+1. [Create the VPN gateway and subnet](../vpn-gateway/tutorial-create-gateway-portal.md). Select a route-based VPN type.

+### Flex Consumption Plan

+The [Flex Consumption plan](../flex-consumption-plan.md) is an Azure Functions hosting plan that provides many of the benefits of the Consumption plan, including a serverless billing model, while also adding useful features, such as private networking, instance memory size selection, and full support for managed identity authentication.

+Azure Storage is currently the only supported [storage provider](durable-functions-storage-providers.md) for Durable Functions when hosted in the Flex Consumption plan.

+You should follow these performance recommendations when hosting Durable Functions in the Flex Consumption plan:

+* Set the [always ready instance count](../flex-consumption-how-to.md#set-always-ready-instance-counts) for the `durable` group to `1`. This ensures that there is always one instance ready to handle Durable Functions related requests, thus reducing the application's cold start.

+* Reduce the [queue polling interval](durable-functions-azure-storage-provider.md#queue-polling) to 10 seconds or less. Since this plan type is more sensitive to queue polling delays, lowering the polling interval will help increase the frequency of polling operations, thus ensuring requests are handled faster. However, more frequent polling operations will lead to a higher Azure Storage account cost.

+> Entity functions and related functionality are only available in [Durable Functions 2.0](durable-functions-versions.md#migrate-from-1x-to-2x) and above. They are currently supported in .NET in-proc, .NET isolated worker, JavaScript, and Python, but not in PowerShell or Java. Furthermore, entity functions for .NET Isolated are supported when using the Azure Storage or Netherite state providers, but not when using the MSSQL state provider.

+| Durable Entities support | ✅ Fully supported | ✅ Fully supported | ⚠️ Supported except when using .NET Isolated |

+| [Flex Consumption plan](../flex-consumption-plan.md) | ✅ Fully supported ([see notes](./durable-functions-azure-storage-provider.md#flex-consumption-plan)) |❌ Not supported | ❌ Not supported |

+> - The MSSQL backend was designed to maximize application portability and control over your data. It uses [Microsoft SQL Server](https://www.microsoft.com/sql-server/) to persist all task hub data so that users get the benefits of a modern, enterprise-grade database management system (DBMS) infrastructure. To learn more about when to use the MSSQL storage provider, see the [storage providers overview](durable-functions-storage-providers.md).

+>

+> - The MSSQL backend currently isn't supported by Durable Functions when running on the [Flex Consumption plan](../flex-consumption-plan.md).

+>

+> - The Netherite backend currently isn't supported by Durable Functions when running on the [Flex Consumption plan](../flex-consumption-plan.md).

+Microsoft Azure is a hyperscale public multitenant cloud services platform that provides you with access to a feature-rich environment incorporating the latest cloud innovations such as artificial intelligence, machine learning, IoT services, big-data analytics, intelligent edge, and many more to help you increase efficiency and unlock insights into your operations and performance.

+A multitenant cloud platform implies that multiple customer applications and data are stored on the same physical hardware. Azure uses logical isolation to segregate your applications and data from other customers. This approach provides the scale and economic benefits of multitenant cloud services while rigorously helping prevent other customers from accessing your data or applications.

+Azure addresses the perceived risk of resource sharing by providing a trustworthy foundation for assuring multitenant, cryptographically certain, logically isolated cloud services using a common set of principles:

+**[Vaults](/azure/key-vault/general/overview)** provide a multitenant, low-cost, easy to deploy, zone-resilient (where available), and highly available key management solution suitable for most common cloud application scenarios. Vaults can store and safeguard [secrets, keys, and certificates](/azure/key-vault/general/about-keys-secrets-certificates). They can be either software-protected (standard tier) or HSM-protected (premium tier). For a comparison between the standard and premium tiers, see the [Azure Key Vault pricing page](https://azure.microsoft.com/pricing/details/key-vault/). Software-protected secrets, keys, and certificates are safeguarded by Azure, using industry-standard algorithms and key lengths. If you require extra assurances, you can choose to safeguard your secrets, keys, and certificates in vaults protected by multitenant HSMs. The corresponding HSMs are validated according to the [FIPS 140 standard](/azure/compliance/offerings/offering-fips-140-2), and have an overall Security Level 2 rating, which includes requirements for physical tamper evidence and role-based authentication.

+Vaults enable support for [customer-managed keys](../security/fundamentals/encryption-models.md) (CMK) where you can control your own keys in HSMs, and use them to encrypt data at rest for [many Azure services](../security/fundamentals/encryption-customer-managed-keys-support.md). As mentioned previously, you can [import or generate encryption keys](/azure/key-vault/keys/hsm-protected-keys) in HSMs ensuring that keys never leave the HSM boundary to support *bring your own key (BYOK)* scenarios.

+As mentioned previously, managed HSM supports [importing keys generated](/azure/key-vault/managed-hsm/hsm-protected-keys-byok) in your on-premises HSMs, ensuring the keys never leave the HSM protection boundary, also known as *bring your own key (BYOK)* scenario. Managed HSM supports integration with Azure services such as [Azure Storage](../storage/common/customer-managed-keys-overview.md), [Azure SQL Database](/azure/azure-sql/database/transparent-data-encryption-byok-overview), [Azure Information Protection](/azure/information-protection/byok-price-restrictions), and others. For a more complete list of Azure services that work with Managed HSM, see [Data encryption models](../security/fundamentals/encryption-customer-managed-keys-support.md).

+Managed HSM enables you to use the established Azure Key Vault API and management interfaces. You can use the same application development and deployment patterns for all your applications irrespective of the key management solution: multitenant vault or single-tenant managed HSM.

+These technologies are described in the rest of this section. **They enable Azure Hypervisor to offer strong security assurances for tenant separation in a multitenant cloud.**

+The Azure Hypervisor makes extensive use of these processor facilities to provide isolation between partitions. The emergence of speculative side channel attacks has identified potential weaknesses in some of these processor isolation capabilities. In a multitenant architecture, any cross-VM attack across different tenants involves two steps: placing an adversary-controlled VM on the same Host as one of the victim VMs, and then breaching the logical isolation boundary to perform a side-channel attack. Azure provides protection from both threat vectors by using an advanced VM placement algorithm enforcing memory and process separation for logical isolation, and secure network traffic routing with cryptographic certainty at the Hypervisor. As discussed in section titled *[Exploitation of vulnerabilities in virtualization technologies](#exploitation-of-vulnerabilities-in-virtualization-technologies)* later in the article, the Azure Hypervisor has been architected to provide robust isolation directly within the hypervisor that helps mitigate many sophisticated side channel attacks.

+The Azure Hypervisor defined security boundaries provide the base level isolation primitives for strong segmentation of code, data, and resources between potentially hostile multitenants on shared hardware. These isolation primitives are used to create multitenant resource isolation scenarios including:

+The logical isolation of tenant infrastructure in a public multitenant cloud is [fundamental to maintaining security](https://azure.microsoft.com/solutions/network-security/). The overarching principle for a virtualized solution is to allow only connections and communications that are necessary for that virtualized solution to operate, blocking all other ports and connections by default. Azure [Virtual Network](../virtual-network/virtual-networks-overview.md) (VNet) helps ensure that your private network traffic is logically isolated from traffic belonging to other customers. Virtual Machines (VMs) in one VNet can't communicate directly with VMs in a different VNet even if both VNets are created by the same customer. [Networking isolation](../security/fundamentals/isolation-choices.md#networking-isolation) ensures that communication between your VMs remains private within a VNet. You can connect your VNets via [VNet peering](../virtual-network/virtual-network-peering-overview.md) or [VPN gateways](../vpn-gateway/vpn-gateway-about-vpngateways.md), depending on your connectivity options, including bandwidth, latency, and encryption requirements.

+A multitenant cloud platform implies that multiple customer applications and data are stored on the same physical hardware. Azure uses [logical isolation](../security/fundamentals/isolation-choices.md) to segregate your applications and data from other customers. This approach provides the scale and economic benefits of multitenant cloud services while rigorously helping enforce controls designed to keep other customers from accessing your data or applications. If you're migrating from traditional on-premises physically isolated infrastructure to the cloud, this section addresses concerns that may be of interest to you.

+A multitenant cloud platform implies that multiple customer applications and data are stored on the same physical hardware. Azure uses logical isolation to segregate your applications and data from other customers. This approach provides the scale and economic benefits of multitenant cloud services while rigorously helping prevent other customers from accessing your data or applications.

+Azure addresses the perceived risk of resource sharing by providing a trustworthy foundation for assuring multitenant, cryptographically certain, logically isolated cloud services using a common set of principles:

+Azure is a hyperscale public multitenant cloud services platform that provides you with access to a feature-rich environment incorporating the latest cloud innovations such as artificial intelligence, machine learning, IoT services, big-data analytics, intelligent edge, and many more to help you increase efficiency and unlock insights into your operations and performance.

+A multitenant cloud platform implies that multiple customer applications and data are stored on the same physical hardware. Azure uses logical isolation to segregate your applications and data from other customers. This approach provides the scale and economic benefits of multitenant cloud services while rigorously helping prevent other customers from accessing your data or applications.

+Azure addresses the perceived risk of resource sharing by providing a trustworthy foundation for assuring multitenant, cryptographically certain, logically isolated cloud services using a common set of principles:

+While the current CMVP FIPS 140 implementation guidance precludes a FIPS 140 validation for a cloud service, cloud service providers can obtain and operate FIPS 140 validated cryptographic modules for the computing elements that comprise their cloud services. Azure is built with a combination of hardware, commercially available operating systems (Linux and Windows), and Azure-specific version of Windows. Through the Microsoft [Security Development Lifecycle (SDL)](https://www.microsoft.com/securityengineering/sdl/), all Azure services use FIPS 140 approved algorithms for data security because the operating system uses FIPS 140 approved algorithms while operating at a hyper scale cloud. The corresponding crypto modules are FIPS 140 validated as part of the Microsoft [Windows FIPS validation program](/windows/security/threat-protection/fips-140-validation#modules-used-by-windows-server). Moreover, you can store your own cryptographic keys and other secrets in FIPS 140 validated hardware security modules (HSMs) under your control, also known as [customer-managed keys](../security/fundamentals/encryption-models.md#server-side-encryption-using-customer-managed-keys-in-azure-key-vault-and-azure-managed-hsm).

+## [1.0.5] (CDN: November 4, 2024, npm: November 7)

+[1.0.5]: https://www.npmjs.com/package/azure-maps-drawing-tools/v/1.0.5

+### [3.5.0] (CDN: November 4, 2024, npm: November 7)

+[3.5.0]: https://www.npmjs.com/package/azure-maps-control/v/3.5.0

+ >Azure VMware Solution default is Dedupe and Compression.

+ >Compression only provides slightly better performance.

+<a name="ultra-disk-backup">Ultra disks</a> | Supported with [Enhanced policy](backup-azure-vms-enhanced-policy.md).[Learn about the disk considerations for Azure VM](/azure/virtual-machines/disks-types#ultra-disk-limitations). <br><br> - Configuration of Ultra disk protection is supported via Recovery Services vault and via virtual machine blade. <br><br> - File-level restore is currently not supported for machines using Ultra disks. <br><br> - GRS vaults and Cross-Region Restore are currently supported in the following regions for machines using Ultra Disks: South Central US, Brazil South, Canada East, Canada Central, East US2, South East Asia, West US, Central US, Korea South, Korea Central, South Central US, West Europe, North Central US, East Asia, USGov Texas, USGov Arizona, USGov Texas, West US2, North Europe, East US, West Central US, East US.

+<a name="premium-ssd-v2-backup">Premium SSD v2</a> | Supported with [Enhanced policy](backup-azure-vms-enhanced-policy.md). [Learn about the disk considerations for Azure VM](/azure/virtual-machines/disks-types#regional-availability). <br><br> - Configuration of Premium SSD v2 disk protection is supported via Recovery Services vault and via virtual machine blade. <br><br> - File-level restore is currently not supported for machines using Premium SSD v2 disks. <br><br> - GRS vaults and Cross-Region Restore are currently supported in the following regions for machines using Premium SSDv2 Disks: Brazil South, Central US, East Asia, East US, East US2, North Central US, North Europe, South Central US, South East Asia, UK South, UK West, West Europe, West US, West US3.

