+| [Azure AD MFA authentication](multi-factor-auth-technical-profile.md) | GA | |

+>App passwords don't work for accounts that are required to use modern authentication.

+> [!NOTE]

+> Azure AD uses device authentication to evaluate device filter rules. For a device that is unregistered with Azure AD, all device properties are considered as null values and the device attributes cannot be determined since the device does not exist in the directory. The best way to target policies for unregistered devices is by using the negative operator since the configured filter rule would apply. If you were to use a positive operator, the filter rule would only apply when a device exists in the directory and the configured rule matches the attribute on the device.

+The following client apps support this setting, this list isn't exhaustive and is subject to change::

+The following client apps are confirmed to support this setting, this list isn't exhaustive and is subject to change:

+- Yammer (Android, iOS, and iPadOS)

+When licenses required for Conditional Access expire, policies aren't automatically disabled or deleted so customers can migrate away from Conditional Access policies without a sudden change in their security posture. Remaining policies can be viewed and deleted, but no longer updated.

+[Security defaults](../fundamentals/concept-fundamentals-security-defaults.md) help protect against identity-related attacks and are available for all customers.

+# Customer intent: As a tenant administrator, I want to set up MFA requirement for B2B guest users to protect my apps and resources.

+When collaborating with external B2B guest users, itΓÇÖs a good idea to protect your apps with multi-factor authentication (MFA) policies. Then external users will need more than just a user name and password to access your resources. In Azure Active Directory (Azure AD), you can accomplish this goal with a Conditional Access policy that requires MFA for access. MFA policies can be enforced at the tenant, app, or individual guest user level, the same way that they're enabled for members of your own organization. The resource tenant is always responsible for Azure AD Multi-Factor Authentication for users, even if the guest userΓÇÖs organization has Multi-Factor Authentication capabilities.

+>

+- **Access to Azure AD Premium edition**, which includes Conditional Access policy capabilities. To enforce MFA, you need to create an Azure AD Conditional Access policy. MFA policies are always enforced at your organization, regardless of whether the partner has MFA capabilities.

+1. Select **New user**, and then select **Invite external user**.

+ :::image type="content" source="media/tutorial-mfa/tutorial-mfa-new-user.png" alt-text="Screenshot showing where to select the new guest user option.":::

+ :::image type="content" source="media/tutorial-mfa/tutorial-mfa-new-user-identity.png" alt-text="Screenshot showing where to enter the guest email.":::

+1. You should be able to access the Azure portal using only your sign-in credentials. No other authentication is required.

+1. On the **Users and groups** page, choose **Select users and groups**, and then choose **Guest or external users**. You can assign the policy to different [external user types](authentication-conditional-access.md#assigning-conditional-access-policies-to-external-user-types-preview), built-in [directory roles](../conditional-access/concept-conditional-access-users-groups.md#include-users), or users and groups.

+ :::image type="content" source="media/tutorial-mfa/tutorial-mfa-user-access.png" alt-text="Screenshot showing selecting all guest users.":::

+ :::image type="content" source="media/tutorial-mfa/tutorial-mfa-app-access.png" alt-text="Screenshot showing the Cloud apps page and the Select option." lightbox="media/tutorial-mfa/tutorial-mfa-app-access.png":::

+1. On the **Select** page, choose **Microsoft Azure Management**, and then choose **Select**.

+1. On the **New** page, in the **Access controls** section, choose the link under **Grant**.

+1. On the **Grant** page, choose **Grant access**, select the **Require multi-factor authentication** check box, and then choose **Select**.

+ :::image type="content" source="media/tutorial-mfa/tutorial-mfa-grant-access.png" alt-text="Screenshot showing the Require multi-factor authentication option.":::

+1. Under **Enable policy**, select **On**.

+ :::image type="content" source="media/tutorial-mfa/tutorial-mfa-enable-policy.png" alt-text="Screenshot showing the Enable policy option set to On.":::

+1. Select **Create**.

+ :::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if.png" alt-text="Screenshot that highlights where to select the What if option on the Conditional Access - Policies page.":::

+ :::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if-user.png" alt-text="Screenshot showing a guest user selected.":::

+1. Select the link under **Cloud apps, actions, or authentication content**. Choose **Select apps**, and then choose the link under **Select**.

+ :::image type="content" source="media/tutorial-mfa/tutorial-mfa-what-if-app.png" alt-text="Screenshot showing the Microsoft Azure Management app selected." lightbox="media/tutorial-mfa/tutorial-mfa-what-if-app.png":::

+ :::image type="content" source="media/tutorial-mfa/tutorial-mfa-whatif-4.png" alt-text="Screenshot showing the results of the What If evaluation.":::

+1. You should see a request for additional authentication methods. It can take some time for the policy to take effect.

+ :::image type="content" source="media/tutorial-mfa/mfa-required.PNG" alt-text="Screenshot showing the More information required message.":::

+# Customer intent: As a tenant administrator, I want to update the sign-in information for a guest user.

+In this article, you'll learn how to update the [guest user's](user-properties.md) sign-in information after they've redeemed your invitation for B2B collaboration. There might be times when you'll need to update their sign-in information, for example when:

+To manage these scenarios previously, you had to manually delete the guest userΓÇÖs account from your directory and reinvite the user. Now you can use the Azure portal, PowerShell or the Microsoft Graph invitation API to reset the user's redemption status and reinvite the user while keeping the user's object ID, group memberships, and app assignments. When the user redeems the new invitation, the [UPN](../hybrid/plan-connect-userprincipalname.md#what-is-userprincipalname) of the user doesn't change, but the user's sign-in name changes to the new email. Then the user can sign in using the new email or an email you've added to the `otherMails` property of the user object.

+ - Select **Edit properties**.

+ - Select the **Contact Information** tab.

+1. On the **Overview** tab, underΓÇ»**My Feed**, select the **Manage (resend invitation / reset status)** link in the **B2B collaboration** tile.

+ :::image type="content" source="media/reset-redemption-status/user-profile-b2b-collaboration.png" alt-text="Screenshot of the guest user's profile overview." lightbox="media/reset-redemption-status/user-profile-b2b-collaboration.png":::

+1. In the **Manage invitations** pane, under **Redemption status**, set **Reset invitation status? (Preview)** to **Yes**.

+1. Select **Yes** to confirm.

+To use the [Microsoft Graph invitation API](/graph/api/resources/invitation), set the `resetRedemption` property to `true` and specify the new email address in the `invitedUserEmailAddress` property.

+- [B2B for Azure AD integrated apps](configure-saas-apps.md)

+- [Get support for B2B collaboration](../fundamentals/active-directory-troubleshooting-support-howto.md)

+- [Use audit logs and access reviews](auditing-and-reporting.md)

+# Customer intent: As a tenant administrator, I want to modify the user flow language, when the users are signing up via the self-service sign-up user flow.

+Language customization in Azure Active Directory (Azure AD) allows your user flow to accommodate different languages to suit your user's needs. Microsoft provides the translations for [36 languages](#supported-languages). In this article, you'll learn how to customize the attribute names on the [attribute collection page](self-service-sign-up-user-flow.md#select-the-layout-of-the-attribute-collection-form), even if your experience is provided for only a single language.

+By default, language customization is enabled for users signing up to ensure a consistent sign-up experience. You can use languages to modify the strings displayed to users as part of the attribute collection process during sign-up. If you're using [custom user attributes](user-flow-add-custom-attributes.md), you need to provide your [own translations](#customize-your-strings).

+## Customize your strings

+7. Select **Download defaults** (or **Download overrides** if you've previously edited this language).

+ :::image type="content" source="media/user-flow-customize-language/language-customization-download-defaults.png" alt-text="Screenshot of downloading the default language customization json file." lightbox="media/user-flow-customize-language/language-customization-download-defaults.png":::

+1. For every string that you want to change, change `Override` to `true`. If the `Override` value isn't changed to `true`, the entry is ignored.

+1. Save the file and [upload your changes](#upload-your-changes).

+ :::image type="content" source="media/user-flow-customize-language/language-customization-upload-override.png" alt-text="Screenshot of uploading the language customization json file.":::

+If you want to provide a set list of values for responses, you need to create a `LocalizedCollections` attribute. `LocalizedCollections` is an array of `Name` and `Value` pairs. The order for the items will be the order they're displayed. To add `LocalizedCollections`, use the following format:

+1. Select **User flows** and select the user flow that you want to enable for translations.

+1. The changes are saved to your user flow automatically and you'll find the override under the **Configured** tab.

+1. To remove or download your customized override file, select the language and expand the **Attribute collection page**.

+ :::image type="content" source="media/user-flow-customize-language/language-customization-remove-download-overrides.png" alt-text="Screenshot of removing or downloading the language customization json file.":::

+Chrome and Firefox both request for their set language. If it's a supported language, it's displayed before the default. Microsoft Edge currently doesn't request a language and goes straight to the default language.

+## Next steps

+- [Add an API connector to a user flow](self-service-sign-up-add-api-connector.md)

+- [Define custom attributes for user flows](user-flow-add-custom-attributes.md)

+ If you would like to include a syntax check for text answers to questions, you can also specify a custom regex pattern.

+|employeeLeaveDateTime|DateTimeOffset|Yes|Yes|Yes|

+|taskDefinitionId | A string referencing a taskDefinition that determines which task to run. |

+|executionSequence | A read-only integer that states in what order the task will run in a workflow. For more information about executionSequence and workflow order, see: [Configure Scope](understanding-lifecycle-workflows.md#configure-scope). |

+### Send onboarding reminder email

+Lifecycle Workflows allow you to automate the sending of onboarding reminder emails to managers of new hires in your organization. You're able to customize the task name and description for this task in the Azure portal.

+The Azure AD prerequisite to run the **Send onboarding reminder email** task is:

+- A populated manager attribute for the user.

+- A populated manager's mail attribute for the user.

+For Microsoft Graph the parameters for the **Send onboarding reminder email** task are as follows:

+|Parameter |Definition |

+|||

+|category | joiner |

+|displayName | Send onboarding reminder email (Customizable by user) |

+|description | Send onboarding reminder email to userΓÇÖs manager (Customizable by user) |

+|taskDefinitionId | 3C860712-2D37-42A4-928F-5C93935D26A1 |

+```Example for usage within the workflow

+{

+ "category": "joiner",

+ "continueOnError": true,

+ "description": "Send onboarding reminder email to userΓÇÖs manager",

+ "displayName": "Send onboarding reminder email",

+ "isEnabled": true,

+ "taskDefinitionId": "3C860712-2D37-42A4-928F-5C93935D26A1",

+ "arguments": []

+}

+```

+When a compatible user joins your organization, Lifecycle Workflows allow you to automatically generate a Temporary Access Pass(TAP), and have it sent to the new user's manager.

+With this task in the Azure portal, you're able to give the task a name and description. You must also set:

+|category | joiner, leaver |

+|arguments | Argument contains a name parameter that is the "groupID", and a value parameter that is the group ID of the group you're adding the user to. |

+|category | joiner, leaver |

+|argument | Argument contains a name parameter that is the "teamID", and a value parameter that is the team ID of the existing team you're adding a user to. |

+|category | joiner, leaver |

+|category | joiner, leaver |

+|argument | Argument contains a name parameter that is the "LogicAppURL", and a value parameter that is the Logic App HTTP trigger. |

+|category | joiner, leaver |

+|argument | Argument contains a name parameter that is the "groupID", and a value parameter that is the group Id(s) of the group or groups you're removing the user from. |

+Allows users to be removed from every cloud-only group they're a member of. Dynamic and Privileged Access Groups not supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md).

+|category | joiner, leaver |

+|arguments | Argument contains a name parameter that is the "teamID", and a value parameter that is the Teams ID of the Teams you're removing the user from. |

+Allows users to be removed from every static team they're a member of. You're able to customize the task name and description for this task in the Azure portal.

+1. On the *Enable staged rollout feature* page, select the options you want to enable: [Password Hash Sync](./whatis-phs.md), [Pass-through authentication](./how-to-connect-pta.md), [Seamless single sign-on](./how-to-connect-sso.md), or [Certificate-based Authentication](../authentication/active-directory-certificate-based-authentication-get-started.md). For example, if you want to enable **Password Hash Sync** and **Seamless single sign-on**, slide both controls to **On**.

+1. To automate the configuration within Amazon Business, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.

+ 

+1. After adding extension to the browser, click on **Set up Amazon Business** will direct you to the Amazon Business Single Sign-On application. From there, provide the admin credentials to sign in to Amazon Business Single Sign-On. The browser extension will automatically configure the application for you and automate steps 3-17.

+ 

+1. If you want to set up Amazon Business manually, in a different web browser window, sign in to your Amazon Business company site as an administrator.

+* An [InVision Enterprise account](https://www.invisionapp.com/) with SSO enabled.

+1. Sign in to your [InVision Enterprise account](https://www.invisionapp.com/) as an Admin or Owner. Open the **Team Settings** drawer on the bottom left and select **Settings**.

+* A [Juno Journey tenant](https://app.junojourney.com/login).

+ > These values are not real. Update these values with the actual Reply URL and Sign-on URL. Contact [Mobile Xpense Client support team](https://www.mobilexpense.com/contact) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+To configure single sign-on on **Mobile Xpense** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Mobile Xpense support team](https://www.mobilexpense.com/contact). They set this setting to have the SAML SSO connection set properly on both sides.

+In this section, you create a user called Britta Simon in Mobile Xpense. Work with [Mobile Xpense support team](https://www.mobilexpense.com/contact) to add the users in the Mobile Xpense platform. Users must be created and activated before you use single sign-on.

+

+* Enable **Force Azure Login** checkbox, if you wish to sign in through Azure AD credentials only.

+* **Enable Use of Application Proxy** checkbox, if you have configured your on-premise atlassian application in an App Proxy setup.

+ * For App proxy setup , follow the steps on the [Azure AD App Proxy Documentation](../app-proxy/what-is-application-proxy.md).

+ > These values are placeholders. Update these values with the actual Identifier and Sign on URL. Contact the [Predictix Price Reporting support team](https://www.infor.com/customer-center) to get the values. You can also refer to the patterns shown in the **Basic SAML Configuration** dialog box in the Azure portal.

+To configure single sign-on on the Predictix Price Reporting side, you need to send the certificate that you downloaded and the URLs that you copied from the Azure portal to the [Predictix Price Reporting support team](https://www.infor.com/customer-center). This team ensures the SAML SSO connection is set properly on both sides.

+Next, you need to create a user named Britta Simon in Predictix Price Reporting. Work with the [Predictix Price Reporting support team](https://www.infor.com/customer-center) to add users. Users need to be created and activated before you use single sign-on.

+1. Log in to [Admin Center](https://support.zendesk.com/hc/en-us/articles/4581766374554#topic_hfg_dyz_1hb), click **Apps and integrations** in the sidebar, then select **APIs > Zendesk APIs**.

+## Troubleshooting

+The following link describes the most common issues with `az aks command invoke` and how to fix them:

+https://learn.microsoft.com/troubleshoot/azure/azure-kubernetes/resolve-az-aks-command-invoke-failures

+ Title: Use a public load balancer

+# Use a public standard load balancer in Azure Kubernetes Service (AKS)

+The [Azure Load Balancer][az-lb] operates at layer 4 of the Open Systems Interconnection (OSI) model that supports both inbound and outbound scenarios. It distributes inbound flows that arrive at the load balancer's front end to the back end pool instances.

+A **public** load balancer integrated with AKS serves two purposes:

+1. To provide outbound connections to the cluster nodes inside the AKS virtual network. To do this, it translates the private IP address to a public IP address that is part of its *Outbound Pool*.

+This document covers integration with public load balancer. For internal load balancer integration, see the [AKS internal load balancer documentation](internal-lb.md).

+Azure Load Balancer is available in two SKUs: *Basic* and *Standard*. By default, *Standard* SKU is used when you create an AKS cluster. The *Standard* SKU gives you access to added functionality, such as a larger backend pool, [multiple node pools](use-multiple-node-pools.md), [Availability Zones](availability-zones.md), and is [secure by default][azure-lb]. It's the recommended load balancer SKU for AKS.

+This article assumes you have an AKS cluster with the *Standard* SKU Azure Load Balancer. If you need an AKS cluster, create one [using the Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or [the Azure portal][aks-quickstart-portal].

+> If you prefer not to leverage the Azure Load Balancer to provide outbound connection and instead have your own gateway, firewall, or proxy for that purpose, you can skip the creation of the load balancer outbound pool and respective frontend IP by using [**outbound type as UserDefinedRouting (UDR)**](egress-outboundtype.md). The outbound type defines the egress method for a cluster and defaults to type `loadBalancer`.

+After creating an AKS cluster with outbound type `LoadBalancer` (default), the cluster is ready to use the load balancer to expose services.

+To do this, you can create a public service of type `LoadBalancer`. Start by creating a service manifest named `public-svc.yaml`.

+Deploy the public service manifest by using [kubectl apply][kubectl-apply] and specify the name of your YAML manifest.

+The Azure Load Balancer will be configured with a new public IP that will front this new service. Since the Azure Load Balancer can have multiple frontend IPs, each new service deployed will get a new dedicated frontend IP to be uniquely accessed.

+You can use the following command to confirm your service is created and the load balancer is configured.

+When you view the service details, the public IP address created for this service on the load balancer is shown in the *EXTERNAL-IP* column. It may take a few minutes for the IP address to change from *\<pending\>* to an actual public IP address.

+When using the standard public load balancer, there's a set of options you can customize at creation time or by updating the cluster. These options allow you to customize the load balancer to meet your workloads needs and should be reviewed accordingly. With the standard load balancer, you can:

+* Set or scale the number of managed outbound IPs

+* Bring your own custom [outbound IPs or outbound IP prefix](#provide-your-own-outbound-public-ips-or-prefixes)

+> Only one outbound IP option (managed IPs, bring your own IP, or IP prefix) can be used at a given time.

+Azure Load Balancer provides outbound connectivity from a virtual network in addition to inbound. Outbound rules make it simple to configure network address translation for the public standard load balancer.

+Like all load balancer rules, outbound rules follow the same syntax as load balancing and inbound NAT rules:

+An outbound rule configures outbound NAT for all virtual machines identified by the backend pool to be translated to the frontend. Parameters provide additional control over the outbound NAT algorithm.

+While an outbound rule can be used with a single public IP address, outbound rules ease the configuration burden for scaling outbound NAT. You can use multiple IP addresses to plan for large-scale scenarios, and you can use outbound rules to mitigate SNAT exhaustion prone patterns. Each additional IP address provided by a frontend provides 64k ephemeral ports for the load balancer to use as SNAT ports.

+To update an existing cluster, run the following command. This parameter can also be set at cluster creation time to have multiple managed outbound public IPs.

+The above example sets the number of managed outbound public IPs to *2* for the *myAKSCluster* cluster in *myResourceGroup*.

+You can also use the **`load-balancer-managed-ip-count`** parameter to set the initial number of managed outbound public IPs when creating your cluster by appending the **`--load-balancer-managed-outbound-ip-count`** parameter and setting it to your desired value. The default number of managed outbound public IPs is *1*.

+When you use a *Standard* SKU load balancer, the AKS cluster automatically creates a public IP in the AKS-managed infrastructure resource group and assigns it to the load balancer outbound pool by default.

+A public IP created by AKS is considered an AKS-managed resource. This means the lifecycle of that public IP is intended to be managed by AKS and requires no user action directly on the public IP resource. Alternatively, you can assign your own custom public IP or public IP prefix at cluster creation time. Your custom IPs can also be updated on an existing cluster's load balancer properties.

+* Custom public IP addresses must be created and owned by the user. Managed public IP addresses created by AKS cannot be reused as a bring your own custom IP as it can cause management conflicts.

+* You must ensure the AKS cluster identity (Service Principal or Managed Identity) has permissions to access the outbound IP, as per the [required public IP permissions list](kubernetes-service-principal.md#networking).

+* Make sure you meet the [pre-requisites and constraints](../virtual-network/ip-services/public-ip-address-prefix.md#limitations) necessary to configure outbound IPs or outbound IP prefixes.

+You can also use public IP prefixes for egress with your *Standard* SKU load balancer. The following example uses the [az network public-ip prefix show][az-network-public-ip-prefix-show] command to list the IDs of your public IP prefixes.

+You can bring your own IP addresses or IP prefixes for egress at cluster creation time to support scenarios like adding egress endpoints to an allowlist. Append the same parameters shown above to your cluster creation step to define your own public IPs and IP prefixes at the start of a cluster's lifecycle.

+> If you have applications on your cluster that can establish a large number of connections to small set of destinations, such as many instances of a frontend application connecting to a database, you may have a scenario very susceptible to encounter SNAT port exhaustion. SNAT port exhaustion happens when an application runs out of outbound ports to use to establish a connection to another application or host. If you have a scenario where you may encounter SNAT port exhaustion, we highly recommended that you increase the allocated outbound ports and outbound frontend IPs on the load balancer to prevent SNAT port exhaustion. See below for information on how to properly calculate outbound ports and outbound frontend IP values.

+By default, AKS sets *AllocatedOutboundPorts* on its load balancer to `0`, which enables [automatic outbound port assignment based on backend pool size][azure-lb-outbound-preallocatedports] when creating a cluster. For example, if a cluster has 50 or fewer nodes, 1024 ports are allocated to each node. As the number of nodes in the cluster is increased, fewer ports will be available per node. To show the *AllocatedOutboundPorts* value for the AKS cluster load balancer, use `az network lb outbound-rule list`.

+The following example output shows that automatic outbound port assignment based on backend pool size is enabled for the cluster.

+To configure a specific value for *AllocatedOutboundPorts* and outbound IP address when creating or updating a cluster, use `load-balancer-outbound-ports` and either `load-balancer-managed-outbound-ip-count`, `load-balancer-outbound-ips`, or `load-balancer-outbound-ip-prefixes`. Before setting a specific value or increasing an existing value for either for outbound ports and outbound IP address, you must calculate the appropriate number of outbound ports and IP addresses. Use the following equation for this calculation rounded to the nearest integer: `64,000 ports per IP / <outbound ports per node> * <number of outbound IPs> = <maximum number of nodes in the cluster>`.

+* If the default values are used and the cluster has 48 nodes, each node will have 1024 ports available.

+* If the default values are used and the cluster scales from 48 to 52 nodes, each node will be updated from 1024 ports available to 512 ports available.

+* If outbound ports is set to 1,000 and outbound IP count is set to 2, then the cluster can support a maximum of 128 nodes: `64,000 ports per IP / 1,000 ports per node * 2 IPs = 128 nodes`.

+* If outbound ports is set to 1,000 and outbound IP count is set to 7, then the cluster can support a maximum of 448 nodes: `64,000 ports per IP / 1,000 ports per node * 7 IPs = 448 nodes`.

+* If outbound ports is set to 4,000 and outbound IP count is set to 2, then the cluster can support a maximum of 32 nodes: `64,000 ports per IP / 4,000 ports per node * 2 IPs = 32 nodes`.

+* If outbound ports is set to 4,000 and outbound IP count is set to 7, then the cluster can support a maximum of 112 nodes: `64,000 ports per IP / 4,000 ports per node * 7 IPs = 112 nodes`.

+> After calculating the number outbound ports and IPs, verify you have additional outbound port capacity to handle node surge during upgrades. It is critical to allocate sufficient excess ports for additional nodes needed for upgrade and other operations. AKS defaults to one buffer node for upgrade operations. If using [maxSurge values][maxsurge], multiply the outbound ports per node by your maxSurge value to determine the number of ports required. For example, if you calculated you needed 4000 ports per node with 7 IP address on a cluster with a maximum of 100 nodes and a max surge of 2:

+>

+When SNAT port resources are exhausted, outbound flows fail until existing flows release SNAT ports. Load balancer reclaims SNAT ports when the flow closes and the AKS-configured load balancer uses a 30-minute idle timeout for reclaiming SNAT ports from idle flows.

+You can also use transport (for example, **`TCP keepalives`** or **`application-layer keepalives`**) to refresh an idle flow and reset this idle timeout if necessary. You can configure this timeout following the below example.

+If you expect to have numerous short-lived connections and no long-lived connection that might have long times of idle, like leveraging `kubectl proxy` or `kubectl port-forward`, consider using a low timeout value such as 4 minutes. When using TCP keepalives, it's sufficient to enable them on one side of the connection. For example, it's sufficient to enable them on the server side only to reset the idle timer of the flow. It's not necessary for both sides to start TCP keepalives. Similar concepts exist for application layer, including database client-server configurations. Check the server side for what options exist for application-specific keepalives.

+>

+> AKS enables *TCP Reset* on idle by default. We recommend you keep this configuration on and leverage it for more predictable application behavior on your scenarios.

+>

+When setting *IdleTimeoutInMinutes* to a different value than the default of 30 minutes, consider how long your workloads will need an outbound connection. Also consider that the default timeout value for a *Standard* SKU load balancer used outside of AKS is 4 minutes. An *IdleTimeoutInMinutes* value that more accurately reflects your specific AKS workload can help decrease SNAT exhaustion caused by tying up connections no longer being used.

+> Altering the values for *AllocatedOutboundPorts* and *IdleTimeoutInMinutes* may significantly change the behavior of the outbound rule for your load balancer and should not be done lightly. Check the [SNAT Troubleshooting section below][troubleshoot-snat] and review the [Load Balancer outbound rules][azure-lb-outbound-rules-overview] and [outbound connections in Azure][azure-lb-outbound-connections] before updating these values to fully understand the impact of your changes.

+The following manifest uses *loadBalancerSourceRanges* to specify a new IP range for inbound external traffic.

+> Inbound, external traffic flows from the load balancer to the virtual network for your AKS cluster. The virtual network has a network security group (NSG) which allows all inbound traffic from the load balancer. This NSG uses a [service tag][service-tags] of type *LoadBalancer* to allow traffic from the load balancer.

+By default, a service of type `LoadBalancer` [in Kubernetes](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-loadbalancer) and in AKS won't persist the client's IP address on the connection to the pod. The source IP on the packet that's delivered to the pod will be the private IP of the node. To maintain the clientΓÇÖs IP address, you must set `service.spec.externalTrafficPolicy` to `local` in the service definition. The following manifest shows an example.

+|`service.beta.kubernetes.io/azure-load-balancer-disable-tcp-reset` | `true` | Disable `enableTcpReset` for SLB. Deprecated in Kubernetes 1.18 and removed in 1.20.

+If you know that you're starting many outbound TCP or UDP connections to the same destination IP address and port, and you observe failing outbound connections or are advised by support that you're exhausting SNAT ports (preallocated ephemeral ports used by PAT), you have several general mitigation options. Review these options and decide what's best for your scenario. It's possible that one or more can help manage this scenario. For detailed information, review the [outbound connections troubleshooting guide](../load-balancer/troubleshoot-outbound-connection.md).

+1. Check if your connections remain idle for a long time and rely on the default idle timeout for releasing that port. If so, the default timeout of 30 minutes might need to be reduced for your scenario.

+3. Determine if this activity is expected behavior or whether the application is misbehaving. Use [metrics](../load-balancer/load-balancer-standard-diagnostics.md) and [logs](../load-balancer/monitor-load-balancer.md) in Azure Monitor to substantiate your findings. For example, use the "Failed" category for SNAT connections metric.

+5. Evaluate if SNAT port exhaustion should be mitigated with [additional outbound IP addresses + additional allocated outbound ports](#configure-the-allocated-outbound-ports) .

+* Atomic requests (one request per connection) are generally not a good design choice. Such anti-patterns limits scale, reduces performance, and decreases reliability. Instead, reuse HTTP/S connections to reduce the numbers of connections and associated SNAT ports. The application scale will increase and performance will improve because of reduced handshakes, overhead, and cryptographic operation cost when using TLS.

+* If you're using out of cluster/custom DNS, or custom upstream servers on coreDNS, keep in mind that DNS can introduce many individual flows at volume when the client isn't caching the DNS resolvers result. Make sure to customize coreDNS first instead of using custom DNS servers, and define a good caching value.

