |

+ | The virtual network name on port 5 on your Azure Stack Edge Pro device corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface; for combined 4G and 5G, it's the N3/S1-U interface. | **ASE N3 virtual subnet** (for 5G), **ASE S1-U virtual subnet** (for 4G), or **ASE N3/S1-U virtual subnet** (for combined 4G and 5G). |

+ | The IP address for the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface; for combined 4G and 5G, it's the N2 and S1-MME interfaces. You identified this address in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-2#allocate-subnets-and-ip-addresses). </br></br> This IP address must match the value you used when deploying the AKS-HCI cluster on your Azure Stack Edge Pro device. You did this as part of the steps in [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-2#order-and-set-up-your-azure-stack-edge-pro-devices). |**N2 address (Signaling)** (for 5G), **S1-MME address** (for 4G), or **S1-MME/N2 address (Signaling)** (for combined 4G and 5G). |

+ | The virtual network name on port 3 on your Azure Stack Edge Pro 2 corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface; for combined 4G and 5G, it's the N2/S1-MME interface. | **ASE N2 virtual subnet** (for 5G), **ASE S1-MME virtual subnet** (for 4G), or **ASE N2/S1-MME virtual subnet** (for combined 4G and 5G). |

+ | The virtual network name on port 3 on your Azure Stack Edge Pro 2 corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface; for combined 4G and 5G, it's the N3/S1-U interface. | **ASE N3 virtual subnet** (for 5G), **ASE S1-U virtual subnet** (for 4G), or **ASE N3/S1-U virtual subnet** (for combined 4G and 5G). |

+## Collect UE usage tracking values

+If you want to configure UE usage tracking for your site, collect all the values in the following table to define the packet core instance's associated Event Hubs instance.

+> [!NOTE]

+> You must already have an [Azure Event Hubs instance](/azure/event-hubs) with an associated user assigned managed identity with the **Resource Policy Contributor** role before you can collect the information in the following table.

+> [!NOTE]

+> Azure Private 5G Core does not support Event Hubs with a [log compaction delete cleanup policy](/azure/event-hubs/log-compaction?source=recommendations).

+ |Value |Field name in Azure portal |

+ |||

+ |The namespace for the Azure Event Hubs instance that your site will use for UE usage tracking. |**Azure Event Hub Namespace**|

+ |The name of the Azure Event Hubs instance that your site will use for UE usage tracking.|**Event Hub name**|

+ |The user assigned managed identity that has the **Resource Policy Contributor** role for the Event Hubs instance. <br /> **Note:** The managed identity must be assigned to the Packet Core Control Plane for the site and assigned to the Event Hubs instance via the instance's **Identity and Access Management (IAM)** blade. <br /> **Note:** Only assign one managed identity to the site. This managed identity must be used for any UE usage tracking for the site after upgrade and site configuration modifications.<br /><br /> See [Use a user-assigned managed identity to capture events](/azure/event-hubs/event-hubs-capture-managed-identity) for more information on managed identities. |**User Assigned Managed Identity**|

+ | The virtual network name on port 6 (or port 5 if you plan to have more than six data networks) on your Azure Stack Edge Pro GPU device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface; for combined 4G and 5G, it's the N6/SGi interface. | **ASE N6 virtual subnet** (for 5G) or **ASE SGi virtual subnet** (for 4G), or **ASE N6/SGi virtual subnet** (for combined 4G and 5G). |

+ | The network address of the subnet from which dynamic IP addresses must be allocated to user equipment (UEs), given in CIDR notation. You don't need this address if you don't want to support dynamic IP address allocation for this site. You identified this in [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-gpu#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`192.0.2.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Dynamic UE IP pool prefixes**|

+ | The network address of the subnet from which static IP addresses must be allocated to user equipment (UEs), given in CIDR notation. You don't need this address if you don't want to support static IP address allocation for this site. You identified this in [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-gpu#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`203.0.113.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Static UE IP pool prefixes**|

+ | The Domain Name System (DNS) server addresses to be provided to the UEs connected to this data network. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-gpu#allocate-subnets-and-ip-addresses). </br></br>This value might be an empty list if you don't want to configure a DNS server for the data network. In this case, UEs in this data network will be unable to resolve domain names. | **DNS Addresses** |

+ | The virtual network name on port 4 (or port 3 if you plan to have more than six data networks) on your Azure Stack Edge Pro 2 device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface; for combined 4G and 5G, it's the N6/SGi interface. | **ASE N6 virtual subnet** (for 5G) or **ASE SGi virtual subnet** (for 4G), or **ASE N6/SGi virtual subnet** (for combined 4G and 5G). |

+ | The network address of the subnet from which dynamic IP addresses must be allocated to user equipment (UEs), given in CIDR notation. You don't need this address if you don't want to support dynamic IP address allocation for this site. You identified this in [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-2#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`192.0.2.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Dynamic UE IP pool prefixes**|

+ | The network address of the subnet from which static IP addresses must be allocated to user equipment (UEs), given in CIDR notation. You don't need this address if you don't want to support static IP address allocation for this site. You identified this in [Allocate user equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-2#allocate-user-equipment-ue-ip-address-pools). The following example shows the network address format. </br></br>`203.0.113.0/24` </br></br>Note that the UE subnets aren't related to the access subnet. |**Static UE IP pool prefixes**|

+ | The Domain Name System (DNS) server addresses to be provided to the UEs connected to this data network. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md?pivots=ase-pro-2#allocate-subnets-and-ip-addresses). </br></br>This value might be an empty list if you don't want to configure a DNS server for the data network. In this case, UEs in this data network will be unable to resolve domain names. | **DNS Addresses** |

+If you want to configure diagnostics package gathering during site creation, see [Collect values for diagnostics package gathering](gather-diagnostics.md#set-up-a-storage-account).

+If you want to access your local monitoring tools using Microsoft Entra ID, after creating a site follow the steps in [Enable Microsoft Entra ID for local monitoring tools](enable-azure-active-directory.md).

+To deploy your private mobile network using Azure Private 5G Core, you need:

+## Choose the core technology type (5G, 4G, or combined 4G and 5G)

+Choose whether each site in the private mobile network should provide coverage for 5G, 4G, or combined 4G and 5G user equipment (UEs). If you're deploying multiple sites, they can each support different core technology types.

+For each of these networks, allocate a subnet and then identify the listed IP addresses. If you're deploying multiple sites, you need to collect this information for each site.

+Depending on your networking requirements (for example, if a limited set of subnets is available), you might choose to allocate a single subnet for all of the Azure Stack Edge interfaces, marked with an asterisk (*) in the following list.

+ - Choose a port between 2 and 4 to use as the Azure Stack Edge Pro GPU device's management port as part of [setting up your Azure Stack Edge Pro device](#order-and-set-up-your-azure-stack-edge-pro-devices).*

+- One IP address for the control plane interface.

+ - For 5G, this is the N2 interface

+ - For 4G, this is the S1-MME interface.

+ - For combined 4G and 5G, this is the N2/S1-MME interface.

+- One IP address for the user plane interface.

+ - For 5G, this is the N3 interface

+ - For 4G, this is the S1-U interface.

+ - For combined 4G and 5G, this is the N3/S1-U interface.

+- One IP address for the control plane interface.

+ - For 5G, this is the N2 interface

+ - For 4G, this is the S1-MME interface.

+ - For combined 4G and 5G, this is the N2/S1-MME interface.

+- One IP address for the user plane interface.

+ - For 5G, this is the N3 interface

+ - For 4G, this is the S1-U interface.

+ - For combined 4G and 5G, this is the N3/S1-U interface.

+- One IP address for the user plane interface.

+ - For 5G, this is the N6 interface

+ - For 4G, this is the SGi interface.

+ - For combined 4G and 5G, this is the N6/SGi interface.

+You can optionally configure your Azure Stack Edge Pro device with virtual local area network (VLAN) tags. You can use this configuration to enable layer 2 traffic separation on the N2, N3 and N6 interfaces, or their 4G equivalents. For example, you might want to separate N2 and N3 traffic (which share a port on the ASE device) or separate traffic for each connected data network.

+- Static. Static IP address allocation ensures that a UE receives the same IP address every time it connects to the private mobile network. Static IP addresses are useful when you want Internet of Things (IoT) applications to be able to consistently connect to the same device. For example, you can configure a video analysis application with the IP addresses of the cameras providing video streams. If these cameras have static IP addresses, you won't need to reconfigure the video analysis application with new IP addresses each time the cameras restart. You'll allocate static IP addresses to a UE as part of [provisioning its SIM](provision-sims-azure-portal.md).

+- For each method you want to support, identify an IP address pool from which IP addresses can be allocated to UEs. You must provide each IP address pool in CIDR notation.