+| `Hold` | `HoldFailed` |

+| `StartMediaStreaming` | `MediaStreamingStarted` / `MediaStreamingFailed` |

+| `StopMediaStreaming` | `MediaStreamingStopped` / `MediaStreamingFailed` |

+| `StartTranscription` | `TranscriptionStarted` / `TranscriptionFailed` |

+| `UpdateTranscription` | `TranscriptionUpdated` / `TranscriptionFailed` |

+| `StopTranscription` | `TranscriptionStopped` / `TranscriptionFailed` |

+## Logging

+Code interpreter sessions don't support logging directly. Your application that's interacting with the sessions can log requests to the session pool management API and its responses.

+## Billing

+Code interpreter sessions are billed based on the duration of each session. See [Billing](billing.md#dynamic-sessions) for more information.

+ --image myregistry.azurecr.io/my-container-image:1.0 \

+To check on the status of the session pool, use the `az containerapp sessionpool show` command:

+```bash

+az containerapp sessionpool show \

+ --name <SESSION_POOL_NAME> \

+ --resource-group <RESOURCE_GROUP> \

+ --query "properties.poolManagementEndpoint" \

+ --output tsv

+```

+ "apiVersion": "2024-08-02-preview",

+ "secrets": [

+ {

+ "name": "registrypassword",

+ "value": "<REGISTRY_PASSWORD>"

+ }

+ ],

+ "registryCredentials": {

+ "server": "myregistry.azurecr.io",

+ "username": "myregistry",

+ "passwordSecretRef": "registrypassword"

+ },

+| `secrets` | `[{ "name": "registrypassword", "value": "<REGISTRY_PASSWORD>" }]` | A list of secrets. |

+| `customContainerTemplate.registryCredentials.server` | `myregistry.azurecr.io` | The container registry server hostname. |

+| `customContainerTemplate.registryCredentials.username` | `myregistry` | The username to log in to the container registry. |

+| `customContainerTemplate.registryCredentials.passwordSecretRef` | `registrypassword` | The name of the secret that contains the password to log in to the container registry. |

+#### Image caching

+When a session pool is created or updated, Azure Container Apps caches the container image in the pool. This caching helps speed up the process of creating new sessions.

+Any changes to the image aren't automatically reflected in the sessions. To update the image, update the session pool with a new image tag. Use a unique tag for each image update to ensure that the new image is pulled.

+### Using managed identity

+A managed identity from Microsoft Entra ID allows your custom container session pools and their sessions to access other Microsoft Entra protected resources. For more about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).

+You can enable managed identities for your custom container session pools. Both system-assigned and user-assigned managed identities are supported.

+There are two ways to use managed identities with custom container session pools:

+* **Image pull authentication**: Use the managed identity to authenticate with the container registry to pull the container image.

+* **Resource access**: Use the session pool's managed identity in a session to access other Microsoft Entra protected resources. Due to its security implications, this capability is disabled by default.

+ > [!IMPORTANT]

+ > If you enable access to managed identity in a session, any code or programs running in the session can create Entra tokens for the pool's managed identity. Since sessions typically run untrusted code, use this feature with caution.

+# [Azure CLI](#tab/azure-cli)

+To enable managed identity for a custom container session pool, use Azure Resource Manager.

+# [Azure Resource Manager](#tab/arm)

+To enable managed identity for a custom container session pool, add an `identity` property to the session pool resource. The `identity` property must have a `type` property with the value `SystemAssigned` or `UserAssigned`. For details on how to configure this property, see [Configure managed identities](managed-identity.md?tabs=arm%2Cdotnet#configure-managed-identities).

+The following example shows an ARM template snippet that enables a user-assigned identity for a custom container session pool and use it for image pull authentication. Before you send the request, replace the placeholders between the `<>` brackets with the appropriate values for your session pool and session identifier.

+```json

+{

+ "type": "Microsoft.App/sessionPools",

+ "apiVersion": "2024-08-02-preview",

+ "name": "my-session-pool",

+ "location": "westus2",

+ "properties": {

+ "environmentId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ContainerApps/environments/<ENVIRONMENT_NAME>",

+ "poolManagementType": "Dynamic",

+ "containerType": "CustomContainer",

+ "scaleConfiguration": {

+ "maxConcurrentSessions": 10,

+ "readySessionInstances": 5

+ },

+ "dynamicPoolConfiguration": {

+ "executionType": "Timed",

+ "cooldownPeriodInSeconds": 600

+ },

+ "customContainerTemplate": {

+ "registryCredentials": {

+ "server": "myregistry.azurecr.io",

+ "identity": "<IDENTITY_RESOURCE_ID>"

+ },

+ "containers": [

+ {

+ "image": "myregistry.azurecr.io/my-container-image:1.0",

+ "name": "mycontainer",

+ "resources": {

+ "cpu": 0.25,

+ "memory": "0.5Gi"

+ },

+ "command": [

+ "/bin/sh"

+ ],

+ "args": [

+ "-c",

+ "while true; do echo hello; sleep 10;done"

+ ],

+ "env": [

+ {

+ "name": "key1",

+ "value": "value1"

+ },

+ {

+ "name": "key2",

+ "value": "value2"

+ }

+ ]

+ }

+ ],

+ "ingress": {

+ "targetPort": 80

+ }

+ },

+ "sessionNetworkConfiguration": {

+ "status": "EgressEnabled"

+ },

+ "managedIdentitySettings": [

+ {

+ "identity": "<IDENTITY_RESOURCE_ID>",

+ "lifecycle": "None"

+ }

+ ]

+ },

+ "identity": {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "<IDENTITY_RESOURCE_ID>": {}

+ }

+ }

+}

+```

+This template contains the following additional settings for managed identity:

+| Parameter | Value | Description |

+||-|-|

+| `customContainerTemplate.registryCredentials.identity` | `<IDENTITY_RESOURCE_ID>` | The resource ID of the managed identity to use for image pull authentication. |

+| `managedIdentitySettings.identity` | `<IDENTITY_RESOURCE_ID>` | The resource ID of the managed identity to use in the session. |

+| `managedIdentitySettings.lifecycle` | `None` | The session lifecycle where the managed identity is available.<br><br>- `None` (default): The session can't access the identity. It's only used for image pull.<br><br>- `Main`: In addition to image pull, the main session can also access the identity. **Use with caution.** |

+## Logging

+Console logs from custom container sessions are available in the Azure Log Analytics workspace associated with the Azure Container Apps environment in a table named `AppEnvSessionConsoleLogs_CL`.

+You interact with sessions in a session pool by sending HTTP requests. Each session pool has a unique pool management endpoint.

+For code interpreter sessions, you can also use an integration with an [LLM framework](./sessions-code-interpreter.md#llm-framework-integrations).

+### Session identifiers

+To send an HTTP request to a session, you must provide a session identifier in the request. You pass the session identifier in a query parameter named `identifier` in the URL when you make a request to a session.

+* If a session with the identifier already exists, the request is sent to the existing session.

+* If a session with the identifier doesn't exist, a new session is automatically allocated before the request is sent to it.

+#### Identifier format

+The session identifier is a free-form string, meaning you can define it in any way that suits your application's needs.

+The session identifier is a string that you define that is unique within the session pool. If you're building a web application, you can use the user's ID as the session identifier. If you're building a chatbot, you can use the conversation ID.

+The identifier must be a string that is 4 to 128 characters long and can contain only alphanumeric characters and special characters from this list: `|`, `-`, `&`, `^`, `%`, `$`, `#`, `(`, `)`, `{`, `}`, `[`, `]`, `;`, `<`, and `>`.

+#### Protecting session identifiers

+The session identifier is sensitive information which you must manage securely. Your application needs to ensure each user or tenant only has access to their own sessions.

+### <a name="authentication"></a>Authentication and authorization

+When you send requests to a session using the pool management API, authentication is handled using Microsoft Entra (formerly Azure Active Directory) tokens. Only Microsoft Entra tokens from an identity belonging to the *Azure ContainerApps Session Executor* role on the session pool are authorized to call the pool management API.

+To assign the role to an identity, use the following Azure CLI command:

+> A valid token can be used to create and access any session in the pool. Keep your tokens secure and don't share them with untrusted parties. End users should access sessions through your application, not directly. They should never have access to the tokens used to authenticate requests to the session pool.

+By default, sessions are prevented from making outbound network requests. You can control network access by configuring network status settings on the session pool.

+In addition, follow the guidance in the [authentication and authorization](#authentication) section to ensure that only authorized users can access sessions and in the [protecting session identifiers](#protecting-session-identifiers) section to ensure that session identifiers are secure.

+ - **Owner** role or any custom role with `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/permissions/read` permissions.

+

+ - Additionally, ensure that you enable [Allow trusted Azure service access](../../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services) to the storage account when you configure the firewall.

+

+

+#### Why do I get the 'Unauthorized' error while trying to create an Export?

+When attempting to create an Export to a storage account with a firewall, the user must have the Owner role or a custom role with `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/permissions/read` permissions. If these permissions are missing, you will encounter an error like:

+```json

+{

+ "error":{

+ "code":"Unauthorized",

+ "message":"The user does not have authorization to perform 'Microsoft.Authorization/roleAssignments/write' action on specified storage account, please use a storage account with sufficient permissions. If the permissions have changed recently then retry after some time."

+ }

+}

+```

+You can check for the permissions on the storage account by referring to the steps in [Check access for a user to a single Azure resource](../../role-based-access-control/check-access.md).

+#### Note: Version 1.0r2

+FOCUS 1.0r2 is a follow-up release to the FOCUS 1.0 dataset that changes how date columns are formatted, which may impact anyone who is parsing and especially modifying these values. The 1.0r2 dataset is still aligned with the FOCUS 1.0 specification. The "r2" indicates this is the second release of that 1.0 specification. The only change in this release is that all date columns now include seconds to more closely adhere to the FOCUS 1.0 specification. As an example, a 1.0 export may use "2024-01-01T00:00Z" and a 1.0r2 export would use "2024-01-01T00:00:00Z". The only difference is the extra ":00" for seconds at the end of the time segment of the ISO formatted date string.

+The connector supports the Windows versions in this [article](create-self-hosted-integration-runtime.md#prerequisites).

+The connector no longer supports P12 keyfiles. If you rely on service accounts, you are recommended to use JSON keyfiles instead. The P12CustomPwd property used for supporting the P12 keyfile was also deprecated. For more information, see this [article](https://cloud.google.com/sdk/docs/release-notes).

+The billing_on column property was removed from the Recurring_Application_Charges and UsageCharge tables due to Shopify's official deprecation of billing_on field.

+>[!NOTE]

+>Due to the [sunset of OAuth 1.0 authentication in Xero](https://devblog.xero.com/an-update-on-why-we-are-saying-goodbye-oauth-1-0a-hello-oauth-2-0-6a839230908f), please [upgrade to OAuth 2.0 authentication type](#linked-service-properties) if you are currently using OAuth 1.0 authentication type.

+# What's new in Microsoft Defender for IoT

+>

+- [Native Run as user support](https://developercommunity.visualstudio.com/t/Improve-run-as-user-support-for-Dev-Box/10719951): some of your Dev Box customization tasks require to be run as the signed in user. Native run as user support provides capability of executing customization under the user context with improved reliability, status tracking, and error reporting.

+- [Native support for WinGet & DSC](https://developercommunity.visualstudio.com/t/I-would-like-my-Dev-Box-to-run-Winget-an/10719983): all Dev Boxes will be able to use WinGet and DSC to install packages and apply configurations, without requiring a catalog to be attached.

+**Developer onboarding & experience**

+- [Region Selection Optimization for Dev Box Creation](https://developercommunity.visualstudio.com/t/Region-selection-optimization-based-on-l/10784537): as a developer, easily create your new Dev Box in an optimal region based on your location. As a dev center admin, optimize the location of existing Dev Boxes based on end user location and available capacity.