+* UDP flows (for example, DNS lookups) allocate SNAT ports for the duration of the idle timeout. The longer the idle timeout, the higher the pressure on SNAT ports. Use short idle timeout (for example., 4 minutes).

+* Never silently abandon a TCP flow and rely on TCP timers to clean up flow. If you don't let TCP explicitly close the connection, state remains allocated at intermediate systems and endpoints and makes SNAT ports unavailable for other connections. This pattern can trigger application failures and SNAT exhaustion.

+* Don't change OS-level TCP close related timer values without expert knowledge of impact. While the TCP stack will recover, your application performance can be negatively affected when the endpoints of a connection have mismatched expectations. Wishing to change timers is usually a sign of an underlying design problem. Review following recommendations.

+## Moving from a *Basic SKU* load balancer to *Standard* SKU

+If you have an existing cluster with the *Basic* SKU load balancer, there are important behavioral differences to note when migrating to use a cluster with the *Standard* SKU load balancer.

+For example, making blue/green deployments to migrate clusters is a common practice given the `load-balancer-sku` type of a cluster can only be defined at cluster create time. However, *Basic* SKU load balancers use *Basic* SKU IP addresses, which aren't compatible with *Standard SKU* load balancers as they require *Standard SKU* IP addresses. When migrating clusters to upgrade load balancer SKUs, a new IP address with a compatible IP address SKU will be required.

+For more considerations on how to migrate clusters, visit [our documentation on migration considerations](aks-migration.md) to view a list of important topics to consider when migrating. The below limitations are also important behavioral differences to note when using *Standard* SKU load balancers in AKS.

+ * Provide your own public IPs.

+ * Provide your own public IP prefixes.

+ * Specify a number up to 100 to allow the AKS cluster to create that many *Standard* SKU public IPs in the same resource group created as the AKS cluster, which is usually named with *MC_* at the beginning. AKS assigns the public IP to the *Standard* SKU load balancer. By default, one public IP will automatically be created in the same resource group as the AKS cluster, if no public IP, public IP prefix, or number of IPs is specified. You also must allow public addresses and avoid creating any Azure policy that bans IP creation.

+* You can only use one type of load balancer SKU (*Basic* or *Standard*) in a single cluster.

+* *Standard* SKU load balancers only support *Standard* SKU IP addresses.

+Learn more about using internal load balancer for inbound traffic at the [AKS internal load balancer documentation](internal-lb.md).

+[maxsurge]: upgrade-cluster.md#customize-node-surge-upgrade

+[az-lb]: ../load-balancer/load-balancer-overview.md

+1. You upgrade the node pool.

+Let's look at an example of nodes with a high amount of memory. These nodes prioritize pods that request a high amount of memory. To ensure the resources don't sit idle, they also allow other pods to run. The following example command adds a node pool with the label *hardware=highmem* to the *myAKSCluster* in the *myResourceGroup*. All nodes in that node pool will have this label.

+For AKS clusters that use multiple node pools or Windows Server nodes, see [Upgrade a node pool in AKS][nodepool-upgrade]. To upgrade a specific node pool without doing a Kubernetes cluster upgrade, see [Upgrade a specific node pool][specific-nodepool].

+* If you're using Azure CLI, this article requires that you're running the Azure CLI version 2.34.1 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

+* If you're using Azure PowerShell, this tutorial requires that you're running Azure PowerShell version 5.9.0 or later. Run `Get-InstalledModule -Name Az` to find the version. If you need to install or upgrade, see [Install Azure PowerShell][azure-powershell-install].

+### [Azure portal](#tab/azure-portal)

+To check which Kubernetes releases are available for your cluster:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Navigate to your AKS cluster.

+3. Under **Settings**, select **Cluster configuration**.

+4. In **Kubernetes version**, select **Upgrade version**. This will redirect you to a new page.

+5. In **Kubernetes version**, select the version to check for available upgrades.

+If no upgrades are available, create a new cluster with a supported version of Kubernetes and migrate your workloads from the existing cluster to the new cluster. It's not supported to upgrade a cluster to a newer Kubernetes version when no upgrades are available.

+### [Azure portal](#tab/azure-portal)

+You can also manually upgrade your cluster in the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Navigate to your AKS cluster.

+3. Under **Settings**, select **Cluster configuration**.

+4. In **Kubernetes version**, select **Upgrade version**. This will redirect you to a new page.

+5. In **Kubernetes version**, select your desired version and then select **Save**.

+It takes a few minutes to upgrade the cluster, depending on how many nodes you have.

+To confirm that the upgrade was successful, navigate to your AKS cluster in the Azure portal. On the **Overview** page, select the **Kubernetes version**.

+[specific-nodepool]: node-image-upgrade.md#upgrade-a-specific-node-pool

+> [!NOTE]

+> Microsoft also provides a purpose-built PowerShell module to configure gMSA on AKS. You can find more information on the module and how to use it in the article [gMSA on Azure Kubernetes Service](/virtualization/windowscontainers/manage-containers/gmsa-aks-ps-module).

+If the page loads, but you are not prompted to authenticate, use `kubectl logs POD_NAME` to display the logs of your pod and verify you see *IIS with authentication is ready*.

+> [!NOTE]

+> Windows containers won't show logs on kubectl by default. To enable Windows containers to show logs, you need to embed the Log Monitor tool on your Windows image. More information is available [here](https://github.com/microsoft/windows-container-tools).

+Use `kubectl log` to view the logs of the pod and verify the pod has administrator rights:

+[workload-identity-migration]: workload-identity-migrate-from-pod-identity.md

+ Title: Modernize your Azure Kubernetes Service (AKS) application to use workload identity

+description: In this Azure Kubernetes Service (AKS) article, you learn how to configure your Azure Kubernetes Service pod to authenticate with workload identity.

+# Modernize application authentication with workload identity

+This article focuses on pod-managed identity migration to Azure Active Directory (Azure AD) workload identity (preview) for your Azure Kubernetes Service (AKS) cluster. It also provides guidance depending on the version of the [Azure Identity][azure-identity-supported-versions] client library used by your container-based application.

+## Before you begin

+- The Azure CLI version 2.40.0 or later. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+## Migration scenarios

+This section explains the migration options available depending on what version of the Azure Identity SDK is installed.

+For either scenario, you need to have the federated trust set up before you update your application to use the workload identity. The following are the minimum steps required:

+- [Create a managed identity](#create-a-managed-identity) credential.

+- Associate the managed identity with the kubernetes service account already used for the pod-manged identity or [create a new Kubernetes service account](#create-kubernetes-service-account) and then associate it with the managed identity.

+- [Establish a federated trust relationship](#establish-federated-identity-credential-trust) between the managed identity and Azure AD.

+### Migrate from latest version

+If your cluster is already using the latest version of the Azure Identity SDK, perform the following steps to complete the authentication configuration:

+- Deploy workload identity in parallel to where the trust is setup. You can restart your application deployment to begin using the workload identity, where it injects the OIDC annotations into the application automatically.

+- After verifying the application is able to authenticate successfully, you can [remove the pod-managed identity](#remove-pod-managed-identity) annotations from your application and then remove the pod-managed identity add-on.

+## Migrate from older version

+If your cluster isn't using the latest version of the Azure Identity SDK, you have two options:

+- You can use a migration sidecar that we provide, which converts the IMDS transactions your application makes over to [OpenID Connect][openid-connect-overview] (OIDC). The migration sidecar isn't intended to be a long-term solution, but a way to get up and running quickly on workload identity. Running the migration sidecar within your application proxies the application IMDS transactions over to OIDC. Perform the following steps to:

+ - [Deploy the workload with migration sidecar](#deploy-the-workload-with-migration-sidecar) to proxy the application IMDS transactions.

+ - Once you verify the authentication transactions are completing successfully, you can [remove the pod-managed identity](#remove-pod-managed-identity) annotations from your application and then remove the pod-managed identity add-on.

+- Rewrite your application to support the latest version of the [Azure Identity][azure-identity-supported-versions] client library. Afterwards, perform the following steps:

+ - Restart your application deployment to begin authenticating using the workload identity.

+ - Once you verify the authentication transactions are completing successfully, you can [remove the pod-managed identity](#remove-pod-managed-identity) annotations from your application and then remove the pod-managed identity add-on.

+## Create a managed identity

+If you don't have a managed identity created and assigned to your pod, perform the following steps to create and grant the necessary permissions to storage, Key Vault, or whatever resources your application needs to authenticate with in Azure.

+1. Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription. Then use the [az identity create][az-identity-create] command to create a managed identity.

+ ```azurecli

+ az account set --subscription "subscriptionID"

+ ```

+ ```azurecli

+ az identity create --name "userAssignedIdentityName" --resource-group "resourceGroupName" --location "location" --subscription "subscriptionID"

+ ```

+ ```bash

+ export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "resourceGroupName" --name "userAssignedIdentityName" --query 'clientId' -otsv)"

+ ```

+2. Grant the managed identity the permissions required to access the resources in Azure it requires.

+3. To get the OIDC Issuer URL and save it to an environmental variable, run the following command. Replace the default values for the cluster name and the resource group name.

+ ```bash

+ export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv)"

+ ```

+## Create Kubernetes service account

+If you don't have a dedicated Kubernetes service account created for this application, perform the following steps to create and then annotate it with the client ID of the managed identity created in the previous step. Use the [az aks get-credentials][az-aks-get-credentials] command and replace the values for the cluster name and the resource group name.

+```azurecli

+az aks get-credentials -n myAKSCluster -g "${RESOURCE_GROUP}"

+```

+Copy and paste the following multi-line input in the Azure CLI.

+```bash

+cat <<EOF | kubectl apply -f -

+apiVersion: v1

+kind: ServiceAccount

+metadata:

+ annotations:

+ azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}

+ labels:

+ azure.workload.identity/use: "true"

+ name: ${SERVICE_ACCOUNT_NAME}

+ namespace: ${SERVICE_ACCOUNT_NAMESPACE}

+EOF

+```

+The following output resembles successful creation of the identity:

+```output

+Serviceaccount/workload-identity-sa created

+```

+## Establish federated identity credential trust

+Use the [az identity federated-credential create][az-identity-federated-credential-create] command to create the federated identity credential between the managed identity, the service account issuer, and the subject. Replace the values `resourceGroupName`, `userAssignedIdentityName`, `federatedIdentityName`, `serviceAccountNamespace`, and `serviceAccountName`.

+```azurecli

+az identity federated-credential create --name federatedIdentityName --identity-name userAssignedIdentityName --resource-group resourceGroupName --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}

+```

+> [!NOTE]

+> It takes a few seconds for the federated identity credential to be propagated after being initially added. If a token request is made immediately after adding the federated identity credential, it might lead to failure for a couple of minutes as the cache is populated in the directory with old data. To avoid this issue, you can add a slight delay after adding the federated identity credential.

+## Deploy the workload with migration sidecar

+If your application is using managed identity and still relies on IMDS to get an access token, you can use the workload identity migration sidecar to start migrating to workload identity. This sidecar is a migration solution and in the long-term applications, you should modify their code to use the latest Azure Identity SDKs that support client assertion.

+To update or deploy the workload, add these pod annotations only if you want to use the migration sidecar. You inject the following [annotation][pod-annotations] values to use the sidecar in your pod specification:

+* `azure.workload.identity/inject-proxy-sidecar` - value is `true` or `false`

+* `azure.workload.identity/proxy-sidecar-port` - value is the desired port for the proxy sidecar. The default value is `8080`.

+When a pod with the above annotations is created, the Azure Workload Identity mutating webhook automatically injects the init-container and proxy sidecar to the pod spec.

+The webhook that is already running adds the following YAML snippets to the pod deployment. The following is an example of the mutated pod spec:

+```yml

+apiVersion: v1

+kind: Pod

+metadata:

+ name: httpbin-pod

+ labels:

+ app: httpbin

+spec:

+ serviceAccountName: workload-identity-sa

+ initContainers:

+ - name: init-networking

+ image: mcr.microsoft.com/oss/azure/workload-identity/proxy-init:v0.13.0

+ securityContext:

+ capabilities:

+ add:

+ - NET_ADMIN

+ drop:

+ - ALL

+ privileged: true

+ runAsUser: 0

+ env:

+ - name: PROXY_PORT

+ value: "8080"

+ containers:

+ - name: nginx

+ image: nginx:alpine

+ ports:

+ - containerPort: 80

+ - name: proxy

+ image: mcr.microsoft.com/oss/azure/workload-identity/proxy:v0.13.0

+ ports:

+ - containerPort: 8080

+```

+This configuration applies to any configuration where a pod is being created. After updating or deploying your application, you can verify the pod is in a running state using the [kubectl describe pod][kubectl-describe] command. Replace the value `podName` with the image name of your deployed pod.

+```bash

+kubectl describe pods podName -c azwi-proxy

+```

+To verify that pod is passing IMDS transactions, use the [kubectl logs][kubelet-logs] command. Replace the value `podName` with the image name of your deployed pod:

+```bash

+kubectl logs podName

+```

+The following log output resembles successful communication through the proxy sidecar. Verify that the logs show a token is successfully acquired and the GET operation is successful.

+```output

+I0926 00:29:29.968723 1 proxy.go:97] proxy "msg"="starting the proxy server" "port"=8080 "userAgent"="azure-workload-identity/proxy/v0.13.0-12-gc8527f3 (linux/amd64) c8527f3/2022-09-26-00:19"

+I0926 00:29:29.972496 1 proxy.go:173] proxy "msg"="received readyz request" "method"="GET" "uri"="/readyz"

+I0926 00:29:30.936769 1 proxy.go:107] proxy "msg"="received token request" "method"="GET" "uri"="/metadata/identity/oauth2/token?resource=https://management.core.windows.net/api-version=2018-02-01&client_id=<client_id>"

+I0926 00:29:31.101998 1 proxy.go:129] proxy "msg"="successfully acquired token" "method"="GET" "uri"="/metadata/identity/oauth2/token?resource=https://management.core.windows.net/api-version=2018-02-01&client_id=<client_id>"

+```

+## Remove pod-managed identity

+After you've completed your testing and the application is successfully able to get a token using the proxy sidecar, you can remove the Azure AD pod-managed identity mapping for the pod from your cluster, and then remove the identity.

+1. Run the [az aks pod-identity delete][az-aks-pod-identity-delete] command to remove the identity from your pod. This should only be done after all pods in the namespace using the pod-managed identity mapping have migrated to use the sidecar.

+ ```azurecli

+ az aks pod-identity delete --name podIdentityName --namespace podIdentityNamespace --resource-group myResourceGroup --cluster-name myAKSCluster

+ ```

+## Next steps

+This article showed you how to set up your pod to authenticate using a workload identity as a migration option. For more information about Azure AD workload identity (preview), see the following [Overview][workload-identity-overview] article.

+<!-- INTERNAL LINKS -->

+[pod-annotations]: workload-identity-overview.md#pod-annotations

+[az-identity-create]: /cli/azure/identity#az-identity-create

+[az-account-set]: /cli/azure/account#az-account-set

+[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials

+[workload-identity-overview]: workload-identity-overview.md

+[az-identity-federated-credential-create]: /cli/azure/identity/federated-credential#az-identity-federated-credential-create

+[az-aks-pod-identity-delete]: /cli/azure/aks/pod-identity#az-aks-pod-identity-delete

+[azure-identity-supported-versions]: workload-identity-overview.md#dependencies

+[azure-identity-libraries]: ../active-directory/develop/reference-v2-libraries.md

+[openid-connect-overview]: ../active-directory/develop/v2-protocols-oidc.md

+[install-azure-cli]: /cli/azure/install-azure-cli

+<!-- EXTERNAL LINKS -->

+[kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe

+| New or existing cluster deployment [runs a supported version][azure-identity-libraries] of Azure Identity client library | No migration steps are required.<br> Sample deployment resources:<br> - [Deploy and configure workload identity on a new cluster][deploy-configure-workload-identity-new-cluster]<br> - [Tutorial: Use a workload identity with an application on AKS][tutorial-use-workload-identity] |

+| New or existing cluster deployment runs an unsupported version of Azure Identity client library| Update container image to use a supported version of the Azure Identity SDK, or use the [migration sidecar][workload-identity-migration-sidecar]. |

+[workload-identity-migration-sidecar]: workload-identity-migrate-from-pod-identity.md

+- Authorizations feature is not supported in National Clouds.

+- Authorizations feature is not supported on self-hosted gateways.

+ Title: Import a GraphQL API to Azure API Management | Microsoft Docs

+description: Learn how to add an existing GraphQL service as an API in Azure API Management using the Azure portal, Azure CLI, or Azure PowerShell. Manage the API and enable queries to pass through to the GraphQL endpoint.

+- Azure CLI

+ [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](../../includes/azure-cli-prepare-your-environment-no-header.md)]

+- Azure PowerShell

+ [!INCLUDE [azure-powershell-requirements-no-header](../../includes/azure-powershell-requirements-no-header.md)]

+#### [Portal](#tab/portal)

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left menu, select **APIs** > **+ Add API**.

+#### [Azure CLI](#tab/cli)

+The following example uses the [az apim api import](/cli/azure/apim/api#az-apim-api-import) command to import a GraphQL passthrough API from the specified URL to an API Management instance named *apim-hello-world*.

+```azurecli-interactive

+# API Management service-specific details

+APIMServiceName="apim-hello-world"

+ResourceGroupName="myResourceGroup"

+# API-specific details

+APIId="my-graphql-api"

+APIPath="myapi"

+DisplayName="MyGraphQLAPI"

+SpecificationFormat="GraphQL"

+SpecificationURL="<GraphQL backend endpoint>"

+# Import API

+az apim api import --path $APIPath --resource-group $ResourceGroupName \

+ --service-name $APIMServiceName --api-id $APIId \

+ --display-name $DisplayName --specification-format $SpecificationFormat --specification-url $SpecificationURL

+```

+After importing the API, if needed, you can update the settings by using the [az apim api update](/cli/azure/apim/api#az-apim-api-update) command.

+#### [PowerShell](#tab/powershell)

+The following example uses the [Import-AzApiManagementApi](/powershell/module/az.apimanagement/import-azapimanagementapi?) Azure PowerShell cmdlet to import a GraphQL passthrough API from the specified URL to an API Management instance named *apim-hello-world*.

+```powershell-interactive

+# API Management service-specific details

+$apimServiceName = "apim-hello-world"

+$resourceGroupName = "myResourceGroup"

+# API-specific details

+$apiId = "my-graphql-api"

+$apiPath = "myapi"

+$specificationFormat = "GraphQL"

+$specificationUrl = "<GraphQL backend endpoint>"

+# Get context of the API Management instance.

+$context = New-AzApiManagementContext -ResourceGroupName $resourceGroupName -ServiceName $apimServiceName

+# Import API

+Import-AzApiManagementApi -Context $context -ApiId $apiId -SpecificationFormat $specificationFormat -SpecificationUrl $specificationUrl -Path $apiPath

+```

+After importing the API, if needed, you can update the settings by using the [Set-AzApiManagementApi](/powershell/module/az.apimanagement/set-azapimanagementapi) cmdlet.

+ Title: Import an OpenAPI specification to Azure API Management | Microsoft Docs

+description: Learn how to import an OpenAPI specification to an API Management instance using the Azure portal, Azure CLI, or Azure PowerShell. Then, test the API in the Azure portal.

+This article shows how to import an "OpenAPI specification" backend API residing at `https://conferenceapi.azurewebsites.net?format=json`. This backend API is provided by Microsoft and hosted on Azure. The article also shows how to test the APIM API.

+> * Import an OpenAPI specification using the Azure portal, Azure CLI, or Azure PowerShell

+> [!NOTE]

+> API import limitations are documented in [API import restrictions and known issues](api-management-api-import-restrictions.md).

+* An API Management instance. If you don't already have one, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).

+* Azure CLI

+ [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](../../includes/azure-cli-prepare-your-environment-no-header.md)]

+* Azure PowerShell

+ [!INCLUDE [azure-powershell-requirements-no-header](../../includes/azure-powershell-requirements-no-header.md)]

+## <a name="create-api"> </a>Import a backend API

+#### [Portal](#tab/portal)

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left menu, select **APIs** > **+ Add API**.

+1. Under **Create from definition**, select **OpenAPI**.

+ :::image type="content" source="media/import-api-from-oas/oas-api.png" alt-text="Screenshot of creating an API from an OpenAPI specification in the portal." border="false":::

+1. Enter API settings. You can set the values during creation or configure them later by going to the **Settings** tab. The settings are explained in the [Import and publish your first API](import-and-publish.md#import-and-publish-a-backend-api) tutorial.

+1. Select **Create**.

+#### [Azure CLI](#tab/cli)

+The following example uses the [az apim api import](/cli/azure/apim/api#az-apim-api-import) command to import an OpenAPI specification from the specified URL to an API Management instance named *apim-hello-world*. To import using a path to a specification instead of a URL, use the `--specification-path` parameter.

+```azurecli-interactive

+# API Management service-specific details

+APIMServiceName="apim-hello-world"

+ResourceGroupName="myResourceGroup"

+# API-specific details

+APIId="demo-conference-api"

+APIPath="conference"

+SpecificationFormat="OpenAPI"

+SpecificationURL="https://conferenceapi.azurewebsites.net/?format=json"

+# Import API

+az apim api import --path $APIPath --resource-group $ResourceGroupName \

+ --service-name $APIMServiceName --api-id $APIId \

+ --specification-format $SpecificationFormat --specification-url $SpecificationURL

+```

+After importing the API, if needed, you can update the settings by using the [az apim api update](/cli/azure/apim/api#az-apim-api-update) command.

+#### [PowerShell](#tab/powershell)

+The following example uses the [Import-AzApiManagementApi](/powershell/module/az.apimanagement/import-azapimanagementapi?) Azure PowerShell cmdlet to import an OpenAPI specification from the specified URL to an API Management instance named *apim-hello-world*. To import using a path to a specification instead of a URL, use the `-SpecificationPath` parameter.

+```powershell-interactive

+# API Management service-specific details

+$apimServiceName = "apim-hello-world"

+$resourceGroupName = "myResourceGroup"

+# API-specific details

+$apiId = "demo-conference-api"

+$apiPath = "conference"

+$specificationFormat = "OpenAPI"

+$specificationUrl = "https://conferenceapi.azurewebsites.net/?format=json"

+# Get context of the API Management instance.

+$context = New-AzApiManagementContext -ResourceGroupName $resourceGroupName -ServiceName $apimServiceName

+# Import API

+Import-AzApiManagementApi -Context $context -ApiId $apiId -SpecificationFormat $specificationFormat -SpecificationUrl $specificationUrl -Path $apiPath

+```

+After importing the API, if needed, you can update the settings by using the [Set-AzApiManagementApi](/powershell/module/az.apimanagement/set-azapimanagementapi) cmdlet.

+> * [Create and publish a product](api-management-howto-add-products.md)

+> * [Transform and protect a published API](transform-api.md)

+ Title: Import SOAP API to Azure API Management | Microsoft Docs

+description: Learn how to import a SOAP API to Azure API Management as a WSDL specification using the Azure portal, Azure CLI, or Azure PowerShell. Then, test the API in the Azure portal.

+* An API Management instance. If you don't already have one, complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).

+* Azure CLI

+ [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](../../includes/azure-cli-prepare-your-environment-no-header.md)]

+* Azure PowerShell

+ [!INCLUDE [azure-powershell-requirements-no-header](../../includes/azure-powershell-requirements-no-header.md)]

+

+## <a name="create-api"> </a>Import a backend API

+#### [Portal](#tab/portal)

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left menu, select **APIs** > **+ Add API**.

+ 

+#### [Azure CLI](#tab/cli)

+The following example uses the [az apim api import](/cli/azure/apim/api#az-apim-api-import) command to import a WSDL specification from the specified URL to an API Management instance named *apim-hello-world*. To import using a path to a specification instead of a URL, use the `--specification-path` parameter.

+For this example WSDL, the service name is *OrdersAPI*, and one of the available endpoints (interfaces) is *basic*.

+```azurecli-interactive

+# API Management service-specific details

+APIMServiceName="apim-hello-world"

+ResourceGroupName="myResourceGroup"

+# API-specific details

+APIId="order-api"

+APIPath="order"

+SpecificationFormat="Wsdl"

+SpecificationURL="https://fazioapisoap.azurewebsites.net/FazioService.svc?singleWsdl"

+WsdlServiceName="OrdersAPI"

+WsdlEndpointName="basic"

+# Import API

+az apim api import --path $APIPath --resource-group $ResourceGroupName \

+ --service-name $APIMServiceName --api-id $APIId \

+ --specification-format $SpecificationFormat --specification-url $SpecificationURL \

+ --wsdl-service-name $WsdlServiceName --wsdl-endpoint-name $WsdlEndpointName

+```

+#### [PowerShell](#tab/powershell)

+The following example uses the [Import-AzApiManagementApi](/powershell/module/az.apimanagement/import-azapimanagementapi?) Azure PowerShell cmdlet to import a WSDL specification from the specified URL to an API Management instance named *apim-hello-world*. To import using a path to a specification instead of a URL, use the `-SpecificationPath` parameter.

+For this example WSDL, the service name is *OrdersAPI*, and one of the available endpoints (interfaces) is *basic*.

+```powershell-interactive

+# API Management service-specific details

+$apimServiceName = "apim-hello-world"

+$resourceGroupName = "myResourceGroup"

+# API-specific det

+$apiId = "orders-api"

+$apiPath = "orders"

+$specificationFormat = "Wsdl"

+$specificationUrl = "https://fazioapisoap.azurewebsites.net/FazioService.svc?singleWsdl"

+$wsdlServiceName = "OrdersAPI"

+$wsdlEndpointName = "basic"

+# Get context of the API Management instance.

+$context = New-AzApiManagementContext -ResourceGroupName $resourceGroupName -ServiceName $apimServiceName

+# Import API

+Import-AzApiManagementApi -Context $context -ApiId $apiId -SpecificationFormat $specificationFormat -SpecificationUrl $specificationUrl -Path $apiPath -WsdlServiceName $wsdlServiceName -WsdlEndpointName $wsdlEndpointName

+```

+ Title: Import a WebSocket API to Azure API Management | Microsoft Docs

+With API ManagementΓÇÖs WebSocket API solution, API publishers can quickly add a WebSocket API in API Management via the Azure portal, Azure CLI, Azure PowerShell, and other Azure tools.

+- Azure CLI

+#### [Portal](#tab/portal)

+1. 1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left menu, select **APIs** > **+ Add API**.

+1. Under **Define a new API**, select **WebSocket**.

+* WebSocket APIs support the following valid buffer types for messages: Close, BinaryFragment, BinaryMessage, UTF8Fragment, and UTF8Message.

+> If you applied the policies at higher scopes (i.e., global or product) and they were inherited by a WebSocket API through the policy, they will be skipped at runtime.

+To host your application in Azure, you need to create Azure App Service web app in Azure. You can create a web app using [Azure portal](https://portal.azure.com/), [VS Code](https://code.visualstudio.com/), [Azure Tools extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack), or Azure CLI.

+> [Tutorial: Run Python app in custom container](./tutorial-custom-container.md)

+cd Passwordless-Connections-for-Java-Apps/Tomcat/

+Follow these steps to create an Azure Database for Postgres in your subscription. The Spring Boot app will connect to this database and store its data when running, persisting the application state no matter where you run the application.

+1. Create an Azure Postgres Database server. The server is created with an administrator account, but it won't be used because we'll use the Azure Active Directory (Azure AD) admin account to perform administrative tasks.

+ ### [Flexible Server](#tab/flexible)

+ ```azurecli-interactive

+ POSTGRESQL_ADMIN_USER=azureuser

+ # PostgreSQL admin access rights won't be used because Azure AD authentication is leveraged to administer the database.

+ POSTGRESQL_ADMIN_PASSWORD=<admin-password>

+ POSTGRESQL_HOST=<postgresql-host-name>

+ # Create a PostgreSQL server.

+ az postgres flexible-server create \

+ --resource-group $RESOURCE_GROUP \

+ --name $POSTGRESQL_HOST \

+ --location $LOCATION \

+ --admin-user $POSTGRESQL_ADMIN_USER \

+ --admin-password $POSTGRESQL_ADMIN_PASSWORD \

+ --public-network-access 0.0.0.0 \

+ --sku-name Standard_D2s_v3

+ ```

+ ### [Single Server](#tab/single)

+ # PostgreSQL admin access rights won't be used because Azure AD authentication is leveraged to administer the database.