+| 5671 In/Outbound | Management (LAN) | Communication to Azure Event Hubs, AMQP Protocol |

+| 5672 In/Outbound | Management (LAN) | Communication to Azure Event Hubs, AMQP Protocol |

+| UDP 2152 In/Outbound | Port 3 (Access network) | Access network user plane data (N3 interface for 5G, S1-U for 4G, or N3/S1-U for combined 4G and 5G). |

+| All IP traffic | Ports 3 and 4 (Data networks) | Data network user plane data (N6 interface for 5G, SGi for 4G, or N6/SGi for combined 4G and 5G). </br> Only required on port 3 if data networks are configured on that port. |

+| 5671 In/Outbound | Management (LAN) | Communication to Azure Event Hubs, AMQP Protocol |

+| 5672 In/Outbound | Management (LAN) | Communication to Azure Event Hubs, AMQP Protocol |

+| UDP 2152 In/Outbound | Port 5 (Access network) | Access network user plane data (N3 interface for 5G, S1-U for 4G, or N3/S1-U for combined 4G and 5G). |

+| All IP traffic | Ports 5 and 6 (Data networks) | Data network user plane data (N6 interface for 5G, SGi for 4G, or N6/SGi for combined 4G and 5G)). </br> Only required on port 5 if data networks are configured on that port. |

+ If the CLI version is below 2.37.0, you must upgrade your Azure CLI to a newer version. See [How to update the Azure CLI](/cli/azure/update-azure-cli).

+You need to obtain the object ID (OID) of the custom location resource provider in your Azure tenant. You must provide this OID when you create the Kubernetes service. You can obtain the OID using the Azure CLI or the Azure Cloud Shell on the portal. You must be an owner of your Azure subscription.

+This command queries the custom location and will output an OID string. Save this string for use later when you're commissioning the Azure Stack Edge device.

+| 5. | Configure the network for your Azure Stack Edge Pro 2 device. </br> </br> **Note:** When an ASE is used in an Azure Private 5G Core service, Port 2 is used for management rather than data. The tutorial linked assumes a generic ASE that uses Port 2 for data. </br></br> If the RAN and Packet Core are on the same subnet, you do not need to configure a gateway for Port 3 or Port 4. </br></br> In addition, you can optionally configure your Azure Stack Edge Pro device to run behind a web proxy. </br></br> Verify the outbound connections from Azure Stack Edge Pro device to the Azure Arc endpoints are opened. </br></br>**Do not** configure virtual switches, virtual networks or compute IPs. | [Tutorial: Configure network for Azure Stack Edge Pro 2](/azure/databox-online/azure-stack-edge-pro-2-deploy-configure-network-compute-web-proxy?pivots=single-node.md)</br></br>[(Optionally) Configure web proxy for Azure Stack Edge Pro](/azure/databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy?pivots=single-node#configure-web-proxy)</br></br>[Azure Arc Network Requirements](/azure/azure-arc/kubernetes/quickstart-connect-cluster?tabs=azure-cli%2Cazure-cloud)</br></br>[Azure Arc Agent Network Requirements](/azure/architecture/hybrid/arc-hybrid-kubernetes)|

+| 7. | Configure certificates and configure encryption-at-rest for your Azure Stack Edge Pro 2 device. After changing the certificates, you might have to reopen the local UI in a new browser window to prevent the old cached certificates from causing problems.| [Tutorial: Configure certificates for your Azure Stack Edge Pro 2](/azure/databox-online/azure-stack-edge-pro-2-deploy-configure-certificates?pivots=single-node) |

+| 10. | Run the diagnostics tests for the Azure Stack Edge Pro 2 device in the local web UI, and verify they all pass. </br></br>You might see a warning about a disconnected, unused port. You should fix the issue if the warning relates to any of these ports:</br></br>- Port 2 - management</br>- Port 3 - access network (and optionally, data networks)</br>- Port 4 - data networks</br></br>For all other ports, you can ignore the warning. </br></br>If there are any errors, resolve them before continuing with the remaining steps. This includes any errors related to invalid gateways on unused ports. In this case, either delete the gateway IP address or set it to a valid gateway for the subnet. | [Run diagnostics, collect logs to troubleshoot Azure Stack Edge device issues](../databox-online/azure-stack-edge-gpu-troubleshoot.md) |

+| 5. | Configure the network for your Azure Stack Edge Pro GPU device.</br> </br> **Note:** When an ASE is used in an Azure Private 5G Core service, Port 2 is used for management rather than data. The tutorial linked assumes a generic ASE that uses Port 2 for data. </br></br> If the RAN and Packet Core are on the same subnet, you do not need to configure a gateway for Port 5 or Port 6. </br></br> In addition, you can optionally configure your Azure Stack Edge Pro GPU device to run behind a web proxy. </br></br> Verify the outbound connections from Azure Stack Edge Pro GPU device to the Azure Arc endpoints are opened. </br></br>**Do not** configure virtual switches, virtual networks or compute IPs. | [Tutorial: Configure network for Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy?pivots=single-node.md)</br></br>[(Optionally) Configure web proxy for Azure Stack Edge Pro](/azure/databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy?pivots=single-node#configure-web-proxy)</br></br>[Azure Arc Network Requirements](/azure/azure-arc/kubernetes/quickstart-connect-cluster?tabs=azure-cli%2Cazure-cloud)</br></br>[Azure Arc Agent Network Requirements](/azure/architecture/hybrid/arc-hybrid-kubernetes)|

+| 7. | Configure certificates for your Azure Stack Edge Pro GPU device. After changing the certificates, you might have to reopen the local UI in a new browser window to prevent the old cached certificates from causing problems.| [Tutorial: Configure certificates for your Azure Stack Edge Pro with GPU](/azure/databox-online/azure-stack-edge-gpu-deploy-configure-certificates?pivots=single-node) |

+| 10. | Run the diagnostics tests for the Azure Stack Edge Pro GPU device in the local web UI, and verify they all pass. </br></br>You might see a warning about a disconnected, unused port. You should fix the issue if the warning relates to any of these ports:</br></br>- Port 5.</br>- Port 6.</br>- The port you chose to connect to the management network in Step 3.</br></br>For all other ports, you can ignore the warning. </br></br>If there are any errors, resolve them before continuing with the remaining steps. This includes any errors related to invalid gateways on unused ports. In this case, either delete the gateway IP address or set it to a valid gateway for the subnet. | [Run diagnostics, collect logs to troubleshoot Azure Stack Edge device issues](../databox-online/azure-stack-edge-gpu-troubleshoot.md) |

+ > **ASE N2 virtual subnet** and **ASE N3 virtual subnet** (if this site will support 5G UEs), **ASE S1-MME virtual subnet** and **ASE S1-U virtual subnet** (if this site will support 4G UEs), or **ASE N2/S1-MME virtual subnet** and **ASE N3/S1-U virtual subnet** (if this site will support both 4G and 5G UEs) must match the corresponding virtual network names on port 5 on your Azure Stack Edge Pro GPU device.

+8. If you want to enable UE Metric monitoring, use the information collected in [Collect UE Usage Tracking values](collect-required-information-for-a-site.md#collect-ue-usage-tracking-values) to fill out the **Azure Event Hub Namespace**, **Event Hub name** and **User Assigned Managed Identity** values.

+9. In the **Attached data networks** section, select **Attach data network**. Choose whether you want to use an existing data network or create a new one, then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md?pivots=ase-pro-gpu#collect-data-network-values) to fill out the fields. Note the following:

+ - **ASE N6 virtual subnet** (if this site will support 5G UEs), **ASE SGi virtual subnet** (if this site will support 4G UEs), or **ASE N6/SGi virtual subnet** (if this site will support combined 4G and 5G UEs) must match the corresponding virtual network name on port 5 or 6 on your Azure Stack Edge Pro device.

+ > **ASE N2 virtual subnet** and **ASE N3 virtual subnet** (if this site will support 5G UEs), **ASE S1-MME virtual subnet** and **ASE S1-U virtual subnet** (if this site will support 4G UEs), or **ASE N2/S1-MME virtual subnet** and **ASE N3/S1-U virtual subnet** (if this site will support both 4G and 5G UEs) must match the corresponding virtual network names on port 3 on your Azure Stack Edge Pro device.

+8. If you want to enable UE Metric monitoring, select **Enable** from the **UE Metric monitoring** dropdown. Use the information collected in [Collect UE Usage Tracking values](collect-required-information-for-a-site.md#collect-ue-usage-tracking-values) to fill out the **Azure Event Hub Namespace**, **Event Hub name** and **User Assigned Managed Identity** values.

+9. In the **Attached data networks** section, select **Attach data network**. Choose whether you want to use an existing data network or create a new one, then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md?pivots=ase-pro-2#collect-data-network-values) to fill out the fields. Note the following:

+ - **ASE N6 virtual subnet** (if this site will support 5G UEs), **ASE SGi virtual subnet** (if this site will support 4G UEs), or **ASE N6/SGi virtual subnet** (if this site will support combined 4G and 5G UEs) must match the corresponding virtual network name on port 3 or 4 on your Azure Stack Edge Pro device.

+10. Repeat the previous step for each additional data network you want to configure.

+11. If you decided you want to configure diagnostics packet collection or use a user assigned managed identity for HTTPS certificate for this site, select **Next : Identity >**.