+- [Direct launch via the Windows App](https://developercommunity.visualstudio.com/t/Direct-launch-via-the-Windows-App/10784545): as a developer, quickly launch Dev Box from the developer portal on the Windows App RDP client.

+- [Cross clients multi-monitor settings](https://developercommunity.visualstudio.com/t/Dual-Screen-Settings-adjustment-setting-/10770153): as a developer, your multi-monitor settings will be shared consistently across RDP clients.

+- [Notification center for Developer Portal](https://developercommunity.visualstudio.com/t/Outage-notifications-for-Dev-Box/10720453?q=notifications): as a developer, you will get service notifications and updates right in the Developer Portal.

+- [Pin Dev Box to task view from Developer Portal](https://developercommunity.visualstudio.com/t/Ping-to-task-view-is-not-quite-working-f/10719957): as a developer, you can quickly access your Developer Box by pinning it to your Windows task view.

+- [In product prerequisites](https://developercommunity.visualstudio.com/t/User-License-Assignment-as-Pre-requisite/10523902?q=pre-requisits): as a dev center admin, you will get a dynamic prerequisites page that highlights any missing requirements and helps you track the progress you are making in setting up the Dev Box service.

+- [New Supported Regions](https://devblogs.microsoft.com/develop-from-the-cloud/microsoft-dev-box-regional-availability/): as a dev center admin, you will be able to enable your development team to create dev boxes in new regions including [UAE North](https://developercommunity.visualstudio.com/t/Support-for-Dev-Box-in-UAE-North/10781448) and [Spain Central](https://developercommunity.visualstudio.com/t/Dev-Box-support-in-Spain-Central/10781449).

+- [Expand IPs within existing subnets](https://developercommunity.visualstudio.com/t/Expand-IPs-within-existing-Subnets-in-a/10781464): as a dev center admin, you will be able to expand IP ranges in subnets that are running out of IP addresses.

+- [RRS Integration into QMS](https://developercommunity.visualstudio.com/t/Automatically-approve-higher-amounts-of/10781465): as a dev center admin for a trusted customer, you will be able to request and get larger amount of quota automatically approved through QMS.

+- [Hibernation on disconnect:](https://developercommunity.visualstudio.com/t/Customize-hibernation-options/10640621?entry=suggestion&q=hibernation+disconnect) as a dev center admin, reduce cost of compute by enabling dev boxes to hibernate on disconnect based on active working hours of developers.

+- [Project Policy](https://developercommunity.visualstudio.com/t/Curation-for-Dev-Center-and-Projects-und/10719953): as a dev center admin, set up guardrails around resources that different projects should and shouldn't access.

+- [Developer offboarding](https://developercommunity.visualstudio.com/t/Provide-a-means-to-do-external-cleanup/10670632?q=delete+unused+): as a dev center admin, configure your Dev Box service to offload users from Dev Boxes when they leave the organization and switch between teams.

+- [Firewall Service Tags](https://developercommunity.visualstudio.com/t/Dev-Box:-Advanced-notice-and-notificatio/10704156?q=firewall): as IT administrator working on setting up Dev Box for your organization, quickly configure traffic roles by utilizing Service Tags in your Firewall set up.

+- [Visual Studio 2022 RDP optimizations](https://developercommunity.microsoft.com/t/VS-and-VS-Code-optimizations-for-Dev-Box/10720946): as a developer, type and navigate your code without any noticeable latency.

+- [Auto network repair](https://developercommunity.visualstudio.com/t/Enable-Network-Adapter-after-wrongly-dis/10656306): as a developer, if you lose connectivity to your Dev Box due to miss configuring your Dev Box network adapter, Dev Box will automatically reset your network connection.

+- [Azure region optimizations based on user locations:](https://developercommunity.visualstudio.com/t/Move-VM-to-different-poolregion/10277787) as a dev center admin, optimize the location of existing Dev Boxes based on end user location and available capacity.

+- [Startup optimizations](https://developercommunity.visualstudio.com/t/Startup-optimizations-for-Dev-box/10781438): as a developer, you will experience a more reliable and stable Dev Box startup experience.

+- [Backup SKUs:](https://developercommunity.visualstudio.com/t/Back-up-SKUs-in-case-of-capacity-outage/10720451) as a developer, you will be able to smoothly resume working on existing dev boxes during service outages by opting to using a fallback SKU.

+- [Outage notifications:](https://developercommunity.visualstudio.com/t/Outage-notifications-for-Dev-Box/10720453) developers and admins can stay informed about ongoing service outages via outage notification shared within the developer and Azure status portals including [Azure Service Health](https://azure.microsoft.com/get-started/azure-portal/service-health) and [Azure Status](https://azure.status.microsoft/status) portals.

+This roadmap outlines our current priorities, and we remain flexible to adapt based on customer feedback. We invite you to [share your thoughts and suggest more capabilities you would like to see](https://aka.ms/DevBox/Feedback). Your insights help us refine our focus and deliver even greater value.

+- [What is Microsoft Dev Box?](overview-what-is-microsoft-dev-box.md)

+This article describes a sample scenario for using multiple instances of client applications to read events from an event hub. It also gives you details about features of event processor client, which allows you to receive events from multiple partitions at once and load balance with other consumers that use the same event hub and consumer group.

+* Gateway Transit: If you deploy two peered hub virtual networks connected to one circuit, you need to make sure to set the Allow Gateway Transit on the virtual network peering to false, otherwise you will experience connectivity issues.

+* Use Remote Gateway: If you deploy a spoke vnet peered to two hub vnets, you can only use one hub gateway as the remote gateway. If you use both as a remote gateway, you will experience connectivity issues.

+| **[Flo Networks](https://flo.net/microsoft)** | &check; | &check; | Dallas<br/>Los Angeles<br/>Miami<br/>Queretaro(Mexico City)<br/>Sao Paulo<br/>Washington DC<br/>**Locations are listed under Neutrona (company name is Neutrona Networks) Networks and Transtelco as providers for circuit creation* |

+ Title: Use service principals to automate workflows in Firmware analysis

+description: Learn about how to use service principals to automate workflows for Firmware Analysis.

+# How to Use Service Principals to Automate Workflows in Firmware analysis

+Many users of the firmware analysis service may need to automate their workflow. The command `az login` creates an interactive login experience with two-factor authentication that makes it difficult for users to fully automate their workflow. A service principal [Apps & service principals in Microsoft Entra ID](/entra/identity-platform/app-objects-and-service-principals) is a secure identity with proper permissions that authenticates to Azure in the command line without requiring two-factor authentication or an interactive log-in. This article explains how to create a service principal and use it to interact with the firmware analysis service. For more information on creating service principals, visit [Create Azure service principals using the Azure CLI](/cli/azure/azure-cli-sp-tutorial-1#create-a-service-principal). To authenticate securely, we recommend creating a service principal and authenticating using certificates. To learn more, visit [Create a service principal containing a certificate using Azure CLI](/cli/azure/azure-cli-sp-tutorial-3).

+1. Log in to your Azure account using the portal.

+2. Navigate to your subscription and assign yourself `User Access Administrator` or `Role Based Access Control Administrator` permissions, or higher, in your subscription. This gives you permission to create a service principal.

+3. Navigate to your command line

+ 1. Log in, specifying the tenant ID during login

+ ```azurecli

+ az login --tenant <TENANT_ID>

+ ```

+ 3. Switch to your subscription where you have proper permissions to create a service principal

+

+ ```azurecli

+ az account set --subscription <SUBSCRIPTION_ID>

+ ```

+ 5. Create service principal, assigning it the proper permissions at the proper scope. We recommend assigning your service principal the Firmware Analysis Admin role at the Subscription level.

+ ```azurecli

+ az ad sp create-for-rbac --name <SERVICE_PRINCIPAL_NAME> --role "Firmware Analysis Admin" --scopes /subscriptions/<SUBSCRIPTION_ID>

+ ```

+4. Note down your service principalΓÇÖs client ID (ΓÇ£`appId`ΓÇ¥), tenant ID (ΓÇ£`tenant`ΓÇ¥), and secret (ΓÇ£`password`ΓÇ¥) in a safe place. YouΓÇÖll need this for the next step.

+5. Log in to your service principal

+ ```azurecli

+ az login --service-principal --username $clientID --password $secret --tenant $tenantID

+ ```

+6. Once logged in, refer to the following Quickstarts for scripts to interact with the Firmware analysis service via Azure PowerShell, Azure CLI, or Python:

+ - [Upload firmware using Azure CLI](quickstart-upload-firmware-using-azure-command-line-interface.md)

+ - [Upload firmware using Azure PowerShell](quickstart-upload-firmware-using-powershell.md)

+ - [Upload firmware using Python](quickstart-upload-firmware-using-python.md)

+This article addresses frequent questions about Firmware analysis.

+* UEFI file system

+ Title: Interpreting extractor paths from SBOM view in Firmware analysis

+description: Learn how to interpret extractor paths from the SBOM view in Firmware analysis results.

+# Overview of How Firmware Images are Structured

+A firmware image is a collection of files and file systems containing software that operates hardware. Often, it includes compressed files, executables, and system files. These file systems may or may not include other file systems within each file. For example, a firmware image thatΓÇÖs a .zip file may include individual files such as executables within it but may also include other compressed file systems, such as a SquashFS file. You can visualize it like the following:

+*Each circle represents a file that may or may not have more file systems within it. The extractor repeatedly extracts each circle until there are no more circles (files) within it to be extracted.*

+If the large, encompassing oval represents the firmware image, the three circles within the large oval may represent individual file systems within this firmware image. The circles may even represent executables with embedded file systems within them.

+Because of the complex structure of firmware images ΓÇô any given layer could be an executable or a file system with another embedded executable or file system ΓÇô we need a comprehensive way to present the extraction results to accurately reflect a firmware imageΓÇÖs structure.

+**How the Extractor Works**

+The Firmware Analysis extractor identifies and decompresses data found within firmware images. There are multiple types of extractors, one for each type of file. For a full list of file formats that Firmware Analysis supports, check [Firmware analysis Frequently Asked Questions](firmware-analysis-faq.md).

+For example, a `ZipArchive` extractor would extract a `ZipArchive` file. The extractor extracts the image as it sits on the disk in your system, and you will need to correlate the file path to the structure of files on your build environment. When you upload your firmware images to the Firmware Analysis service, the extractor recursively extracts the image until it cannot extract further. This means that the original firmware image is decompressed into individual files, and each individual file is sent again to the extractor to see if they can be further decompressed. This repeats until the extractor cannot decompress further.

+Sometimes, there may be numerous files concatenated into one. Extractor will identify that there are numerous files in that one file, and use the appropriate extractor to extract each file, then put each file into its own respective directory. This means that if there were four files that were compiled with `GZip`, and they were concatenated into one file, extractor will identify that there are four `GZip` files at that level of extraction. Extractor will put the first `GZip` file into a directory named `GZipExtractor/1`, the second into a directory named `GZipExtractor/2`, and so on.

+## Interpret File Paths Created by the Extractor

+In the Firmware Analysis service, the SBOM view of the analysis results contains the file paths:

+Here is an example of a file path that might be seen in analysis results, and how to visualize the path in a file-system structure:

+The following file-system structure is a visual representation of the SBOM file path:

+In this sample file path, a `ZipArchiveExtractor` extracted a `ZipArchive`, and it puts the contents into a directory named `ZipArchiveExtractor/1`. Again, the ΓÇÿ1ΓÇÖ means that this was the first ΓÇô and possibly, the only ΓÇô `ZipArchive` file at this level of extraction. The extractor assigns a default name called `zip-root` to the `ZipArchive` file.

+> [!Note]

+> Usually, you can assume that a subdirectory with the suffix `-root` is created by Extractor and does not actually exist in your environment. It is just a subdirectory created by Extractor to hold the contents of that file type.