+ ### [Flexible Server](#tab/flexible)

+ ```azurecli-interactive

+ DATABASE_NAME=checklist

+ az postgres flexible-server db create \

+ --resource-group $RESOURCE_GROUP \

+ --server-name $POSTGRESQL_HOST \

+ --database-name $DATABASE_NAME

+ ```

+ ### [Single Server](#tab/single)

+1. The sample app contains a *pom.xml* file that can generate the WAR file. Run the following command to build the app.

+ mvn clean package -f pom.xml

+ APPSERVICE_PLAN=<app-service-plan>

+ APPSERVICE_NAME=<app-service-name>

+Next, connect your app to a Postgres Database with a system-assigned managed identity using Service Connector.

+### [Flexible Server](#tab/flexible)

+To do this, run the [az webapp connection create](/cli/azure/webapp/connection/create#az-webapp-connection-create-postgres-flexible) command.

+```azurecli-interactive

+az webapp connection create postgres-flexible \

+ --resource-group $RESOURCE_GROUP \

+ --name $APPSERVICE_NAME \

+ --target-resource-group $RESOURCE_GROUP \

+ --server $POSTGRESQL_HOST \

+ --database $DATABASE_NAME \

+ --system-identity

+```

+### [Single Server](#tab/single)

+To do this, run the [az webapp connection create](/cli/azure/webapp/connection/create#az-webapp-connection-create-postgres) command.

+**Cause:** After the TCP connection has been established and a TLS handshake is done (if TLS is enabled), Application Gateway will send the probe as an HTTP GET request to the backend server. As described earlier, the default probe will be to `<protocol>://127.0.0.1:<port>/`, and it considers response status codes in the range 200 through 399 as Healthy. If the server returns any other status code, it will be marked as Unhealthy with this message.

+Learn more about [Application Gateway diagnostics and logging](./application-gateway-diagnostics.md).

+To configure mutual authentication, a trusted client CA certificate is required to be uploaded as part of the client authentication portion of an SSL profile. The SSL profile will then need to be associated to a listener in order to complete configuration of mutual authentication. There must always be a root CA certificate in the client certificate that you upload. You can upload a certificate chain as well, but the chain must include a root CA certificate in addition to as many intermediate CA certificates as you'd like. The maximum size of each uploaded file must be 25 KB or less.

+ Title: What is Azure Form Recognizer

+Below claims will appear only in the attestation token generated for Intel® Xeon® Scalable processor-based server platforms. The claims will not appear if the SGX enclave is not configured with [Key Separation and Sharing Support](https://github.com/openenclave/openenclave/issues/3054). The claim definitions can be found [here](https://github.com/openenclave/openenclave/issues/3054)

+- **x-ms-sgx-config-id**

+- **x-ms-sgx-config-svn**

+- **x-ms-sgx-isv-extended-product-id**

+- **x-ms-sgx-isv-family-id**

+| [Azure ExpressRoute](../expressroute/designing-for-high-availability-with-expressroute.md) |   |

+Neither Azure Arc-enabled data services nor any of the applicable data services store any customer data. This applies to Azure Arc-enabled SQL Managed Instance, Azure Arc-enabled PostgreSQL, and Azure Arc-enabled SQL Server.

+- To learn more about Azure Cache for Redis versions, see [Set Redis version for Azure Cache for Redis](cache-how-to-version.md)

+- To learn more about Azure Cache for Redis features: [Azure Cache for Redis Premium service tiers](cache-overview.md#service-tiers)

+> [!TIP]

+> By default, Android reloads the activity when the orientation changes or the keyboard is hidden. This results in the map state being reset (reload the map which resets the view and reloads data to initial state). To prevent this from happening, add the following to the mainfest: `android:configChanges="orientation|keyboardHidden"`. This will stop the activity from reloading and instead call `onConfigurationChanged()` when the orientation has changed or the keyboard is hidden.

+ Title: Manage Azure Monitor Agent

+description: Options for managing Azure Monitor Agent on Azure virtual machines and Azure Arc-enabled servers.

+# Manage Azure Monitor Agent

+This article provides the different options currently available to install, uninstall, and update the [Azure Monitor agent](azure-monitor-agent-overview.md). This agent extension can be installed on Azure virtual machines, scale sets, and Azure Arc-enabled servers. It also lists the options to create [associations with data collection rules](data-collection-rule-azure-monitor-agent.md) that define which data the agent should collect. Installing, upgrading, or uninstalling Azure Monitor Agent won't require you to restart your server.

+Azure Monitor Agent is implemented as an [Azure VM extension](../../virtual-machines/extensions/overview.md) with the details in the following table. You can install it by using any of the methods to install virtual machine extensions including the methods described in this article.

+The following prerequisites must be met prior to installing Azure Monitor Agent.

+ - **User-assigned**: This managed identity is recommended for large-scale deployments, configurable via [built-in Azure policies](#use-azure-policy). You can create a user-assigned managed identity once and share it across multiple VMs, which means it's more scalable than a system-assigned managed identity. If you use a user-assigned managed identity, you must pass the managed identity details to Azure Monitor Agent via extension settings:

+- **Networking**: If you use network firewalls, the [Azure Resource Manager service tag](../../virtual-network/service-tags-overview.md) must be enabled on the virtual network for the virtual machine. The virtual machine must also have access to the following HTTPS endpoints:

+> This article only pertains to agent installation or management. After you install the agent, you must review the next article to [configure data collection rules and associate them with the machines](./data-collection-rule-azure-monitor-agent.md) with agents installed. *Azure Monitor Agents can't function without being associated with data collection rules.*

+## Install

+#### [Portal](#tab/azure-portal)

+To install Azure Monitor Agent by using the Azure portal, follow the process to [create a data collection rule](data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association) in the Azure portal. This process creates the rule, associates it to the selected resources, and installs Azure Monitor Agent on them if it's not already installed.

+#### [PowerShell](#tab/azure-powershell)

+You can install Azure Monitor Agent on Azure virtual machines and on Azure Arc-enabled servers by using the PowerShell command for adding a virtual machine extension.

+### Install on Azure virtual machines

+Use the following PowerShell commands to install Azure Monitor Agent on Azure virtual machines. Choose the appropriate command based on your chosen authentication method.

+#### User-assigned managed identity

+- Windows

+ ```powershell

+ Set-AzVMExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion <version-number> -EnableAutomaticUpgrade $true -SettingString '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'

+ ```

+- Linux

+ ```powershell

+ Set-AzVMExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion <version-number> -EnableAutomaticUpgrade $true -SettingString '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'

+ ```

+#### System-assigned managed identity

+- Windows

+ ```powershell

+ Set-AzVMExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion <version-number> -EnableAutomaticUpgrade $true

+ ```

+- Linux

+ ```powershell

+ Set-AzVMExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion <version-number> -EnableAutomaticUpgrade $true

+ ```

+### Install on Azure Arc-enabled servers

+Use the following PowerShell commands to install Azure Monitor Agent on Azure Arc-enabled servers.

+- Windows

+ ```powershell

+ New-AzConnectedMachineExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -EnableAutomaticUpgrade

+ ```

+- Linux

+ ```powershell

+ New-AzConnectedMachineExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -EnableAutomaticUpgrade

+ ```

+#### [Azure CLI](#tab/azure-cli)

+You can install Azure Monitor Agent on Azure virtual machines and on Azure Arc-enabled servers by using the Azure CLI command for adding a virtual machine extension.

+Use the following CLI commands to install Azure Monitor Agent on Azure virtual machines. Choose the appropriate command based on your chosen authentication method.

+- Windows

+ ```azurecli

+ az vm extension set --name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true --settings '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":"/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'

+ ```

+- Linux

+ ```azurecli

+ az vm extension set --name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true --settings '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":"/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'

+ ```

+- Windows

+ ```azurecli

+ az vm extension set --name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true

+ ```

+- Linux

+ ```azurecli

+ az vm extension set --name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true

+ ```

+### Install on Azure Arc-enabled servers

+Use the following CLI commands to install Azure Monitor Agent on Azure Arc-enabled servers.

+- Windows

+ ```azurecli

+ az connectedmachine extension create --name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor --type AzureMonitorWindowsAgent --machine-name <arc-server-name> --resource-group <resource-group-name> --location <arc-server-location> --enable-auto-upgrade true

+ ```

+- Linux

+ ```azurecli

+ az connectedmachine extension create --name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor --type AzureMonitorLinuxAgent --machine-name <arc-server-name> --resource-group <resource-group-name> --location <arc-server-location> --enable-auto-upgrade true

+ ```

+#### [Resource Manager template](#tab/azure-resource-manager)

+You can use Resource Manager templates to install Azure Monitor Agent on Azure virtual machines and on Azure Arc-enabled servers and to create an association with data collection rules. You must create any data collection rule prior to creating the association.

+Get sample templates for installing the agent and creating the association from the following resources:

+- [Template to install Azure Monitor agent (Azure and Azure Arc)](../agents/resource-manager-agent.md#azure-monitor-agent)

+- [Template to create association with data collection rule](./resource-manager-data-collection-rules.md)

+Install the templates by using [any deployment method for Resource Manager templates](../../azure-resource-manager/templates/deploy-powershell.md), such as the following commands.

+- PowerShell

+ ```powershell

+ New-AzResourceGroupDeployment -ResourceGroupName "<resource-group-name>" -TemplateFile "<template-filename.json>" -TemplateParameterFile "<parameter-filename.json>"

+ ```

+- Azure CLI

+ ```azurecli

+ az deployment group create --resource-group "<resource-group-name>" --template-file "<path-to-template>" --parameters "@<parameter-filename.json>"

+ ```

+## Uninstall

+#### [Portal](#tab/azure-portal)

+To uninstall Azure Monitor Agent by using the Azure portal, go to your virtual machine, scale set, or Azure Arc-enabled server. Select the **Extensions** tab and select **AzureMonitorWindowsAgent** or **AzureMonitorLinuxAgent**. In the dialog that opens, select **Uninstall**.

+#### [PowerShell](#tab/azure-powershell)

+### Uninstall on Azure virtual machines

+Use the following PowerShell commands to uninstall Azure Monitor Agent on Azure virtual machines.

+- Windows

+ ```powershell

+ Remove-AzVMExtension -Name AzureMonitorWindowsAgent -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name>

+ ```

+- Linux

+ ```powershell

+ Remove-AzVMExtension -Name AzureMonitorLinuxAgent -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name>

+ ```

+### Uninstall on Azure Arc-enabled servers

+Use the following PowerShell commands to uninstall Azure Monitor Agent on Azure Arc-enabled servers.

+- Windows

+ ```powershell

+ Remove-AzConnectedMachineExtension -MachineName <arc-server-name> -ResourceGroupName <resource-group-name> -Name AzureMonitorWindowsAgent

+ ```

+- Linux

+ ```powershell

+ Remove-AzConnectedMachineExtension -MachineName <arc-server-name> -ResourceGroupName <resource-group-name> -Name AzureMonitorLinuxAgent

+ ```

+#### [Azure CLI](#tab/azure-cli)

+### Uninstall on Azure virtual machines

+Use the following CLI commands to uninstall Azure Monitor Agent on Azure virtual machines.

+- Windows

+ ```azurecli

+ az vm extension delete --resource-group <resource-group-name> --vm-name <virtual-machine-name> -name AzureMonitorWindowsAgent

+ ```

+- Linux

+ ```azurecli

+ az vm extension delete --resource-group <resource-group-name> --vm-name <virtual-machine-name> -name AzureMonitorLinuxAgent

+ ```

+### Uninstall on Azure Arc-enabled servers

+Use the following CLI commands to uninstall Azure Monitor Agent on Azure Arc-enabled servers.

+- Windows

+ ```azurecli

+ az connectedmachine extension delete --name AzureMonitorWindowsAgent --machine-name <arc-server-name> --resource-group <resource-group-name>

+ ```

+- Linux

+ ```azurecli

+ az connectedmachine extension delete --name AzureMonitorLinuxAgent --machine-name <arc-server-name> --resource-group <resource-group-name>

+ ```

+#### [Resource Manager template](#tab/azure-resource-manager)

+N/A

+## Update

+#### [Portal](#tab/azure-portal)

+To perform a one-time update of the agent, you must first uninstall the existing agent version. Then install the new version as described.

+We recommend that you enable automatic update of the agent by enabling the [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) feature. Go to your virtual machine or scale set, select the **Extensions** tab and select **AzureMonitorWindowsAgent** or **AzureMonitorLinuxAgent**. In the dialog that opens, select **Enable automatic upgrade**.

+#### [PowerShell](#tab/azure-powershell)

+### Update on Azure virtual machines

+To perform a one-time update of the agent, you must first uninstall the existing agent version, then install the new version as described.

+We recommend that you enable automatic update of the agent by enabling the [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) feature by using the following PowerShell commands.

+- Windows

+ ```powershell

+ Set-AzVMExtension -ExtensionName AzureMonitorWindowsAgent -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Publisher Microsoft.Azure.Monitor -ExtensionType AzureMonitorWindowsAgent -TypeHandlerVersion <version-number> -Location <location> -EnableAutomaticUpgrade $true

+ ```

+- Linux

+ ```powershell

+ Set-AzVMExtension -ExtensionName AzureMonitorLinuxAgent -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Publisher Microsoft.Azure.Monitor -ExtensionType AzureMonitorLinuxAgent -TypeHandlerVersion <version-number> -Location <location> -EnableAutomaticUpgrade $true

+ ```

+### Update on Azure Arc-enabled servers

+To perform a one-time upgrade of the agent, use the following PowerShell commands.

+- Windows

+ ```powershell

+ $target = @{"Microsoft.Azure.Monitor.AzureMonitorWindowsAgent" = @{"targetVersion"=<target-version-number>}}

+ Update-AzConnectedExtension -ResourceGroupName $env.ResourceGroupName -MachineName <arc-server-name> -ExtensionTarget $target

+ ```

+- Linux

+ ```powershell

+ $target = @{"Microsoft.Azure.Monitor.AzureMonitorLinuxAgent" = @{"targetVersion"=<target-version-number>}}

+ Update-AzConnectedExtension -ResourceGroupName $env.ResourceGroupName -MachineName <arc-server-name> -ExtensionTarget $target

+ ```

+We recommend that you enable automatic update of the agent by enabling the [Automatic Extension Upgrade](../../azure-arc/servers/manage-automatic-vm-extension-upgrade.md#manage-automatic-extension-upgrade) feature by using the following PowerShell commands.

+- Windows

+ ```powershell

+ Update-AzConnectedMachineExtension -ResourceGroup <resource-group-name> -MachineName <arc-server-name> -Name AzureMonitorWindowsAgent -EnableAutomaticUpgrade

+ ```

+- Linux

+ ```powershell

+ Update-AzConnectedMachineExtension -ResourceGroup <resource-group-name> -MachineName <arc-server-name> -Name AzureMonitorLinuxAgent -EnableAutomaticUpgrade

+ ```

+#### [Azure CLI](#tab/azure-cli)

+- Windows

+ ```azurecli

+ az vm extension set -name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor --vm-name <virtual-machine-name> --resource-group <resource-group-name> --enable-auto-upgrade true

+ ```

+- Linux

+ ```azurecli

+ az vm extension set -name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor --vm-name <virtual-machine-name> --resource-group <resource-group-name> --enable-auto-upgrade true

+ ```

+### Update on Azure Arc-enabled servers

+- Windows

+ ```azurecli

+ az connectedmachine upgrade-extension --extension-targets "{\"Microsoft.Azure.Monitor.AzureMonitorWindowsAgent\":{\"targetVersion\":\"<target-version-number>\"}}" --machine-name <arc-server-name> --resource-group <resource-group-name>

+ ```

+- Linux

+ ```azurecli

+ az connectedmachine upgrade-extension --extension-targets "{\"Microsoft.Azure.Monitor.AzureMonitorWindowsAgent\":{\"targetVersion\":\"<target-version-number>\"}}" --machine-name <arc-server-name> --resource-group <resource-group-name>

+ ```

+- Windows

+ ```azurecli

+ az connectedmachine extension update --name AzureMonitorWindowsAgent --machine-name <arc-server-name> --resource-group <resource-group-name> --enable-auto-upgrade true

+ ```

+- Linux

+ ```azurecli

+ az connectedmachine extension update --name AzureMonitorLinuxAgent --machine-name <arc-server-name> --resource-group <resource-group-name> --enable-auto-upgrade true

+ ```

+#### [Resource Manager template](#tab/azure-resource-manager)

+N/A

+> As per Microsoft Identity best practices, policies for installing Azure Monitor Agent on virtual machines and scale sets rely on user-assigned managed identity. This option is the more scalable and resilient managed identity for these resources.

+- Install Azure Monitor Agent extension on the machine, and configure it to use user-assigned identity as specified by the following parameters.

+ 

+

+The initiatives or policies will apply to each virtual machine as it's created. A [remediation task](../../governance/policy/how-to/remediate-resources.md) deploys the policy definitions in the initiative to existing resources, so you can configure Azure Monitor Agent for any resources that were already created.

+

+ Title: Create and run custom availability tests by using Azure Functions

+description: This article explains how to create an Azure function with TrackAvailability() that will run periodically according to the configuration given in a TimerTrigger function.

+# Create and run custom availability tests by using Azure Functions

+This article explains how to create an Azure function with `TrackAvailability()` that will run periodically according to the configuration given in the `TimerTrigger` function with your own business logic. The results of this test will be sent to your Application Insights resource, where you can query for and alert on the availability results data. Then you can create customized tests similar to what you can do via [availability monitoring](./monitor-web-app-availability.md) in the Azure portal. By using customized tests, you can:

+- Write more complex availability tests than is possible by using the portal UI.

+- Monitor an app inside of your Azure virtual network.

+- Change the endpoint address.

+- Create an availability test even if this feature isn't available in your region.

+> This example is designed solely to show you the mechanics of how the `TrackAvailability()` API call works within an Azure function. It doesn't show you how to write the underlying HTTP test code or business logic that's required to turn this example into a fully functional availability test. By default, if you walk through this example, you'll be creating a basic availability HTTP GET test.

+>

+ - If you already have an Application Insights resource:

+

+ - By default, Azure Functions creates an Application Insights resource. But if you want to use a resource you created previously, you must specify that during creation.

+

+ On the **Monitoring** tab, select the **Application Insights** dropdown box and then enter or select the name of your resource.

+

+ :::image type="content" source="media/availability-azure-functions/app-insights-resource.png" alt-text="Screenshot that shows selecting your existing Application Insights resource on the Monitoring tab.":::

+ - If you don't have an Application Insights resource created yet for your timer-triggered function:

+ - By default, when you're creating your Azure Functions application, it will create an Application Insights resource for you. Follow the instructions on how to [create an Azure Functions resource](../../azure-functions/functions-create-scheduled-function.md#create-a-function-app).

+

+ > You can host your functions on a Consumption, Premium, or App Service plan. If you're testing behind a virtual network or testing nonpublic endpoints, you'll need to use the Premium plan in place of the Consumption plan. Select your plan on the **Hosting** tab. Ensure the latest .NET version is selected when you create the function app.

+1. Create a timer trigger function.

+ 1. Select **Add**. On the **Add function** pane, select the following configurations:

+ 1. **Development environment**: **Develop in portal**

+ 1. **Select a template**: **Timer trigger**

+ 1. Select **Add** to create the timer trigger function.

+ :::image type="content" source="media/availability-azure-functions/add-function.png" alt-text="Screenshot that shows how to add a timer trigger function to your function app." lightbox="media/availability-azure-functions/add-function.png":::

+Go to your deployed function app, and under **Development Tools**, select the **App Service Editor** tab.

+To create a new file, right-click under your timer trigger function (for example, **TimerTrigger1**) and select **New File**. Then enter the name of the file and select **Enter**.

+1. Create a new file called **function.proj** and paste the following code:

+ :::image type="content" source="media/availability-azure-functions/function-proj.png" alt-text=" Screenshot that shows function.proj in the App Service Editor." lightbox="media/availability-azure-functions/function-proj.png":::

+1. Create a new file called **runAvailabilityTest.csx** and paste the following code:

+1. Copy the following code into the **run.csx** file. (You'll replace the preexisting code.)

+To make sure everything is working, look at the graph on the **Availability** tab of your Application Insights resource.

+> Tests created with `TrackAvailability()` will appear with **CUSTOM** next to the test name.

+ :::image type="content" source="media/availability-azure-functions/availability-custom.png" alt-text="Screenshot that shows the Availability tab with successful results." lightbox="media/availability-azure-functions/availability-custom.png":::

+To see the end-to-end transaction details, under **Drill into**, select **Successful** or **Failed**. Then select a sample. You can also get to the end-to-end transaction details by selecting a data point on the graph.

+## Query in Log Analytics

+You can use Log Analytics to view your availability results, dependencies, and more. To learn more about Log Analytics, see [Log query overview](../logs/log-query-overview.md).

+Download the [applicationinsights-agent-3.4.3.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.4.3/applicationinsights-agent-3.4.3.jar) file.

+Add `-javaagent:"path/to/applicationinsights-agent-3.4.3.jar"` to your application's JVM args.

+ - Or you can create a configuration file named `applicationinsights.json`. Place it in the same directory as `applicationinsights-agent-3.4.3.jar` with the following content:

+Add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.3.jar"` somewhere before `-jar`, for example:

+java -javaagent:"path/to/applicationinsights-agent-3.4.3.jar" -jar <myapp.jar>

+If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.3.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.3.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.3.jar"` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.3.jar" -jar <myapp.jar>

+ <version>3.4.3</version>

+From 3.4.3, you can configure the name of a JSON file in the classpath with the `applicationinsights.runtime-attach.configuration.classpath.file` system property.

+JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.3.jar"

+CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.3.jar"

+If the file `<tomcat>/bin/setenv.sh` already exists, then modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.3.jar` to `CATALINA_OPTS`.

+set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.3.jar

+set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.3.jar"

+If the file `<tomcat>/bin/setenv.bat` already exists, just modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.3.jar` to `CATALINA_OPTS`.

+Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.4.3.jar` to the `Java Options` under the `Java` tab.

+Add `-javaagent:path/to/applicationinsights-agent-3.4.3.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

+ JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.4.3.jar -Xms1303m -Xmx1303m ..."

+Add `-javaagent:path/to/applicationinsights-agent-3.4.3.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

+ <option value="-javaagent:path/to/applicationinsights-agent-3.4.3.jar"/>

+-javaagent:path/to/applicationinsights-agent-3.4.3.jar

+Add `-javaagent:path/to/applicationinsights-agent-3.4.3.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

+ -javaagent:path/to/applicationinsights-agent-3.4.3.jar>

+-javaagent:path/to/applicationinsights-agent-3.4.3.jar

+-javaagent:path/to/applicationinsights-agent-3.4.3.jar

+By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.4.3.jar`.

+If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.4.3.jar` is located.

+If you specify a relative path, it's resolved relative to the directory where `applicationinsights-agent-3.4.3.jar` is located.

+Starting from 3.4.3, you can capture `FileName`, `ClassName`, `MethodName`, and `LineNumber`, for Logback:

+`applicationinsights-agent-3.4.3.jar` is located.

+| `applicationinsights-core` | Update the version to `3.4.3` or later | |

+| `applicationinsights-web` | Update the version to `3.4.3` or later, and remove the Application Insights web filter your `web.xml` file. | |

+| `applicationinsights-web-auto` | Replace with `3.4.3` or later of `applicationinsights-web` | |

+| `applicationinsights-spring-boot-starter` | Replace with `3.4.3` or later of `applicationinsights-web` | The cloud role name will no longer default to `spring.application.name`, see the [3.x configuration docs](./java-standalone-config.md#cloud-role-name) for configuring the cloud role name. |

+-javaagent:path/to/applicationinsights-agent-3.4.3.jar

+Windows provides a variety of [performance counters](/windows/desktop/perfctrs/about-performance-counters), such as those used to gather processor, memory, and disk usage statistics. You can also define your own performance counters.

+Performance counters collection is supported if your application is running under IIS on an on-premises host or is a virtual machine to which you have administrative access. Although applications running as Azure Web Apps don't have direct access to performance counters, a subset of available counters is collected by Application Insights.

+The **Metrics** pane shows the default set of performance counters.

+

+Current default counters for ASP.NET web applications:

+Current default counters collected for ASP.NET Core web applications:

+ For more information, see [`Get-Counter`](/powershell/module/microsoft.powershell.diagnostics/get-counter).

+1. Open `ApplicationInsights.config`.

+1. Edit the performance collector directive:

+> ASP.NET Core applications don't have `ApplicationInsights.config`, so the preceding method isn't valid for ASP.NET Core applications.

+You can capture both standard counters and counters you've implemented yourself. `\Objects\Processes` is an example of a standard counter that's available on all Windows systems. `\Sales(photo)\# Items Sold` is an example of a custom counter that might be implemented in a web service.

+The format is `\Category(instance)\Counter`, or for categories that don't have instances, just `\Category\Counter`.

+The `ReportAs` parameter is required for counter names that don't match `[a-zA-Z()/-_ \.]+`. That is, they contain characters that aren't in the following sets: letters, round brackets, forward slash, hyphen, underscore, space, and dot.

+If you specify an instance, it will be collected as a dimension `CounterInstanceName` of the reported metric.

+### Collect performance counters in code for ASP.NET web applications or .NET/.NET Core console applications

+To collect system performance counters and send them to Application Insights, you can adapt the following snippet:

+Or you can do the same thing with custom metrics that you created:

+### Collect performance counters in code for ASP.NET Core web applications

+Modify the `ConfigureServices` method in your `Startup.cs` class:

+## Performance counters in Log Analytics

+You can search and display performance counter reports in [Log Analytics](../logs/log-query-overview.md).

+The **performanceCounters** schema exposes the `category`, `counter` name, and `instance` name of each performance counter. In the telemetry for each application, you'll see only the counters for that application. For example, to see what counters are available:

+

+Here, `Instance` refers to the performance counter instance, not the role or server machine instance. The performance counter instance name typically segments counters, such as processor time, by the name of the process or application.

+

+

+The next sections discuss ASP.NET and Application Insights counts.

+### What's the difference between the Exception rate and Exceptions metrics?

+* `Exception rate`: The Exception rate is a system performance counter. The CLR counts all the handled and unhandled exceptions that are thrown and divides the total in a sampling interval by the length of the interval. The Application Insights SDK collects this result and sends it to the portal.

+* `Exceptions`: The Exceptions metric is a count of the `TrackException` reports received by the portal in the sampling interval of the chart. It includes only the handled exceptions where you've written `TrackException` calls in your code. It doesn't include all [unhandled exceptions](./asp-net-exceptions.md).

+## Performance counters for applications running in Azure Web Apps and Windows containers on Azure App Service

+Both ASP.NET and ASP.NET Core applications deployed to Azure Web Apps run in a special sandbox environment. Applications deployed to Azure App Service can utilize a [Windows container](../../app-service/quickstart-custom-container.md?pivots=container-windows&tabs=dotnet) or be hosted in a sandbox environment. If the application is deployed in a Windows container, all standard performance counters are available in the container image.

+The sandbox environment doesn't allow direct access to system performance counters. However, a limited subset of counters is exposed as environment variables as described in [Perf Counters exposed as environment variables](https://github.com/projectkudu/kudu/wiki/Perf-Counters-exposed-as-environment-variables). Only a subset of counters is available in this environment. For the full list, see [Perf Counters exposed as environment variables](https://github.com/microsoft/ApplicationInsights-dotnet/blob/main/WEB/Src/PerformanceCollector/PerformanceCollector/Implementation/WebAppPerformanceCollector/CounterFactory.cs).