+12. If you decided you want to provide a custom HTTPS certificate in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values), select **Next : Local access >**. If you decided not to provide a custom HTTPS certificate at this stage, you can skip this step.

+13. In the **Local access** section, set the fields as follows:

+14. Select **Review + create**.

+15. Azure will now validate the configuration values you've entered. You should see a message indicating that your values have passed validation.

+ If the validation fails, you'll see an error message and the **Configuration** tab(s) containing the invalid configuration will be flagged with red X icons. Select the flagged tab(s) and use the error messages to correct invalid configuration before returning to the **Review + create** tab.

+16. Once your configuration has been validated, you can select **Create** to create the site. The Azure portal will display the following confirmation screen when the site has been created.

+17. Select **Go to resource group**, and confirm that it contains the following new resources:

+18. If you want to assign additional packet cores to the site, for each new packet core resource see [Create additional Packet Core instances for a site using the Azure portal](create-additional-packet-core.md).

+9. If you want to enable UE Metric monitoring, use the information collected in [Collect UE Usage Tracking values](collect-required-information-for-a-site.md#collect-ue-usage-tracking-values) to fill out the **Azure Event Hub Namespace**, **Event Hub name** and **User Assigned Managed Identity** values.

+10. In the **Attached data networks** section, select **Attach data network**. Select the existing data network you used for the site then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values) to fill out the fields. Note the following:

+11. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) for the site to fill out the fields in the **Access network** section.

+ > **ASE N2 virtual subnet** and **ASE N3 virtual subnet** (if this site supports 5G UEs), **ASE S1-MME virtual subnet** and **ASE S1-U virtual subnet** (if this site supports 4G UEs), or **ASE N2/S1-MME virtual subnet** and **ASE N3/S1-U virtual subnet** (if this site supports both 4G and 5G UEs) must match the corresponding virtual network names on port 5 on your Azure Stack Edge Pro device.

+12. In the **Attached data networks** section, select **Attach data network**. Select the existing data network you used for the site then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values) to fill out the fields. Note the following:

+ - **ASE N6 virtual subnet** (if this site supports 5G UEs), **ASE SGi virtual subnet** (if this site supports 4G UEs), or **ASE N6/SGi virtual subnet** (if this site supports both 4G and 5G UEs) must match the corresponding virtual network name on port 6 on your Azure Stack Edge Pro device.

+ - If you decided not to configure a DNS server, clear the **Specify DNS addresses for UEs?** checkbox.

+ - If you decided to keep NAPT disabled, ensure you configure your data network router with static routes to the UE IP pools via the appropriate user plane data IP address for the corresponding attached data network.

+ Once you've finished filling out the fields, select **Attach**.

+9. If you want to enable UE Metric monitoring, select **Enable** from the **UE Metric monitoring** dropdown. Use the information collected in [Collect UE Usage Tracking values](collect-required-information-for-a-site.md#collect-ue-usage-tracking-values) to fill out the **Azure Event Hub Namespace**, **Event Hub name** and **User Assigned Managed Identity** values.

+11. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) for the site to fill out the fields in the **Access network** section.

+ > [!NOTE]

+ > **ASE N2 virtual subnet** and **ASE N3 virtual subnet** (if this site supports 5G UEs), **ASE S1-MME virtual subnet** and **ASE S1-U virtual subnet** (if this site supports 4G UEs), or **ASE N2/S1-MME virtual subnet** and **ASE N3/S1-U virtual subnet** (if this site supports both 4G and 5G UEs) must match the corresponding virtual network names on port 3 on your Azure Stack Edge Pro 2 device.

+12. In the **Attached data networks** section, select **Attach data network**. Select the existing data network you used for the site then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values) to fill out the fields. Note the following:

+ - **ASE N6 virtual subnet** (if this site supports 5G UEs), **ASE SGi virtual subnet** (if this site supports 4G UEs), or **ASE N6/SGi virtual subnet** (if this site supports both 4G and 5G UEs) must match the corresponding virtual network name on port 6 on your Azure Stack Edge Pro device.

+13. Repeat the previous step for each additional data network configured on the site.

+14. If you decided to configure diagnostics packet collection or use a user assigned managed identity for HTTPS certificate for this site, select **Next : Identity >**.

+15. If you decided you want to provide a custom HTTPS certificate in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values), select **Next : Local access >**. If you decided not to provide a custom HTTPS certificate for monitoring this site, you can skip this step.

+16. In the **Local access** section, set the fields as follows:

+17. Select **Review + create**.

+18. Azure will now validate the configuration values you've entered. You should see a message indicating that your values have passed validation.

+19. Once your configuration has been validated, you can select **Create** to create the packet core instance. The Azure portal will display a confirmation screen when the packet core instance has been created.

+20. Return to the **Site** overview, and confirm that it contains the new packet core instance.

+ | **Control Plane Access Interface Name** | Enter the virtual network name on port 5 on your Azure Stack Edge Pro GPU device corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface; for combined 4G and 5G, it's the N2/S1-MME interface. |

+ | **User Plane Access Interface Name** | Enter the virtual network name on port 5 on your Azure Stack Edge Pro GPU device corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface; for combined 4G and 5G, it's the N3/S1-U interface. |

+ | **User Plane Data Interface Name** | Enter the virtual network name on port 6 on your Azure Stack Edge Pro GPU device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface; for combined 4G and 5G, it's the N6/SGi interface. |

+ | **Core Network Technology** | Enter *5GC* for 5G, *EPC* for 4G, or *EPC + 5GC* for combined 4G and 5G. |

+ | **Control Plane Access Interface Name** | Enter the virtual network name on port 3 on your Azure Stack Edge Pro 2 device corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface; for combined 4G and 5G, it's the N2/S1-MME interface. |

+ | **User Plane Access Interface Name** | Enter the virtual network name on port 3 on your Azure Stack Edge Pro 2 device corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface; for combined 4G and 5G, it's the N3/S1-U interface. |

+ | **User Plane Data Interface Name** | Enter the virtual network name on port 4 on your Azure Stack Edge Pro 2 device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface; for combined 4G and 5G, it's the N6/SGi interface. |

+ | **Core Network Technology** | Enter *5GC* for 5G, *EPC* for 4G, or *EPC + 5GC* for combined 4G and 5G. |

+ Title: Perform packet capture on a packet core instance

+description: In this how-to guide, you'll learn how to perform packet capture on the control plane or data plane on a packet core instance.

+# Perform packet capture on a packet core instance

+Packet capture for control or data plane packets is performed using the **UPF Trace** tool. UPF Trace is similar to **tcpdump**, a data-network packet analyzer computer program that runs on a command line interface (CLI). You can use UPF Trace to monitor and record packets on any user plane interface on the access network (N3 interface) or data network (N6 interface) on your device, as well as the control plane (N2 interface). You can access UPF Trace using the Azure portal or the Azure CLI.

+Packet capture works by mirroring packets to a Linux kernel interface, which can then be monitored using tcpdump. In this how-to guide, you'll learn how to perform packet capture on a packet core instance.

+You must have an AP5GC site deployed to perform packet capture.

+To perform packet capture using the command line, you must:

+## Performing packet capture using the Azure portal

+## Set up a storage account

+### Start a packet capture

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Navigate to the **Packet Core Control Pane** overview page of the site you want to run a packet capture in.

+1. Select **Packet Capture** under the **Help** section on the left side. This will open a **Packet Capture** view.

+1. If this is the first time you've taken a packet capture using the portal, you will see an error message prompting you to configure a storage account. If so:

+ 1. Follow the link in the error message.

+ 1. Enter the **Storage account container URL** that was configured for diagnostics storage and select **Modify**.

+ > [!TIP]

+ > If you don't have the URL for your storage account container:

+ >

+ > 1. Navigate to your **Storage account**.

+ > 1. Select the **...** symbol on the right side of the container that you want to use for packet capture.

+ > 1. Select **Container properties** in the context menu.

+ > 1. Copy the contents of the **URL** field.

+ 1. Return to the **Packet Capture** view.

+1. Select **Start packet capture**.

+1. Fill in the details on the **Start packet capture** pane and select **Create**.

+1. The page will refresh every few seconds until the packet capture has completed. You can also use the **Refresh** button to refresh the page. If you want to stop the packet capture early, select **Stop packet capture**.

+1. Once the packet capture has completed, the AP5GC online service will save the output at the provided storage account URL.

+1. To download the packet capture output, you can use the **Copy to clipboard** button in the **Storage** or **File name** columns to copy those details and then paste them into the **Search** box in the portal. To download the output, right-click the file and select **Download**.

+## Performing packet capture using the Azure CLI

+ This should report a single interface on the control plane network (N2), a single interface on the access network (N3) and an interface for each attached data network (N6). For example:

+ n2trace

+ n6trace1 (Data Network: enterprise)

+ n6trace2 (Data Network: test)

+ > Packet capture files might be large, particularly when running packet capture on all interfaces. Specify filters when running packet capture to reduce the file size - see the tcpdump documentation for the available filters.