+>

+Within `zip-root` is the `adhoc` file:

+Within the `adhoc` file is the `lede-17.01.4-arc770-generic-nsim-initramfs.elf` file:

+Since the `lede…` file ends with `.extracted`, this means that there is something within this `.elf` file that needs to be extracted further. The next extractor used was a `CPIOArchiveExtractor`, which means that there was a `CPIOArchive` file system embedded in the `.elf` file. The contents of the `CPIOArchive` file were placed in a `cpio-root` subdirectory:

+and within the `CPIOArchive` file, there was a `bin` file, and that `bin` file had a file named `busybox` within it:

+## Locate the Path in your Environment

+Since the first extractor that was used was a `ZipArchiveExtractor`, this means that everything exists in a `Zip` file. Locate the `Zip` file, and within that, the full path on your environment would be `/adhoc/lede-17.01.4-arc770-generic-nsim-initramfs.elf.extracted/bin/busybox`. However, assume that you can only see into the first level of extraction ΓÇô the `.elf` file. To see further, you would need your own extractor to extract beyond the first layer. This means that, tangibly, the file path to go to would be: `/adhoc/lede-17.01.4-arc770-generic-nsim-initramfs.elf`.

+## Multiple Extractor Paths

+In some cases, you may notice a `(+1)` or `(+2)` next to the file path:

+When you hover over the number, youΓÇÖll see a pop-up that looks like this:

+This means that the SBOM can be found at these two executable paths.

+ set resourceGroup=myResourceGroup

+ set subscription=123e4567-e89b-12d3-a456-426614174000

+ set workspace=default

+ set firmwareID=sampleFirmwareID

+ for /f "tokens=*" %i in ('az firmwareanalysis workspace generate-upload-url --resource-group %resourceGroup% --subscription %subscription% --workspace-name %workspace% --firmware-id %firmwareID% --query "url"') do set sasURL=%i

+ az storage blob upload -f pathToFile --blob-url %sasURL%

+set filePath="/path/to/image"

+set resourceGroup="myResourceGroup"

+set workspace="default"

+set fileName="file1"

+set vendor="vendor1"

+set model="model"

+set version="test"

+for /f "tokens=*" %i in ('az firmwareanalysis firmware create --resource-group %resourceGroup% --workspace-name %workspace% --file-name %fileName% --vendor %vendor% --model %model% --version %version% --query "name"') do set FWID=%i

+for /f "tokens=*" %i in ('az firmwareanalysis workspace generate-upload-url --resource-group %resourceGroup% --workspace-name %workspace% --firmware-id %FWID% --query "url"') do set URL=%i

+az storage blob upload -f %filePath% --blob-url %URL%

+set resourceGroup="myResourceGroup"

+set workspace="default"

+set FWID="yourFirmwareID"

+for /f "tokens=*" %i in ('az firmwareanalysis firmware show --resource-group %resourceGroup% --workspace-name %workspace% --firmware-id %FWID% --query "id"') do set ID=%i

+echo Successfully created a firmware image with the firmware ID of %FWID%, recognized in Azure by this resource ID: %ID%.

+for /f "tokens=*" %i in ('az resource wait --ids %ID% --custom "properties.status=='Ready'" --timeout 10800') do set WAIT=%i

+for /f "tokens=*" %i in ('az resource show --ids %ID% --query "properties.status"') do set STATUS=%i

+echo Firmware analysis completed with status: %STATUS%

+ Title: What's new in Firmware analysis

+description: Learn about the latest updates for Firmware analysis.

+# What's new in Firmware analysis

+This article lists new features and feature enhancements in the Firmware analysis service.

+Noted features are in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## October 2024

+- **Support for UEFI images**: Firmware analysis service now analyzes UEFI images and identifies PKFail instances.

+- **New upload form with drag and drop**: You can now upload files with the new drag and drop functionality.

+- **Enhanced navigation menu**: Firmware analysis service in the Azure portal now has a menu blade for improved navigation.

+- **Race condition resolution**: Resolved a race condition that occasionally prevented the UI from fully populating the firmware list on initial load.

+- **Certificate encoding update**: Deprecated the encoding value for certificates to avoid confusion. Now also reporting DER certificates in embedded binaries as well as flat files.

+- **Paged analysis results**: Added support to fetch analysis results in pages to ensure safe retrieval of very large data sets.

+- **Additional bug fixes and improvements**: Multiple bug fixes for filters, styling, and accessibility.

+## March 2024

+- **Azure CLI and PowerShell commands**: Automate your workflow of analyzing firmware images by using the [Firmware Analysis Azure CLI](/cli/azure/service-page/firmware%20analysis) or the [Firmware Analysis PowerShell commands](/powershell/module/az.firmwareanalysis).

+- **User choice in resource group**: Pick your own resource group or create a new resource group during the onboarding process.

+ :::image type="content" source="media/whats-new-firmware-analysis/pick-resource-group.png" alt-text="Screenshot that shows resource group picker while onboarding." lightbox="media/whats-new-firmware-analysis/pick-resource-group.png":::

+- **New UI format with Firmware inventory**: Subtabs to organize Getting started, Subscription management, and Firmware inventory.

+ :::image type="content" source="media/whats-new-firmware-analysis/firmware-inventory-tab.png" alt-text="Screenshot that shows the firmware inventory in the new UI." lightbox="media/whats-new-firmware-analysis/firmware-inventory-tab.png":::

+- **Enhanced documentation**: Updates to [Tutorial: Analyze an IoT/OT firmware image](tutorial-analyze-firmware.md) documentation addressing the new onboarding experience.

+## January 2024

+- **PDF report generator**: Addition of a **Download as PDF** capability on the **Overview page** that generates and downloads a PDF report of the firmware analysis results.

+ :::image type="content" source="media/whats-new-firmware-analysis/overview-pdf-download.png" alt-text="Screenshot that shows the new Download as PDF button." lightbox="media/whats-new-firmware-analysis/overview-pdf-download.png":::

+- **Reduced analysis time**: Analysis time has been shortened by 30-80%, depending on image size.

+- **CODESYS libraries detection**: Firmware analysis now detects the use of CODESYS libraries, which Microsoft recently identified as having high-severity vulnerabilities. These vulnerabilities can be exploited for attacks such as remote code execution (RCE) or denial of service (DoS). For more information, see [Multiple high severity vulnerabilities in CODESYS V3 SDK could lead to RCE or DoS](https://www.microsoft.com/en-us/security/blog/2023/08/10/multiple-high-severity-vulnerabilities-in-codesys-v3-sdk-could-lead-to-rce-or-dos/).

+- **Enhanced documentation**: Addition of documentation addressing the following concepts:

+ - [Azure role-based access control for Firmware Analysis](firmware-analysis-rbac.md), which explains roles and permissions needed to upload firmware images and share analysis results, and an explanation of how the **FirmwareAnalysisRG** resource group works

+ - [Frequently asked questions](firmware-analysis-FAQ.md)

+- **Improved filtering for each report**: Each subtab report now includes more fine-grained filtering capabilities.

+- **Firmware metadata**: Addition of a collapsible tab with firmware metadata that is available on each page.

+ :::image type="content" source="media/whats-new-firmware-analysis/overview-firmware-metadata.png" alt-text="Screenshot that shows the new metadata tab in the Overview page." lightbox="media/whats-new-firmware-analysis/overview-firmware-metadata.png":::

+- **Improved version detection**: Improved version detection of the following libraries:

+ - pcre

+ - pcre2

+ - net-tools

+ - zebra

+ - dropbear

+ - bluetoothd

+ - WolfSSL

+ - sqlite3

+- **Added support for file systems**: Firmware analysis now supports extraction of the following file systems. For more information, see [Firmware analysis FAQs](firmware-analysis-faq.md#what-types-of-firmware-images-does-firmware-analysis-support):

+ - ISO

+ - RomFS

+ - Zstandard and non-standard LZMA implementations of SquashFS

+## July 2023

+Microsoft Defender for IoT Firmware Analysis is now available in public preview. Defender for IoT can analyze your device firmware for common weaknesses and vulnerabilities, and provide insight into your firmware security. This analysis is useful whether you build the firmware in-house or receive firmware from your supply chain.

+For more information, see [Firmware analysis for device builders](overview-firmware-analysis.md).

+| US Gov Virginia | | | |

+ * Azure HDInsight now supports OAuth-based authentication for accessing Azure Blob storage by leveraging Azure Active Directory (AAD) and managed identities (MSI). With this enhancement, HDInsight uses user-assigned managed identities to access Azure blob storage. For more information, see [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).

+* HDInsight service is transitioning to use standard load balancers for all its cluster configurations because of [deprecation announcement](https://azure.microsoft.com/updates/azure-basic-load-balancer-will-be-retired-on-30-september-2025-upgrade-to-standard-load-balancer#main) of Azure basic load balancer.

+ * This change will be rolled out in a phased manner for different regions.

+ > [!NOTE]

+ > When using your own Virtual Network (custom VNet) during cluster creation, please be advised that the cluster creation will not succeed once this change is enabled. We recommend referring to the [migration guide to recreate the cluster](./load-balancer-migration-guidelines.md).

+ > For any assistance, contact [support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview).

+* nistP384

+[Azure Migrate](migrate-services-overview.md) helps you to migrate to Azure. Azure Migrate provides a centralized hub to track discovery, assessment, and migration of on-premises infrastructure, applications, and data to Azure. The hub provides Azure tools for assessment and migration, as well as Partner independent software vendor (ISV) offerings.

+- [Create](./create-manage-projects.md) an Azure Migrate project.

+- [Add](how-to-assess.md) the Azure Migrate: Discovery and assessment tool if you've already created a project.

+- Set up an Azure Migrate appliance for [VMware vSphere](how-to-set-up-appliance-vmware.md), which discovers the on-premises servers, and sends metadata and performance data to Azure Migrate: Discovery and assessment. [Learn more](migrate-appliance.md).

+- [Import](./tutorial-discover-import.md) the server metadata in comma-separated values (CSV) format or [import your RVTools XLSX file](./tutorial-import-vmware-using-rvtools-xlsx.md).

+**Performance-based** | For RVTools and CSV file-based assessments and performance-based assessments, the assessment considers the **In Use MiB** and **Storage In Use** respectively for storage configuration of each VM. For appliance-based assessments and performance-based assessments, the assessment considers the collected CPU & memory performance data of on-premises servers. | **Recommended Node size**: Based on CPU and memory utilization data along with node type, storage type, and FTT setting that you select for the assessment.

+1. On the **Overview** page > **Servers, databases and web apps**, select **Assess and migrate servers**.

+1. In **Azure Migrate: Discovery and assessment**, select **Assess**.

+1. Select **Edit** to review the assessment properties.

+ - The **Storage type** is defaulted to **vSAN** and **Azure NetApp Files (ANF) - Standard**, **ANF - Premium**, and **ANF - Ultra** tiers. ANF is an external storage type in AVS that will be used when storage is the limiting factor considering the configuration/performance of the incoming VMs. When performance metrics are provided using the Azure Migrate appliance or the CSV, the assessment selects the tier that satisfies the performance requirements of the incoming VMsΓÇÖ disks. If the assessment is performed using a RVTools file or without providing performance metrics like throughput and IOPS, **ANF - Standard** tier is used for assessment by default.

+ - If you select to use a reserved instance, you can't specify '**Discount (%)**. [Learn more](../azure-vmware/reserved-instance.md).

+ - In **FTT setting, RAID level**, select the Failure to Tolerate and RAID combination. The selected FTT option, combined with the on-premises server disk requirement, determines the total vSAN storage required in AVS.

+ - In **Memory overcommit factor**, specify the ratio of memory over commit on the cluster. A value of 1 represents 100% memory use, 0.5, for example, is 50%, and 2 would be using 200% of available memory. You can only add values from 0.5 to 10 up to one decimal place.

+ - In **Dedupe and compression factor**, specify the anticipated deduplication and compression factor for your workloads. Actual value can be obtained from on-premises vSAN or storage config and this might vary by workload. A value of 3 would mean 3x so for 300 GB disk only 100 GB storage would be used. A value of 1 would mean no dedupe or compression. You can only add values from 1 to 10 up to one decimal place.

+1. Select **Save** if you make changes.

+ :::image type="content" source="./media/tutorial-assess-vmware-azure-vmware-solution/avs-view-all-inline.png" alt-text="Assessment properties" lightbox="./media/tutorial-assess-vmware-azure-vmware-solution/avs-view-all-expanded.png":::

+1. In **Assess Servers**, select **Next**.