+The Application Insights SDK for [ASP.NET](https://nuget.org/packages/Microsoft.ApplicationInsights.Web) and [ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) detects if code is deployed to a web app or a non-Windows container. The detection determines whether it collects performance counters in a sandbox environment or utilizes the standard collection mechanism when hosted on a Windows container or virtual machine.

+* For applications that target the .NET Framework, all versions of the SDK support performance counters.

+* SDK versions 2.8.0 and later support the CPU/Memory counter in Linux. No other counter is supported in Linux. To get system counters in Linux (and other non-Windows environments), use [EventCounters](eventcounters.md).

+Like other metrics, you can [set an alert](../alerts/alerts-log.md) to warn you if a performance counter goes outside a limit you specify. To set an alert, open the **Alerts** pane and select **Add Alert**.

+* [Exception tracking](./asp-net-exceptions.md)

+ Title: 'Application Insights: Languages, platforms, and integrations | Microsoft Docs'

+description: Languages, platforms, and integrations that are available for Application Insights.

+Supported platforms and frameworks are listed here.

+### Azure service integration (portal enablement, Azure Resource Manager deployments)

+* [Azure Virtual Machines and Azure Virtual Machine Scale Sets](./azure-vm-vmss-apps.md)

+* [JavaScript - web](./javascript.md)

+> OpenTelemetry-based instrumentation is available in preview for [C#, Node.js, and Python](opentelemetry-enable.md). Review the limitations noted at the beginning of each language's official documentation. If you require a full-feature experience, use the existing Application Insights SDKs.

+* [LogStash plug-in](https://github.com/Azure/azure-diagnostics-tools/tree/master/Logstash/logstash-output-applicationinsights)

+Several other community-supported Application Insights SDKs exist. However, Azure Monitor only provides support when you use the supported instrumentation options listed on this page. We're constantly assessing opportunities to expand our support for other languages. Follow [Azure Updates for Application Insights](https://azure.microsoft.com/updates/?query=application%20insights) for the latest SDK news.

+ Title: Resources, roles, and access control in Application Insights | Microsoft Docs

+You can control who has read and update access to your data in [Application Insights][start] by using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md).

+> Assign access to users in the resource group or subscription to which your application resource belongs, not in the resource itself. Assign the Application Insights Component Contributor role. This role ensures uniform control of access to web tests and alerts along with your application resource. [Learn more](#access).

+## Resources, groups, and subscriptions

+First, let's define some terms:

+* **Resource**: An instance of an Azure service. Your Application Insights resource collects, analyzes, and displays the telemetry data sent from your application. Other types of Azure resources include web apps, databases, and VMs.

+ To see your resources, open the [Azure portal][portal], sign in, and select **All resources**. To find a resource, enter part of its name in the filter field.

+ 

+* [Resource group][group]: Every resource belongs to one group. A group is a convenient way to manage related resources, particularly for access control. For example, in one resource group you could put a web app, an Application Insights resource to monitor the app, and an Azure Storage resource to keep exported data.

+* [Subscription](https://portal.azure.com): To use Application Insights or other Azure resources, you sign in to an Azure subscription. Every resource group belongs to one Azure subscription, where you choose your price package. If it's an organization subscription, the owner can choose the members and their access permissions.

+* [Microsoft account][account]: The username and password that you use to sign in to Azure subscriptions, Xbox Live, Outlook.com, and other Microsoft services.

+Along with the resource you created for your application, there are also separate hidden resources for alerts and web tests. They're attached to the same [resource group](#resource-group) as your Application Insights resource. You might also have put other Azure services in there, such as websites or storage.

+## Provide access to another user

+The user must have a [Microsoft account][account] or access to their [organizational Microsoft account](../../active-directory/fundamentals/sign-up-organization.md). You can provide access to individuals and also to user groups defined in Azure Active Directory.

+#### Go to a resource group or directly to the resource itself

+Assign the Contributor role to Azure RBAC.

+For detailed steps, see [Assign Azure roles by using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+Where applicable, the link connects to the associated official reference documentation.

+| [Application Insights Component Contributor](../../role-based-access-control/built-in-roles.md#application-insights-component-contributor) |Can edit Application Insights resources. |

+| [Application Insights Snapshot Debugger](../../role-based-access-control/built-in-roles.md#application-insights-snapshot-debugger) | Gives the user permission to use Application Insights Snapshot Debugger features. This role isn't included in the Owner or Contributor roles. |

+| [Data Purger](../../role-based-access-control/built-in-roles.md#data-purger) | Special role for purging personal data. For more information, see [Manage personal data in Log Analytics and Application Insights](../logs/personal-data-mgmt.md). |

+| Azure ExpressRoute administrator | Can create, delete, and manage express routes.|

+| [Log Analytics Contributor](../../role-based-access-control/built-in-roles.md#log-analytics-contributor) | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs, reading storage account keys to be able to configure collection of logs from Azure Storage, creating and configuring Automation accounts, adding solutions, and configuring Azure diagnostics on all Azure resources. |

+| [Log Analytics Reader](../../role-based-access-control/built-in-roles.md#log-analytics-reader) | Log Analytics Reader can view and search all monitoring data and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. |

+| Resource Policy Contributor (preview) | Backfilled users from Enterprise Agreements, with rights to create/modify resource policy, create support tickets, and read resource/hierarchy. |

+| [User Access administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) | Allows a user to manage access for other users to Azure resources.|

+| [Website Contributor](../../role-based-access-control/built-in-roles.md#website-contributor) | Lets you manage websites (not web plans) but not access to them.|

+Editing includes creating, deleting, and updating:

+If the user you want isn't in the directory, you can invite anyone with a Microsoft account. If they use services like Outlook.com, OneDrive, Windows Phone, or Xbox Live, they have a Microsoft account.

+See the article [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md).

+Because certain roles can be linked to notifications and email alerts, it can be helpful to be able to generate a list of users who belong to a given role. To help with generating these types of lists, the following sample queries can be adjusted to fit your specific needs.

+ Title: Application Insights Agent overview | Microsoft Docs

+description: Learn how to use Application Insights Agent to monitor website performance without redeploying the website. It works with ASP.NET web apps hosted on-premises, in VMs, or on Azure.

+> This guidance is recommended for on-premises and non-Azure cloud deployments of Application Insights Agent. We recommend a [different deployment approach for Azure virtual machines and Azure virtual machine scale sets](./azure-vm-vmss-apps.md).

+Application Insights Agent is located in the [PowerShell Gallery](https://www.powershellgallery.com/packages/Az.ApplicationMonitor).

+

+- To get started with concise code samples, see [Get started](status-monitor-v2-get-started.md).

+- For a deep dive on how to get started, see the [detailed instructions](status-monitor-v2-detailed-instructions.md).

+This section provides answers to common questions.

+### Does Application Insights Agent support proxy installations?

+Yes. There are multiple ways to download Application Insights Agent:

+- If your computer has internet access, you can onboard to the PowerShell Gallery by using `-Proxy` parameters.

+- You can also manually download the module and either install it on your computer or use it directly.

+Each of these options is described in the [detailed instructions](status-monitor-v2-detailed-instructions.md).

+### Does Status Monitor v2 support ASP.NET Core applications?

+ Yes. Starting from [Application Insights Agent 2.0.0-beta1](https://www.powershellgallery.com/packages/Az.ApplicationMonitor/2.0.0-beta1), ASP.NET Core applications hosted in IIS are supported.

+### How do I verify that the enablement succeeded?

+ - You can use the [Get-ApplicationInsightsMonitoringStatus](./status-monitor-v2-api-reference.md#get-applicationinsightsmonitoringstatus) cmdlet to verify that enablement succeeded.

+ - Use [Live Metrics](./live-stream.md) to quickly determine if your app is sending telemetry.

+

+The release note updates are listed here.

+- Updated the Application Insights .NET/.NET Core SDK to 2.20.1-redfield

+- Enabled SQL query collection

+Updated the Application Insights .NET/.NET Core SDK to 2.18.1-redfield

+Added the ASP.NET Core auto-instrumentation feature

+* [Use Log Analytics](../logs/log-query-overview.md) for more advanced queries.

+* [Add web client telemetry](./javascript.md) to see exceptions from webpage code and to enable trace calls.

+* [Add the Application Insights SDK to your code](./asp-net.md) so that you can insert trace and log calls.

+| Retrieve | [Azure CLI](/cli/azure/monitor/metrics)<br>[Azure PowerShell cmdlets](/powershell/module/az.monitor)<br>[REST API](./rest-api-walkthrough.md) or client library<br>[.NET](/dotnet/api/overview/azure/Monitor.Query-readme)<br>[Go](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/monitor/azquery)<br>[Java](/jav) |

+Azure Monitor managed service for Prometheus supports recording rules and alert rules using PromQL queries. Metrics recorded by recording rules are stored back in the Azure Monitor workspace and can be queried by dashboard or by other rules. Alerts fired by alert rules can trigger actions or notifications, as defined in the [action groups](/azure/azure-monitor/alerts/action-groups) configured for the alert rule. You can also view fired and resolved Prometheus alerts in the Azure portal along with other alert types. For your AKS cluster, a set of [predefined Prometheus alert rules](/azure/azure-monitor/containers/container-insights-metric-alerts) and [recording rules ](/azure/azure-monitor/essentials/prometheus-metrics-scrape-default#recording-rules)is provided to allow easy quick start.

+Instead of calling the REST API directly, you can also use the Azure Monitor Query SDK. The SDK contains idiomatic client libraries for the following ecosystems:

+- [.NET](/dotnet/api/overview/azure/Monitor.Query-readme)

+- [Go](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/monitor/azquery)

+- [Java](/java/api/overview/azure/monitor-query-readme)

+- [JavaScript](/javascript/api/overview/azure/monitor-query-readme)

+- [Python](/python/api/overview/azure/monitor-query-readme)

+Each client library is a wrapper around the REST API that allows you to retrieve log data from the workspace.

+ Title: Azure Monitor Logs cost calculations and options

+# Azure Monitor Logs cost calculations and options

+| **Retrieve** | Access log query results from a:<ul><li>Command line via the [Azure CLI](/cli/azure/monitor/log-analytics) or [Azure PowerShell cmdlets](/powershell/module/az.operationalinsights).</li><li>Custom app via the [REST API](https://dev.loganalytics.io/) or client library for [.NET](/dotnet/api/overview/azure/Monitor.Query-readme), [Go](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/monitor/azquery), [Java](/java/api/overview/azure/monitor-query-readme), [JavaScript](/javascript/api/overview/azure/monitor-query-readme), or [Python](/python/api/overview/azure/monitor-query-readme).</li></ul> |

+- Azure Monitor Query SDK. Retrieve log data from the workspace via an idiomatic client library for the following ecosystems:

+ - [.NET](/dotnet/api/overview/azure/Monitor.Query-readme)

+ - [Go](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/monitor/azquery)

+ - [Java](/java/api/overview/azure/monitor-query-readme)

+ - [JavaScript](/javascript/api/overview/azure/monitor-query-readme)

+ - [Python](/python/api/overview/azure/monitor-query-readme)

+ | Brazil South | France Central | UAE North | South Africa North | Australia East |

+- The Dependency Agent requires the Azure Monitor Agent to be installed on the same machine.

+ - Dependency Agent supports the same [Windows versions that Azure Monitor Agent supports](../agents/agents-overview.md#supported-operating-systems), except Windows Server 2008 SP2 and Azure Stack HCI.

+If you want to stop monitoring your VMs for a while or remove VM insights entirely, see [Disable monitoring of your VMs in VM insights](../vm/vminsights-optout.md).

+ >[!NOTE]

+ >By default, the `.snapshot` directory path is hidden from NFSv4.1 clients. Enabling the **Hide snapshot path** option will hide the .snapshot directory from NFSv3 clients; the directory will still be accessible.

+* Germany North

+| Maximum number of files ([`maxfiles`](#maxfiles)) per volume | 106,255,630 | Yes |

+If you have allocated at least 4 TiB of quota for a volume, you can initiate a support request to increase the maxfiles (inodes) limit beyond 106,255,630. For every 106,255,630 files you increase (or a fraction thereof), you need to increase the corresponding volume quota by 4 TiB. For example, if you increase the maxfiles limit from 106,255,630 files to 212,511,260 files (or any number in between), you need to increase the volume quota from 4 TiB to 8 TiB.

+You can increase the `maxfiles` limit to 531,278,150 if your volume quota is at least 20 TiB.

+* Converting a volume from NFSv3 to NFSv4.1 will cause the `.snapshot` directory to be hidden from NFSv4.1 clients. The directory will still be accessible.

+* Converting a volume from NFSv4.1 to NFSv3 will cause the `.snapshot` directory to be visible. You can modify the properties of the volume to [hide the snapshot path](snapshots-edit-hide-path.md).

+## Why is the `.snapshot` directory not visible in an NFSv4.1 volume, but it is visible in an NFSv3 volume?

+By design, the .snapshot directory is never visible to NFSv4.1 clients. By default, the `.snapshot `directory will be visible to NFSv3 clients. To hide the `.snapshot` directory from NFSv3 clients, edit the properties of the volume to [hide the snapshot path](snapshots-edit-hide-path.md).

+## Subscription filters

+> [!IMPORTANT]

+> After you apply a subscription filter in the Azure portal settings page, you will only see subscriptions that match the filter across all portal experiences. You won't be able to work with other subscriptions that are excluded from the selected filter. Any new subscriptions that are created after the filter was applied may not be shown if the filter criteria don't match. To see them, you must update the filter criteria to include other subscriptions in the portal, or select **Advanced filters** and use the **Default** filter to always show all subscriptions.

+>

+> Certain features, such as **Management groups** or **Security Center**, may show subscriptions that don't match your filter criteria. However, you won't be able to perform operations on those subscriptions (such as moving a subscription between management groups) unless you adjust your filters to include the subscriptions that you want to work with.

+### Advanced filters

+# How to Configure a custom domain for Azure SignalR Service

+In addition to the default domain provided with Azure SignalR Service, you can also add a custom DNS domain to your service. In this article, you'll learn how to add a custom domain to your SignalR Service.

+To configure a custom domain, you need to:

+1. Add a custom domain certificate.

+1. Create a DNS CNAME record.

+1. Add the custom domain.

+## Prerequisites

+- A custom domain registered through an Azure App Service or a third party registrar.

+- An Azure account with an active subscription.

+ - If you don't have one, you [can create one for free](https://azure.microsoft.com/free/).

+- An Azure Resource Group.

+- An Azure SignalR Service resource.

+- An Azure Key Vault instance.

+- A custom domain SSL certificate stored in your Key Vault instance. See [Get started with Key Vault certificates](../key-vault/certificates/certificate-scenarios.md)

+- An Azure DNS zone. (Optional)

+Before you can add a custom domain, you need to add a custom SSL certificate. Your SignalR Service accesses the certificate stored in your key vault through a managed identity.

+There are three steps to adding a domain certificate.

+1. Enable managed identity in your SignalR Service.

+1. Give the managed identity access to your key vault.

+1. Add a custom certificate to your SignalR Service.

+You can use either a system-assigned or user-assigned managed identity. This article demonstrates using a system-assigned managed identity.

+1. In the Azure portal, go to your SignalR service resource.

+1. Select **Identity** from the menu on the left.

+1. On the **System assigned** table, set **Status** to **On**.

+1. Select **Save**, and then select **Yes** when prompted to enable system-assigned managed identity.

+Once the identity is created, the **Object (principal) ID** is displayed. SignalR Service will use the object ID of the system-assigned managed identity to access the key vault. The name of the managed identity is the same as the name of the SignalR Service instance. In the next section, you'll need to search for the principal (managed identity) using the name or Object ID.

+### Give the managed identity access to your key vault

+SignalR Service uses a [managed identity](~/articles/active-directory/managed-identities-azure-resources/overview.md) to access your key vault. You must give the managed identity permission to access your key vault.

+The steps to grant permission depends whether you selected *vault access policy* or *Azure role-based access control* as your key vault permission model.

+If you're using **Vault access policy** as your key vault permission model, follow this procedure to add a new access policy.

+1. Select **Access policies** from the menu on the left.

+1. Select **Create**.

+ :::image type="content" source="media/howto-custom-domain/portal-key-vault-access-policies.png" alt-text="Screenshot of Key Vault's access policy page.":::

+1. In the **Permissions** tab:

+ 1. Select **Get** under **Secret permissions**.

+ 1. Select **Get** under **Certificate permissions**.

+1. Select **Next** to go to the **Principal** tab.

+ :::image type="content" source="media/howto-custom-domain/portal-key-vault-create-access-policy.png" alt-text="Screenshot of Permissions tab of Key Vault's Create an access policy page.":::

+1. Enter the Object ID of the managed identity into the search box.

+1. Select the managed identity from the search results.

+1. Select the **Review + create** tab.

+ :::image type="content" source="media/howto-custom-domain/portal-key-vault-create-access-policy-principal.png" alt-text="Screenshot of the Principal tab of Key Vault's Create an access policy page.":::

+1. Select **Create** from the **Review + create** tab.

+The managed identity for your SignalR Service instance is listed in the access policies table.

+When using the **Azure role-based access control** permission model, follow this procedure to assign a role to the SignalR Service managed identity. To complete this procedure, you must be a member of the [Azure built-in **Owner**](~/articles/role-based-access-control/built-in-roles.md#owner) role.

+1. Search for the SignalR Service resource name or the user assigned identity name. Select **Select**.

+### Add a custom certificate to your SignalR Service

+Use the following steps to add the custom certificate to your SignalR Service:

+1. In the Azure portal, go to your SignalR Service resource.

+1. Enter a name of the custom certificate.

+1. Select **Select from your Key Vault** to choose a key vault certificate. After selection the following **Key Vault Base URI**, **Key Vault Secret Name** should be automatically filled. Alternatively you can also fill in these fields manually.

+The SignalR Service will fetch the certificate and validate its content. When it succeeds, the certificate's **Provisioning State** will be **Succeeded**.

+ :::image type="content" alt-text="Screenshot of an added custom certificate." source="media/howto-custom-domain/portal-custom-certificate-added.png" :::

+## Create a custom domain CNAME record

+You must create a CNAME record for your custom domain in an Azure DNS Zone or with your third-party registrar service. The CNAME record creates an alias from your custom domain to the default domain of SignalR Service. The SignalR Service uses the record to validate the ownership of your custom domain.

+For example, if your default domain is `contoso.service.signalr.net`, and your custom domain is `contoso.example.com`, you need to create a CNAME record on `example.com`.

+Once you've created the CNAME record, you can perform a DNS lookup to see the CNAME information.

+In example, the output from the linux dig (DNS lookup) command should look similar to this output:

+ contoso.example.com. 0 IN CNAME contoso.service.signalr.net.

+If you're using Azure DNS Zone, see [manage DNS records](~/articles/dns/dns-operations-recordsets-portal.md) to learn how to add a CNAME record.

+If you're using other DNS providers, follow the provider's guide to create a CNAME record.

+Now add the custom domain to your SignalR Service.

+1. In the Azure portal, go to your SignalR Service resource.

+1. Enter a name for the custom domain.

+1. Enter the full domain name of your custom domain, for example, `contoso.com`.

+To verify the custom domain, you can use the health API. The health API is a public endpoint that returns the health status of your SignalR Service instance. The health API is available at `https://<your custom domain>/api/health`.

+## Access Key Vault in private network

+If you've configured a [Private Endpoint](../private-link/private-endpoint-overview.md) to your key vault, your SignalR Service won't be able to access your key vault via a public network. You can give your SignalR Service access to your key vault through a private network by creating a [Shared Private Endpoint](./howto-shared-private-endpoints-key-vault.md).

+After you create a Shared Private Endpoint, you can add a custom certificate as described in the [Add a custom certificate to your SignalR Service](#add-a-custom-certificate-to-your-signalr-service) section above.

+>[!IMPORTANT]

+>**You don't have to change the domain in your key vault URI**. For example, if your key vault base URI is `https://contoso.vault.azure.net`, you'll use this URI to configure a custom certificate.

+You don't have to explicitly allow SignalR Service IP addresses in key vault firewall settings. For more info, see [Key Vault private link diagnostics](../key-vault/general/private-link-diagnostics.md).

+## Cleanup

+If you don't plan to use the resources you've created in this article, you can delete the Resource Group.

+>[!CAUTION]

+> Deleting the resource group deletes all resources contained within it. If resources outside the scope of this article exist in the specified resource group, they will also be deleted.

+Azure SignalR Service can access your Key Vault in a private network through Shared Private Endpoints. This way, your Key Vault isn't exposed on a public network.

+You can create private endpoints through Azure SignalR Service APIs for shared access to a resource integrated with [Azure Private Link service](https://azure.microsoft.com/services/private-link/). These endpoints, called *shared private link resources*, are created inside the SignalR execution environment and aren't accessible outside this environment.

+In this article, you'll learn how to create a shared private endpoint to Key Vault.

+## Prerequisites

+You'll need the following resources to complete this article:

+- An Azure resource group.

+- An Azure SignalR Service instance.

+- An Azure Key Vault instance.

+The examples in this article use the following naming convention, although you can use your own names instead.

+- The resource ID of this Azure SignalR Service is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/signalr/contoso-signalr_.

+- The resource ID of Azure Key Vault is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.KeyVault/vaults/contoso-kv_.

+- The rest of the examples show how the *contoso-signalr* service can be configured so that its outbound calls to Key Vault go through a private endpoint rather than public network.

+## Create a shared private link resource to the Key Vault

+1. Select **Networking**.

+1. Select the **Private access** tab.

+1. Select **Add shared private endpoint** in the **Shared private endpoints** section.

+ Enter the following information:

+ | Field | Description |

+ | -- | -- |

+ | **Name** | The name of the shared private endpoint. |

+ | **Type** | Select *Microsoft.KeyVault/vaults* |

+ | **Subscription** | The subscription containing your Key Vault. |

+ | **Resource** | Enter the name of your Key Vault resource. |

+ | **Request Message** | Enter "please approve" |

+When you've successfully added the private endpoint, the provisioning state will be **Succeeded**. The connection state will be **Pending** until you approve the endpoint on the Key Vault side.

+Make the following API call with the [Azure CLI](/cli/azure/) to create a shared private link resource:

+```azurecli

+The process of creating an outbound private endpoint is a long-running (asynchronous) operation. As in all asynchronous Azure operations, the `PUT` call returns an `Azure-AsyncOperation` header value that looks like the following text:

+You can poll for the status by manually querying the `Azure-AsyncOperationHeader` value:

+```azurecli

+## Approve the private endpoint connection for the Key Vault

+1. Go to your Key Vault resource

+1. Select the **Networking**.

+1. Select the **Private endpoint connections** tab.

+ After the asynchronous operation has succeeded, there should be a request for a private endpoint connection with the request message from the previous API call.

+1. Select the private endpoint that SignalR Service created, then select **Approve**.

+1. Select **Yes** to approve the connection.

+1. List private endpoint connections.

+ ```azurecli

+ There should be a pending private endpoint connection. Note its ID.

+ ```azurecli

+## Verify the shared private endpoint is functional

+After a few minutes, the approval propagates to the SignalR Service, and the connection state is set to *Approved*. You can check the state using either Azure portal or Azure CLI.

+```azurecli

+The command will return a JSON object, where the connection state is shown as "status" in the "properties" section.

+When the "Provisioning State" (`properties.provisioningState`) of the resource is `Succeeded` and "Connection State" (`properties.status`) is `Approved`, the shared private link resource is functional, and the SignalR Service can communicate over the private endpoint.

+When the private endpoint between the SignalR Service and Azure Key Vault is functional, the value of the provisioning state is **Succeeded**, and the connection state is **Approved**.

+## Cleanup

+If you don't plan to use the resources you've created in this article, you can delete the Resource Group.

+>[!CAUTION]

+> Deleting the resource group deletes all resources contained within it. If resources outside the scope of this article exist in the specified resource group, they will also be deleted.

+## Next steps

+When you're using [serverless mode](concept-service-mode.md#serverless-mode) in Azure SignalR Service, you can create outbound [private endpoint connections](../private-link/private-endpoint-overview.md) to an upstream service.

+Upstream services, such as Azure Web App and Azure Functions, can be configured to accept connections from a list of virtual networks and refuse outside connections that originate from a public network. To reach these endpoints, you can create an outbound private endpoint connection.

+In this article, you'll learn how to create a shared private endpoint with an outbound private endpoint connection to secure outbound traffic to an upstream Azure Function instance.

+You create private endpoints of secured resources through the SignalR Service APIs. These endpoints, called *shared private link resources*, allow you to share access to a resource, such as an Azure Function integrated with the [Azure Private Link service](https://azure.microsoft.com/services/private-link/). These private endpoints are created inside the SignalR Service execution environment and aren't accessible outside this environment.

+## Prerequisites

+You'll need the following resources to complete the steps in this article:

+- An Azure Resource Group

+- An Azure SignalR Service instance (must not be in free tier)

+- An Azure Function instance

+- > [!NOTE]

+> * The resource ID of the SignalR Service is _/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/contoso/providers/Microsoft.SignalRService/signalr/contoso-signalr_.

+> The rest of the examples show how the *contoso-signalr* service can be configured so that its upstream calls to the function go through a private endpoint rather than public network.

+> You may use your own resource IDs in the examples.

+## Create a shared private link resource to the function

+### [Azure portal](#tab/azure-portal)

+1. In the Azure portal, go to your SignalR Service resource.

+1. Select **Networking** with the left menu.

+1. Select the **Private access** tab.

+1. Select **Add shared private endpoint** in the **Shared private endpoints** section.

+ Enter the following information:

+ | Field | Description |

+ | -- | -- |

+ | **Name** | The name of the shared private endpoint. |

+ | **Type** | Select *Microsoft.Web/sites* |

+ | **Subscription** | The subscription containing your Function app. |

+ | **Resource** | Enter the name of your Function app. |

+ | **Request Message** | Enter "please approve" |

+1. Select **Add**.

+The shared private endpoint resource will be in **Succeeded** provisioning state. The connection state is **Pending** approval at target resource side.

+### [Azure CLI](#tab/azure-cli)

+You can make the following API call to create a shared private link resource:

+```azurecli

+The process of creating an outbound private endpoint is a long-running (asynchronous) operation. As in all asynchronous Azure operations, the `PUT` call returns an `Azure-AsyncOperation` header value that looks like the following example:

+Poll this URI periodically to obtain the status of the operation by manually querying the `Azure-AsyncOperationHeader` value,

+```azurecli

+## Approve the private endpoint connection for the function

+> After you approve the private endpoint connection, the Function is no longer accessible from a public network. You may need to create other private endpoints in your virtual network to access the Function endpoint.

+### [Azure portal](#tab/azure-portal)

+1. In the Azure portal, go to your Function app.

+1. Select **Networking** from the left side menu.

+1. Select **Private endpoint connections**.

+1. Select **Private endpoints** in **Inbound Traffic**.

+1. Select the **Connection name** of the private endpoint connection.

+1. Select **Approve**.

+ Make sure that the private endpoint connection appears as shown in the following screenshot. It could take a few minutes for the status to be updated.

+### [Azure CLI](#tab/azure-cli)

+ ```azurecli

+ ```azurecli

+## Query the status of the shared private link resource

+The approval takes a few minutes to propagate to the SignalR Service. You can check the state using either the Azure portal or Azure CLI.

+### [Azure portal](#tab/azure-portal)

+### [Azure CLI](#tab/azure-cli)

+```azurecli

+The command will return a JSON structure, where the connection state is shown as "status" in the "properties" section.

+When the "Provisioning State" (`properties.provisioningState`) of the resource is `Succeeded` and "Connection State" (`properties.status`) is `Approved`, the shared private link resource is functional, and the SignalR Service can communicate over the private endpoint.

+At this point, the private endpoint between the SignalR Service and Azure Function is established.

+## Verify upstream calls are from a private IP

+Once the private endpoint is set up, you can verify incoming calls from a private IP by checking the `X-Forwarded-For` header upstream side.

+## Cleanup

+If you don't plan to use the resources you've created in this article, you can delete the Resource Group.

+>[!CAUTION]

+> Deleting the resource group deletes all resources contained within it. If resources outside the scope of this article exist in the specified resource group, they will also be deleted.