+ The `tcpdump` might have been stopped in the middle of writing a packet, which can cause this step to produce an error stating `unexpected EOF`. However, your file should have copied successfully, but you can check your target output file to confirm.

+ |**Control Plane Access Interface Name** | Enter the virtual network name on port 5 on your Azure Stack Edge Pro device corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface; for combined 4G and 5G, it's the N2/S1-MME interface. |

+ |**User Plane Access Interface Name** | Enter the virtual network name on port 5 on your Azure Stack Edge Pro device corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface; for combined 4G and 5G, it's the N3/S1-U interface. |

+ |**User Plane Data Interface Name** | Enter the virtual network name on port 6 on your Azure Stack Edge Pro device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface; for combined 4G and 5G, it's the N6/SGi interface. |

+ |**User Equipment Static Address Pool Prefix** | Enter the network address of the subnet from which static IP addresses must be allocated to User Equipment (UEs) in CIDR notation. You can omit this if you don't want to support static IP address allocation. |

+ |**Data Network Name** | Enter the name of the data network. |

+ |**Core Network Technology** | Enter *5GC* for 5G, *EPC* for 4G, or *EPC + 5GC* for combined 4G and 5G. |

+ |**Control Plane Access Interface Name** | Enter the virtual network name on port 3 on your Azure Stack Edge Pro device corresponding to the control plane interface on the access network. For 5G, this interface is the N2 interface; for 4G, it's the S1-MME interface; for combined 4G and 5G, it's the N2/S1-MME interface. |

+ |**User Plane Access Interface Name** | Enter the virtual network name on port 3 on your Azure Stack Edge Pro device corresponding to the user plane interface on the access network. For 5G, this interface is the N3 interface; for 4G, it's the S1-U interface; for combined 4G and 5G, it's the N3/S1-U interface. |

+ |**User Plane Data Interface Name** | Enter the virtual network name on port 4 on your Azure Stack Edge Pro device corresponding to the user plane interface on the data network. For 5G, this interface is the N6 interface; for 4G, it's the SGi interface; for combined 4G and 5G, it's the N6/SGi interface. |

+ |**Core Network Technology** | Enter *5GC* for 5G, *EPC* for 4G, or *EPC + 5GC* for combined 4G and 5G. |

+## Set up a storage account

+1. Select **Diagnostics Collection** under the **Help** section on the left side. This will open a **Diagnostics Collection** view.

+1. Enter the **Storage account blob URL** that was configured for diagnostics storage and append the file name that you want to give the diagnostics. For example:

+ > The **Storage account blob URL** should have been noted during creation. If it wasn't:

+ 1. To download the diagnostics package, navigate to the storage account URL, right-click the file and select **Download**.

+- [Perform packet capture on a packet core instance](data-plane-packet-capture.md)

+You can view your configured SIMs in the Azure portal.

+1. Search for and select the **Mobile Network** resource representing the private mobile network containing your SIMs.

+ :::image type="content" source="media/manage-existing-sims/sims-list-inline.png" alt-text="Screenshot of the Azure portal. It shows a list of currently provisioned SIMs for a private mobile network." lightbox="media/manage-existing-sims/sims-list-inline.png":::

+ :::image type="content" source="media/sim-group-resource.png" alt-text="Screenshot of the Azure portal. It shows a list of currently provisioned SIMs in a SIM group." lightbox="media/sim-group-resource.png":::

+## View SIM statistics

+You can also view status information for connected devices in the Azure portal.

+1. Search for and select the **Mobile Network** resource representing the private mobile network containing your SIMs.

+1. In the resource menu, select **SIMs**.

+1. Select **SIM stats** from the ribbon.

+ :::image type="content" source="media/manage-existing-sims/sim-stats-button.png" alt-text="Screenshot of the Azure portal showing the SIM stats button in the ribbon." lightbox="media/manage-existing-sims/sim-stats-button.png":::

+1. The SIM stats page displays connected, disconnected and idle devices on the mobile network with basic status information for each device.

+ :::image type="content" source="media/manage-existing-sims/sim-stats-list.png" alt-text="Screenshot of the Azure portal showing the UE information page." lightbox="media/manage-existing-sims/sim-stats-list.png":::

+

+1. Select an IMSI number from the list to view detailed information for that device, including mobile identities, location information, connection information and session information. The information shown varies depending on the device state and whether it is connected to 4G or 5G.

+ :::image type="content" source="media/manage-existing-sims/sim-stats-ue-info.png" alt-text="Screenshot of the Azure portal showing the SIM stats page." lightbox="media/manage-existing-sims/sim-stats-ue-info.png":::

+SIMs need an assigned SIM policy before they can use your private mobile network. You might want to assign a SIM policy to an existing SIM that doesn't already have one, or you might want to change the assigned SIM policy for an existing SIM. For information on configuring SIM policies, see [Configure a SIM policy](configure-sim-policy-azure-portal.md).

+Static IP address allocation ensures that a UE receives the same IP address every time it connects to the private mobile network. This is useful when you want Internet of Things (IoT) applications to be able to consistently connect to the same device. For example, you can configure a video analysis application with the IP addresses of the cameras providing video streams. If these cameras have static IP addresses, you won't need to reconfigure the video analysis application with new IP addresses each time the cameras restart.

+*SIM groups* allow you to sort SIMs into categories for easier management. Each SIM must be a member of a SIM group, but can't be a member of more than one. If you only have a small number of SIMs, you might want to add them all to the same SIM group. Alternatively, you can create multiple SIM groups to sort your SIMs. For example, you could categorize your SIMs by their purpose (such as SIMs used by specific UE types like cameras or cellphones), or by their on-site location. In this how-to guide, you'll learn how to create, delete, and view SIM groups using the Azure portal.

+You can create new SIM groups in the Azure portal. As part of creating a SIM group, you're given the option of provisioning new SIMs to add to your new SIM group. If you want to provision new SIMs, you need to [Collect SIM and SIM Group values](collect-required-information-for-private-mobile-network.md#collect-sim-and-sim-group-values) before you start.

+ - If you leave **Microsoft-managed keys (MMK)** selected, you do not need to enter any more configuration information on this tab.

+ - If you select **Customer-managed Keys (CMK)**, a new set of fields appear. You need to provide the Key URI and User-assigned identity created or collected in [Collect SIM and SIM Group values](collect-required-information-for-private-mobile-network.md#collect-sim-and-sim-group-values). These values can be updated as required after SIM group creation.

+ - If you select **Add manually**, a new **Add SIM** button appears under **Enter SIM profile configurations**. Select it, fill out the fields with the correct settings for the first SIM you want to provision, and select **Add SIM**. Repeat this process for every additional SIM you want to provision.

+ - If you select **Upload JSON file**, the **Upload SIM profile configurations** field appears. Use this field to upload your chosen JSON file.

+1. Once your configuration has been validated, you can select **Create** to create the SIM group. The Azure portal displays the following confirmation screen when the SIM group has been created.

+1. At this point, your SIMs do not have any assigned SIM policies and so won't be brought into service. If you want to begin using the SIMs, [assign a SIM policy to them](manage-existing-sims.md#assign-sim-policies). If you've configured static IP address allocation for your packet core instance(s), you might also want to [assign static IP addresses](manage-existing-sims.md#assign-static-ip-addresses) to the SIMs you've provisioned.

+ - If you want to enable UE Metric monitoring, use the information collected in [Collect UE Usage Tracking values](collect-required-information-for-a-site.md#collect-ue-usage-tracking-values) to fill out the **Azure Event Hub Namespace**, **Event Hub name** and **User Assigned Managed Identity** values.

+ > [!NOTE]

+ > You must reinstall the packet core control pane** in order to use UE Metric monitoring if it was not already configured.

+If you removed an attached data network from the packet core and it is no longer attached to any packet cores or referenced by any SIM policies, you can remove the data network from the resource group:

+> When signing in, if you see a warning in your browser that the connection isn't secure, you might be using a self-signed certificate to attest access to your local monitoring tools. We recommend following [Modify the local access configuration in a site](modify-local-access-configuration.md) to configure a custom HTTPS certificate signed by a globally known and trusted certificate authority.

+> Some packet core dashboards display different panels depending on whether the packet core instance supports 5G, 4G, or combined 4G and 5G user equipment (UEs).

+ If you have configured 4G and 5G on a single packet core, the **Overview dashboard** displays 4G and 5G KPIs individually and combined.

+ :::image type="content" source="media/packet-core-dashboards/packet-core-uplink-downlink-stats-dashboard.png" alt-text="Screenshot of the Uplink and Downlink Statistics dashboard. Panels related to throughput, packet rates, and packet size are shown." lightbox="media/packet-core-dashboards/packet-core-uplink-downlink-stats-dashboard.png":::

+- **Single stat** panels (called "Singlestat" panels in the Grafana documentation) display a single statistic. The statistic might be presented as a simple count or as a gauge. These panels indicate whether a single statistic has exceeded a threshold by their color.