+1. Select the appliance, and select the servers you want to add to the group. Then select **Next**.

+1. In **Review + create assessment**, review the assessment details, and select **Create Assessment** to create the group and run the assessment.

+ - Utilization includes up front factoring in the following cluster management overheads such as the vCenter Server, NSX Manager (large), NSX Edge, if HCX is deployed also the HCX Manager and IX appliance consuming ~ 44vCPU (11 CPU), 75 GB of RAM and 722 GB of storage before compression and deduplication.

+You can select **Sizing assumptions** to understand the assumptions that went in node sizing and resource utilization calculations. You can also edit the assessment properties, or recalculate the assessment.

+1. In **Windows, Linux and SQL Server** > **Azure Migrate: Discovery and assessment**, select the number next to **Azure VMware Solution**.

+1. In **Assessments**, select an assessment to open it. As an example (estimations and costs, for example, only):

+ :::image type="content" source="./media/tutorial-assess-vmware-azure-vmware-solution/avs-assessment-summary-inline.png" alt-text="Assessment Summary" lightbox="./media/tutorial-assess-vmware-azure-vmware-solution/avs-assessment-summary-expanded.png":::

+1. Review the assessment summary. You can select **Sizing assumptions** to understand the assumptions that went in node sizing and resource utilization calculations. You can also edit the assessment properties, or recalculate the assessment.

+ :::image type="content" source="./media/tutorial-assess-vmware-azure-vmware-solution/avs-utilization-inline.png" alt-text="Screenshot of AVS Utilization summary." lightbox="./media/tutorial-assess-vmware-azure-vmware-solution/avs-utilization-expanded.png":::

+2. [Review](concepts-azure-vmware-solution-assessment-calculation.md#server-properties) the server status:

+ - **Ready for AVS**: The server can be migrated as-is to Azure (AVS) without any changes. It starts in AVS with full AVS support.

+ - **Ready with conditions**: There might be some compatibility issues, for example, internet protocol or deprecated OS in VMware and need to be remediated before migrating to Azure VMware Solution. To fix any readiness problems, follow the remediation guidance the assessment suggests.

+ - **Not ready for AVS**: The VM won't start in AVS. For example, if the on-premises VMware VM has an external device attached such as a cd-rom the VMware vMotion operation fails (if using VMware vMotion).

+ - **Unknown**: For servers imported via a CSV or RVTools file, the default migration tool is unknown. Though for VMware vSphere VMs, it's suggested to use the VMware Hybrid Cloud Extension (HCX) solution.

+4. Select an **AVS readiness** status. You can view VM readiness details, and drill down to see VM details, including compute, storage, and network settings.

+ - As the pricing for Azure VMware Solution is per node, the total cost doesn't have compute cost and storage cost distribution.

+2. Review Estimated AVS cost: This cost indicates the estimated monthly AVS cost that would be incurred for hosting the VMs imported or discovered. It includes categorical costs of the AVS nodes, external storage costs, and the associated networking costs (if applicable).

+- **On-premises vs AVS (Azure VMware Solution)**: If you build a business case to *Migrate to AVS*, you see this report which covers the AVS and on-premises footprint of the workloads for migrating to AVS.

+#### AVS cost estimate

+**Estimated AVS cost**: This card includes the total cost of ownership for hosting all workloads on AVS including the AVS nodes cost (which includes storage cost), networking, and labor cost. The node cost is computed by taking the most cost optimum AVS node SKU. The infrastructure settings used are as follows:

+

+- The number and SKU of AVS hosts used in a business case aligns to the SKUs available in the given region and optimized to use the least number of nodes required to host all VMs ready to be migrated.

+- Azure NetApp File (ANF) is used when it can be used to optimize the number of AVS hosts required. ANF Standard tier is used when the VMs have been imported using RVTools. For an Azure Migrate appliance-based business case, the tier of ANF used in the business case depends on the IOPS & throughput data for VMs.

+ - CPU over-subscription of 4:1

+ - Memory overcommit of 100%

+ - Compression and deduplication factor of 1.5. You can learn more about this [here](concepts-azure-vmware-solution-assessment-calculation.md#whats-in-an-azure-vmware-solution-assessment).

+**Compute and license cost**: This card shows the comparison of compute and license cost when using Azure hybrid benefit and without Azure hybrid benefit.

+#### Savings and optimization:

+

+**Savings with 3-year RI**: This card shows the node cost with 3-year RI.

+**Savings with Azure Hybrid Benefit & Extended Security Updates**: This card displays the estimated maximum savings when using Azure hybrid benefit and with extended security updates over a period of one year.

+#### Arc cost estimate

+#### Arc savings

+ - **Threat protection and Savings using MDC**: The report also includes the savings by using Microsoft Defender for Cloud to secure your on-premises server. You can mitigate threats 50% faster and improve your security posture with Microsoft Defender for cloud.

+- To import servers using a RVTools file, [follow this tutorial](tutorial-import-vmware-using-rvtools-xlsx.md).

+ - If you discovered servers using an imported RVTools XLSX or CSV file, select **Imported servers**.

+ Target settings | **Storage type** | Defaulted to vSAN & ANF - Standard, ANF - Premium, and ANF - Ultra tiers. ANF will be used when external storage can reduce the cost by reducing the number of nodes required. ANF - Standard will be used by default when IOPS/throughput for storage is not provided.

+ VM size | **Node type** | Defaulted to use all the nodes available in a given region.

+ VM size | **FTT setting, RAID level** | Select the Failure to Tolerate and RAID combination. The selected FTT option, combined with the on-premises server disk requirement, determines the total vSAN storage required in AVS.

+ VM size | **Dedupe and compression factor** | Specify the anticipated dedupe and compression factor for your workloads. The actual value can be obtained from on-premises vSAN or storage config and this might vary by workload. A value of 3 would mean 3x so for a 300 GB disk only 100 GB storage would be used. A value of 1 would mean no dedupe or compression. You can only add values from 1 to 10 up to one decimal place.

+ :::image type="content" source="../media/tutorial-assess-vmware-azure-vmware-solution/avs-view-all-inline.png" alt-text="Assessment properties" lightbox="../media/tutorial-assess-vmware-azure-vmware-solution/avs-view-all-expanded.png":::

+1. In **Assessments**, select an assessment to open it. As an example (estimations and costs, for example, only):

+ :::image type="content" source="../media/tutorial-assess-vmware-azure-vmware-solution/avs-assessment-summary-inline.png" alt-text="Assessment Summary" lightbox="../media/tutorial-assess-vmware-azure-vmware-solution/avs-assessment-summary-expanded.png":::

+## Update (November 2024)

+- AVS assessments now support cost assessments with AV64 SKU and Azure NetApp Files (ANF) as an external storage option. [Learn more](how-to-create-azure-vmware-solution-assessment.md).

+- Support for cost of SKUs when porting on-premises VCF subscription to AVS.

+| Poland Central | 175 | 177 |

+| Poland Central | 141 | 129 | 141 | 155 |

+| Poland Central | 113 | 112 |

+| Poland Central | 210 | 123 | 129 |

+| Poland Central | 306 | 297 | 303 | 286 |

+| Poland Central | 277 | 279 |

+| Poland Central | 28 | 35 | 34 | 23 |

+| Source | Germany North | Germany West Central | Poland Central | Switzerland North | Switzerland West |

+| Poland Central | 13 | 22 | | 25 | 27 |

+| Poland Central | 29 | 34 | 26 |

+| Poland Central | 41 | 31 | 35 |

+| Poland Central | 267 | 261 |

+| Poland Central | 151 | 165 | 173 |

+| Poland Central | 237 | 205 |

+| Poland Central | 69 | 146 | 134 | 136 |

+| Poland Central | 180 | 163 |

+# Deploy Confidential Containers in an Azure Red Hat OpenShift (ARO) cluster (Preview)

+# Confidential Containers with Azure Red Hat OpenShift (Preview)

+| 1.29.7 | 3 | Calico v3.27.4<br>metrics-server v0.7.2<br>Multus v4.0.2<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.15<br>sriov-dp v3.7.0<br>Csi-nfs v4.9.0<br>csi-volume v0.1.0<br>metallb v0.14.5-3 | [Azure Linux 2.0.20240731](https://github.com/microsoft/azurelinux/releases/tag/2.0.20240731-2.0) | No breaking changes | Extended Available patches 1.29.4-1 |

+| 1.29.6 | 4 | Calico v3.27.4<br>metrics-server v0.7.2<br>Multus v4.0.2<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.15<br>sriov-dp v3.7.0<br>Csi-nfs v4.9.0<br>csi-volume v0.1.0<br>metallb v0.14.5-3 | [Azure Linux 2.0.20240731](https://github.com/microsoft/azurelinux/releases/tag/2.0.20240731-2.0) | No breaking changes | |

+| 1.28.12 | 3 | Calico v3.27.4<br>metrics-server v0.7.2<br>Multus v4.0.2<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.15<br>sriov-dp v3.7.0<br>Csi-nfs v4.9.0<br>csi-volume v0.1.0<br>metallb v0.14.5-3 | [Azure Linux 2.0.20240731](https://github.com/microsoft/azurelinux/releases/tag/2.0.20240731-2.0) | No breaking changes | Extended Available patches 1.28.9-2, 1.28.0-6 |

+| 1.28.11 | 4 | Calico v3.27.4<br>metrics-server v0.7.2<br>Multus v4.0.2<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.15<br>sriov-dp v3.7.0<br>Csi-nfs v4.9.0<br>csi-volume v0.1.0<br>metallb v0.14.5-3 | [Azure Linux 2.0.20240731](https://github.com/microsoft/azurelinux/releases/tag/2.0.20240731-2.0) | No breaking changes | |

+| 1.27.13 | 3 | Calico v3.27.4<br>metrics-server v0.7.2<br>Multus v4.0.2<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.15<br>sriov-dp v3.7.0<br>Csi-nfs v4.9.0<br>csi-volume v0.1.0<br>metallb v0.14.5-3 | [Azure Linux 2.0.20240425](https://github.com/microsoft/azurelinux/releases/tag/2.0.20240425-2.0) | No breaking changes | Extended Available patches 1.27.3-7, 1.27.1-8 |

+| 1.27.9 | 5 | Calico v3.27.4<br>metrics-server v0.7.2<br>Multus v4.0.2<br>azure-arc-servers v1.1.0<br>CoreDNS v1.9.4<br>etcd v3.5.15<br>sriov-dp v3.7.0<br>Csi-nfs v4.9.0<br>csi-volume v0.1.0<br>metallb v0.14.5-3 | [Azure Linux 2.0.20240425](https://github.com/microsoft/azurelinux/releases/tag/2.0.20240425-2.0) | No breaking changes | |

+## injectArtifactStoreDetails considerations

+In some cases, third-party helm charts maynot be fully compliant with AOSM requirements for registryURL. In this case, the injectArtifactStoreDetails feature can be used to avoid making changes to helm packages.

+### How to enable

+To use injectArtifactStoreDetails, set the installOptions parameter in the NF resource roleOrverrides section to true, then use whatever registryURL value is needed to keep the registry URL valid. See following example of injectArtifactStoreDetails parameter enabled.

+```bash

+resource networkFunction 'Microsoft.HybridNetwork/networkFunctions@2023-09-01' = {

+ name: nfName

+ location: location

+ properties: {

+ nfviType: 'AzureArcKubernetes'

+ networkFunctionDefinitionVersionResourceReference: {

+ id: nfdvId

+ idType: 'Open'

+ }

+ allowSoftwareUpdate: true

+ nfviId: nfviId

+ deploymentValues: deploymentValues

+ configurationType: 'Open'

+ roleOverrideValues: [

+ // Use inject artifact store details feature on test app 1

+ '{"name":"testapp1", "deployParametersMappingRuleProfile":{"helmMappingRuleProfile":{"options":{"installOptions":{"atomic":"false","wait":"false","timeout":"60","injectArtifactStoreDetails":"true"},"upgradeOptions": {"atomic": "false", "wait": "true", "timeout": "100", "injectArtifactStoreDetails": "true"}}}}}'

+ ]

+ }

+}

+```

+ Title: Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM

+description: Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM

+# Services that support customer managed keys (CMKs) in Azure Key Vault and Azure Managed HSM

+The following services support server-side encryption with customer managed keys in [Azure Key Vault](/azure/key-vault/) and [Azure Managed HSM](/azure/key-vault/managed-hsm/). For implementation details, see the service-specific documentation or the service's [Microsoft Cloud Security Benchmark: security baseline](/security/benchmark/azure/security-baselines-overview) (section DP-5).