+## AV36P and AV52 node sizes available in Azure VMware Solution

+ The new node sizes increase memory and storage options to optimize your workloads. The gains in performance enable you to do more per server, break storage bottlenecks, and lower transaction costs of latency-sensitive workloads. The availability of the new nodes allow for large latency-sensitive services to be hosted efficiently on the Azure VMware Solution infrastructure.

+To create a resource guard, run the following cmdlet:

+# [CLI](#tab/cli)

+To create a resource guard, run the following command:

+ ```azurecli-interactive

+ az dataprotection resource-guard create --location "Location" --tags key1="val1" --resource-group "RgName" --resource-guard-name "ResourceGuardName"

+ ```

+To update the operations. These exclude operations from protection by the resource guard, run the following cmdlets:

+# [CLI](#tab/cli)

+To update the operations that are to be excluded from being protected by the resource guard, run the following commands:

+ ```azurecli-interactive

+ az dataprotection resource-guard update --name

+ --resource-group

+ [--critical-operation-exclusion-list {deleteProtection, getSecurityPIN, updatePolicy, updateProtection}]

+ [--resource-type {Microsoft.RecoveryServices/vaults}]

+ [--tags]

+ [--type]

+ ```

+**Example**:

+ ```azurecli

+ az dataprotection resource-guard update --resource-group "RgName" --resource-guard-name "ResourceGuardName" --resource-type "Microsoft.RecoveryServices/vaults" --critical-operation-exclusion-list deleteProtection getSecurityPIN updatePolicy

+ ```

+To enable MUA on a Recovery Services vault, run the following cmdlet:

+# [CLI](#tab/cli)

+To enable MUA on a Recovery Services vault, run the following command:

+ ```azurecli-interactive

+ az backup vault resource-guard-mapping update --resource-guard-id

+ [--ids]

+ [--name]

+ [--resource-group]

+ [--tenant-id]

+ ```

+The tenant ID is required if the resource guard exists in a different tenant.

+**Example**:

+ ```azurecli

+ az backup vault resource-guard-mapping update --resource-group RgName --name VaultName --resource-guard-id ResourceGuardId

+ ```

+To disable MUA on a Recovery Services vault, use the following cmdlet:

+# [CLI](#tab/cli)

+To disable MUA on a Recovery Services vault, run the following command:

+ ```azurecli-interactive

+ az backup vault resource-guard-mapping delete [--ids]

+ [--name]

+ [--resource-group]

+ [--tenant-id]

+ [--yes]

+ ```

+

+The tenant ID is required if the resource guard exists in a different tenant.

+**Example**:

+ ```azurecli

+ az backup vault resource-guard-mapping delete --resource-group RgName --name VaultName

+ ```

+The **ExtensionSettingsOverrides.json** is a JSON (JavaScript Object Notation) file that contains overrides for multiple settings of the Azure Backup service for SQL. For "Partial Restore as files" operation, a new JSON field `RecoveryPointTypesToBeExcludedForRestoreAsFiles` must be added. This field holds a string value that denotes which recovery point types should be excluded in the next restore as files operation.

+2. Create a new JSON file named "ExtensionSettingsOverrides.JSON", if it doesn't already exist.

+ "RecoveryPointTypesToBeExcludedForRestoreAsFiles": "ExcludeFull"

+The `RecoveryPointTypesToBeExcludedForRestoreAsFiles` only takes specific values which denote the recovery points to be excluded during restore. For SQL, these values are:

+- ExcludeFullAndIncremental (Other backup types such as logs will be downloaded, if they are present in the restore point chain)

+- ExcludeFullAndDifferentialAndIncremental (Other backup types such as logs will be downloaded, if they are present in the restore point chain)

+description: Learn how to migrate Azure Batch pools without public IP addresses (classic) and plan for feature end of support.

+## Migrate your eligible pools

+When the Batch pools without public IP addresses (classic) feature retires on March 31, 2023, existing pools that use the feature can migrate only if the pools were created in a virtual network. To migrate your eligible pools, use simplified compute node communication:

+1. Take steps to enable [simplified compute node communication](./simplified-compute-node-communication.md) on your pools.

+ If you created the pools in a virtual network, [complete the migration process](#migrate-your-eligible-pools).

+ After *March 31, 2023*, we'll stop supporting Batch pools without public IP addresses (classic). After that date, existing pool functionality, including scale-out operations, might break. The pool might actively be scaled down to zero at any time.

+Azure Batch offers Spot virtual machines (VMs) to reduce the cost of Batch workloads. Spot VMs make new types of Batch workloads possible by enabling a large amount of compute power to be used for a low cost.

+Spot VMs are offered at a reduced price compared with dedicated VMs. For pricing details, see [Batch Pricing](https://azure.microsoft.com/pricing/details/batch/).

+Batch offers two types of low-cost pre-emptible VMs:

+| | Spot VMs | Low-priority VMs |

+|-|-|-|

+- **Flexible job execution time**: If there's flexibility in the time jobs have to complete, then potential drops in capacity can be tolerated; however, with the addition of Spot VMs jobs frequently run faster and for a lower cost.

+- Spot VMs can be used with a fixed baseline of dedicated VMs. The fixed number of dedicated VMs ensures there's always some capacity to keep a job progressing.

+Keep in mind the following practices when planning your use of Spot VMs:

+- Tasks with shorter execution times tend to work best with Spot VMs. Jobs with longer tasks may be impacted more if interrupted. If long-running tasks implement checkpointing to save progress as they execute, this impact may be reduced.

+- Long-running MPI jobs that utilize multiple VMs aren't well suited to use Spot VMs, because one preempted VM can lead to the whole job having to run again.

+- Spot nodes may be marked as unusable if [network security group (NSG) rules](batch-virtual-network.md#general-virtual-network-requirements) are configured incorrectly.

+VMs may occasionally be preempted. When preemption happens, tasks that were running on the preempted node VMs are requeued and run again.

+For Virtual Machine Configuration pools, Batch also performs the following behaviors:

+- The preempted VMs have their state updated to **Preempted**.

+- The pool continually attempts to reach the target number of Spot nodes available. When replacement capacity is found, the nodes keep their IDs, but are reinitialized, going through **Creating** and **Starting** states before they're available for task scheduling.

+As with pools solely consisting of dedicated VMs, it's possible to scale a pool containing Spot VMs by calling the Resize method or by using autoscale.

+Jobs and tasks may require some extra configuration for Spot nodes:

+- The `AZ_BATCH_NODE_IS_DEDICATED` [environment variable](batch-compute-node-environment-variables.md) is available to a task application so that it can determine whether it's running on a Spot or on a dedicated node.

+- Spot VMs in Batch don't support setting a max price and don't support price-based evictions. They can only be evicted for capacity reasons.

+- Spot VMs aren't available for some clouds, VM sizes, and subscription offer types. See more about [Spot limitations](../virtual-machines/spot-vms.md#limitations).

+Compute nodes in a pool can communicate with each other, such as to run multi-instance tasks, without requiring a

+separate VNet. However, by default, nodes in a pool can't communicate with virtual machines that are outside of

+the pool, such as license or file servers.

+## General virtual network requirements

+* The VNet must be in the same subscription and region as the Batch account you use to create your pool.

+* The subnet specified for the pool must have enough unassigned IP addresses to accommodate the number of VMs targeted for the pool; that is, the sum of the `targetDedicatedNodes` and `targetLowPriorityNodes` properties of the pool. If the subnet doesn't have enough unassigned IP addresses, the pool partially allocates the compute nodes, and a resize error occurs.

+* If you aren't using [Simplified Compute Node Communication](simplified-compute-node-communication.md),

+Azure Storage endpoints need to be resolved by any custom DNS servers that serve your virtual network. Specifically,

+URLs of the form `<account>.table.core.windows.net`, `<account>.queue.core.windows.net`, and

+`<account>.blob.core.windows.net` should be resolvable.

+* Multiple pools can be created in the same virtual network or in the same subnet (as long as it has sufficient address space). A single pool can't exist across multiple virtual networks or subnets.

+Other virtual network requirements differ, depending on whether the Batch pool is in the `VirtualMachineConfiguration`

+or `CloudServiceConfiguration`. `VirtualMachineConfiguration` for Batch pools is recommended as `CloudServiceConfiguration`

+pools are [deprecated](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/).

+> [!IMPORTANT]

+> Batch pools can be configured in one of two communication modes. `Classic` communication

+> mode is where the Batch service initiates communication to the compute nodes.

+> [`Simplified` communication mode](simplified-compute-node-communication.md)

+> is where the compute nodes initiate communication to the Batch Service.

+## Pools in Virtual Machine Configuration

+Requirements:

+- Supported VNets: Azure Resource Manager-based (ARM) virtual networks only

+- Subnet ID: when specifying the subnet using the Batch APIs, use the *resource identifier* of the subnet. The subnet identifier is of the form:

+`/subscriptions/{subscription}/resourceGroups/{group}/providers/Microsoft.Network/virtualNetworks/{network}/subnets/{subnet}`

+- Permissions: check whether your security policies or locks on the VNet's subscription or resource group restrict a user's permissions to manage the VNet.

+- Networking resources: Batch automatically creates more networking resources in the resource group containing the VNet.

+> [!IMPORTANT]

+> For each 100 dedicated or low-priority nodes, Batch creates: one network security group (NSG), one public IP address,

+> and one load balancer. These resources are limited by the subscription's

+> [resource quotas](../../articles/azure-resource-manager/management/azure-subscription-service-limits.md).

+> For large pools, you might need to request a quota increase for one or more of these resources.

+### Network security groups for Virtual Machine Configuration pools: Batch default

+Batch will create a network security group (NSG) at the network interface level of each Virtual Machine Scale

+Set deployment within a Batch pool. For pools that don't have public IP addresses under `simplified` compute

+node communication, NSGs aren't created.

+In order to provide the necessary communication between compute nodes and the Batch service, these NSGs are

+configured such that:

+* Inbound TCP traffic on ports 29876 and 29877 from Batch service IP addresses that correspond to the

+`BatchNodeManagement` service tag. This rule is only created in `classic` pool communication mode.

+* Inbound TCP traffic on port 22 (Linux nodes) or port 3389 (Windows nodes) to permit remote access. For certain types of multi-instance tasks on Linux (such as MPI), you'll need to also allow SSH port 22 traffic for IPs in the subnet containing the Batch compute nodes. This traffic may be blocked per subnet-level NSG rules (see below).

+* Outbound any traffic on port 443 to Batch service IP addresses that correspond to the `BatchNodeManagement` service tag.

+* Outbound traffic on any port to the virtual network. This rule may be amended per subnet-level NSG rules (see below).

+* Outbound traffic on any port to the Internet. This rule may be amended per subnet-level NSG rules (see below).

+> [!IMPORTANT]

+> Use caution if you modify or add inbound or outbound rules in Batch-configured NSGs. If communication to the compute nodes in the specified subnet is denied by an NSG, the Batch service will set the state of the compute nodes to **unusable**. Additionally, no resource locks should be applied to any resource created by Batch, since this can prevent cleanup of resources as a result of user-initiated actions such as deleting a pool.

+### Network security groups for Virtual Machine Configuration pools: Specifying subnet-level rules

+If you have an NSG associated with the subnet for Batch compute nodes, you must configure this

+NSG with at least the inbound and outbound security rules that are shown in the following tables.

+> [!WARNING]

+> Batch service IP addresses can change over time. Therefore, we highly recommend that you use the `BatchNodeManagement` service tag (or a regional variant) for the NSG rules indicated in the following tables. Avoid populating NSG rules with specific Batch service IP addresses.

+#### Inbound security rules

+| Source Service Tag or IP Addresses | Destination Ports | Protocol | Pool Communication Mode | Required |

+|-|-|-|-|-|

+| `BatchNodeManagement.<region>` [service tag](../../articles/virtual-network/network-security-groups-overview.md#service-tags) | 29876-29877 | TCP | Classic | Yes |

+| Source IP addresses for remotely accessing compute nodes | 3389 (Windows), 22 (Linux) | TCP | Classic or Simplified | No |

+Configure inbound traffic on port 3389 (Windows) or 22 (Linux) only if you need to permit remote access

+to the compute nodes from outside sources. You may need to enable port 22 rules on Linux if you require

+support for multi-instance tasks with certain MPI runtimes. Allowing traffic on these ports isn't strictly

+required for the pool compute nodes to be usable. You can also disable default remote access on these ports

+through configuring [pool endpoints](pool-endpoint-configuration.md).

+#### Outbound security rules

+| Destination Service Tag | Destination Ports | Protocol | Pool Communication Mode | Required |

+|-|-|-|-|-|

+| `BatchNodeManagement.<region>` [service tag](../../articles/virtual-network/network-security-groups-overview.md#service-tags) | 443 | * | Simplified | Yes |

+| `Storage.<region>` [service tag](../../articles/virtual-network/network-security-groups-overview.md#service-tags) | 443 | TCP | Classic | Yes |

+Outbound to `BatchNodeManagement.<region>` service tag is required in `classic` pool communication mode

+if using Job Manager tasks or if your tasks must communicate back to the Batch service. For outbound to

+`BatchNodeManagement.<region>` in `simplified` pool communication mode, the Batch service currently only

+uses TCP protocol, but UDP may be required for future compatibility. For

+[pools without public IP addresses](simplified-node-communication-pool-no-public-ip.md)

+using `simplified` communication mode and with a node management private endpoint, an NSG isn't needed.

+For more information about outbound security rules for the `BatchNodeManagement` service tag, see

+[Use simplified compute node communication](simplified-compute-node-communication.md).

+## Pools in the Cloud Services Configuration

+> [!WARNING]

+> Cloud Services Configuration pools are [deprecated](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/). Please use Virtual Machine Configuration pools instead.

+Requirements:

+- Supported VNets: Classic VNets only

+- Subnet ID: when specifying the subnet using the Batch APIs, use the *resource identifier* of the subnet. The subnet identifier is of the form:

+`/subscriptions/{subscription}/resourceGroups/{group}/providers/Microsoft.ClassicNetwork/virtualNetworks/{network}/subnets/{subnet}`

+- Permissions: the `Microsoft Azure Batch` service principal must have the `Classic Virtual Machine Contributor` Azure role for the specified VNet.

+### Network security groups for Cloud Services Configuration pools

+The subnet must allow inbound communication from the Batch service to be able to schedule tasks on the compute nodes, and outbound communication to communicate with Azure Storage or other resources.

+You don't need to specify an NSG, because Batch configures inbound communication only from Batch IP addresses to the pool nodes. However, If the specified subnet has associated NSGs and/or a firewall, configure the inbound and outbound security rules as shown in the following tables. If communication to the compute nodes in the specified subnet is denied by an NSG, the Batch service sets the state of the compute nodes to **unusable**.

+Configure inbound traffic on port 3389 for Windows if you need to permit RDP access to the pool nodes. This rule isn't required for the pool nodes to be usable.

+**Inbound security rules**

+| Source IP addresses | Source ports | Destination | Destination ports | Protocol | Action |

+| | | | | | |

+Any <br /><br />Although this rule effectively requires "allow all", the Batch service applies an ACL rule at the level of each node that filters out all non-Batch service IP addresses. | * | Any | 10100, 20100, 30100 | TCP | Allow |

+| Optional, to allow RDP access to compute nodes. | * | Any | 3389 | TCP | Allow |

+**Outbound security rules**

+| Source | Source ports | Destination | Destination ports | Protocol | Action |

+| | | | | | |

+| Any | * | Any | 443 | Any | Allow |

+Once you've created your VNet and assigned a subnet to it, you can create a Batch pool with that VNet. Follow these steps to create a pool from the Azure portal: 

+1. Specify the remaining required settings, including the **Node size**, **Target dedicated nodes**, and **Target Spot/low-priority nodes**, and any desired optional settings.

+To ensure that the nodes in your pool work in a VNet that has forced tunneling enabled, you must add the following [user-defined routes](../virtual-network/virtual-networks-udr-overview.md) (UDR) for that subnet.

+For classic communication mode pools:

+- Ensure that outbound TCP traffic to Azure Storage on destination port 443 (specifically, URLs of the form `*.table.core.windows.net`, `*.queue.core.windows.net`, and `*.blob.core.windows.net`) isn't blocked by your on-premises network.

+For [simplified communication mode](simplified-compute-node-communication.md) pools without using node management private endpoint:

+- Ensure that outbound TCP/UDP traffic to the Azure Batch `BatchNodeManagement.<region>` service tag on destination port 443 isn't blocked by your on-premises network. Currently only TCP protocol is used, but UDP may be required for future compatibility.

+For all pools:

+- If you use virtual file mounts, review the [networking requirements](virtual-file-mount.md#networking-requirements), and ensure that no required traffic is blocked.

+For more information about Azure data disks in Windows, see this [article](../virtual-machine-scale-sets/tutorial-use-disks-powershell.md).

+- An [Azure VNet](batch-virtual-network.md) from the same subscription where you're creating your pool and IP addresses. You can only use Azure Resource Manager-based VNets. Verify that the VNet meets all of the [general VNet requirements](batch-virtual-network.md#general-virtual-network-requirements).

+- [Create a pool in a subnet of an Azure virtual network](batch-virtual-network.md).

+If desired, you can add a [start task](jobs-and-tasks.md#start-task) that will execute on each node as that node joins the pool, and each time a node is restarted or reimaged. The start task is especially useful for preparing compute nodes for the execution of tasks, like installing the applications that your tasks run on the compute nodes.

+description: Learn about the simplified compute node communication mode in the Azure Batch service and how to enable it.

+An Azure Batch pool contains one or more compute nodes that execute user-specified workloads in the form of Batch tasks. To enable Batch functionality and Batch pool infrastructure management, compute nodes must communicate with the Azure Batch service.

+Batch supports two types of node communication modes:

+- `Classic` where the Batch service initiates communication to the compute nodes

+- `Simplified` where the compute nodes initiate communication to the Batch service

+This document describes the simplified compute node communication mode and the associated network configuration requirements.

+> [!TIP]

+> Information in this document pertaining to networking resources and rules such as NSGs does not apply to

+> Batch pools with [no public IP addresses](simplified-node-communication-pool-no-public-ip.md) using the

+> node management private endpoint without Internet outbound access.

+- Public: all public regions where Batch is present except for West India and France South.

+## Compute node communication differences between Classic and Simplified

+The simplified compute node communication mode streamlines the way Batch pool infrastructure is

+managed on behalf of users. This communication mode reduces the complexity and scope of inbound

+and outbound networking connections required in baseline operations.

+Batch pools with the `classic` communication mode require the following networking rules in network

+security groups (NSGs), user-defined routes (UDRs), and firewalls when

+[creating a pool in a virtual network](batch-virtual-network.md):

+Batch pools with the `simplified` communication mode require the following networking rules in

+NSGs, UDRs, and firewalls:

+ - Destination port 443 over ANY to BatchNodeManagement.*region*

+Outbound requirements for a Batch account can be discovered using the

+[List Outbound Network Dependencies Endpoints API](/rest/api/batchmanagement/batch-account/list-outbound-network-dependencies-endpoints)

+This API will report the base set of dependencies, depending upon the Batch account pool communication mode.

+User-specific workloads may need extra rules such as opening traffic to other Azure resources (such as Azure

+Storage for Application Packages, Azure Container Registry, etc.) or endpoints like the Microsoft package

+repository for virtual file system mounting functionality.

+## Benefits of the simplified communication mode

+Azure Batch users utilizing the simplified mode benefit from simplification of networking connections and

+rules. Simplified compute node communication helps reduce security risks by removing the requirement to open

+ports for inbound communication from the internet. Only a single outbound rule to a well-known Service Tag is

+required for baseline operation.

+The `simplified` mode also provides more fine-grained data exfiltration control over the `classic`

+communication mode since outbound communication to Storage.*region* is no longer required. You can

+explicitly lock down outbound communication to Azure Storage if necessary for your workflow. For

+example, you can scope your outbound communication rules to Azure Storage to enable your AppPackage

+storage accounts or other storage accounts for resource files or output files.

+Even if your workloads aren't currently impacted by the changes (as described in the next section), it's

+recommended to move to the `simplified` mode. Doing so will ensure your Batch workloads are ready for any

+future improvements enabled by this mode, and also for when this communication mode will move to become

+the default.

+## Potential impact between classic and simplified communication modes

+In many cases, the `simplified` communication mode won't directly affect your Batch workloads. However,

+simplified compute node communication will have an impact for the following cases:

+- Users who specify a Virtual Network as part of creating a Batch pool and do one or both of the following actions:

+- Users who enable software firewalls on compute nodes and explicitly disable outbound traffic in software firewall rules that are incompatible with simplified compute node communication.

+If either of these cases applies to you, then follow the steps outlined in the next section to ensure that

+your Batch workloads can still function under the `simplified` mode. We strongly recommend that you test and

+verify all of your changes in a dev and test environment first before pushing your changes into production.

+### Required network configuration changes for simplified communication mode

+The following set of steps is required to migrate to the new communication mode:

+1. Ensure your networking configuration as applicable to Batch pools (NSGs, UDRs, firewalls, etc.) includes a union of the modes (that is, the combined network rules of both `classic` and `simplified` modes). At a minimum, these rules would be:

+ - Destination port 443 over ANY to BatchNodeManagement.*region*

+1. If you have any other inbound or outbound scenarios required by your workflow, you'll need to ensure that your rules reflect these requirements.

+1. Use one of the following options to update your workloads to use the new communication mode.

+ - Create new pools with the `targetNodeCommunicationMode` set to `simplified` and validate that the new pools are working correctly. Migrate your workload to the new pools and delete any earlier pools.

+ - Update existing pools `targetNodeCommunicationMode` property to `simplified` and then resize all existing pools to zero nodes and scale back out.

+1. Use the [Get Pool](/rest/api/batchservice/pool/get), [List Pool](/rest/api/batchservice/pool/list) API or Portal to confirm the `currentNodeCommunicationMode` is set to the desired communication mode of `simplified`.

+1. Modify all applicable networking configuration to the Simplified Compute Node Communication rules, at the minimum (note any extra rules needed as discussed above):

+ - Destination port 443 over ANY to BatchNodeManagement.*region*

+If you follow these steps, but later want to switch back to `classic` compute node communication, you'll need to take the following actions:

+1. Create new pools or update existing pools `targetNodeCommunicationMode` property set to `classic`.

+1. Migrate your workload to these pools, or resize existing pools and scale back out (see step 3 above).

+1. See step 4 above to confirm that your pools are operating in `classic` communication mode.

+1. Optionally revert your networking configuration.

+## Specifying the node communication mode on a Batch pool

+Below are examples of how to create a Batch pool with `simplified` compute node communication.

+> [!TIP]

+> Specifying the target node communication mode is a preference indication for the Batch service and not a guarantee that it

+> will be honored. Certain configurations on the pool may prevent the Batch service from honoring the specified target node

+> communication mode, such as interaction with No public IP address, virtual networks, and the pool configuration type.

+### Azure portal

+Navigate to the Pools blade of your Batch account and click the Add button. Under `OPTIONAL SETTINGS`, you can

+select `Simplified` as an option from the pull-down of `Node communication mode` as shown below.

+ :::image type="content" source="media/simplified-compute-node-communication/add-pool-simplified-mode.png" alt-text="Screenshot that shows creating a pool with simplified mode.":::

+To update an existing pool to simplified communication mode, navigate to the Pools blade of your Batch account and

+click on the pool to update. On the left-side navigation, select `Node communication mode`. There you'll be able

+to select a new target node communication mode as shown below. After selecting the appropriate communication mode,

+click the `Save` button to update. You'll need to scale the pool down to zero nodes first, and then back out

+for the change to take effect, if conditions allow.

+ :::image type="content" source="media/simplified-compute-node-communication/update-pool-simplified-mode.png" alt-text="Screenshot that shows updating a pool to simplified mode.":::

+To display the current node communication mode for a pool, navigate to the Pools blade of your Batch account, and

+click on the pool to view. Select `Properties` on the left-side navigation and the pool node communication mode

+will be shown under the General section.

+ :::image type="content" source="media/simplified-compute-node-communication/get-pool-simplified-mode.png" alt-text="Screenshot that shows properties with a pool with simplified mode.":::

+### REST API

+This example shows how to use the [Batch Service REST API](/rest/api/batchservice/pool/add) to create a pool with

+`simplified` compute node communication.

+```http

+POST {batchURL}/pools?api-version=2022-10-01.16.0

+client-request-id: 00000000-0000-0000-0000-000000000000

+```

+#### Request body

+```json

+"pool": {

+ "id": "pool-simplified",

+ "vmSize": "standard_d2s_v3",

+ "virtualMachineConfiguration": {

+ "imageReference": {

+ "publisher": "Canonical",

+ "offer": "0001-com-ubuntu-server-jammy",

+ "sku": "22_04-lts"

+ },

+ "nodeAgentSKUId": "batch.node.ubuntu 22.04"

+ },

+ "resizeTimeout": "PT15M",

+ "targetDedicatedNodes": 2,

+ "targetLowPriorityNodes": 0,

+ "taskSlotsPerNode": 1,

+ "taskSchedulingPolicy": {

+ "nodeFillType": "spread"

+ },

+ "enableAutoScale": false,

+ "enableInterNodeCommunication": false,

+ "targetNodeCommunicationMode": "simplified"

+}

+```

+## Limitations

+The following are known limitations of the `simplified` communication mode:

+- Limited migration support for previously created pools without public IP addresses

+([V1 preview](batch-pool-no-public-ip-address.md)). These pools can only be migrated if created in a

+[virtual network](batch-virtual-network.md), otherwise they won't use simplified compute node communication, even

+if specified on the pool. For more information, see the

+[migration guide](batch-pools-without-public-ip-addresses-classic-retirement-migration-guide.md).

+- Cloud Service Configuration pools are currently not supported for simplified compute node communication and are

+[deprecated](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/).

+Specifying a communication mode for these types of pools aren't honored and will always result in `classic`

+communication mode. We recommend using Virtual Machine Configuration for your Batch pools. For more information, see

+[Migrate Batch pool configuration from Cloud Services to Virtual Machine](batch-pool-cloud-service-to-virtual-machine-configuration.md).

+## Connection closed or timeout

+There is a known issue on Windows 11 that might affect some types of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. These connections might have handshake failures. For developers, the affected connections are likely to send multiple frames followed by a partial frame with a size of less than 5 bytes within a single input buffer. If the connection fails, your app will receive the error such as, "USP error", "Connection closed", "ServiceTimeout", or "SEC_E_ILLEGAL_MESSAGE".

+There is an out of band update available for Windows 11 that fixes these issues. The update may be manually installed by following the instructions here:

+- [Windows 11 21H2](https://support.microsoft.com/topic/october-17-2022-kb5020387-os-build-22000-1100-out-of-band-5e723873-2769-4e3d-8882-5cb044455a92)

+- [Windows 11 22H2](https://support.microsoft.com/topic/october-25-2022-kb5018496-os-build-22621-755-preview-64040bea-1e02-4b6d-bad1-b036200c2cb3)

+The issue started October 12th, 2022 and should be resolved via Windows update in November, 2022.

+```http

+```http

+```http

+```http

+```console

+```http

+```console

+```http

+```http

+```http

+```http

+```http

+```console

+```http

+```console

+```http

+```console

+```http

+```json

+```http

+```http

+```http

+```console

+```http

+```json

+```http

+GET https://{your-resource-name}.openai.azure.com/openai/deployments?api-version={api-version}

+```http

+```http

+```http

+```http

+```console

+ Title: "Features: Action and Context - Personalizer"

+# Context and Actions

+Personalizer works by learning what your application should show to users in a given context. These are the two most important pieces of information that you pass into Personalizer. The **context** represents the information you have about the current user or the state of your system, and the **actions** are the options to be chosen from.

+## Table of Contents

+* [Context](#context) Information about the current user or state of the system

+* [Actions](#actions) A list of options to choose from

+* [Features](#features) Attributes describing the Context and Actions

+* [Feature Engineering](#feature-engineering) Tips for constructing impactful features

+* [Namespaces](#namespaces) Grouping Features

+* [Examples](#json-examples) Examples of Context and Action features in JSON format

+## Context

+Information for the _context_ depends on each application and use case, but it typically may include information such as:

+* Demographic and profile information about your user.