+ This should report a single interface on the control plane network (N2), a single interface on the access network (N3) and an interface for each attached data network (N6). For example:

+ n2trace

+ n6trace1 (Data Network: enterprise)

+ n6trace2 (Data Network: test)

+This article helps you design and prepare for implementing a private 4G, or 5G network based on Azure Private 5G Core (AP5GC). It aims to provide an understanding of how these networks are constructed and the decisions that you need to make as you plan your network.

+[Azure private multi-access edge compute (MEC)](../private-multi-access-edge-compute-mec/overview.md) is a solution that combines Microsoft compute, networking, and application services into a deployment at enterprise premises (the edge). These edge deployments are managed centrally from the cloud. Azure Private 5G Core is an Azure service within Azure Private Multi-access Edge Compute (MEC) that provides 4G and 5G core network functions at the enterprise edge. At the enterprise edge site, devices attach across a cellular radio access network (RAN) and are connected via the Azure Private 5G Core service to upstream networks, applications, and resources. Optionally, devices might use the local compute capability provided by Azure Private MEC to process data streams at very low latency, all under the control of the enterprise.

+You might have existing IP networks at the enterprise site that the private cellular network will have to integrate with. This might mean, for example:

+Your design must reflect the enterpriseΓÇÖs rules on what networks and assets should be reachable by the RAN and UEs on the private 5G network. For example, they might be permitted to access local Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), the internet, or Azure, but not a factory operations local area network (LAN). You might need to arrange for remote access to the network so that you can troubleshoot issues without requiring a site visit. You also need to consider how the enterprise site will be connected to upstream networks such as Azure for management and/or for access to other resources and applications outside of the enterprise site.

+You need to agree with the enterprise team which IP subnets and addresses will be allowed to communicate with each other. Then, create a routing plan and/or access control list (ACL) configuration that implements this agreement on the local IP infrastructure. You might also use virtual local area networks (VLANs) to partition elements at layer 2, configuring your switch fabric to assign connected ports to specific VLANs (for example, to put the Azure Stack Edge port used for RAN access into the same VLAN as the RAN units connected to the Ethernet switch). You should also agree with the enterprise to set up an access mechanism, such as a virtual private network (VPN), that allows your support personnel to remotely connect to the management interface of each element in the solution. You also need an IP link between Azure Private 5G Core and Azure for management and telemetry.

+You should ask your RAN partner for the countries/regions and frequency bands for which the RAN is approved. You might find that you need to use multiple RAN partners to cover the countries and regions in which you provide your solution. Although the RAN, UE and packet core all communicate using standard protocols, we recommend that you perform interoperability testing for the specific 4G Long-Term Evolution (LTE) or 5G standalone (SA) protocol between Azure Private 5G Core, UEs and the RAN prior to any deployment at an enterprise customer.

+Your RAN will transmit a Public Land Mobile Network Identity (PLMN ID) to all UEs on the frequency band it is configured to use. You should define the PLMN ID and confirm your access to spectrum. In some countries/regions, spectrum must be obtained from the national/regional regulator or incumbent telecommunications operator. For example, if you're using the band 48 Citizens Broadband Radio Service (CBRS) spectrum, you might need to work with your RAN partner to deploy a Spectrum Access System (SAS) domain proxy on the enterprise site so that the RAN can continuously check that it is authorized to broadcast.

+To avoid transmission issues caused by IPv4 fragmentation, a 4G, or 5G packet core instructs UEs what MTU they should use. However, UEs do not always respect the MTU signaled by the packet core.

+RANs typically come pre-configured with an MTU of 1500. The packet coreΓÇÖs default UE MTU is 1440 bytes to allow for encapsulation overhead. These values maximize RAN interoperability, but risk that certain UEs will not observe the default MTU and will generate larger packets that require IPv4 fragmentation and that might be dropped by the network. If you are affected by this issue, it is strongly recommended to configure the RAN to use an MTU of 1560 or higher, which allows a sufficient overhead for the encapsulation and avoids fragmentation with a UE using a standard MTU of 1500.

+ Title: Monitor UE usage with Event Hubs

+# Monitor UE usage with Event Hubs

+## Prerequisites

+- You must already have an Event Hubs instance with a shared access policy. The shared access policy must have send and receive access configured.

+ > [!NOTE]

+ > Only the first shared access policy for the event hub will be used by this feature. Any additional shared access policies will be ignored.

+- You must have a user assigned managed identity that has the Resource Policy Contributor or Owner role for the Event Hubs instance and is assigned to the Packet Core Control Plane for the site.

+UE usage monitoring can be configured during [site creation](create-a-site.md) or at a later stage by [modifying your site](modify-packet-core.md).

+Azure Stream Analytics allows you to process and analyze streaming data from Event Hubs. See [Process data from your Event Hubs using Azure Stream Analytics](/azure/event-hubs/process-data-azure-stream-analytics) for more information.

+## Limit privileged administrator role assignments

+Some roles are identified as [privileged administrator roles](./role-assignments-steps.md#privileged-administrator-roles). Consider taking the following actions to improve your security posture:

+- Remove unnecessary privileged role assignments.

+- Avoid assigning a privileged administrator role when a [job function role](./role-assignments-steps.md#job-function-roles) can be used instead.

+- If you must assign a privileged administrator role, use a narrow scope, such as resource group or resource, instead of a broader scope, such as management group or subscription.

+- If you are assigning a role with permission to create role assignments, consider adding a condition to constrain the role assignment. For more information, see [Delegate the Azure role assignment task to others with conditions (preview)](delegate-role-assignments-portal.md).

+For more information, see [List or manage privileged administrator role assignments](./role-assignments-list-portal.md#list-or-manage-privileged-administrator-role-assignments).

+When creating custom roles, you can use the wildcard (`*`) character to define permissions. It's recommended that you specify `Actions` and `DataActions` explicitly instead of using the wildcard (`*`) character. The additional access and permissions granted through future `Actions` or `DataActions` might be unwanted behavior using the wildcard. For more information, see [Azure custom roles](custom-roles.md#wildcard-permissions).

+## List or manage privileged administrator role assignments

+On the **Role assignments** tab, you can list and see the count of privileged administrator role assignments at the current scope. For more information, see [Privileged administrator roles](role-assignments-steps.md#privileged-administrator-roles).

+1. In the Azure portal, click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.

+1. Click the specific resource.

+1. Click **Access control (IAM)**.

+1. Click the **Role assignments** tab and then click the **Privileged** tab to list the privileged administrator role assignments at this scope.

+ :::image type="content" source="./media/role-assignments-list-portal/access-control-role-assignments-privileged.png" alt-text="Screenshot of Access control page, Role assignments tab, and Privileged tab showing privileged role assignments." lightbox="./media/role-assignments-list-portal/access-control-role-assignments-privileged.png":::

+1. To see the count of privileged administrator role assignments at this scope, see the **Privileged** card.

+1. To manage privileged administrator role assignments, see the **Privileged** card and click **View assignments**.

+ On the **Manage privileged role assignments** page, you can add a condition to constrain the privileged role assignment or remove the role assignment. For more information, see [Delegate the Azure role assignment task to others with conditions (preview)](delegate-role-assignments-portal.md).

+ :::image type="content" source="./media/role-assignments-list-portal/access-control-role-assignments-privileged-manage.png" alt-text="Screenshot of Manage privileged role assignments page showing how to add conditions or remove role assignments." lightbox="./media/role-assignments-list-portal/access-control-role-assignments-privileged-manage.png":::

+ For best practices when using privileged administrator role assignments, see [Best practices for Azure RBAC](best-practices.md#limit-privileged-administrator-role-assignments).

+

+ 

+| [Role Based Access Administrator (Preview)](built-in-roles.md#role-based-access-control-administrator-preview) | <ul><li>Manage user access to Azure resources</li><li>Assign roles in Azure RBAC</li><li>Assign themselves or others the Owner role</li><li>Can't manage access using other ways, such as Azure Policy</li></ul> |

+For best practices when using privileged administrator role assignments, see [Best practices for Azure RBAC](best-practices.md#limit-privileged-administrator-role-assignments). For more information, see [Privileged administrator role definition](./role-definitions.md#privileged-administrator-role-definition).

+## Privileged administrator role definition

+Privileged administrator roles are roles that grant privileged administrator access, such as the ability to manage Azure resources or assign roles to other users. If a built-in or custom role includes any of the following actions, it is considered privileged. For more information, see [List or manage privileged administrator role assignments](./role-assignments-list-portal.md#list-or-manage-privileged-administrator-role-assignments).