+## AI and machine learning

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Azure AI Search](/azure/search/) | Yes | | [Configure customer-managed keys for data encryption in Azure AI Search](/azure/search/search-security-manage-encryption-keys) |

+| [Azure AI services](/azure/ai-services/) | Yes | Yes | [Customer-managed keys for encryption](/azure/ai-services/encryption/cognitive-services-encryption-keys-portal) |

+| [Azure AI Studio](/azure/ai-studio) | Yes | | [Encryption of data at rest in Azure AI services](/azure/ai-studio/concepts/encryption-keys-portal) |

+| [Azure Bot Service](/azure/bot-service/) | Yes | | [Encryption of bot data in Azure Bot Service](/azure/bot-service/bot-service-encryption) |

+| [Azure Health Bot](/azure/health-bot/) | Yes | | [Configure customer-managed keys (CMK) for Azure Health Bot](/azure/health-bot/cmk) |

+| [Azure Machine Learning](/azure/machine-learning/) | Yes | | [Customer-managed keys for workspace encryption in Azure Machine Learning](/azure/machine-learning/concept-customer-managed-keys) |

+| [Azure OpenAI](/azure/ai-services/openai/) | Yes | Yes | [Azure OpenAI Service encryption of data at rest](/azure/ai-services/openai/encrypt-data-at-rest) |

+| [Content Moderator](/azure/ai-services/content-moderator/) | Yes | Yes | [Content Moderator encryption of data at rest](/azure/ai-services/content-moderator/encrypt-data-at-rest) |

+| [Dataverse](/powerapps/maker/data-platform/) | Yes | Yes | [Customer-managed keys in Dataverse](/power-platform/admin/customer-managed-key) |

+| [Dynamics 365](/dynamics365/) | Yes | Yes | [Customer-managed keys for encryption](/dynamics365/fin-ops-core/dev-itpro/sysadmin/customer-managed-keys) |

+| [Face](/azure/ai-services/computer-vision/overview-identity) | Yes | Yes | [Face service encryption of data at rest](/azure/ai-services/computer-vision/identity-encrypt-data-at-rest) |

+| [Language Understanding](/azure/ai-services/luis/what-is-luis) | Yes | Yes | [Customer-managed keys with Azure Key Vault](/azure/ai-services/luis/encrypt-data-at-rest) |

+| [Personalizer](/azure/ai-services/personalizer/) | Yes | Yes | [Encryption of data at rest in Personalizer](/azure/ai-services/personalizer/encrypt-data-at-rest) |

+| [Power Platform](/power-platform/) | Yes | Yes | [Customer-managed keys in Power Platform](/power-platform/admin/customer-managed-key) |

+| [QnA Maker](/azure/ai-services/qnamaker/) | Yes | Yes | [QnA Maker encryption of data at rest](/azure/ai-services/qnamaker/encrypt-data-at-rest) |

+| [Speech Services](/azure/ai-services/speech-service/) | Yes | Yes | [Speech service encryption of data at rest](/azure/ai-services/speech-service/speech-encryption-of-data-at-rest) |

+| [Translator Text](/azure/ai-services/translator/) | Yes | Yes | [Translator encryption of data at rest](/azure/ai-services/translator/encrypt-data-at-rest) |

+## Analytics

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Azure Data Explorer](/azure/data-explorer/) | Yes | | [Configure customer-managed keys (CMK) in Azure Data Explorer](/azure/data-explorer/customer-managed-keys-portal) |

+| [Azure Data Factory](/azure/data-factory/) | Yes | Yes | [Encryption with customer-managed keys for Azure Data Factory](/azure/data-factory/enable-customer-managed-key) |

+| [Azure Data Lake Store](/azure/data-lake-store/) | Yes (RSA 2048-bit) | | |

+| [Azure Data Manager for Energy](/azure/energy-data-services/) | Yes | | [Manage data security and encryption](/azure/energy-data-services/how-to-manage-data-security-and-encryption) |

+| [Azure Databricks](/azure/databricks/) | Yes | Yes | [Customer-managed keys for managed services](/azure/databricks/security/keys/customer-managed-key-managed-services-azure) |

+| [Azure HDInsight](/azure/hdinsight/) | Yes | | [Azure HDInsight double encryption for data at rest](/azure/hdinsight/disk-encryption) |

+| [Azure Monitor Application Insights](/azure/azure-monitor/app/app-insights-overview) | Yes | | [Customer-managed keys in Azure Monitor](/azure/azure-monitor/logs/customer-managed-keys) |

+| [Azure Monitor Log Analytics](/azure/azure-monitor/logs/log-analytics-overview) | Yes | Yes | [Customer-managed keys in Azure Monitor](/azure/azure-monitor/logs/customer-managed-keys) |

+| [Azure Stream Analytics](/azure/stream-analytics/) | Yes\* | Yes | [Data protection in Azure Stream Analytics](/azure/stream-analytics/data-protection) |

+| [Azure Synapse Analytics](/azure/synapse-analytics/) | Yes (RSA 3072-bit) | Yes | [Configure encryption at rest with customer-managed keys](/azure/synapse-analytics/security/workspaces-encryption) |

+| [Microsoft Fabric](/fabric) | Yes | | [Customer-managed key (CMK) encryption and Microsoft Fabric](/fabric/security/security-scenario#customer-managed-key-cmk-encryption-and-microsoft-fabric) |

+| [Power BI Embedded](/power-bi) | Yes | | [Using your own key for Power BI encryption (Preview)](/power-bi/enterprise/service-encryption-byok) |

+## Containers

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Azure Kubernetes Service](/azure/aks/) | Yes | Yes | [Enable host encryption on your AKS cluster nodes](/azure/aks/enable-host-encryption) |

+| [Azure Red Hat OpenShift](/azure/openshift/) | Yes | | [Bring your own keys (BYOK) with Azure Red Hat OpenShift](/azure/openshift/howto-byok) |

+| [Container Instances](/azure/container-instances/) | Yes | | [Encrypt data with a customer-managed key](/azure/container-instances/container-instances-encrypt-data#encrypt-data-with-a-customer-managed-key) |

+| [Container Registry](/azure/container-registry/) | Yes | | [Encrypt container images with a customer-managed key](/azure/container-registry/container-registry-customer-managed-keys) |

+## Compute

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [App Service](/azure/app-service/) | Yes\* | Yes | [Configure customer-managed keys for App Service](/azure/app-service/configure-encrypt-at-rest-using-cmk) |

+| [Azure Functions](/azure/azure-functions/) | Yes\* | Yes | [Configure customer-managed keys for Azure Functions](/azure/azure-functions/configure-encrypt-at-rest-using-cmk) |

+| [Azure HPC Cache](/azure/hpc-cache/) | Yes | | [Use customer-managed keys with HPC Cache](/azure/hpc-cache/customer-keys) |

+| [Azure Managed Applications](/azure/azure-resource-manager/managed-applications/) | Yes\* | Yes | [Azure managed applications overview](/azure/azure-resource-manager/managed-applications/overview) |

+| [Azure portal](/azure/azure-portal/) | Yes\* | Yes | [Security in the Azure portal](/azure/security/fundamentals/overview) |

+| [Azure VMware Solution](/azure/azure-vmware/) | Yes | Yes | [Configure customer-managed keys in Azure VMware Solution](/azure/azure-vmware/configure-customer-managed-keys) |

+| [Batch](/azure/batch/) | Yes | | [Use customer-managed keys with Batch accounts](/azure/batch/batch-customer-managed-key) |

+| [SAP HANA](/azure/sap/large-instances/hana-overview-architecture) | Yes | | |

+| [Site Recovery](/azure/site-recovery/) | Yes | | [Enable replication with customer-managed keys](/azure/site-recovery/azure-to-azure-how-to-enable-replication-cmk-disks) |

+| [Virtual Machine Scale Set](/azure/virtual-machine-scale-sets/) | Yes | Yes | [Encrypt virtual machine scale sets using the portal](/azure/virtual-machines/linux/disk-encryption-key-vault) |

+| [Virtual Machines](/azure/virtual-machines/) | Yes | Yes | [Azure Disk Encryption for Windows and Linux VMs](/azure/virtual-machines/disk-encryption#customer-managed-keys) |

+## Databases

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Azure Cosmos DB](/azure/cosmos-db/) | Yes | Yes | [Configure customer-managed keys using Azure Key Vault](/azure/cosmos-db/how-to-setup-cmk), [Configure customer-managed keys using Azure Key Vault Managed HSM](/azure/cosmos-db/how-to-setup-customer-managed-keys-mhsm) |

+| [Azure Database for MySQL - Flexible Server](/azure/mysql/flexible-server/) | Yes | | [Data encryption with customer-managed keys in Azure Database for MySQL - Flexible Server](/azure/mysql/flexible-server/concepts-customer-managed-key) |

+| [Azure Database for MySQL - Single Server](/azure/mysql/single-server/) | Yes | | [Azure Database for MySQL data encryption with a customer-managed key](/previous-versions/azure/mysql/single-server/concepts-data-encryption-mysql) |

+| [Azure Database for PostgreSQL - Flexible Server](/azure/postgresql/flexible-server/) | Yes | | [Data encryption with customer-managed keys in Azure Database for PostgreSQL - Flexible Server](/azure/postgresql/flexible-server/concepts-data-encryption) |

+| [Azure Database for PostgreSQL - Single Server](/azure/postgresql/) | Yes | Yes | [Data encryption with customer-managed keys in Azure Database for PostgreSQL - Single Server](/previous-versions/azure/postgresql/single-server/concepts-data-encryption-postgresql) |

+| [Azure Managed Instance for Apache Cassandra](/azure/managed-instance-apache-cassandra/) | Yes | | [Configure customer-managed keys for encryption](/azure/managed-instance-apache-cassandra/customer-managed-keys) |

+| [Azure SQL Database](/azure/azure-sql/database/) | Yes (RSA 3072-bit) | Yes | [Bring your own key (BYOK) support for Transparent Data Encryption (TDE)](/azure/azure-sql/database/transparent-data-encryption-byok-overview) |

+| [Azure SQL Managed Instance](/azure/azure-sql/managed-instance/) | Yes (RSA 3072-bit) | Yes | [Bring your own key (BYOK) support for Transparent Data Encryption (TDE)](/azure/azure-sql/database/transparent-data-encryption-byok-overview) |

+| [SQL Server on Azure VM](/azure/azure-sql/virtual-machines/) | Yes | | [Configure Azure Key Vault integration for SQL Server on Azure VMs ](/azure/azure-sql/virtual-machines/windows/azure-key-vault-integration-configure) |

+| [SQL Server on Virtual Machines](/azure/virtual-machines/windows/sql/) | Yes | | [Transparent data encryption for SQL Server on Azure VM](/azure/virtual-machines/windows/sql/virtual-machines-windows-sql-security#transparent-data-encryption) |

+| [SQL Server Stretch Database](/azure/sql-server-stretch-database/) | Yes (RSA 3072-bit) | | |

+| [Table Storage](/azure/storage/tables/) | Yes | | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |

+## Hybrid + multicloud

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Azure Stack Edge](/azure/databox-online/) | Yes | | [Protect data at rest on Azure Stack Edge Pro R](/azure/databox-online/azure-stack-edge-pro-r-security#protect-data-at-rest) |

+## Integration

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Azure Health Data Services](/azure/healthcare-apis/) | Yes | | [Configure customer-managed keys for Azure Health Data Services DICOM](/azure/healthcare-apis/dicom/configure-customer-managed-keys), [Configure customer-managed keys for Azure Health Data Services FHIR](/azure/healthcare-apis/fhir/configure-customer-managed-keys) |