+* Information extracted from HTTP headers such as user agent, or derived from HTTP information such as reverse geographic lookups based on IP addresses.

+* Information about the current time, such as day of the week, weekend or not, morning or afternoon, holiday season or not, etc.

+* Information extracted from mobile applications, such as location, movement, or battery level.

+* Historical aggregates of the behavior of users - such as what are the movie genres this user has viewed the most.

+* Information about the state of the system.

+Your application is responsible for loading the information about the context from the relevant databases, sensors, and systems you may have. If your context information doesn't change, you can add logic in your application to cache this information, before sending it to the Rank API.

+## Actions

+Actions represent a list of options.

+Don't send in more than 50 actions when Ranking actions. These may be the same 50 actions every time, or they may change. For example, if you have a product catalog of 10,000 items for an e-commerce application, you may use a recommendation or filtering engine to determine the top 40 a customer may like, and use Personalizer to find the one that will generate the most reward (for example, the user will add to the basket) for the current context.

+### Examples of actions

+The actions you send to the Rank API will depend on what you are trying to personalize.

+Here are some examples:

+|Purpose|Action|

+|--|--|

+|Personalize which article is highlighted on a news website.|Each action is a potential news article.|

+|Optimize ad placement on a website.|Each action will be a layout or rules to create a layout for the ads (for example, on the top, on the right, small images, big images).|

+|Display personalized ranking of recommended items on a shopping website.|Each action is a specific product.|

+|Suggest user interface elements such as filters to apply to a specific photo.|Each action may be a different filter.|

+|Choose a chat bot's response to clarify user intent or suggest an action.|Each action is an option of how to interpret the response.|

+|Choose what to show at the top of a list of search results|Each action is one of the top few search results.|

+### Load actions from the client application

+Features from actions may typically come from content management systems, catalogs, and recommender systems. Your application is responsible for loading the information about the actions from the relevant databases and systems you have. If your actions don't change or getting them loaded every time has an unnecessary impact on performance, you can add logic in your application to cache this information.

+### Prevent actions from being ranked

+In some cases, there are actions that you don't want to display to users. The best way to prevent an action from being ranked is by adding it to the [Excluded Actions](https://learn.microsoft.com/dotnet/api/microsoft.azure.cognitiveservices.personalizer.models.rankrequest.excludedactions) list, or not passing it to the Rank Request.

+In some cases, you might not want events to be trained on by default, i.e., you only want to train events when a specific condition is met. For example, The personalized part of your webpage is below the fold (users have to scroll before interacting with the personalized content). In this case you will render the entire page, but only want an event to be trained on when the user scrolls and has a chance to interact with the personalized content. For these cases, you should [Defer Event Activation](concept-active-inactive-events.md) to avoid assigning default reward (and training) events which the end user did not have a chance to interact with.

+## Features

+Both the **context** and possible **actions** are described using **features**. The features represent all information you think is important for the decision making process to maximize rewards. A good starting point is to imagine you are tasked with selecting the best action at each timestamp and ask yourself: "What information do I need to make an informed decision? What information do I have available to describe the context and each possible action?". Features can be very generic, or specific to an item.

+Personalizer does not prescribe, limit, or fix what features you can send for actions and context:

+* Over time, you may add and remove features about context and actions. Personalizer continues to learn from available information.

+* For categorical features, there is no need to pre-define the possible values.

+* For numeric features, there is no need to pre-define ranges.

+* Feature names starting with an underscore `_` will be ignored.

+* The list of features can be large (hundreds), but we recommend starting with a concise feature set and expanding as necessary.

+* **action** features may or may not have any correlation with **context** features.

+* Features that are not available should be omitted from the request. If the value of a specific feature is not available for a given request, omit the feature for this request.

+* Avoid sending features with a null value. A null value will be processed as a string with a value of "null" which is undesired.

+It's ok and natural for features to change over time. However, keep in mind that Personalizer's machine learning model adapts based on the features it sees. If you send a request containing all new features, Personalizer's model will not be able to leverage past events to select the best action for the current event. Having a 'stable' feature set (with recurring features) will help the performance of Personalizer's machine learning algorithms.

+### Context Features

+* Some context features may only be available part of the time. For example, if a user is logged into the online grocery store website, the context will contain features describing purchase history. These features will not be available for a guest user.

+* There must be at least one context feature. Personalizer does not support an empty context.

+* If the context features are identical for every request, Personalizer will choose the globally best action.

+### Action Features

+* Not all actions need to contain the same features. For example, in the online grocery store scenario, microwavable popcorn will have a "cooking time" feature, while a cucumber will not.

+* Features for a certain action ID may be available one day, but later on become unavailable.

+Examples:

+The following are good examples for action features. These will depend a lot on each application.

+* Features with characteristics of the actions. For example, is it a movie or a tv series?

+* Features about how users may have interacted with this action in the past. For example, this movie is mostly seen by people in demographics A or B, it's typically played no more than one time.

+* Features about the characteristics of how the user *sees* the actions. For example, does the poster for the movie shown in the thumbnail include faces, cars, or landscapes?

+## Supported feature types

+Personalizer supports features of string, numeric, and boolean types. It's very likely that your application will mostly use string features, with a few exceptions.

+### How feature types affects the Machine Learning in Personalizer

+* **Strings**: For string types, every key-value (feature name, feature value) combination is treated as a One-Hot feature (e.g. category:"Produce" and category:"Meat" would internally be represented as different features in the machine learning model.

+* **Numeric**: Only use numeric values when the number is a magnitude that should proportionally affect the personalization result. This is very scenario dependent. Features that are based on numeric units but where the meaning isn't linear - such as Age, Temperature, or Person Height - are best encoded as categorical strings. For example Age could be encoded as "Age":"0-5", "Age":"6-10", etc. Height could be bucketed as "Height": "<5'0", "Height": "5'0-5'4", "Height": "5'5-5'11", "Height":"6'0-6-4", "Height":">6'4".

+* **Boolean**

+* **Arrays** ONLY numeric arrays are supported.

+## Feature Engineering

+* Use categorical and string types for features that are not a magnitude.

+* Make sure there are enough features to drive personalization. The more precisely targeted the content needs to be, the more features are needed.

+* There are features of diverse *densities*. A feature is *dense* if many items are grouped in a few buckets. For example, thousands of videos can be classified as "Long" (over 5 min long) and "Short" (under 5 min long). This is a *very dense* feature. On the other hand, the same thousands of items can have an attribute called "Title", which will almost never have the same value from one item to another. This is a very non-dense or *sparse* feature.

+Having features of high density helps Personalizer extrapolate learning from one item to another. But if there are only a few features and they are too dense, Personalizer will try to precisely target content with only a few buckets to choose from.

+### Common issues with feature design and formatting

+* **Sending features with high cardinality.** Features that have unique values that are not likely to repeat over many events. For example, PII specific to one individual (such as name, phone number, credit card number, IP address) shouldn't be used with Personalizer.

+* **Sending user IDs** With large numbers of users, it's unlikely that this information is relevant to Personalizer learning to maximize the average reward score. Sending user IDs (even if non-PII) will likely add more noise to the model and is not recommended.

+* **Sending unique values that will rarely occur more than a few times**. It's recommended to bucket your features to a higher level-of-detail. For example, having features such as `"Context.TimeStamp.Day":"Monday"` or `"Context.TimeStamp.Hour":13` can be useful as there are only 7 and 24 unique values, respectively. However, `"Context.TimeStamp":"1985-04-12T23:20:50.52Z"` is very precise and has an extremely large number of unique values, which makes it very difficult for Personalizer to learn from it.

+### Improve feature sets

+Analyze the user behavior by running a [Feature Evaluation Job](how-to-feature-evaluation.md). This allows you to look at past data to see what features are heavily contributing to positive rewards versus those that are contributing less. You can see what features are helping, and it will be up to you and your application to find better features to send to Personalizer to improve results even further.

+### Expand feature sets with artificial intelligence and cognitive services

+Artificial Intelligence and ready-to-run Cognitive Services can be a very powerful addition to Personalizer.

+### Use Embeddings as Features

+Embeddings from various Machine Learning models have proven to be affective features for Personalizer

+* Embeddings from Large Language Models

+* Embeddings from Computer Vision Models

+## Namespaces

+Optionally, features can be organized using namespaces (relevant for both context and action features). Namespaces can be used to group features by topic, by source, or any other grouping that makes sense in your application. You determine if namespaces are used and what they should be. Namespaces organize features into distinct sets, and disambiguate features with similar names. You can think of namespaces as a 'prefix' that is added to feature names. Namespaces should not be nested.

+The following are examples of feature namespaces used by applications:

+* User_Profile_from_CRM

+* Time

+* Mobile_Device_Info

+* http_user_agent

+* VideoResolution

+* DeviceInfo

+* Weather

+* Product_Recommendation_Ratings

+* current_time

+* NewsArticle_TextAnalytics

+### Namespace naming conventions and guidelines

+* Namespaces should not be nested.

+* Namespaces must start with unique ASCII characters (we recommend using names namespaces that are UTF-8 based). Currently having namespaces with same first characters could result in collisions, therefore it's strongly recommended to have your namespaces start with characters that are distinct from each other.

+* Namespaces are case sensitive. For example `user` and `User` will be considered different namespaces.

+* Feature names can be repeated across namespaces, and will be treated as separate features

+* The following characters cannot be used: codes < 32 (not printable), 32 (space), 58 (colon), 124 (pipe), and 126ΓÇô140.

+* All namespaces starting with an underscore `_` will be ignored.

+## JSON Examples

+### Actions

+### Context

+### Namespaces

+In the following JSON, `user`, `environment`, `device`, and `activity` are namespaces.

+> [!Note]

+> We strongly recommend using names for feature namespaces that are UTF-8 based and start with different letters. For example, `user`, `environment`, `device`, and `activity` start with `u`, `e`, `d`, and `a`. Currently having namespaces with same first characters could result in collisions.

+ "contextFeatures": [

+ {

+ "user": {

+ "profileType":"AnonymousUser",

+ "Location": "New York, USA"

+ }

+ },

+ {

+ "environment": {

+ "monthOfYear": "8",

+ "timeOfDay": "Afternoon",

+ "weather": "Sunny"

+ }

+ },

+ {

+ "device": {

+ "mobile":true,

+ "Windows":true

+ }

+ },

+ {

+ "activity" : {

+ "itemsInCart": "3-5",

+ "cartValue": "250-300",

+ "appliedCoupon": true

+ }

+ }

+ ]

+* Personalizer Inference Explainabiltiy is now available as a Public Preview. Enabling inference explainability returns feature scores on every Rank API call, providing insight into how influential each feature is to the actions chosen by your Personalizer model. [Learn more about Inference Explainability](how-to-inference-explainability.md).

+Read more about these events and payload schema [here](../../../event-grid/communication-services-voice-video-events.md)

+To understand which events are published for different actions, refer to [this guide](../../how-tos/call-automation-sdk/actions-for-call-control.md) that provides code samples as well as sequence diagrams for various call control flows.

+Here are some articles of interest to you:

+1. Understand how your resource will be [charged for various calling use cases](../pricing.md) with examples.

+2. Learn about metrics and logs available for this service.

+1. Troubleshoot common issues.

+ Title: Azure Communication Services Call Automation how-to for managing calls with Call Automation

+description: Provides a how-to guide on using call actions to steer and manage a call with Call Automation.

+zone_pivot_groups: acs-csharp-java

+# How to control and steer calls with Call Automation

+> [!IMPORTANT]

+> Functionality described on this document is currently in private preview. Private preview includes access to SDKs and documentation for testing purposes that are not yet available publicly. Apply to become an early adopter by filling out the form for [preview access to Azure Communication Services](https://aka.ms/ACS-EarlyAdopter).

+Call Automation uses a REST API interface to receive requests for actions and provide responses to notify whether the request was successfully submitted or not. Due to the asynchronous nature of calling, most actions have corresponding events that are triggered when the action completes successfully or fails. This guide covers the actions available for steering calls, like CreateCall, Transfer, Redirect, and managing participants. Actions are accompanied with sample code on how to invoke the said action and sequence diagrams describing the events expected after invoking an action. These diagrams will help you visualize how to program your service application with Call Automation.

+Call Automation supports various other actions to manage call media and recording that aren't included in this guide.

+> [!NOTE]

+> Call Automation currently doesn't interoperate with Microsoft Teams. Actions like making, redirecting a call to a Teams user or adding them to a call using Call Automation isn't supported.

+As a pre-requisite, we recommend you to read the below articles to make the most of this guide:

+1. Call Automation [concepts guide](../../concepts/voice-video-calling/call-automation.md#call-actions) that describes the action-event programming model and event callbacks.

+2. Learn about [user identifiers](../../concepts/identifiers.md#the-communicationidentifier-type) like CommunicationUserIdentifier and PhoneNumberIdentifier used in this guide.

+For all the code samples, `client` is CallAutomationClient object that can be created as shown and `callConnection` is the CallConnection object obtained from Answer or CreateCall response. You can also obtain it from callback events received by your application.

+## [csharp](#tab/csharp)

+```csharp

+var client = new CallAutomationClient("<resource_connection_string>");

+```

+## [Java](#tab/java)

+```java

+ CallAutomationClient client = new CallAutomationClientBuilder().connectionString("<resource_connection_string>").buildClient();

+```

+--

+## Make an outbound call

+You can place a 1:1 or group call to a communication user or phone number (public or Communication Services owned number). Below sample makes an outbound call from your service application to a phone number.

+callerIdentifier is used by Call Automation as your application's identity when making an outbound a call. When calling a PSTN endpoint, you also need to provide a phone number that will be used as the source caller ID and shown in the call notification to the target PSTN endpoint.

+To place a call to a Communication Services user, you'll need to provide a CommunicationUserIdentifier object instead of PhoneNumberIdentifier.

+### [csharp](#tab/csharp)

+```csharp

+Uri callBackUri = new Uri("https://<myendpoint>/Events"); //the callback endpoint where you want to receive subsequent events

+var callerIdentifier = new CommunicationUserIdentifier("<user_id>");

+CallSource callSource = new CallSource(callerIdentifier);

+callSource.CallerId = new PhoneNumberIdentifier("+16044561234"); // This is the ACS provisioned phone number for the caller

+var callThisPerson = new PhoneNumberIdentifier("+16041234567");

+var listOfPersonToBeCalled = new List<CommunicationIdentifier>();

+listOfPersonToBeCalled.Add(callThisPerson);

+var createCallOptions = new CreateCallOptions(callSource, listOfPersonToBeCalled, callBackUri);

+CreateCallResult response = await client.CreateCallAsync(createCallOptions);

+```

+### [Java](#tab/java)

+```java

+String callbackUri = "https://<myendpoint>/Events"; //the callback endpoint where you want to receive subsequent events

+List<CommunicationIdentifier> targets = new ArrayList<>(Arrays.asList(new PhoneNumberIdentifier("+16471234567")));

+CommunicationUserIdentifier callerIdentifier = new CommunicationUserIdentifier("<user_id>");

+CreateCallOptions createCallOptions = new CreateCallOptions(callerIdentifier, targets, callbackUri)

+ .setSourceCallerId("+18001234567"); // This is the ACS provisioned phone number for the caller

+Response<CreateCallResult> response = client.createCallWithResponse(createCallOptions).block();

+```

+--

+The response provides you with CallConnection object that you can use to take further actions on this call once it's connected. Once the call is answered, two events will be published to the callback endpoint you provided earlier:

+1. `CallConnected` event notifying that the call has been established with the callee.

+2. `ParticipantsUpdated` event that contains the latest list of participants in the call.

+

+## Answer an incoming call

+Once you've subscribed to receive [incoming call notifications](../../concepts/voice-video-calling/incoming-call-notification.md) to your resource, below is sample code on how to answer that call. When answering a call, it's necessary to provide a callback url. Communication Services will post all subsequent events about this call to that url.

+### [csharp](#tab/csharp)

+```csharp

+string incomingCallContext = "<IncomingCallContext_From_IncomingCall_Event>";

+Uri callBackUri = new Uri("https://<myendpoint_where_I_want_to_receive_callback_events");

+var answerCallOptions = new AnswerCallOptions(incomingCallContext, callBackUri);

+AnswerCallResult answerResponse = await client.AnswerCallAsync(answerCallOptions);

+CallConnection callConnection = answerResponse.CallConnection;

+```

+### [Java](#tab/java)

+```java

+String incomingCallContext = "<IncomingCallContext_From_IncomingCall_Event>";

+String callbackUri = "https://<myendpoint>/Events";

+

+AnswerCallOptions answerCallOptions = new AnswerCallOptions(incomingCallContext, callbackUri);

+Response<AnswerCallResult> response = client.answerCallWithResponse(answerCallOptions).block();

+```

+--

+The response provides you with CallConnection object that you can use to take further actions on this call once it's connected. Once the call is answered, two events will be published to the callback endpoint you provided earlier:

+1. `CallConnected` event notifying that the call has been established with the caller.

+2. `ParticipantsUpdated` event that contains the latest list of participants in the call.

+

+## Reject a call

+You can choose to reject an incoming call as shown below. You can provide a reject reason: none, busy or forbidden. If nothing is provided, none is chosen by default.

+# [csharp](#tab/csharp)

+```csharp

+string incomingCallContext = "<IncomingCallContext_From_IncomingCall_Event>";

+var rejectOption = new RejectCallOptions(incomingCallContext);

+rejectOption.CallRejectReason = CallRejectReason.Forbidden;

+_ = await client.RejectCallAsync(rejectOption);

+```

+# [Java](#tab/java)

+```java

+String incomingCallContext = "<IncomingCallContext_From_IncomingCall_Event>";

+RejectCallOptions rejectCallOptions = new RejectCallOptions(incomingCallContext)

+ .setCallRejectReason(CallRejectReason.BUSY);

+Response<Void> response = client.rejectCallWithResponse(rejectCallOptions).block();

+```

+--

+No events are published for reject action.

+## Redirect a call

+You can choose to redirect an incoming call to one or more endpoints without answering it. Redirecting a call will remove your application's ability to control the call using Call Automation.

+# [csharp](#tab/csharp)

+```csharp

+string incomingCallContext = "<IncomingCallContext_From_IncomingCall_Event>";

+var target = new CommunicationUserIdentifier("<user_id_of_target>"); //user id looks like 8:a1b1c1-...

+var redirectOption = new RedirectCallOptions(incomingCallContext, target);

+_ = await client.RedirectCallAsync(redirectOption);

+```

+# [Java](#tab/java)

+```java

+String incomingCallContext = "<IncomingCallContext_From_IncomingCall_Event>";

+CommunicationIdentifier target = new CommunicationUserIdentifier("<user_id_of_target>"); //user id looks like 8:a1b1c1-...

+RedirectCallOptions redirectCallOptions = new RedirectCallOptions(incomingCallContext, target);

+Response<Void> response = client.redirectCallWithResponse(redirectCallOptions).block();

+```

+--

+To redirect the call to a phone number, set the target to be PhoneNumberIdentifier.

+# [csharp](#tab/csharp)

+```csharp

+var target = new PhoneNumberIdentifier("+16041234567");

+```

+# [Java](#tab/java)

+```java

+CommunicationIdentifier target = new PhoneNumberIdentifier("+18001234567");

+```

+--

+No events are published for redirect. If the target is a Communication Services user or a phone number owned by your resource, it will generate a new IncomingCall event with 'to' field set to the target you specified.

+## Transfer a 1:1 call

+When your application answers a call or places an outbound call to an endpoint, that endpoint can be transferred to another destination endpoint. Transferring a 1:1 call will remove your application from the call and hence remove its ability to control the call using Call Automation.

+# [csharp](#tab/csharp)

+```csharp

+var transferDestination = new CommunicationUserIdentifier("<user_id>");

+var transferOption = new TransferToParticipantOptions(transferDestination);

+TransferCallToParticipantResult result = await callConnection.TransferCallToParticipantAsync(transferOption);

+```

+# [Java](#tab/java)

+```java

+CommunicationIdentifier transferDestination = new CommunicationUserIdentifier("<user_id>");

+TransferToParticipantCallOptions options = new TransferToParticipantCallOptions(transferDestination);

+Response<TransferCallResult> transferResponse = callConnectionAsync.transferToParticipantCallWithResponse(options).block();

+```

+--

+When transferring to a phone number, it's mandatory to provide a source caller ID. This ID serves as the identity of your application(the source) for the destination endpoint.

+# [csharp](#tab/csharp)

+```csharp

+var transferDestination = new PhoneNumberIdentifier("+16041234567");

+var transferOption = new TransferToParticipantOptions(transferDestination);

+transferOption.SourceCallerId = new PhoneNumberIdentifier("+16044561234");

+TransferCallToParticipantResult result = await callConnection.TransferCallToParticipantAsync(transferOption);

+```

+# [Java](#tab/java)

+```java

+CommunicationIdentifier transferDestination = new PhoneNumberIdentifier("+16471234567");

+TransferToParticipantCallOptions options = new TransferToParticipantCallOptions(transferDestination)

+ .setSourceCallerId(new PhoneNumberIdentifier("+18001234567"));

+Response<TransferCallResult> transferResponse = callConnectionAsync.transferToParticipantCallWithResponse(options).block();

+```

+--

+The below sequence diagram shows the expected flow when your application places an outbound 1:1 call and then transfers it to another endpoint.

+

+## Add a participant to a call

+You can add one or more participants (Communication Services users or phone numbers) to an existing call. When adding a phone number, it's mandatory to provide source caller ID. This caller ID will be shown on call notification to the participant being added.

+# [csharp](#tab/csharp)

+```csharp

+var addThisPerson = new PhoneNumberIdentifier("+16041234567");

+var listOfPersonToBeAdded = new List<CommunicationIdentifier>();

+listOfPersonToBeAdded.Add(addThisPerson);

+var addParticipantsOption = new AddParticipantsOptions(listOfPersonToBeAdded);

+addParticipantsOption.SourceCallerId = new PhoneNumberIdentifier("+16044561234");

+AddParticipantsResult result = await callConnection.AddParticipantsAsync(addParticipantsOption);

+```

+# [Java](#tab/java)

+```java

+CommunicationIdentifier target = new PhoneNumberIdentifier("+16041234567");

+List<CommunicationIdentifier> targets = new ArrayList<>(Arrays.asList(target));

+AddParticipantsOptions addParticipantsOptions = new AddParticipantsOptions(targets)

+ .setSourceCallerId(new PhoneNumberIdentifier("+18001234567"));

+Response<AddParticipantsResult> addParticipantsResultResponse = callConnectionAsync.addParticipantsWithResponse(addParticipantsOptions).block();

+```

+--

+To add a Communication Services user, provide a CommunicationUserIdentifier instead of PhoneNumberIdentifier. Source caller ID isn't mandatory in this case.

+AddParticipant will publish a `AddParticipantSucceeded` or `AddParticipantFailed` event, along with a `ParticipantUpdated` providing the latest list of participants in the call.

+

+

+## Remove a participant from a call

+# [csharp](#tab/csharp)

+```csharp

+var removeThisUser = new CommunicationUserIdentifier("<user_id>");

+var listOfParticipantsToBeRemoved = new List<CommunicationIdentifier>();

+listOfParticipantsToBeRemoved.Add(removeThisUser);

+var removeOption = new RemoveParticipantsOptions(listOfParticipantsToBeRemoved);

+RemoveParticipantsResult result = await callConnection.RemoveParticipantsAsync(removeOption);

+```

+# [Java](#tab/java)

+```java

+CommunicationIdentifier removeThisUser = new CommunicationUserIdentifier("<user_id>");

+RemoveParticipantsOptions removeParticipantsOptions = new RemoveParticipantsOptions(new ArrayList<>(Arrays.asList(removeThisUser)));

+Response<RemoveParticipantsResult> removeParticipantsResultResponse = callConnectionAsync.removeParticipantsWithResponse(removeParticipantsOptions).block();

+```

+--

+RemoveParticipant only generates `ParticipantUpdated` event describing the latest list of participants in the call. The removed participant is excluded if remove operation was successful.

+

+## Hang up on a call

+Hang Up action can be used to remove your application from the call or to terminate a group call by setting forEveryone parameter to true. For a 1:1 call, hang up will terminate the call with the other participant by default.

+# [csharp](#tab/csharp)

+```csharp

+_ = await callConnection.HangUpAsync(true);

+```

+# [Java](#tab/java)

+```java

+Response<Void> response1 = callConnectionAsync.hangUpWithResponse(new HangUpOptions(true)).block();

+```

+--

+CallDisconnected event is published once the hangUp action has completed successfully.

+## Get information about a call participant

+# [csharp](#tab/csharp)

+```csharp

+CallParticipant participantInfo = await callConnection.GetParticipantAsync("<user_id>")

+```

+# [Java](#tab/java)

+```java

+CallParticipant participantInfo = callConnection.getParticipant("<user_id>").block();

+```

+--

+## Get information about all call participants

+# [csharp](#tab/csharp)

+```csharp

+List<CallParticipant> participantList = (await callConnection.GetParticipantsAsync()).Value.ToList();

+```

+# [Java](#tab/java)

+```java

+List<CallParticipant> participantsInfo = Objects.requireNonNull(callConnection.listParticipants().block()).getValues();

+```

+--

+## Get latest info about a call

+# [csharp](#tab/csharp)

+```csharp

+CallConnectionProperties thisCallsProperties = callConnection.GetCallConnectionProperties();

+```

+# [Java](#tab/java)

+```java

+CallConnectionProperties thisCallsProperties = callConnection.getCallProperties().block();

+```

+--

+## Subscribe to IncomingCall event

+IncomingCall is an Azure Event Grid event for notifying incoming calls to your Communication Services resource. To learn more about it, see [this guide](../../concepts/voice-video-calling/incoming-call-notification.md).

+1. Navigate to your resource on Azure portal and select `Events` from the left side menu.

+1. Select `+ Event Subscription` to create a new subscription.

+1. Filter for Incoming Call event.

+1. Choose endpoint type as web hook and provide the public url generated for your application by ngrok. Make sure to provide the exact api route that you programmed to receive the event previously. In this case, it would be <ngrok_url>/api/incomingCall.

+1. Select create to start the creation of subscription and validation of your endpoint as mentioned previously. The subscription is ready when the provisioning status is marked as succeeded.

+This subscription currently has no filters and hence all incoming calls will be sent to your application. To filter for specific phone number or a communication user, use the Filters tab.

+2. Your Event Grid subscription to the IncomingCall should execute and call your application.

+- Learn about [Play action](../../concepts/voice-video-calling/play-Action.md) to play audio in a call.

+Create an Azure container registry instance using the [az acr create](/cli/azure/acr#az-acr-create) command. The registry name must be unique within Azure, contain 5-50 alphanumeric characters. All letters must be specified in lower case. In the following example, `mycontainerregistry007` is used. Update this to a unique value.