+> [!div class="mx-tableFixed"]

+> | Action string | Description |

+> | | |

+> | `*` | Create and manage resources of all types. |

+> | `*/delete` | Delete resources of all types. |

+> | `*/write` | Write resources of all types. |

+> | `Microsoft.Authorization/denyAssignments/delete` | Delete a deny assignment at the specified scope. |

+> | `Microsoft.Authorization/denyAssignments/write` | Create a deny assignment at the specified scope. |

+> | `Microsoft.Authorization/roleAssignments/delete` | Delete a role assignment at the specified scope. |

+> | `Microsoft.Authorization/roleAssignments/write` | Create a role assignment at the specified scope. |

+> | `Microsoft.Authorization/roleDefinitions/delete` | Delete the specified custom role definition. |

+> | `Microsoft.Authorization/roleDefinitions/write` | Create or update a custom role definition with specified permissions and assignable scopes. |

+- Microsoft Defender for Cloud

+- Microsoft Defender for Cloud Apps

+- Defender for IoT

+ |Dynamics 365 | - [Microsoft Dynamics 365 production license](/office365/servicedescriptions/microsoft-dynamics-365-online-service-description). Not available for sandbox environments.<br>- At least one user assigned a Microsoft/Office 365 [E1 or greater](/power-platform/admin/enable-use-comprehensive-auditing#requirements) license. <br>- Audit logging enabled in Microsoft Purview. See [Turn auditing on or off](/purview/audit-log-enable-disable). <br>- Audit logging enabled in your Microsoft Dataverse environment. See [Microsoft Dataverse and model-driven apps activity logging](/power-platform/admin/enable-use-comprehensive-auditing). <br>- Other charges may apply. |

+|AllowDisableEnableService|Bool, default is FALSE |Dynamic|Flag to indicate if it's allowed to execute Disable/Enable feature |

+|AuxiliaryInBuildThrottlingWeight | double, default is 1 | Static|Auxiliary replica's weight against the current InBuildThrottling max limit. |

+|EnableServiceSensitivity | bool, default is False | Dynamic|Feature switch to enable/disable the replica sensitivity feature. |

+| EnforceStrictRoleMapping | bool, default is FALSE | Dynamic | The permissions mapping in the SF runtime for the ElevatedAdmin role includes all current operations and any newly introduced functionality remains accessible to ElevatedAmin; i.e. the EA role gets a "*" permission in the code - that is; a blank authorization to invoke all SF APIs. The intent is that a 'deny' rule (Security/ClientAccess MyOperation="None") won't apply to the ElevatedAdmin role by default. However; if EnforceStrictRoleMapping is set to true; existing code or cluster manifest overrides which specify "operation": "Admin" (in Security/ClientAccess section) will make "operation" in effect inaccessible to the ElevatedAdmin role. |

+## Security/ElevatedAdminClientX509Names

+| **Parameter** | **Allowed Values** | **Upgrade Policy** | **Guidance or Short Description** |

+| | | | |

+|PropertyGroup|X509NameMap, default is None|Dynamic|Certificate common names of fabric clients in elevated admin role; used to authorize privileged fabric operations. It is a comma separated list. |

+|DeleteVolume|string, default is "Admin"|Dynamic|Deletes a volume.|

+|DisableService|wstring, default is L"Admin"|Dynamic|Security configuration for disabling a service.|

+|EnableService|wstring, default is L"Admin"|Dynamic|Security configuration for enabling a service.|

+ Title: Standalone Cluster Deployment Preparation

+* [Windows PowerShell 3.0](/previous-versions/powershell/scripting/windows-powershell/install/installing-windows-powershell)

+Current doc score: 96 (2093 words and 10 false-positive issues)

+Use of the agent in migrations is managed through Azure. Both Azure PowerShell and CLI are supported, and graphical interaction is available within the Azure portal. The agent is made available as a disk image compatible with either new Windows Hyper-V or VMware virtual machines (VMs).

+- A capable Windows Hyper-V or VMware host on which to run the agent VM.<br/> See the [Recommended compute and memory resources](#recommended-compute-and-memory-resources) section in this article for details about resource requirements for the agent VM.

+> At present, Windows Hyper-V and VMware are the only supported virtualization environments for your agent VM. Other virtualization environments have not been tested and are not supported.

+Like every VM, the agent requires available compute, memory, network, and storage space resources on the host. Although overall data size might affect the time required to complete a migration, it's generally the number of files and folders that drives resource requirements.

+Although no single network configuration option works for every environment, the simplest configuration involves the deployment of an external virtual switch. The external switch type is connected to a physical adapter and allows your host operating system (OS) to share its connection with all your virtual machines (VMs). This switch allows communication between your physical network, the management operating system, and the virtual adapters on your virtual machines. This approach might be acceptable for a test environment, but is likely not sufficient for a production server.

+You can get help with [creating a virtual switch for Hyper-V virtual machines](/windows-server/virtualization/hyper-v/get-started/create-a-virtual-switch-for-hyper-v-virtual-machines) in the [Windows Server](/windows-server/) documentation. Consult the VMware support website for detailed guidance on creating a virtual switch for VMware-hosted VMs.

+At a minimum, the agent image needs 20 GiB of local storage. The amount required might increase if a large number of small files are cached during a migration.

+Images for agent VMs are hosted on Microsoft Download Center as a zip file. Download the file at [https://aka.ms/StorageMover/agent](https://aka.ms/StorageMover/agent) and extract the agent virtual hard disk (VHD) image to your virtualization host.

+The following steps describe the process for creating a VM using Microsoft Hyper-V. Consult the VMware support website for detailed guidance on creating a VMware-based VM.

+The agent is delivered with a default user account and password. Connect to the newly created agent and change the default password immediately after the agent is deployed and started.

+If bandwidth throttling is important to you, create a local virtual network with an internet connection and configure quality of service (QoS) settings. This approach allows you to expose the agent through the virtual network and to locally configure an unauthenticated network proxy server on the agent if needed.

+- Unregistration removes the managed identity of the agent from Microsoft Entra ID. The associated service principal is automatically removed, invalidating any permissions this agent might have on other Azure resources. If you check the role-based access control (RBAC) role assignments, for instance of a target storage container the agent previously had permissions to, you no longer find the service principal of the agent, because it was deleted. The assignment itself is still visible as "Unknown service principal" but this assignment no longer connects to an identity and can never be reconnected. It's simply a sign that a role assignment used to be here, of a service principal that no longer exists.

+After you deploy your agent, started it, and changed the default password of the local account:

+The agent VM is an appliance. It offers an administrative shell that limits the operations you can perform on this machine. When you connect to the agent, the shell loads and provides you with options that allow you to interact with it directly. However, the agent VM is a Linux based appliance, and copy and paste functionality often doesn't work within the default host window.

+Rather than use the host window, consider using an SSH connection instead. This approach provides the following advantages:

+- You can connect to the agent VM's shell from any management machine and don't need to be logged into the host.

+Document score: 100 (520 words and 0 issues)

+An Azure blob container without the hierarchical namespace service feature doesnΓÇÖt have a traditional file system. A standard blob container uses ΓÇ£virtualΓÇ¥ folders to mimic this functionality. When this approach is used, files in folders on the source get their path prepended to their name and placed in a flat list in the target blob container.

+When the SMB protocol is used during a data migration, Storage Mover supports the same level of file fidelity as the underlying Azure file share. Folder structure and metadata values such as file and folder timestamps, ACLs, and file attributes are maintained. When the NFS protocol is used, the Storage Mover service represents empty folders as an empty blob in the target. The metadata of the source folder is persisted in the custom metadata field of this blob, just as they are with files.

+Creating a storage mover requires you to decide on a subscription, a resource group, a region, and a name. The *[Planning for an Azure Storage Mover deployment](deployment-planning.md)* article shares best practices. Refer to the [resource naming convention](../azure-resource-manager/management/resource-name-rules.md#microsoftstoragesync) to choose a supported name.

+### [Azure CLI](#tab/CLI)

+### Prepare your Azure CLI environment

+To create a storage mover resource, use the [az storage-mover create](/cli/azure/storage-mover#az-storage-mover-create) command. You'll need to supply values for the required `--name`, `--resource-group`, `--location` parameters. The `-description` and `tags` parameters are optional.

+```azurecli-interactive

+## Log into your Azure CLI account, a browser window will appear so that you can confirm your login.

+az login

+## The Azure Storage Mover extension for CLI is not installed by default and needs to be installed manually. Install the Azure Storage Mover extension without a prompt.

+az config set extension.use_dynamic_install=yes_without_prompt

+## Set variables

+$storageMoverName = "The name of the Storage Mover resource."

+$resourceGroupName = "Name of resource group"

+$description = "A description for the storage mover."

+$location = "The geo-location where the resource lives. When not specified, the location fo the resource group will be used."

+$tags = "Resource tags. Support shorthand-syntax, json-file and yaml-file. Try '??' to show more."

+## Create a Storage Mover resource.

+az storage-mover create --Name $storageMoverName \

+ --ResourceGroupName $resourceGroupName \

+ --Location $location \

+```

+### [Azure PowerShell](#tab/powershell)

+### Prepare your Azure PowerShell environment

+- BlobDeleted events are not generated when blob versions or snapshots are deleted. A BlobDeleted event is added only when a base (root) blob is deleted.

+description: Create a Linux-based Azure Kubernetes Service (AKS) cluster, install Azure Container Storage, and create a storage pool.