+| [Event Hubs](/azure/event-hubs/) | Yes | | [Configure customer-managed keys for encryption](/azure/event-hubs/configure-customer-managed-key) |

+| [Logic Apps](/azure/logic-apps/) | Yes | | |

+| [Service Bus](/azure/service-bus-messaging/) | Yes | | [Configure customer-managed keys for encryption](/azure/service-bus-messaging/configure-customer-managed-key) |

+## IoT services

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Device Update for IoT Hub](/azure/iot-hub-device-update/) | Yes | Yes | [Data encryption for Device Update for IoT Hub](/azure/iot-hub-device-update/device-update-data-encryption) |

+| [IoT Hub Device Provisioning](/azure/iot-dps/) | Yes | | |

+## Management and governance

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [App Configuration](/azure/azure-app-configuration/) | Yes | | [Use customer-managed keys to encrypt data](/azure/azure-app-configuration/concept-customer-managed-keys) |

+| [Automation](/azure/automation/) | Yes | | [Encryption of automation assets](/azure/automation/automation-secure-asset-encryption) |

+| [Azure Migrate](/azure/migrate/) | Yes | | [Tutorial: Migrate VMware VMs to Azure](/azure/migrate/tutorial-migrate-vmware) |

+| [Azure Monitor](/azure/azure-monitor) | Yes | | [Customer-managed keys in Azure Monitor](/azure/azure-monitor/logs/customer-managed-keys) |

+## Media

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Azure Communication Services](/azure/communication-services/) | Yes | | [Data encryption in Azure Communication Services](/azure/communications-gateway/security#data-retention-data-security-and-encryption-at-rest) |

+| [Media Services](/azure/media-services/) | Yes | | [Use your own encryption keys with Azure Media Services](/azure/media-services/latest/concept-use-customer-managed-keys-byok) |

+## Security

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Azure Information Protection](/azure/information-protection/) | Yes | | [How are the Azure Rights Management cryptographic keys managed and secured?](/azure/information-protection/how-does-it-work#how-the-azure-rms-cryptographic-keys-are-stored-and-secured) |

+| [Microsoft Defender for Cloud](/azure/defender-for-cloud/) | Yes | | [Customer-managed keys in Azure Monitor](/azure/azure-monitor/logs/customer-managed-keys) |

+| [Microsoft Defender for IoT](/azure/defender-for-iot/) | Yes | | |

+| [Microsoft Sentinel](/azure/sentinel/) | Yes | Yes | [Encryption at rest in Microsoft Sentinel](/azure/sentinel/customer-managed-keys) |

+## Storage

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Archive Storage](/azure/storage/blobs/archive-blob) | Yes | | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |

+| [Azure Backup](/azure/backup/) | Yes | Yes | [Encrypt backup data using customer-managed keys](/azure/backup/encryption-at-rest-with-cmk) |

+| [Azure Cache for Redis](/azure/azure-cache-for-redis/) | Yes\*\* | Yes | [Configure disk encryption for Azure Cache for Redis instances using customer managed keys](/azure/azure-cache-for-redis/cache-how-to-encryption) |

+| [Azure Data Box](/azure/databox/) | Yes | | [Use a customer-managed key to secure your Data Box](/azure/databox/data-box-customer-managed-encryption-key-portal) |

+| [Azure Managed Lustre](/azure/azure-managed-lustre/) | Yes | | [Use customer-managed encryption keys with Azure Managed Lustre](/azure/azure-managed-lustre/customer-managed-encryption-keys) |

+| [Azure NetApp Files](/azure/azure-netapp-files/) | Yes | Yes | [Configure customer-managed keys for Azure NetApp Files volume encryption](/azure/azure-netapp-files/configure-customer-managed-keys?tabs=azure-portal) |

+| [Blob Storage](/azure/storage/blobs/) | Yes | Yes | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |

+| [Data Lake Storage Gen2](/azure/storage/blobs/data-lake-storage-introduction/) | Yes | Yes | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |

+| [Disk Storage](/azure/virtual-machines/disks-types/) | Yes | Yes | [Azure Disk Encryption for Windows and Linux VMs](/azure/virtual-machines/disk-encryption#customer-managed-keys) |

+| [File Storage](/azure/storage/files/) | Yes | Yes | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |

+| [File Sync](/azure/storage/file-sync/file-sync-introduction) | Yes | Yes | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |

+| [Managed Disk Storage](/azure/virtual-machines/disks-types/) | Yes | Yes | [Azure Disk Encryption for Windows and Linux VMs](/azure/virtual-machines/disk-encryption#customer-managed-keys) |

+| [Premium Blob Storage](/azure/storage/blobs/) | Yes | Yes | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |

+| [Queue Storage](/azure/storage/queues/) | Yes | Yes | [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview) |

+| [StorSimple](/azure/storsimple/) | Yes | | [Azure StorSimple security features](/azure/storsimple/storsimple-security#data-encryption) |

+| [Ultra Disk Storage](/azure/virtual-machines/disks-types/) | Yes | Yes | [Azure Disk Encryption for Windows and Linux VMs](/azure/virtual-machines/disk-encryption#customer-managed-keys) |

+## Other

+| Product, Feature, or Service | Key Vault | Managed HSM | Documentation |

+||||||

+| [Universal Print](/universal-print/) | Yes | | [Data encryption in Universal Print](/universal-print/fundamentals/universal-print-encryption) |

+## Caveats

+\* This service supports storing data in your own Key Vault, Storage Account, or other data persisting service that already supports Server-Side Encryption with Customer-Managed Key.

+\*\* Any transient data stored temporarily on disk such as pagefiles or swap files are encrypted with a Microsoft key (all tiers) or a customer-managed key (using the Enterprise and Enterprise Flash tiers). For more information, see [Configure disk encryption in Azure Cache for Redis](../../azure-cache-for-redis/cache-how-to-encryption.md).

+## Related content

+- [Data encryption models in Microsoft Azure](encryption-models.md)

+- [How encryption is used in Azure](encryption-overview.md)

+- [Double encryption](double-encryption.md)

+Server-side Encryption models refer to encryption that performed by the Azure service. In that model, the Resource Provider performs the encrypt and decrypt operations. For example, Azure Storage might receive data in plain text operations and perform the encryption and decryption internally. The Resource Provider might use encryption keys that managed by Microsoft or by the customer depending on the provided configuration.

+Each of the server-side encryption at rest models implies distinctive characteristics of key management, including where and how encryption keys are created and stored, as well as the access models and the key rotation procedures.

+For client-side encryption, consider:

+Client Encryption model refers to encryption that is performed outside of the Resource Provider or Azure by the service or calling application. The encryption can be performed by the service application in Azure, or by an application running in the customer data center. In either case, when using this encryption model, the Azure Resource Provider receives an encrypted blob of data without the ability to decrypt the data in any way or have access to the encryption keys. In this model, the key management is done by the calling service/application and is opaque to the Azure service.

+For many customers, the essential requirement is to ensure that the data is encrypted whenever it is at rest. Server-side encryption using service-managed Keys enables this model by allowing customers to mark the specific resource (Storage Account, SQL DB, etc.) for encryption and leaving all key management aspects such as key issuance, rotation, and back up to Microsoft. Most Azure services that support encryption at rest typically support this model of offloading the management of the encryption keys to Azure. The Azure resource provider creates the keys, places them in secure storage, and retrieves them when needed. The service has full access to the keys and the service has full control over the credential lifecycle management.

+Server-side encryption using service-managed keys therefore quickly addresses the need to have encryption at rest with low overhead to the customer. When available a customer typically opens the Azure portal for the target subscription and resource provider and checks a box indicating, they would like the data to be encrypted. In some Resource Managers, server-side encryption with service-managed keys is on by default.

+When Server-side encryption with service-managed keys is used, the key creation, storage, and service access are all managed by the service. Typically, the foundational Azure resource providers store the Data Encryption Keys in a store that is close to the data and quickly available and accessible while the Key Encryption Keys are stored in a secure internal store.

+## Server-side encryption using customer-managed keys in Azure Key Vault and Azure Managed HSM

+> [!NOTE]

+> For a list of services that support customer-managed keys in Azure Key Vault and Azure Managed HSM, see [Services that support CMKs in Azure Key Vault and Azure Managed HSM](encryption-customer-managed-keys-support.md).

+The server-side encryption model with customer-managed keys in Azure Key Vault involves the service accessing the keys to encrypt and decrypt as needed. Encryption-at-rest keys are made accessible to a service through an access control policy. This policy grants the service identity access to receive the key. An Azure service running on behalf of an associated subscription can be configured with an identity in that subscription. The service can perform Microsoft Entra authentication and receive an authentication token identifying itself as that service acting on behalf of the subscription. That token can then be presented to Key Vault to obtain a key to which it has been given access.

+- [Services that support CMKs in Azure Key Vault and Azure Managed HSM](encryption-customer-managed-keys-support.md)

+- **Associate SAP resources with an Azure resource ID**. This option is supported only for a data connector agent deployed via CLI. Specify the required `azure_resource_id` field in the connector configuration section on the data collector that you use to ingest data from the SAP system into Microsoft Sentinel. For more information, see [Deploy an SAP data connector agent from the command line](deploy-command-line.md) and [Connector configuration](reference-systemconfig-json.md#connector-configuration).

+The deployment procedure generates a [**systemconfig.json**](reference-systemconfig-json.md) file that contains the configuration details for the SAP data connector agent. The file is located in the `/sapcon-app/sapcon/config/system` directory on your VM.

+The deployment procedure generates a [**systemconfig.json**](reference-systemconfig-json.md) file that contains the configuration details for the SAP data connector agent. The file is located in the `/sapcon-app/sapcon/config/system` directory on your VM.

+1. (Optional) For optimal results in monitoring the SAP PAHI table, select **Configuration History**. For more information, see [Verify that the PAHI table is updated at regular intervals](preparing-sap.md#verify-that-the-pahi-table-is-updated-at-regular-intervals).

+The system configuration you defined is deployed into the Azure key vault you defined during the deployment. You can now see the system details in the table under **Configure an SAP system and assign it to a collector agent**. This table displays the associated agent name, SAP System ID (SID), and health status for systems that you added via the portal or otherwise.

+For more information, see [Database Collector in Background Processing](https://help.sap.com/doc/saphelp_nw75/7.5.5/c4/3a735b505211d189550000e829fbbd/frameset.htm) and [Configuring the Data Collector](https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_752/3364beced9d145a5ad185c89a1e04658/c43a818c505211d189550000e829fbbd.html).

+The *systemconfig.json* file is used to configure the behavior of the Microsoft Sentinel for SAP applications data connector agent when [deployed from the command line](deploy-command-line.md). This article describes the options available in each section of the configuration file.

+Content in this article is intended for your **SAP BASIS** teams, and is only relevant when your data connector agent is deployed from the command line. We recommend [deploying your data connector agent from the portal](deploy-data-connector-agent-container.md) instead.

+The *systemconfig.ini* file is the legacy file used to configure the behavior of the Microsoft Sentinel for SAP applications data connector agent in versions earlier than June 22, 2023. This article describes the options available in each section of the configuration file.

+Content in this article is intended for your **SAP BASIS** teams. This article is not relevant if you've used the [recommended deployment procedure](deploy-data-connector-agent-container.md) from the portal. If you've installed a newer version of the agent from the command line, use the [Microsoft Sentinel solution for SAP applications `systemconfig.json` file reference](reference-systemconfig-json.md) instead.

+Selected troubleshooting procedures are only relevant when your data connector agent is [deployed via the command line](deploy-command-line.md). If you used the recommended procedure to [deploy the agent from the portal](deploy-data-connector-agent-container.md), use the portal to make any configuration changes.

+This procedure is only supported if you've deployed the [data connector agent from the command line](deploy-command-line.md).

+This procedure is only supported if you've deployed the [data connector agent from the command line](deploy-command-line.md). If you [deployed your agent via the portal](deploy-data-connector-agent-container.md#deploy-the-data-connector-agent-from-the-portal-preview), continue to maintain and change configuration settings via the portal.

+If you deployed via the command line, perform the following steps:

+This procedure is only supported if you've deployed the [data connector agent from the command line](deploy-command-line.md).