+ --name mycontainerregistry007 \

+ ### [Flexible Server](#tab/flexible)

+ ```properties

+ quarkus.package.type=uber-jar

+ quarkus.hibernate-orm.database.generation=drop-and-create

+ quarkus.datasource.db-kind=postgresql

+ quarkus.datasource.jdbc.max-size=8

+ quarkus.datasource.jdbc.min-size=2

+ quarkus.hibernate-orm.log.sql=true

+ quarkus.hibernate-orm.sql-load-script=import.sql

+ quarkus.datasource.jdbc.acquisition-timeout = 10

+ %dev.quarkus.datasource.username=${AZURE_CLIENT_NAME}

+ %dev.quarkus.datasource.jdbc.url=jdbc:postgresql://${DBHOST}.postgres.database.azure.com:5432/${DBNAME}?\

+ authenticationPluginClassName=com.azure.identity.providers.postgresql.AzureIdentityPostgresqlAuthenticationPlugin\

+ &sslmode=require\

+ &azure.clientId=${AZURE_CLIENT_ID}\

+ &azure.clientSecret=${AZURE_CLIENT_SECRET}\

+ &azure.tenantId=${AZURE_TENANT_ID}

+ %prod.quarkus.datasource.username=${AZURE_MI_NAME}

+ %prod.quarkus.datasource.jdbc.url=jdbc:postgresql://${DBHOST}.postgres.database.azure.com:5432/${DBNAME}?\

+ authenticationPluginClassName=com.azure.identity.providers.postgresql.AzureIdentityPostgresqlAuthenticationPlugin\

+ &sslmode=require

+ %dev.quarkus.class-loading.parent-first-artifacts=com.azure:azure-core::jar,\

+ com.azure:azure-core-http-netty::jar,\

+ io.projectreactor.netty:reactor-netty-core::jar,\

+ io.projectreactor.netty:reactor-netty-http::jar,\

+ io.netty:netty-resolver-dns::jar,\

+ io.netty:netty-codec::jar,\

+ io.netty:netty-codec-http::jar,\

+ io.netty:netty-codec-http2::jar,\

+ io.netty:netty-handler::jar,\

+ io.netty:netty-resolver::jar,\

+ io.netty:netty-common::jar,\

+ io.netty:netty-transport::jar,\

+ io.netty:netty-buffer::jar,\

+ com.azure:azure-identity::jar,\

+ com.azure:azure-identity-providers-core::jar,\

+ com.azure:azure-identity-providers-jdbc-postgresql::jar,\

+ com.fasterxml.jackson.core:jackson-core::jar,\

+ com.fasterxml.jackson.core:jackson-annotations::jar,\

+ com.fasterxml.jackson.core:jackson-databind::jar,\

+ com.fasterxml.jackson.dataformat:jackson-dataformat-xml::jar,\

+ com.fasterxml.jackson.datatype:jackson-datatype-jsr310::jar,\

+ org.reactivestreams:reactive-streams::jar,\

+ io.projectreactor:reactor-core::jar,\

+ com.microsoft.azure:msal4j::jar,\

+ com.microsoft.azure:msal4j-persistence-extension::jar,\

+ org.codehaus.woodstox:stax2-api::jar,\

+ com.fasterxml.woodstox:woodstox-core::jar,\

+ com.nimbusds:oauth2-oidc-sdk::jar,\

+ com.nimbusds:content-type::jar,\

+ com.nimbusds:nimbus-jose-jwt::jar,\

+ net.minidev:json-smart::jar,\

+ net.minidev:accessors-smart::jar,\

+ io.netty:netty-transport-native-unix-common::jar

+ ```

+ ### [Single Server](#tab/single)

+ Run the following command to build the Quarkus app image. You must tag it with the fully qualified name of your registry login server. The login server name is in the format *\<registry-name\>.azurecr.io* (must be all lowercase), for example, *mycontainerregistry007.azurecr.io*. Replace the name with your own registry name.

+ mvnw clean package -Pnative -Dquarkus.native.container-build=true -Dquarkus.container-image.build=true -Dquarkus.container-image.registry=mycontainerregistry007 -Dquarkus.container-image.name=quarkus-postgres-passwordless-app -Dquarkus.container-image.tag=v1

+ Use [docker push][docker-push] to push the image to the registry instance. Replace `mycontainerregistry007` with the login server name of your registry instance. This example creates the `quarkus-postgres-passwordless-app` repository, containing the `quarkus-postgres-passwordless-app:v1` image.

+ docker push mycontainerregistry007/quarkus-postgres-passwordless-app:v1

+ REGISTRY_SERVER=mycontainerregistry007

+Next, create a PostgreSQL Database and configure your container app to connect to a PostgreSQL Database with a system-assigned managed identity. The Quarkus app will connect to this database and store its data when running, persisting the application state no matter where you run the application.

+ ### [Flexible Server](#tab/flexible)

+ ```azurecli

+ DB_SERVER_NAME='msdocs-quarkus-postgres-webapp-db'

+ ADMIN_USERNAME='demoadmin'

+ ADMIN_PASSWORD='<admin-password>'

+ az postgres flexible-server create \

+ --resource-group $RESOURCE_GROUP \

+ --name $DB_SERVER_NAME \

+ --location $LOCATION \

+ --admin-user $DB_USERNAME \

+ --admin-password $DB_PASSWORD \

+ --sku-name GP_Gen5_2

+ ```

+ ### [Single Server](#tab/single)

+

+ ### [Flexible Server](#tab/flexible)

+ ```azurecli

+ az postgres flexible-server db create \

+ --resource-group $RESOURCE_GROUP \

+ --server-name $DB_SERVER_NAME \

+ --database-name fruits

+ ```

+ ### [Single Server](#tab/single)

+ ### [Flexible Server](#tab/flexible)

+ ```azurecli

+ az containerapp connection create postgres-flexible \

+ --resource-group $RESOURCE_GROUP \

+ --name my-container-app \

+ --target-resource-group $RESOURCE_GROUP \

+ --server $DB_SERVER_NAME \

+ --database fruits \

+ --managed-identity

+ ```

+ ### [Single Server](#tab/single)

+> [Azure for Java Developers](/java/azure/)

+For Azure Diagnostics tables, all data is written into one single table. Users specify which category they want to query. If you want to view the full-text query of your request, see [Monitor Azure Cosmos DB data by using diagnostic settings in Azure](monitor-resource-logs.md) to learn how to enable this feature.

+For [resource-specific tables](monitor-resource-logs.md), data is written into individual tables for each category of the resource. We recommend this mode because it:

+For Azure Diagnostics tables, all data is written into one single table. Users specify which category they want to query. If you want to view the full-text query of your request, see [Monitor Azure Cosmos DB data by using diagnostic settings in Azure](../monitor-resource-logs.md) to learn how to enable this feature.

+For [resource-specific tables](../monitor-resource-logs.md), data is written into individual tables for each category of the resource. We recommend this mode because it:

+* Firewall, VNET, Data plane RBAC or private endpoint settings.

+For Azure Diagnostics tables, all data is written into one single table. Users specify which category they want to query. If you want to view the full-text query of your request, see [Monitor Azure Cosmos DB data by using diagnostic settings in Azure](../monitor-resource-logs.md) to learn how to enable this feature.

+For [resource-specific tables](../monitor-resource-logs.md), data is written into individual tables for each category of the resource. We recommend this mode because it:

+For Azure Diagnostics tables, all data is written into one single table. Users specify which category they want to query. If you want to view the full-text query of your request, see [Monitor Azure Cosmos DB data by using diagnostic settings in Azure](../monitor-resource-logs.md) to learn how to enable this feature.

+For [resource-specific tables](../monitor-resource-logs.md), data is written into individual tables for each category of the resource. We recommend this mode because it:

+The following code creates a client connection to your API for MongoDB and tests to make sure it's valid.

+* Provision an Azure Cosmos DB account with [periodic backup mode](configure-periodic-backup-restore.md).

+Each tenant is distinct and separate from other tenants. You can allow users from other tenants to access your billing account by using one of the following methods:

+- Creating guest users in your tenants and assigning the appropriate billing role.

+- Associating the other tenant to your tenant and assigning the appropriate billing role.

+|Pricing:|Free<br> Some features of the inventory page, such as the [software inventory](#access-a-software-inventory) require paid solutions to be in-place|

+ Title: Reference list of attack paths and cloud security graph components

+# Reference list of attack paths and cloud security graph components

+This article lists the attack paths, connections and insights you might see in Microsoft Defender for Cloud related to Defender for Cloud Security Posture Management (CSPM). What you are shown in your environment depends on the resources you're protecting and your customized configuration. You will need to [enable Defender for CSPM](enable-enhanced-security.md#enable-defender-plans-to-get-the-enhanced-security-features) to view your attack paths. Learn more about [the cloud security graph, attack path analysis, and the cloud security explorer?](concept-attack-path.md).

+Prerequisite: [Enable agentless scanning](enable-vulnerability-assessment-agentless.md).

+Prerequisite: [Enable agentless scanning](enable-vulnerability-assessment-agentless.md).

+Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md).

+Prerequisite: [Enable Microsoft Defender for SQL servers on machines](defender-for-sql-usage.md).

+Prerequisite: [Enable Defender for Containers](defender-for-containers-enable.md), and install the relevant agents in order to view attack paths that are related to containers. This will also give you the ability to [query](how-to-manage-cloud-security-explorer.md#build-a-query-with-the-cloud-security-explorer) containers data plane workloads in security explorer.

+## Cloud security graph components list

+This section lists all of the cloud security graph components (connections & insights) that can be used in queries with the [cloud security explorer](concept-attack-path.md).

+<iframe src="https://aka.ms/docs/player?id=36a5c440-00e6-4bd8-be1f-a27fbd007119" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe>

+Defender for Cloud's contextual security capabilities assists security teams to assess the risk behind each security issue, and identify the highest risk issues that need to be resolved soonest. Defender for Cloud assists security teams to reduce the risk of an impactful breach to their environment in the most effective way.

+All of these capabilities are available as part of the [Defender Cloud Security Posture Management](concept-cloud-security-posture-management.md) plan and the requiring the enablement of [agentless scanning for VMs](concept-agentless-data-collection.md)

+Learn how to use the [cloud security explorer](how-to-manage-cloud-security-explorer.md), or check out the [cloud security graph components list](attack-path-reference.md#cloud-security-graph-components-list).

+- [Enable Defender CSPM on a subscription](enable-enhanced-security.md#enable-enhanced-security-features-on-a-subscription)

+- [Identify and remediate attack paths](how-to-manage-attack-path.md)

+- [Enabling agentless scanning for machines](enable-vulnerability-assessment-agentless.md#enabling-agentless-scanning-for-machines)

+- [Build a query with the cloud security explorer](how-to-manage-cloud-security-explorer.md)

+The Defender CSPM plan comes with two options, foundational CSPM capabilities and Defender CSPM. When you deploy Defender for Cloud to your subscription and resources, you'll automatically gain the basic coverage offered by the CSPM plan. To gain access to the other capabilities provided by Defender CSPM, you'll need to [enable the Defender Cloud Security Posture Management (CSPM) plan](enable-enhanced-security.md) on your subscription and resources.

+| Feature | Foundational CSPM capabilities | Defender CSPM | Cloud availability |

+> To enable Governance for for DevOps related recommendations, the Defender CSPM plan needs to be enabled on the Azure subscription that hosts the DevOps connector.

+| microsoft-defender-collector-ds-* | kube-system | [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) | A set of containers that focus on collecting inventory and security events from the Kubernetes environment. | SYS_ADMIN, <br>SYS_RESOURCE, <br>SYS_PTRACE | memory: 64Mi<br> <br> cpu: 60m | No |

+| microsoft-defender-collector-misc-* | kube-system | [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) | A set of containers that focus on collecting inventory and security events from the Kubernetes environment that aren't bounded to a specific node. | N/A | memory: 64Mi <br> <br>cpu: 60m | No |

+| microsoft-defender-publisher-ds-* | kube-system | [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) | Publish the collected data to Microsoft Defender for Containers backend service where the data will be processed for and analyzed. | N/A | memory: 200Mi  <br> <br> cpu: 60m | Https 443 <br> <br> Learn more about the [outbound access prerequisites](../aks/limit-egress-traffic.md#microsoft-defender-for-containers) |

+- **SQL Server on Azure VM** - If your SQL machine is hosted on an Azure VM, you can [customize the Log Analytics agent configuration](working-with-log-analytics-agent.md).

+When you enable [Defender Cloud Security Posture Management (CSPM)](concept-cloud-security-posture-management.md) or [Defender for Servers P2](defender-for-servers-introduction.md), agentless scanning is enabled on by default.

+> [Cloud security explorer and attack path analysis](episode-twenty.md)

+ Title: Cloud security explorer and attack path analysis | Defender for Cloud in the Field

+description: Learn about cloud security explorer and attack path analysis.

+# Cloud security explorer and attack path analysis | Defender for Cloud in the Field

+**Episode description**: In this episode of Defender for Cloud in the Field, Tal Rosler joins Yuri Diogenes to talk about cloud security explorer and attack path analysis, two new capabilities in Defender for CSPM that were released at Ignite. The talk explains the rationale behind creating these features and how to use these features to prioritize what is more important to keep your environment more secure. Tal also demonstrates how to use these capabilities to quickly identify vulnerabilities and misconfigurations in cloud workloads.

+<br>

+<br>

+<iframe src="https://aka.ms/docs/player?id=ce442350-7fab-40c0-b934-d93027b00853" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe>

+- [01:27](/shows/mdc-in-the-field/security-explorer#time=01m27s) - The business case for cloud security graph

+- [03:00](/shows/mdc-in-the-field/security-explorer#time=03m00s) - What is cloud security graph

+- [05:06](/shows/mdc-in-the-field/security-explorer#time=05m06s) - Demonstration

+- [09:30](/shows/mdc-in-the-field/security-explorer#time=09m30s) - How paths are created under attack path

+- [12:00](/shows/mdc-in-the-field/security-explorer#time=12m00s) - Cloud security explorer demonstration

+- [19:25](/shows/mdc-in-the-field/security-explorer#time=19m25s) - Saving cloud security explorer queries

+## Recommended resources

+ - [Learn more](/defender-for-cloud/concept-attack-path.md) about Attack path.

+ - Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+ - Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+ - For more about [Microsoft Security](https://msft.it/6002T9HQY)

+- Follow us on social media:

+ - [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ - [Twitter](https://twitter.com/msftsecurity)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- Learn more about [Microsoft Security](https://msft.it/6002T9HQY)

+## Next steps

+> [!div class="nextstepaction"]

+> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

+| Prerequisite | - [Enable agentless scanning](enable-vulnerability-assessment-agentless.md) <br> - [Enable Defender for CSPM](enable-enhanced-security.md) <br> - [Enable Defender for Containers](defender-for-containers-enable.md), and install the relevant agents in order to view attack paths that are related to containers. This will also give you the ability to [query](how-to-manage-cloud-security-explorer.md#build-a-query-with-the-cloud-security-explorer) containers data plane workloads in security explorer. |

+The potential risk categories include credentials exposure, compute abuse, data exposure, subscription and account takeover.

+Learn more about [the cloud security graph, attack path analysis, and the cloud security explorer?](concept-attack-path.md).

+## Create a new custom assessment for your AWS account (Preview)

+With the cloud security explorer, you can query all of your security issues and environment context such as assets inventory, exposure to internet, permissions, lateral movement between resources and more.

+Learn more about [the cloud security graph, attack path analysis, and the cloud security explorer?](concept-attack-path.md).

+| Prerequisite | - [Enable agentless scanning](enable-vulnerability-assessment-agentless.md) <br> - [Enable Defender for CSPM](enable-enhanced-security.md) <br> - [Enable Defender for Containers](defender-for-containers-enable.md), and install the relevant agents in order to view attack paths that are related to containers. This will also give you the ability to [query](how-to-manage-cloud-security-explorer.md#build-a-query-with-the-cloud-security-explorer) containers data plane workloads in security explorer. |

+View the [reference list of attack paths and cloud security graph components](attack-path-reference.md)

+Learn about the [Defender CSPM plan options](concept-cloud-security-posture-management.md#defender-cspm-plan-options)

+## Create a new custom assessment for your GCP project (Preview)

+- **Classic cloud connector** - Requires configuration in your AWS account to create a user that Defender for Cloud can use to connect to your AWS environment. If you have classic cloud connectors, we recommend that you [delete these connectors](#remove-classic-connectors), and use the native connector to reconnect to the account. Using both the classic and native connectors can produce duplicate recommendations.

+ - Azure Arc for servers installed on your EC2 instances/RDS Custom for SQL Server.

+ Auto provisioning is managed by AWS Systems Manager (SSM) using the SSM agent. Some Amazon Machine Images (AMIs) already have the SSM agent pre-installed. If you already have the SSM agent pre-installed, the AMIs are listed in [AMIs with SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html#ami-preinstalled-agent). If your EC2 instances don't have the SSM Agent, you'll need to install it using either of the following relevant instructions from Amazon:

+ - More extensions should be enabled on the Arc-connected machines.

+ Auto provisioning is managed by AWS Systems Manager (SSM) using the SSM agent. Some Amazon Machine Images (AMIs) already have the SSM agent pre-installed. If that is the case, their AMIs are listed in [AMIs with SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html#ami-preinstalled-agent). If your EC2 instances don't have the SSM Agent, you'll need to install it using either of the following relevant instructions from Amazon:

+ - Other extensions should be enabled on the Arc-connected machines:

+ The LA agent is currently configured in the subscription level, such that all the multicloud accounts and projects (from both AWS and GCP) under the same subscription will inherit the subscription settings regarding the LA agent.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ - (Optional) Select **Configure**, to edit the configuration as required.

+ > [!Note]

+## AWS authentication process

+Federated authentication is used between Microsoft Defender for Cloud and AWS. All of the resources related to the authentication are created as a part of the CloudFormation template deployment, including:

+- An identity provider (OpenID connect)

+- Identity and Access Management (IAM) roles with a federated principal (connected to the identity providers).

+The architecture of the authentication process across clouds is as follows:

+1. Microsoft Defender for Cloud CSPM service acquires an Azure AD token with a validity life time of 1 hour that is signed by the Azure AD using the RS256 algorithm.

+1. The Azure AD token is exchanged with AWS short living credentials and Defender for Cloud's CPSM service assumes the CSPM IAM role (assumed with web identity).

+1. Since the principle of the role is a federated identity as defined in a trust relationship policy, the AWS identity provider validates the Azure AD token against the Azure AD through a process that includes:

+ - audience validation

+ - signing of the token

+ - certificate thumbprint

+ 1. The Microsoft Defender for Cloud CSPM role is assumed only after the validation conditions defined at the trust relationship have been met. The conditions defined for the role level are used for validation within AWS and allows only the Microsoft Defender for Cloud CSPM application (validated audience) access to the specific role (and not any other Microsoft token).

+1. After the Azure AD token is validated by the AWS identity provider, the AWS STS exchanges the token with AWS short-living credentials which CSPM service uses to scan the AWS account.

+## CloudFormation deployment source

+As part of connecting an AWS account to Microsoft Defender for Cloud, a CloudFormation template should be deployed to the AWS account. This CloudFormation template creates all of the required resources necessary for Microsoft Defender for Cloud to connect to the AWS account.

+The CloudFormation template should be deployed using Stack (or StackSet if you have a management account).

+When deploying the CloudFormation template, the Stack creation wizard offers the following options:

+1. **Upload a template file** ΓÇô AWS will automatically create an S3 bucket that the CloudFormation template will be saved to. The automation for the S3 bucket will have a security misconfiguration that will cause the `S3 buckets should require requests to use Secure Socket Layer` recommendation to appear. You can remediate this recommendation by applying the following policy:

+ ```bash

+ {ΓÇ»

+ ΓÇ» "Id": "ExamplePolicy",ΓÇ»

+ ΓÇ» "Version": "2012-10-17",ΓÇ»

+ ΓÇ» "Statement": [ΓÇ»

+     { 

+       "Sid": "AllowSSLRequestsOnly", 

+       "Action": "s3:*", 

+       "Effect": "Deny", 

+       "Resource": [ 

+         "<S3_Bucket ARN>", 

+         "<S3_Bucket ARN>/*" 

+       ], 

+       "Condition": { 

+         "Bool": { 

+           "aws:SecureTransport": "false" 

+         } 

+       }, 

+      "Principal": "*" 

+     } 

+ ΓÇ» ]ΓÇ»

+ }ΓÇ»

+ ```

+Follow the steps below to create your AWS cloud connector.

+ - **External ID** - enter the subscription ID as shown in the AWS connector page in Defender for Cloud.

+1. Save the Amazon Resource Name (ARN) for later.

+#### Create an AWS user for Defender for Cloud

+1. In the **Details** step, enter a username for Defender for Cloud and ensure that you select **Programmatic access** for the AWS Access Type.

+ Defender for Cloud discovers the EC2 instances in the connected AWS account and uses SSM to onboard them to Azure Arc.

+ 1. If the machine is connecting to the internet via a proxy server, specify the proxy server IP address, or the name and port number that the machine uses to communicate with the proxy server. Enter the value in the format ```http://<proxyURL>:<proxyport>```

+Now, the new Defender for DevOps plan integrates source code management systems, like GitHub and Azure DevOps, into Defender for Cloud. With this new integration we are empowering security teams to protect their resources from code to cloud.

+The following new recommendations are now available for DevOps:

+Auto-provisioning was meant to allow at-scale enablement of prerequisites, which are needed by Defender for Cloud's advanced features and capabilities. To better support our expanded capabilities, we are launching a new experience with the following changes:

+We are announcing a new Defender plan: Defender CSPM. This plan enhances the security capabilities of Defender for Cloud and includes the following new and expanded features:

+Learn more about the [Defender CSPM plan](concept-cloud-security-posture-management.md).

+| [The ability to create custom assessments in AWS and GCP (Preview) is set to be deprecated](#the-ability-to-create-custom-assessments-in-aws-and-gcp-preview-is-set-to-be-deprecated) | November 2022 |

+| [Recommendation to configure dead-letter queues for Lambda functions to be deprecated](#recommendation-to-configure-dead-letter-queues-for-lambda-functions-to-be-deprecated) | November 2022 |

+| [Recommendation to enable diagnostic logs for Virtual Machine Scale Sets to be deprecated](#recommendation-to-enable-diagnostic-logs-for-virtual-machine-scale-sets-to-be-deprecated) | December 2022 |

+### The ability to create custom assessments in AWS and GCP (Preview) is set to be deprecated

+**Estimated date for change: November 21st, 2022**

+The ability to create custom assessments for [AWS accounts](how-to-manage-aws-assessments-standards.md#create-a-new-custom-assessment-for-your-aws-account-preview) and [GCP projects](how-to-manage-gcp-assessments-standards.md#create-a-new-custom-assessment-for-your-gcp-project-preview) (Preview) is set to be deprecated. This feature will be replaced by with a new feature that will be a part of the [Defender CSPM](concept-cloud-security-posture-management.md) plan, which will be released in the future.

+### Recommendation to configure dead-letter queues for Lambda functions to be deprecated

+**Estimated date for change: November 2022**

+The recommendation [`Lambda functions should have a dead-letter queue configured`](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/AwsRecommendationDetailsBlade/assessmentKey/dcf10b98-798f-4734-9afd-800916bf1e65/showSecurityCenterCommandBar~/false) is set to be deprecated.

+| Recommendation | Description | Severity |

+|--|--|--|

+| Lambda functions should have a dead-letter queue configured | This control checks whether a Lambda function is configured with a dead-letter queue. The control fails if the Lambda function is not configured with a dead-letter queue. As an alternative to an on-failure destination, you can configure your function with a dead-letter queue to save discarded events for further processing. A dead-letter queue acts the same as an on-failure destination. It is used when an event fails all processing attempts or expires without being processed. A dead-letter queue allows you to look back at errors or failed requests to your Lambda function to debug or identify unusual behavior. From a security perspective, it is important to understand why your function failed and to ensure that your function does not drop data or compromise data security as a result. For example, if your function cannot communicate to an underlying resource, that could be a symptom of a denial of service (DoS) attack elsewhere in the network. | Medium |

+### Recommendation to enable diagnostic logs for Virtual Machine Scale Sets to be deprecated

+**Estimated date for change: December 2022**

+The recommendation [`Diagnostic logs in Virtual Machine Scale Sets should be enabled`](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/961eb649-3ea9-f8c2-6595-88e9a3aeedeb/showSecurityCenterCommandBar~/false) is set to be deprecated.

+The related [policy definition](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7c1b1214-f927-48bf-8882-84f0af6588b1) will also be deprecated from any standards displayed in the regulatory compliance dashboard.

+| Recommendation | Description | Severity |

+|--|--|--|

+| Diagnostic logs in Virtual Machine Scale Sets should be enabled | Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. | Low |

+ Title: Setting SSL/TLS appliance certificates

+# Certificates for appliance encryption and authentication (OT appliances)

+1. When uploading the certificate to sensors and on-premises management consoles. If validation fails, the certificate can't be uploaded.

+ - Defender for IoT and certain third party servers defined in Forwarding rules. For more information, see [About forwarded alert information](how-to-forward-alert-information-to-partners.md#about-forwarded-alert-information).

+If the certificate isn't created properly by the certificate lead or there are connection issues to it, the certificate can't be uploaded and users will be forced to work with a locally signed certificate.

+Some organizational security policies may block access to this port. If your organization doesn't have access to port 80, you can:

+Defender for IoT requires that each CA-signed certificate contains a .key file and a .crt file. These files are uploaded to the sensor and On-premises management console after login. Some organizations may require .pem file. Defender for IoT doesn't require this file type.

+A .pem, or .der formatted file with a different extension. The file is recognized by Windows Explorer as a certificate. The .pem file isn't recognized by Windows Explorer.

+Verify that you've met the following parameter requirements before creating a certificate:

+| Check a Certificate Signing Request (CSR) | `openssl req -text -noout -verify -in CSR.csr` |

+| Check a private key | `openssl rsa -in privateKey.key -check` |

+| Check a certificate | `openssl x509 -in certificate.crt -text -noout` |

+|The CRL (Certificate Revocation List) location is not reachable. Verify the URL can be accessed from this appliance | Make sure that your network configuration allows the appliance to reach the CRL Server defined in the certificate. You can use a proxy server if there are limitations in establishing a direct connection.

+Unicode characters are now supported when working with sensor certificate passphrases. For more information, see [Certificates for appliance encryption and authentication (OT appliances)](how-to-deploy-certificates.md#certificates-for-appliance-encryption-and-authentication-ot-appliances).

+ * Take note of the *URL* of your storage account to use later.

+ * Take note of the *name* of your storage container to use later.

+ 1. For the **Azure Storage account URL**, enter the URL of your storage container from the [Prerequisites](#prerequisites) section. For the **Azure Storage container name**, enter the name of your storage container from the [Prerequisites](#prerequisites) section.

+1. Scroll down and select **Start simulation** to start sending simulated data to your Azure Digital Twins instance. The simulation will only run while this window is open and the **Start simulation** option is active.

+ 1. For the **Azure Storage account URL**, fill the name of your storage account from the [Create storage resources](#create-storage-resources) step into this URL: `https://<your-storage-account>.blob.core.windows.net`.

+ 1. For the **Azure Storage container name**, enter the name of your storage container from the [Create storage resources](#create-storage-resources) step.

+1. [Register the Event Grid resource provider](#register-the-event-grid-resource-provider) with your Azure subscription.

+1. [Authorize partner](#authorize-partner-to-create-a-partner-topic) to create a partner topic in your resource group.

+4. [Activate partner topic](#activate-a-partner-topic) so that your events start flowing to your partner topic.

+5. [Subscribe to events](#subscribe-to-events).

+Try [invoking any of the Auth0 actions that trigger an event to be published](https://auth0.com/docs/logs/references/log-event-type-codes) to see events flow.

+1. Navigate to **Monitoring** > **Streams**.

+> - The Event Grid service creates blobs in this container. The names of blobs will have the name of the Event Grid subscription with all the letters in upper case. For example, if the name of the subscription is `My-Blob-Subscription`, names of the dead letter blobs will have `MY-BLOB-SUBSCRIPTION` (`myblobcontainer/MY-BLOB-SUBSCRIPTION/2019/8/8/5/111111111-1111-1111-1111-111111111111.json`). This behavior is to protect against differences in case handling between Azure services.

+> - In the above example `.../2019/8/8/5/...` represents the non-zero padded date and hour (UTC): `.../YYYY/MM/DD/HH/...`.`

+> - The dead letter blobs created will contain one or more events in an array, which is an important behavior to consider when processing dead letters.

+### Azure portal

+While creating an event subscription, you can enable dead-lettering on the **Additional features** tab as shown in the following image. After you enable the feature, specify the blob container that will hold dead-lettered events and the Azure subscription that has the blob storage.

+You can optionally enable a system-assigned or user-assigned managed identity for dead-lettering. The managed identity must be a member of a [role-based access control (RBAC) role](../storage/blobs/authorize-access-azure-active-directory.md#azure-built-in-roles-for-blobs) that allows writing events to the storage.