+[Azure Container Storage](container-storage-introduction.md) is a cloud-based volume management, deployment, and orchestration service built natively for containers. This Quickstart shows you how to create a Linux-based [Azure Kubernetes Service (AKS)](../../aks/intro-kubernetes.md) cluster, install Azure Container Storage, and create a storage pool using Azure CLI.

+> [!IMPORTANT]

+> This Quickstart will work for most use cases. An exception is if you plan to use Azure Elastic SAN Preview as backing storage for your storage pool and you don't have owner-level access to the Azure subscription. If both these statements apply to you, use the [manual installation steps](install-container-storage-aks.md) instead. Alternatively, you can complete this Quickstart with the understanding that a storage pool won't be automatically created, and then [create an Elastic SAN storage pool manually](use-container-storage-with-elastic-san.md).

+## Getting started

+- Take note of your Azure subscription ID. We recommend using a subscription on which you have an [Owner](../../role-based-access-control/built-in-roles.md#owner) role.

+- [Launch Azure Cloud Shell](https://shell.azure.com), or if you're using a local installation, sign in to the Azure CLI by using the [az login](/cli/azure/reference-index#az-login) command.

+- If you're using Azure Cloud Shell, you might be prompted to mount storage. Select the Azure subscription where you want to create the storage account and select **Create**.

+## Install the required extensions

+Upgrade to the latest version of the `aks-preview` cli extension by running the following command.

+```azurecli-interactive

+az extension add --upgrade --name aks-preview

+```

+Add or upgrade to the latest version of k8s-extension by running the following command.

+```azurecli-interactive

+az extension add --upgrade --name k8s-extension

+```

+## Set subscription context

+Set your Azure subscription context using the `az account set` command. You can view the subscription IDs for all the subscriptions you have access to by running the `az account list --output table` command. Remember to replace `<subscription-id>` with your subscription ID.

+```azurecli-interactive

+az account set --subscription <subscription-id>

+```

+## Register resource providers

+The `Microsoft.ContainerService` and `Microsoft.KubernetesConfiguration` resource providers must be registered on your Azure subscription. To register these providers, run the following commands:

+```azurecli-interactive

+az provider register --namespace Microsoft.ContainerService --wait

+az provider register --namespace Microsoft.KubernetesConfiguration --wait

+```

+## Create a resource group

+An Azure resource group is a logical group that holds your Azure resources that you want to manage as a group. If you already have a resource group you want to use, you can skip this section.

+When you create a resource group, you're prompted to specify a location. This location is:

+* The storage location of your resource group metadata.

+* Where your resources will run in Azure if you don't specify another region during resource creation.

+Create a resource group using the `az group create` command. Replace `<resource-group-name>` with the name of the resource group you want to create, and replace `<location>` with an Azure region such as *eastus*, *westus2*, *westus3*, or *westeurope*. See this [list of Azure regions](container-storage-introduction.md#regional-availability) where Azure Container Storage is available.

+```azurecli-interactive

+az group create --name <resource-group-name> --location <location>

+```

+If the resource group was created successfully, you'll see output similar to this:

+```output

+{

+ "id": "/subscriptions/<guid>/resourceGroups/myContainerStorageRG",

+ "location": "eastus",

+ "managedBy": null,

+ "name": "myContainerStorageRG",

+ "properties": {

+ "provisioningState": "Succeeded"

+ },

+ "tags": null

+}

+```

+## Choose a data storage option for your storage pool

+Before deploying Azure Container Storage, you'll need to decide which back-end storage option you want to use to create your storage pool and persistent volumes. Three options are currently available:

+- **Azure Elastic SAN Preview**: Azure Elastic SAN preview is a good fit for general purpose databases, streaming and messaging services, CI/CD environments, and other tier 1/tier 2 workloads. Storage is provisioned on demand per created volume and volume snapshot. Multiple clusters can access a single SAN concurrently, however persistent volumes can only be attached by one consumer at a time.

+- **Azure Disks**: Azure Disks are a good fit for databases such as MySQL, MongoDB, and PostgreSQL. Storage is provisioned per target container storage pool size and maximum volume size.

+- **Ephemeral Disk**: This option uses local NVMe drives on the AKS cluster nodes and is extremely latency sensitive (low sub-ms latency), so it's best for applications with no data durability requirement or with built-in data replication support such as Cassandra. AKS discovers the available ephemeral storage on AKS nodes and acquires the drives for volume deployment.

+You'll specify the storage pool type when you install Azure Container Storage.

+## Choose a VM type for your cluster

+If you intend to use Azure Elastic SAN Preview or Azure Disks as backing storage, then you should choose a [general purpose VM type](../../virtual-machines/sizes-general.md) such as **standard_d4s_v5** for the cluster nodes. If you intend to use Ephemeral Disk, choose a [storage optimized VM type](../../virtual-machines/sizes-storage.md) with NVMe drives such as **standard_l8s_v3**. In order to use Ephemeral Disk, the VMs must have NVMe drives. You'll specify the VM type when you create the cluster in the next section.

+> You must choose a VM type that supports [Azure premium storage](../../virtual-machines/premium-storage-performance.md). Each VM should have a minimum of four virtual CPUs (vCPUs). Azure Container Storage will consume one core for I/O processing on every VM the extension is deployed to.

+## Create a new AKS cluster and install Azure Container Storage

+If you already have an AKS cluster deployed, skip this section and go to [Install Azure Container Storage on an existing AKS cluster](#install-azure-container-storage-on-an-existing-aks-cluster).

+Run the following command to create a new AKS cluster, install Azure Container Storage, and create a storage pool. Replace `<cluster-name>` and `<resource-group-name>` with your own values, and specify which VM type you want to use. You'll need a node pool of at least three Linux VMs. Replace `<storage-pool-type>` with `azureDisk`, `ephemeraldisk`, or `elasticSan`.

+Optional storage pool parameters:

+| **Parameter** | **Default** |

+|-|-|

+| --storage-pool-name | mypool-<random 7 char lowercase> |

+| --storage-pool-size | 512Gi (1Ti for Elastic SAN) |

+| --storage-pool-sku | Premium_LRS |

+| --storage-pool-option | NVMe |

+```azurecli-interactive

+az aks create -n <cluster-name> -g <resource-group-name> --node-vm-size Standard_D4s_v3 --node-count 3 --enable-azure-container-storage <storage-pool-type>

+```

+The deployment will take 10-15 minutes to complete.

+## Install Azure Container Storage on an existing AKS cluster

+If you already have an AKS cluster that meets the [VM requirements](#choose-a-vm-type-for-your-cluster), run the following command to install Azure Container Storage on the cluster and create a storage pool. Replace `<cluster-name>` and `<resource-group-name>` with your own values. Replace `<storage-pool-type>` with `azureDisk`, `ephemeraldisk`, or `elasticSan`.

+Running this command will enable Azure Container Storage on a node pool named `nodepool1`, which is the default node pool name. If you want to install it on other node pools, see [Install Azure Container Storage on specific node pools](#install-azure-container-storage-on-specific-node-pools).

+> [!IMPORTANT]

+> **If you created your AKS cluster using the Azure portal:** The cluster will likely have a user node pool and a system/agent node pool. However, if your cluster consists of only a system node pool, which is the case with test/dev clusters created with the Azure portal, you'll need to first [add a new user node pool](../../aks/create-node-pools.md#add-a-node-pool) and then label it. This is because when you create an AKS cluster using the Azure portal, a taint `CriticalAddOnsOnly` is added to the system/agent nodepool, which blocks installation of Azure Container Storage on the system node pool. This taint isn't added when an AKS cluster is created using Azure CLI.

+```azurecli-interactive

+az aks update -n <cluster-name> -g <resource-group-name> --enable-azure-container-storage <storage-pool-type>

+```

+The deployment will take 10-15 minutes to complete.

+### Install Azure Container Storage on specific node pools

+If you want to install Azure Container Storage on specific node pools, follow these instructions. The node pools must contain at least three Linux VMs each.

+1. Run the following command to view the list of available node pools. Replace `<resource-group-name>` and `<cluster-name>` with your own values.

+

+ ```azurecli-interactive

+ az aks nodepool list --resource-group <resource-group-name> --cluster-name <cluster-name>

+ ```

+

+2. Run the following command to install Azure Container Storage on specific node pools. Replace `<cluster-name>` and `<resource-group-name>` with your own values. Replace `<storage-pool-type>` with `azureDisk`, `ephemeraldisk`, or `elasticSan`.

+

+ ```azurecli-interactive

+ az aks update -n <cluster-name> -g <resource-group-name>ΓÇ»--enable-azure-container-storageΓÇ»<storage-pool-type> --azure-container-storage-nodepools <comma separated values of nodepool names>

+ ```

+Based on feedback from customers, we've included the following capabilities in the Azure Container Storage Preview:

+- Improve stateful application availability by using [multi-zone storage pools and ZRS disks](enable-multi-zone-redundancy.md)

+- Enable server-side encryption with [customer-managed keys](use-container-storage-with-managed-disks.md#enable-server-side-encryption-with-customer-managed-keys) (Azure Disks only)

+ Title: Enable multi-zone storage redundancy in Azure Container Storage Preview to improve stateful application availability

+description: Enable storage redundancy across multiple availability zones in Azure Container Storage Preview to improve stateful application availability. Use multi-zone storage pools and zone-redundant storage (ZRS) disks.