+This section is only supported if you've deployed the [data connector agent from the command line](deploy-command-line.md).

+This section is only supported if you've deployed the [data connector agent from the command line](deploy-command-line.md).

+This article provides procedures for deploying and configuring the Microsoft Sentinel for SAP data connector agent container with expert, custom, or manual configuration options. For typical deployments we recommend that you use the [portal](deploy-data-connector-agent-container.md#deploy-the-data-connector-agent-from-the-portal-preview) instead.

+This procedure describes how to deploy the Microsoft Sentinel for SAP data connector via the CLI using an expert or custom installation, such as when installing on-premises.

+When deployed via the CLI, the Microsoft Sentinel for SAP data connector is configured in the **systemconfig.json** file, which you cloned to your SAP data connector machine as part of the [deployment procedure](#perform-an-expert--custom-installation). Use the content in this section to manually configure data connector settings.

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel). This log isn't supported when using the recommended procedure to [install the data connector agent from the portal](deploy-data-connector-agent-container.md).

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel). This log isn't supported when using the recommended procedure to [install the data connector agent from the portal](deploy-data-connector-agent-container.md).

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel). This log isn't supported when using the recommended procedure to [install the data connector agent from the portal](deploy-data-connector-agent-container.md).

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel). This log isn't supported when using the recommended procedure to [install the data connector agent from the portal](deploy-data-connector-agent-container.md).

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel). This log isn't supported when using the recommended procedure to [install the data connector agent from the portal](deploy-data-connector-agent-container.md).

+To have this log sent to Microsoft Sentinel, you must [add it manually to the **systemconfig.json** file](sap-solution-deploy-alternate.md#define-the-sap-logs-that-are-sent-to-microsoft-sentinel). This log isn't supported when using the recommended procedure to [install the data connector agent from the portal](deploy-data-connector-agent-container.md).

+| SetBlobTier | tier | Hot \| Cool \| Archive |

+> When a storage account is deleted, any linked private endpoints are also removed. These private endpoints are not automatically recreated when the storage account is recovered.

+>

+* <a id="azure-container-storage-endpoints"></a>

+ **What endpoints need to be allowlisted in the Azure Firewall for Azure Container Storage to work?**

+ To ensure Azure Container Storage functions correctly, you must allowlist specific endpoints in your Azure Firewall. These endpoints are required for Azure

+ Container Storage components to communicate with necessary Azure services. Failure to allowlist these endpoints can cause installation or runtime issues.

+

+ Endpoints to Allowlist:

+ `linuxgeneva-microsoft.azurecr.io`,

+ `eus2azreplstore137.blob.core.windows.net`,

+ `eus2azreplstore70.blob.core.windows.net`,

+ `eus2azreplstore155.blob.core.windows.net`,

+ `eus2azreplstore162.blob.core.windows.net`,

+ `*.hcp.eastus2.azmk8s.io`,

+ `management.azure.com`,

+ `login.microsoftonline.com`,

+ `packages.microsoft.com`,

+ `acs-mirror.azureedge.net`,

+ `eastus2.dp.kubernetesconfiguration.azure.com`,

+ `mcr.microsoft.com`.

+ For additional details, refer to the [Outbound network and FQDN rules for Azure Kubernetes Service (AKS) clusters](/azure/aks/outbound-rules-control-egress) documentation and [Azure Arc-enabled Kubernetes network requirements.](/azure/azure-arc/kubernetes/network-requirements?tabs=azure-cloud)

+- This article assumes that you have an Azure subscription. If you don't have an Azure subscription, then create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+[AzCopy](../../../storage/common/storage-use-azcopy-v10.md) is a command line utility that copies files to Azure Blob Storage over a standard internet, secure VPN or private Expressroute connection. In a warehouse migration project, you can use AzCopy to upload extracted, compressed, delimited text files before loading them into Azure Synapse using [PolyBase](#polybase). AzCopy can upload individual files, file selections, or file folders. If the exported files are in Parquet format, use a native Parquet reader instead.

+To authenticate to Synapse SQL, you can use two options:

+- Microsoft Entra authentication

+- SQL authentication

+SQL authentication enables legacy applications to connect to Azure Synapse SQL in a familiar way, with a user name and password. However, Microsoft Entra authentication allows you to centrally manage access to Azure Synapse resources, such as SQL pools. Azure Synapse Analytics supports disabling local authentication, such as SQL authentication, both during and after workspace creation. Once disabled, local authentication can be enabled at any time by authorized users. For more information on Microsoft Entra-only authentication, see [Disabling local authentication in Azure Synapse Analytics](active-directory-authentication.md).

+There are two administrative accounts (**SQL admin username** and **Microsoft Entra admin**) that act as administrators. To identify these administrator accounts for your SQL pools open the Azure portal, and navigate to the Properties tab of your Synapse workspace.

+- **Microsoft Entra admin**

+The **SQL admin username** and **Microsoft Entra admin** accounts have the following characteristics:

+>If a user is configured as an Microsoft Entra admin and Synapse Administrator, and then removed from the Microsoft Entra admin role, then the user will lose access to the dedicated SQL pools in Synapse. They must be removed and then added to the Synapse Administrator role to regain access to dedicated SQL pools.

+When the workspace-level firewall is properly configured, the **SQL admin username** and the **SQL Microsoft Entra admin** can connect using client tools such as SQL Server Management Studio or SQL Server Data Tools. Only the latest tools provide all the features and capabilities.

+## Related content

+- If you want to use Teams on Azure Virtual Desktop with media optimization, see [Use Microsoft Teams on Azure Virtual Desktop](../teams-on-avd.md).

+## Limitations for peerings and connected groups

+ * Can be part of two network groups with direct connectivity enabled in the same or a different hub-and-spoke configuration.

+ * This is a soft limit and can be adjusted by submitting a request using [this form](https://forms.office.com/r/xXxYrQt0NQ).

+* The service tags AzurePlatformDNS, AzurePlatformIMDS, and AzurePlatformLKM are not currently supported in security admin rules.

+* **Service Tag**: You can define specific service tags based on regions or a whole service. See the public documentation on [available service tags](../virtual-network/service-tags-overview.md#available-service-tags) for the list of supported tags. Out of this list, security admin rules currently do not support the AzurePlatformDNS, AzurePlatformIMDS, and AzurePlatformLKM service tags.

+> **User-defined routes management with Azure Virtual Network Manager is generally available in select regions. For more information and a list of regions, see [General availability](#general-availability).**

+>

+> Regions that aren't listed in the previous link are in public preview. Public previews are made available to you on the condition that you agree to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Some features might not be supported or might have constrained capabilities. This preview version is provided without a service level agreement, and it's not recommended for production workloads.

+Azure Virtual Network Manager allows you to describe your desired routing behavior and orchestrate user-defined routes (UDRs) to create and maintain the desired routing behavior. User-defined routes address the need for automation and simplification in managing routing behaviors. Currently, youΓÇÖd manually create User-Defined Routes (UDRs) or utilize custom scripts. However, these methods are prone to errors and overly complicated. You can utilize the Azure-managed hub in Virtual WAN. This option has certain limitations (such as the inability to customize the hub or lack of IPV6 support) not be relevant to your organization. With UDR management in your virtual network manager, you have a centralized hub for managing and maintaining routing behaviors.

+- When conflicting routing rules exist (rules with the same destination but different next hops), only one of the conflicting rules will be applied, while the others will be ignored. Any of the conflicting rules may be selected at random. It is important to note that conflicting rules within or across rule collections targeting the same virtual network or subnet are not supported.

+- When you create a routing rule with the same destination as an existing route in the route table, the routing rule is ignored.

+- When a route table with existing UDRs is present, Azure Virtual Network Manager will create a new managed route table that includes both the existing routes and new routes based on the deployed routing configuration.

+- Any additional UDRs added to a managed route table will remain unaffected and will not be deleted when the routing configuration is removed. Only routes created by Azure Virtual Network Manager will be removed.

+- If an Azure Virtual Network Manager managed UDR is manually edited in the route table, that route will be deleted when the configuration is removed from the region.

+- Azure Virtual Network Manager requires a managed resource group to store the route table. If an Azure Policy enforces specific tags or properties on resource groups, those policies must be disabled or adjusted for the managed resource group to prevent deployment issues. Furthermore, if you need to delete this managed resource group, ensure that deletion occurs prior to initiating any new deployments for resources within the same subscription.

+## General availability

+General availability of user defined routes management with Azure Virtual Network Manager is accessible in the following regions:

+- Australia Central

+- Australia Central 2

+- Australia East

+- Australia Southeast

+- Brazil South

+- Brazil Southeast

+- Canada Central

+- Canada East

+- Central India

+- Central US

+- East Asia

+- East US

+- France Central

+- Germany North

+- Germany West Central

+- Jio India Central

+- Jio India West

+- Japan East

+- Korea Central

+- Korea South

+- North Central US

+- North Europe

+- Norway East

+- Norway West

+- Poland Central

+- Qatar Central

+- South Africa North

+- South Africa West

+- South India

+- Southeast Asia

+- Sweden Central

+- Sweden South

+- Switzerland North

+- Switzerland West

+- UAE Central

+- UAE North

+- UK South

+- UK West

+- West Europe

+- West India

+- West US

+- West US 2

+- West Central US

+- Central US (EUAP)

+- East US 2 (EUAP)

+For regions undefined in the previous list, user defined routes management with Azure Virtual Network Manager remains in public preview.

+### Can I move a subscription with an Azure Virtual Network Manager to another tenant?

+Yes, but there are some considerations to keep in mind:

+- The target tenant cannot have an Azure Virtual Network Manager created.

+- The spokes virtual networks in the network group may lose their reference when changing tenants, thus losing connectivity to the hub vnet. To resolve this, after moving the subscription to another tenant, you must manually add the spokes vnets to the network group of Azure Virtual Network Manager.

+> User-defined routes management with Azure Virtual Network Manager is generally available in select regions. For more information and a list of regions, see [General availability](./concept-user-defined-route.md#general-availability).

+>

+> Regions that aren't listed in the previous link are in public preview. Public previews are made available to you on the condition that you agree to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Some features might not be supported or might have constrained capabilities. This preview version is provided without a service level agreement, and it's not recommended for production workloads.

+ | **Target regions** | Select **(US) West US 2**. |

+> **User-defined routes management with Azure Virtual Network Manager is generally available in select regions. For more information and a list of regions, see [General availability](./concept-user-defined-route.md#general-availability).**

+>

+> Regions that aren't listed in the previous link are in public preview. Public previews are made available to you on the condition that you agree to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Some features might not be supported or might have constrained capabilities. This preview version is provided without a service level agreement, and it's not recommended for production workloads.

+Virtual network peering enables you to seamlessly connect two or more [Virtual Networks](virtual-networks-overview.md) in Azure. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines in peered virtual networks uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft's *private* network only. By default, a virtual network can be peered with up to 500 other virtual networks. Using [Azure Virtual Network Manager's connectivity configuration](../virtual-network-manager/concept-connectivity-configuration.md), you can increase this limit to peer up to 1,000 virtual networks to a single virtual network. This allows you to, for instance, create a hub-and-spoke topology with 1,000 spoke virtual networks and create a mesh of 1000 spokes virtual networks where all spoke virtual networks are directly interconnected.

+By default, a route table can contain up to 400 user-defined routes (UDRs). With Azure Virtual Network ManagerΓÇÖs [routing configuration](../virtual-network-manager/concept-user-defined-route.md), this can be expanded to 1000 UDRs per route table. This increased limit supports more advanced routing setups, such as directing traffic from on-premises data centers through a firewall to each spoke virtual network in a hub-and-spoke topology when you have a higher number of spoke virtual networks.

+This article helps you view each of the versions of the Azure VPN Client. As new client versions become available, they're added to this article. To view the version number of an installed Azure VPN Client, launch the client and select **Help**. For the list of Azure VPN Client instructions, including how to download the Azure VPN Client, see the table in [VPN Client configuration requirements](point-to-site-about.md#client).

+## <a name="client"></a>What are the client configuration requirements?

+* **Subnet name:** Use the default name, or specify a name. Example: FrontEnd