+# Enable multi-zone storage redundancy in Azure Container Storage Preview

+You can improve stateful application availability by using multi-zone storage pools and zone-redundant storage (ZRS) disks when using [Azure Container Storage](container-storage-introduction.md) in a multi-zone Azure Kubernetes Service (AKS) cluster. To create an AKS cluster that uses availability zones, see [Use availability zones in Azure Kubernetes Service](../../aks/availability-zones.md).

+## Prerequisites

+- This article requires version 2.0.64 or later of the Azure CLI. See [How to install the Azure CLI](/cli/azure/install-azure-cli). If you're using Azure Cloud Shell, the latest version is already installed. If you plan to run the commands locally instead of in Azure Cloud Shell, be sure to run them with administrative privileges.

+- You'll need an AKS cluster with a node pool of at least three virtual machines (VMs) for the cluster nodes, each with a minimum of four virtual CPUs (vCPUs).

+- This article assumes you've already [installed Azure Container Storage](container-storage-aks-quickstart.md) on your AKS cluster.

+- You'll need the Kubernetes command-line client, `kubectl`. It's already installed if you're using Azure Cloud Shell, or you can install it locally by running the `az aks install-cli` command.

+## Create a multi-zone storage pool

+In your storage pool definition, you can specify the zones where you want your storage capacity to be distributed across. The total storage pool capacity will be distributed evenly across the number of zones specified. For example, if two zones are specified, each zone gets half of the storage pool capacity; if three zones are specified, each zone gets one-third of the total capacity. Corresponding storage will be provisioned in each of the zones. This is useful when running workloads that offer application-level replication such as Cassandra.

+If there are no nodes available in a specified zone, the capacity will be provisioned once a node is available in that zone. Persistent volumes (PVs) can only be created from storage pool capacity from one zone.

+Valid values for `zones` are:

+- [""]

+- ["1"]

+- ["2"]

+- ["3"]

+- ["1", "2"]

+- ["1", "3"]

+- ["2", "3"]

+- ["1", "2", "3"]

+Follow these steps to create a multi-zone storage pool that uses Azure Disks. For `zones`, choose a valid value.

+1. Use your favorite text editor to create a YAML manifest file such as `code acstor-multizone-storagepool.yaml`.

+1. Paste in the following code and save the file. The storage pool **name** value can be whatever you want. For **storage**, specify the amount of storage capacity for the pool in Gi or Ti.

+ ```yml

+ apiVersion: containerstorage.azure.com/v1beta1

+ kind: StoragePool

+ metadata:

+ name: azuredisk

+ namespace: acstor

+ spec:

+ zones: ["1", "2", "3"]

+ poolType:

+ azureDisk: {}

+ resources:

+ requests:

+ storage: 1Ti

+ ```

+1. Apply the YAML manifest file to create the multi-zone storage pool.

+

+ ```azurecli-interactive

+ kubectl apply -f acstor-multizone-storagepool.yaml

+ ```

+## Use zone-redundant storage (ZRS) disks

+If your workload requires storage redundancy, you can leverage disks that use [zone-redundant storage](../../virtual-machines/disks-deploy-zrs.md), which copies your data synchronously across three Azure availability zones in the primary region.

+You can specify the disk `skuName` as either `StandardSSD_ZRS` or `Premium_ZRS` in your storage pool definition, as in the following example.

+ ```yml

+ apiVersion: containerstorage.azure.com/v1beta1

+ kind: StoragePool

+ metadata:

+ name: azuredisk

+ namespace: acstor

+ spec:

+ poolType:

+ azureDisk:

+ skuName: Premium_ZRS

+ resources:

+ requests:

+ storage: 1Ti

+ ```

+## See also

+- [What is Azure Container Storage?](container-storage-introduction.md)

+[Azure Container Storage](container-storage-introduction.md) is a cloud-based volume management, deployment, and orchestration service built natively for containers. This article shows you how to create an [Azure Kubernetes Service (AKS)](../../aks/intro-kubernetes.md) cluster, label the node pool, and install Azure Container Storage Preview on the cluster. Alternatively, you can install Azure Container Storage Preview [using a QuickStart](container-storage-aks-quickstart.md) instead of following the manual steps in this article.

+> If you already have an AKS cluster deployed, proceed to [Connect to the cluster](#connect-to-the-cluster).

+```output

+To connect to the cluster, use the Kubernetes command-line client, `kubectl`. It's already installed if you're using Azure Cloud Shell, or you can install it locally by running the `az aks install-cli` command.

+First, create a storage pool, which is a logical grouping of storage for your Kubernetes cluster, by defining it in a YAML manifest file.

+If you enabled Azure Container Storage using `az aks create` or `az aks update` commands, you might already have a storage pool. Use `kubectl get sp -n acstor` to get the list of storage pools. If you have a storage pool already available that you want to use, you can skip this section and proceed to [Display the available storage classes](#display-the-available-storage-classes).

+Follow these steps to create a storage pool with Azure Elastic SAN Preview.

+First, create a storage pool, which is a logical grouping of storage for your Kubernetes cluster, by defining it in a YAML manifest file.

+If you enabled Azure Container Storage using `az aks create` or `az aks update` commands, you might already have a storage pool. Use `kubectl get sp -n acstor` to get the list of storage pools. If you have a storage pool already available that you want to use, you can skip this section and proceed to [Display the available storage classes](#display-the-available-storage-classes).

+Follow these steps to create a storage pool using local disk.

+First, create a storage pool, which is a logical grouping of storage for your Kubernetes cluster, by defining it in a YAML manifest file.

+If you enabled Azure Container Storage using `az aks create` or `az aks update` commands, you might already have a storage pool. Use `kubectl get sp -n acstor` to get the list of storage pools. If you have a storage pool already available that you want to use, you can skip this section and proceed to [Display the available storage classes](#display-the-available-storage-classes).

+> [!IMPORTANT]

+> If you want to use your own keys to encrypt your volumes instead of using Microsoft-managed keys, don't create your storage pool using the steps in this section. Instead, go to [Enable server-side encryption with customer-managed keys](#enable-server-side-encryption-with-customer-managed-keys) and follow the steps there.

+Follow these steps to create a storage pool for Azure Disks.

+## Enable server-side encryption with customer-managed keys

+If you already created a storage pool or you prefer to use the default Microsoft-managed encryption keys, skip this section and proceed to [Display the available storage classes](#display-the-available-storage-classes).

+All data in an Azure storage account is encrypted at rest. By default, data is encrypted with Microsoft-managed keys. For more control over encryption keys, you can supply customer-managed keys (CMK) to encrypt the persistent volumes that you'll create from an Azure Disk storage pool.

+To use your own key, you must have an [Azure Key Vault](../../key-vault/general/overview.md) with a key. The Key Vault should have purge protection enabled, and it must use the Azure RBAC permission model. Learn more about [customer-managed keys on Linux](../../virtual-machines/disk-encryption.md#customer-managed-keys).

+When creating your storage pool, you must define the CMK parameters. The required CMK encryption parameters are:

+- **keyVersion** specifies the version of the key to use

+- **keyName** is the name of your key

+- **keyVaultUri** is the uniform resource identifier of the Azure Key Vault, for example `https://user.vault.azure.net`

+- **Identity** specifies a managed identity with access to the vault, for example `/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourcegroups/MC_user-acstor-westus2-rg_user-acstor-westus2_westus2/providers/Microsoft.ManagedIdentity/userAssignedIdentities/user-acstor-westus2-agentpool`

+Follow these steps to create a storage pool using your own encryption key. All persistent volumes created from this storage pool will be encrypted using the same key.

+1. Use your favorite text editor to create a YAML manifest file such as `code acstor-storagepool-cmk.yaml`.

+1. Paste in the following code, supply the required parameters, and save the file. The storage pool **name** value can be whatever you want. For **skuName**, specify the level of performance and redundancy. Acceptable values are Premium_LRS, Standard_LRS, StandardSSD_LRS, UltraSSD_LRS, Premium_ZRS, PremiumV2_LRS, and StandardSSD_ZRS. For **storage**, specify the amount of storage capacity for the pool in Gi or Ti. Be sure to supply the CMK encryption parameters.

+ ```yml

+ apiVersion: containerstorage.azure.com/v1beta1

+ kind: StoragePool

+ metadata:

+ name: azuredisk

+ namespace: acstor

+ spec:

+ poolType:

+ azureDisk:

+ skuName: Premium_LRS

+ encryption: {

+ keyVersion: "<key-version>",

+ keyName: "<key-name>",

+ keyVaultUri: "<key-vault-uri>",

+ identity: "<identity>"

+ }

+ resources:

+ requests:

+ storage: 1Ti

+ ```

+1. Apply the YAML manifest file to create the storage pool.