+You can also enable dead-lettering and configure the settings for an existing event subscription. On the **Event Subscription** page of your event subscription, switch to the **Additional features** tab to see the dead-letter settings as shown in the following image.

+When creating an Event Grid subscription, you can set values for how long Event Grid should try to deliver the event. By default, Event Grid tries for 24 hours (1440 minutes), or 30 times. You can set either of these values for your Event Grid subscription. The value for event time-to-live must be an integer from 1 to 1440. The value for max retries must be an integer from 1 to 30.

+### Azure portal

+While creating an event subscription, you can configure retry policy settings on the **Additional features** tab.

+You can also configure retry policy settings for an existing event subscription. On the **Event Subscription** page of your event subscription, switch to the **Additional features** tab to see the retry policy settings as shown in the following image.

+## Why should I use Microsoft Graph API as a destination?

+1. [Register the Event Grid resource provider](#register-the-event-grid-resource-provider) with your Azure subscription.

+1. [Authorize partner](#authorize-partner-to-create-a-partner-topic) to create a partner topic in your resource group.

+3. [Enable events to flow to a partner topic](#enable-graph-api-events-to-flow-to-your-partner-topic)

+4. [Activate partner topic](#activate-a-partner-topic) so that your events start flowing to your partner topic.

+5. [Subscribe to events](#subscribe-to-events).

+## Enable Graph API events to flow to your partner topic

+This article describes steps to subscribe to events published by an SAP S/4HANA system.

+> [!NOTE]

+> See the [New SAP events on Azure Event Grid](https://techcommunity.microsoft.com/t5/messaging-on-azure-blog/new-sap-events-on-azure-event-grid/ba-p/3663372) for an announcement of this feature.

+## High-level steps

+1. [Register the Event Grid resource provider](#register-the-event-grid-resource-provider) with your Azure subscription.

+1. [Authorize partner](#authorize-partner-to-create-a-partner-topic) to create a partner topic in your resource group.

+1. [Enable SAP S/4HANA events to flow to a partner topic](#enable-events-to-flow-to-your-partner-topic).

+4. [Activate partner topic](#activate-a-partner-topic) so that your events start flowing to your partner topic.

+5. [Subscribe to events](#subscribe-to-events).

+SAP's capability to send events to Azure Event Grid is available through SAP's [beta program](https://influence.sap.com/sap/ino/#campaign/3314). Using this program, you can let SAP know about your desire to have your S4/HANA events available on Azure. You can find the SAP's announcement of this new feature [here](https://blogs.sap.com/2022/10/11/sap-event-mesh-event-bridge-to-microsoft-azure-to-go-beta/). Through SAP's Beta program, you'll be provided with the documentation on how to configure your SAP S4/HANA system to flow events to Event Grid.

+| Bot protection | No | Yes | Yes - Only bot manager rule set 1.0 |

+#Customer intent: As a data analyst, I want understand what is Azure HDInsight and Hadoop and how it is offered in so that I can decide on using HDInsight instead of on premises clusters.

+Azure HDInsight is a full-spectrum, managed cluster platform which simplifies running big data frameworks in large volume and velocity using Apache Spark, Apache Hive, LLAP, Apache Kafka, Apache Hadoop, and more in your Azure environment.

+|Cloud native | Azure HDInsight enables you to create optimized clusters for Spark, [Interactive query (LLAP)](./interactive-query/apache-interactive-query-get-started.md), Kafka, HBase and Hadoop on Azure. HDInsight also provides an end-to-end SLA on all your production workloads. |

+Azure HDInsight enables you to create clusters with open-source frameworks such as Spark, Hive, LLAP, Kafka, Hadoop and HBase. These clusters, by default, come with other open-source components that are included on the cluster such as Apache Ambari, Avro, Apache Hive3, HCatalog, Apache Hadoop MapReduce, Apache Hadoop YARN, Apache Phoenix, Apache Pig, Apache Sqoop, Apache Tez, Apache Oozie, and Apache ZooKeeper.

+ :::image type="content" source="media/concepts-device-authentication/group-primary-key.png" alt-text="Screenshot that shows the group primary key from SAS IoT Devices enrollment group." lightbox="media/concepts-device-authentication/group-primary-key.png":::

+ :::image type="content" source="media/concepts-telemetry-properties-commands/raw-data.png" alt-text="Screenshot that shows the raw data view." lightbox="media/concepts-telemetry-properties-commands/raw-data.png":::

+ :::image type="content" source="media/how-to-connect-devices-x509/verified.png" alt-text="Screenshot that shows a verified X509 certificate." lightbox="media/how-to-connect-devices-x509/verified.png":::

+ :::image type="content" source="media/how-to-connect-devices-x509/individual-enrollment.png" alt-text="Screenshot that shows how to connect a device using an X.509 individual enrollment." lightbox="media/how-to-connect-devices-x509/individual-enrollment.png":::

+1. Select the Cascade-500 device template from the list of featured device templates.

+1. Select **Next: Review** to continue to the next step.

+1. On the next screen, select **Create** to onboard the Cascade-500 device template into your IoT Central application.

+ :::image type="content" source="media/howto-connect-rigado-cascade-500/app-scope-id.png" alt-text="Screenshot that shows the ID scope for your application." lightbox="media/howto-connect-rigado-cascade-500/app-scope-id.png":::

+ :::image type="content" source="media/howto-connect-rigado-cascade-500/primary-key-sas.png" alt-text="Screenshot that shows the primary SAS key for you device connection group." lightbox="media/howto-connect-rigado-cascade-500/primary-key-sas.png":::

+You're now ready to use your Cascade-500 device in your IoT Central application.

+ :::image type="content" source="media/howto-connect-ruuvi/ruuvi-device-list.png" alt-text="Screenshot that shows the device list with a RuuviTag." lightbox="media/howto-connect-ruuvi/ruuvi-device-list.png":::

+ :::image type="content" source="media/howto-create-analytics/analytics-ui.png" alt-text="Screenshot that shows the three areas of the data explorer UI." lightbox="media/howto-create-analytics/analytics-ui.png":::

+ :::image type="content" source="media/howto-create-analytics/time-editor-panel.png" alt-text="Screenshot that shows the time editor panel." lightbox="media/howto-create-analytics/time-editor-panel.png":::

+ :::image type="content" source="media/howto-create-analytics/y-axis-control.png" alt-text="A screenshot that highlights the y-axis control." lightbox="media/howto-create-analytics/y-axis-control.png":::

+ :::image type="content" source="media/howto-create-analytics/zoom.png" alt-text="A Screenshot that shows the use of the zoom control." lightbox="media/howto-create-analytics/zoom.png":::

+ :::image type="content" source="media/howto-create-analytics/additional-chart-controls.png" alt-text="A Screenshot that shows how to access the additional chart controls." lightbox="media/howto-create-analytics/additional-chart-controls.png":::

+Navigate to **Application > Management** and select **Copy**. In the dialog box, enter the details for the new application. Then select **Copy** to confirm that you want to continue. To learn more about the fields in the form, see [Create an application](howto-create-iot-central-application.md).

+After the application copy operation succeeds, you can navigate to the new application using the link.

+Copying an application also copies the definition of rules and email action. Some actions, such as Flow and Logic Apps, are tied to specific rules by the rule ID. When a rule is copied to a different application, it gets its own rule ID. In this case, users must create a new action and then associate the new rule with it. In general, it's a good idea to check the rules and actions to make sure they're up-to-date in the new application.

+When you create an Azure IoT Central application, you choose from the built-in sample templates. You can also create your own application templates from existing IoT Central applications. You can then use your own application templates when you create new applications.

+ :::image type="content" source="media/howto-edit-device-template/migrate-device.png" alt-text="Screenshot that shows how to choose the option to start migrating a device." lightbox="media/howto-edit-device-template/migrate-device.png":::

+The following screenshot shows the dashboard in an application created from the **Custom Application** template. If you're in a role with the appropriate permissions, you can customize the default dashboard. To create a new dashboard from scratch, select**Go to dashboard catalog** and then **+New**. To create a new dashboard by copying the current dashboard, select **Copy**:

+You can also manage the dashboards in the catalog by selecting **Go to dashboard catalog**.

+To customize the current dashboard, select **Edit**.

+After you select **Edit**, the dashboard is in *edit* mode. You can use the tools in the **Add a tile** panel to add tiles to the dashboard. You can customize and remove tiles on the dashboard itself. For example, to add a line chart tile to track telemetry values reported by one or more devices over time:

+1. To edit the tile, select its **pencil** icon. Enter a **Title** and select a **Device Group**. In the **Devices** list, select the devices to show on the tile.

+| Image (static) | Display a custom image and can be clickable. The URL can be a relative link to another page in the application or an absolute link to an external site.|

+| Data explorer query | Display a saved data explorer query |

+## Pin data explorer query to dashboard

+To continuously monitor the data explorer queries, you can pin a query to a dashboard. To pin a query to the dashboard:

+1. Navigate to **Data explorer** in the left pane and select a query.

+- Raw data - View the raw data sent by your designated preview device. This view is useful when you're debugging or troubleshooting a device template.

+ :::image type="content" source="media/howto-set-up-template/infer-model-1.png" alt-text="Screenshot that shows raw data from unassigned device." lightbox="media/howto-set-up-template/infer-model-1.png":::

+ :::image type="content" source="media/howto-set-up-template/infer-model-2.png" alt-text="Screenshot that shows data preview change that lets you edit data that IoT Central uses to generate the device template." lightbox="media/howto-set-up-template/infer-model-2.png":::

+ :::image type="content" source="media/howto-set-up-template/infer-model-3.png" alt-text="Screenshot that shows how to rename the autogenerated device template." lightbox="media/howto-set-up-template/infer-model-3.png":::

+ :::image type="content" source="media/howto-set-up-template/view-id.png" alt-text="Screenshot that shows model ID for device template root interface.":::

+ :::image type="content" source="media/howto-set-up-template/device-template.png" alt-text="Screenshot that shows root interface for a model":::

+ :::image type="content" source="media/howto-set-up-template/add-interface.png" alt-text="Screenshot that shows how to add interface or component." lightbox="media/howto-set-up-template/add-interface.png":::

+Properties represent point-in-time values. You can set writable properties from IoT Central. For example, a device can use a writable property to let an operator set the target temperature as shown in the following screenshot:

+> [!TIP]

+> You can only add cloud properties to the **Root** component in the model.

+1. Select the properties and cloud properties to add to the form. Then select **Add section**.

+You can add map tiles to a dashboard to plot the location of one or more devices. When you add a map tile to show location telemetry, you can plot the location over a time period, as shown in the previous screenshot.

+| Field | Description |

+|||

+| Display name | The display name for the property value used on dashboard tiles and device forms. |

+| Name | The name of the property. Azure IoT Central generates a value for this field from the display name, but you can choose your own value if necessary. This field must be alphanumeric. The device code uses this **Name** value. |

+| Capability type | Property. |

+| Semantic type | The semantic type of the property, such as temperature, state, or event. The choice of semantic type determines which of the following fields are available. |

+| Schema | The property data type, such as double, string, or vector. The available choices are determined by the semantic type. Schema isn't available for the event and state semantic types. |

+| Writable | If the property isn't writable, the device can report property values to Azure IoT Central. If the property is writable, the device can report property values to Azure IoT Central. Then Azure IoT Central can send property updates to the device. |

+| Severity | Only available for the event semantic type. The severities are **Error**, **Information**, or **Warning**. |

+| State values | Only available for the state semantic type. Define the possible state values, each of which has display name, name, enumeration type, and value. |

+| Unit | A unit for the property value, such as **mph**, **%**, or **&deg;C**. |

+| Display unit | A display unit for use on dashboards tiles and device forms. |

+| Comment | Any comments about the property capability. |

+| Description | A description of the property capability. |

+When you select the complex **Schema**, such as **Object**, you need to define the object schema.

+ "@type": "Property",

+ "description": {

+ "en": "Device model name."

+ },

+ "en": "Device model"

+ "name": "model",

+ "writable": false,

+ "schema": {

+ "@type": "Object",

+ "en": "Object"

+ "fields": [

+ {

+ "displayName": {

+ "en": "Model Name"

+ },

+ "name": "ModelName",

+ "schema": "string"

+ },

+ {

+ "displayName": {

+ "en": "Model ID"

+ },

+ "name": "ModelID",

+ "schema": "integer"

+ }

+ ]

+ }

+- Create [custom device management dashboards](howto-manage-dashboards.md). A dashboard can include a [pinned query](howto-manage-dashboards.md#pin-data-explorer-query-to-dashboard) from the **Data explorer**.

+While it's possible to author an import manifest JSON manually using a text editor, the Azure Command Line Interface (CLI) simplifies the process greatly. When you're ready to try out the creation of an import manifest, you can use the [How-to guide](create-update.md#create-a-basic-device-update-import-manifest).

+When the application you're load testing is hosted on Azure App Service, you can get extra insights by using [App Service diagnostics](/azure/app-service/overview-diagnostics).

+In *single-tenant* Azure Logic Apps, the *app settings* for a Standard logic app specify the global configuration options that affect *all the workflows* in that logic app. However, these settings apply *only* when these workflows run in your *local development environment*. Locally running workflows can access these app settings as *local environment variables*, which are used by local development tools for values that can often change between environments. For example, these values can contain connection strings. When you deploy to Azure, app settings are ignored and aren't included with your deployment.

+| `ServiceProviders.Sql.QueryTimeout` | `00:02:00` <br>(2 min) | Sets the request timeout value for SQL service provider operations. |

+| `WEBSITE_LOAD_ROOT_CERTIFICATES` | None | Sets the thumbprints for the root certificates to be trusted. |

+| `Workflows.Connection.AuthenticationAudience` | None | Sets the audience for authenticating a managed (Azure-hosted) connection. |

+| `Workflows.CustomHostName` | None | Sets the host name to use for workflow and input-output URLs, for example, "logic.contoso.com". For information to configure a custom DNS name, see [Map an existing custom DNS name to Azure App Service](../app-service/app-service-web-tutorial-custom-domain.md) and [Secure a custom DNS name with a TLS/SSL binding in Azure App Service](../app-service/configure-ssl-bindings.md). |

+| `Workflows.<workflowName>.RuntimeConfiguration.RetentionInDays` | None | Sets the amount of time in days to keep the run history for <*workflowName*>. |

+| `Workflows.RuntimeConfiguration.RetentionInDays` | `90.00:00:00` <br>(90 days) | Sets the amount of time in days to keep workflow run history after a run starts. |

+### Run duration and history retention

+| `Runtime.Backend.FlowRunTimeout` | `90.00:00:00` <br>(90 days) | Sets the amount of time a workflow can continue running before forcing a timeout. <br><br>**Important**: Make sure this value is less than or equal to the value for the app setting named `Workflows.RuntimeConfiguration.RetentionInDays`. Otherwise, run histories can get deleted before the associated jobs are complete. |

+| `Runtime.FlowMaintenanceJob.RetentionCooldownInterval` | `7.00:00:00` <br>(7 days) | Sets the amount of time in days as the interval between when to check for and delete run history that you no longer want to keep. |

+<a name="manage-host-settings-portal"></a>

+<a name="manage-host-settings-visual-studio-code"></a>

+ Title: Exchange RosettaNet messages

+description: Exchange RosettaNet messages for B2B enterprise integration using Azure Logic Apps. Add a PIP process configuration and an agreement to an integration account.

+#Customer intent: As a logic apps developer, I want to send and receive RosettaNet messages using workflows in Azure Logic Apps so that I can use a standardized process to share business information with partners.

+# Exchange RosettaNet messages for B2B integration using workflows in Azure Logic Apps

+To send and receive RosettaNet messages in workflows that you create using Azure Logic Apps, you can use the RosettaNet connector, which provides actions that manage and support communication that follows RosettaNet standards. RosettaNet is a non-profit consortium that has established standard processes for sharing business information. These standards are commonly used for supply chain processes and are widespread in the semiconductor, electronics, and logistics industries. The RosettaNet consortium creates and maintains Partner Interface Processes (PIPs), which provide common business process definitions for all RosettaNet message exchanges. RosettaNet is based on XML and defines message guidelines, interfaces for business processes, and implementation frameworks for communication between companies. For more information, visit the [RosettaNet site](https://resources.gs1us.org).

+The connector is based on the RosettaNet Implementation Framework (RNIF) version 2.0.01 and supports all PIPs defined by this version. RNIF is an open network application framework that enables business partners to collaboratively run RosettaNet PIPs. This framework defines the message structure, the need for acknowledgments, Multipurpose Internet Mail Extensions (MIME) encoding, and the digital signature. Communication with the partner can be synchronous or asynchronous. The connector provides the following capabilities:

+* Receive or decode RosettaNet messages.

+* Send or encode RosettaNet messages.

+This how-to guide shows how to send and receive RosettaNet messages in workflows using Azure Logic Apps and the RosettaNet connector by completing the following tasks:

+* Add a PIP process configuration, if you don't have one already.

+* Create a RosettaNet agreement.

+* Add an action that receives or decodes RosettaNet messages.

+* Add an action that sends or encodes RosettaNet messages.

+The following concepts and terms are unique to the RosettaNet specification and are important to know when you build RosettaNet-based integration workflows:

+ The RosettaNet organization creates and maintains PIPs, which provide common business process definitions for all RosettaNet message exchanges. Each PIP specification provides a document type definition (DTD) file and a message guideline document. The DTD file defines the service-content message structure. The message guideline document, which is a human-readable HTML file, specifies element-level constraints. Together, these files provide a complete definition of the business process.

+ PIPs are categorized by a high-level business function, or cluster, and a subfunction, or segment. For example, "3A4" is the PIP for Purchase Order, while "3" is the Order Management function, and "3A" is the Quote & Order Entry subfunction. For more information, visit the [RosettaNet site](https://resources.gs1us.org).

+## Connector technical reference

+The RosettaNet connector is available only for Consumption logic app workflows.

+| Logic app | Environment | Connector version |

+|--|-|-|

+| **Consumption** | Multi-tenant Azure Logic Apps | Managed connector, which appears in the designer under the **Standard** label. The **RosettaNet** connector provides only actions, but you can use any trigger that works for your scenario. For more information, review the following documentation: <br><br>- [RosettaNet connector operations](#rosettanet-operations) <br>- [B2B protocol limits for message sizes](logic-apps-limits-and-config.md#b2b-protocol-limits) <br>- [Managed connectors in Azure Logic Apps](../connectors/managed.md) |

+| **Consumption** | Integration service environment (ISE) | Built-in connector, which appears in the designer with the **CORE** label. The **RosettaNet** connector provides only actions, but you can use any trigger that works for your scenario. For more information, review the following documentation: <br><br>- [RosettaNet connector operations](#rosettanet-operations) <br>- [ISE message limits](logic-apps-limits-and-config.md#message-size-limits) <br>- [Managed connectors in Azure Logic Apps](../connectors/managed.md) |

+<a name="rosettanet-operations"></a>

+### RosettaNet operations

+The **RosettaNet** connector has no triggers. The following table describes the actions that the **RosettaNet** connector provides for establishing security and reliability when transmitting messages:

+| Action | Description |

+|--|-|

+| [**RosettaNet Encode** action](#send-encode-rosettanet) | Send RosettaNet messages using encoding that follows RosettaNet standards. |

+| [**RosettaNet Decode** action](#receive-decode-rosettanet) | Receive RosettaNet messages using decoding that follows RosettaNet standards. |

+| [**RosettaNet wait for response** action](#send-encode-rosettanet) | Have the host wait for a RosettaNet response or signal message from the receiver. |

+* An Azure account and subscription. If you don't have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* The Consumption logic app resource and workflow where you want to use the RosettaNet operations.

+* An [integration account](../logic-apps/logic-apps-enterprise-integration-create-integration-account.md) for storing your agreement and other business-to-business (B2B) artifacts.

+ > [!IMPORTANT]

+ >

+ > To work together, both your integration account and logic app resource must exist in the same Azure subscription and Azure region.

+ > To use integration account artifacts in your workflow, make sure to [link your logic app resource to your integration account](logic-apps-enterprise-integration-create-integration-account.md?tabs=consumption#link-account).

+* At least two [partners](../logic-apps/logic-apps-enterprise-integration-partners.md) that are defined in your integration account and configured with the **DUNS** qualifier under **Business Identities** in the Azure portal.

+* Optional [certificates](../logic-apps/logic-apps-enterprise-integration-certificates.md) for encrypting, decrypting, or signing the messages that you upload to the integration account. Certificates are required only if you use signing or encryption.

+To send or receive RosettaNet messages, your integration account requires a PIP process configuration, if you don't have one already. The process configuration stores all the PIP configuration characteristics. You can then reference this configuration when you create an agreement with a partner.

+1. In the [Azure portal](https://portal.azure.com), go to your integration account.

+1. On the integration account navigation menu, under **Settings**, select **RosettaNet PIP**.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/select-rosettanetpip.png" alt-text="Screenshot of the Azure portal and the integration account page. On the navigation menu, RosettaNet PIP is selected.":::

+1. On the **RosettaNet PIP** page, select **Add**. On the **Add Partner Interface Process** pane, enter your PIP details.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/add-rosettanet-pip.png" alt-text="Screenshot of the RosettaNet PIP page, with Add selected. The Add Partner Interface Process pane contains boxes for the name, code, and version.":::

+ | **Name** | Yes | Your PIP name. |

+ | **PIP Code** | Yes | The three-digit PIP code. For more information, see [RosettaNet PIPs](/biztalk/adapters-and-accelerators/accelerator-rosettanet/rosettanet-pips). |

+ | **PIP Version** | Yes | The PIP version number, which depends on your selected PIP code. |

+1. When you're done, select **OK** to create the PIP configuration.

+1. To view or edit the process configuration, select the PIP, and select **Edit as JSON**.

+ All process configuration settings come from the PIP's specifications. Azure Logic Apps populates most of the settings with the default values that are the most typically used values for these properties.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/edit-rosettanet-pip.png" alt-text="Screenshot of the RosettaNet PIP page, with Edit as JSON and a PIP selected. Under Edit as JSON, encoded PIP properties are visible.":::

+<a name="create-rosettanet-agreement"></a>

+1. In the [Azure portal](https://portal.azure.com), go to your integration account.

+1. On the integration account navigation menu, under **Settings**, select **Agreements**.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/select-agreements.png" alt-text="Screenshot of the Azure portal with the integration account page open. On the navigation menu, Agreements is selected.":::

+1. On the **Agreements** page, select **Add**. Under **Add**, enter your agreement details.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/add-agreement-details.png" alt-text="Screenshot of the Agreements page, with Add selected. On the Add pane, boxes appear for the agreement name and type and for partner information.":::

+ | **Name** | Yes | The name of the agreement. |

+ | **Agreement type** | Yes | The type of the agreement. Select **RosettaNet**. |

+ | **Host Partner** | Yes | The organization that configures the agreement. An agreement requires both a host and guest partner. |

+ | **Host Identity** | Yes | An identifier for the host partner. |

+ | **Guest Partner** | Yes | The organization that's doing business with the host partner. An agreement requires both a host and guest partner. |

+ | **Guest Identity** | Yes | An identifier for the guest partner. |

+ | **Receive Settings** | Varies | Properties that apply to all messages received by the host partner. |

+ | **Send Settings** | Varies | Properties that apply to all messages sent by the host partner. |

+ 1. To enable signing or encryption for incoming messages, under **Message**, select **Message should be signed** or **Message should be encrypted**, respectively.

+ | **Message should be signed** | No | The option to sign incoming messages with the selected certificate |

+ | **Enable message encryption** | No | The option to encrypt incoming messages with the selected certificate |

+ 1. Under each selection, select the [certificate](./logic-apps-enterprise-integration-certificates.md) in your integration account that you want to use for signing or encryption.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/add-agreement-receive-details.png" alt-text="Screenshot of the Receive Settings page, with options for signing and encrypting messages and entering certificates.":::

+1. To set up your agreement for sending messages to the guest partner, select **Send Settings**.

+ 1. To enable signing or encryption for outgoing messages, under **Messages**, select **Enable message signing** or **Enable message encryption**, respectively. Under each selection, select the algorithm and [certificate](./logic-apps-enterprise-integration-certificates.md) in your integration account that you want to use for signing or encryption.

+ | **Enable message signing** | No | The option to sign outgoing messages with the selected signing algorithm and certificate |

+ | **Enable message encryption** | No | The option to encrypt outgoing messages with the selected encryption algorithm and certificate |

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/add-agreement-send-details.png" alt-text="Screenshot of the Send Settings page, with options for signing and encrypting messages and for entering algorithms, certificates, and endpoints.":::

+1. To set up your agreement with the RosettaNet PIP references for partners, select **RosettaNet PIP references**. Under **PIP Name**, select the name of the PIP that you created earlier.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/add-agreement-pip-details.png" alt-text="Screenshot that shows a table of PIP information that has one row. That row contains default values except the name, MyPIPConfig, which is selected.":::

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/add-agreement-selected-pip.png" alt-text="Screenshot that shows a table of PIP information. A row for the PIP called MyPIPConfig contains accurate information.":::

+<a name="receive-decode-rosettanet"></a>

+1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app workflow in the designer.

+ Your workflow should already have a trigger and any other actions that you want to run before you add the RosettaNet action. This example continues with the Request trigger.

+1. Under the trigger or action, select **New step**.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/request-trigger.png" alt-text="Screenshot of the designer. Under the Request trigger, New step is selected.":::

+1. Under the **Choose an operation** search box, select **All**. In the search box, enter **rosettanet**. From the actions list, select the action named **RosettaNet Decode**.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/select-decode-rosettanet-action.png" alt-text="Screenshot of the designer. The Choose an operation search box contains rosettanet, and the RosettaNet Decode action is selected.":::

+1. Enter the information for the action's properties:

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/decode-action-details.png" alt-text="Screenshot of the RosettaNet Decode action where boxes are available for the message, the headers, and the role.":::

+ The output of the RosettaNet Decode action includes **Outbound signal**. You can encode this output and return it to the partner, or you can take any other action on this output.

+<a name="send-encode-rosettanet"></a>

+## Send or encode RosettaNet messages

+1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app workflow in the designer.

+ Your workflow should already have a trigger and any other actions that you want to run before you add the RosettaNet action. This example continues with the Request trigger.

+1. Under the trigger or action, select **New step**.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/request-trigger.png" alt-text="Screenshot of the designer. Under the Request trigger, New step is selected.":::

+1. Under the **Choose an operation** search box, select **All**. In the search box, enter **rosettanet**. From the actions list, select the action named **RosettaNet Encode**.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/select-encode-rosettanet-action.png" alt-text="Screenshot of the designer. The Choose an operation search box contains rosettanet, and the RosettaNet Encode action is selected.":::

+1. Enter the information for the action's properties:

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/encode-action-details.png" alt-text="Screenshot of the RosettaNet Encode action where boxes appear for the message, the partners, PIP information, the message type, and the role.":::

+1. To send the encoded message, the following example uses the **HTTP** action, which is renamed **HTTP - Send encoded message to partner**.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/send-rosettanet-message-to-partner.png" alt-text="Screenshot of the designer with an HTTP action renamed as HTTP - Send encoded message to partner, and the URI, header, and body values are entered.":::

+ According to RosettaNet standards, business transactions are considered complete only when all the steps defined by the PIP are complete.

+1. After the host sends the encoded message to a partner, the host waits for the signal and acknowledgment. To accomplish this task, add the action named **RosettaNet wait for response**.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/rosettanet-wait-for-response-action.png" alt-text="Screenshot of a RosettaNet wait for response action where boxes are available for the body, PIP instance identity, retry count, and role.":::

+ The duration to use for waiting and the number of retries are based on the PIP configuration in your integration account. If the response isn't received, a Notification of Failure is generated. To handle retries, always put the **Encode** and **Wait for response** actions in an **Until** loop.

+ :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/rosettanet-loop.png" alt-text="Screenshot of the designer. An Until loop contains actions for encoding and sending messages and for waiting for responses.":::

+## RosettaNet templates

+To accelerate development and recommend integration patterns, you can use Consumption logic app templates for decoding and encoding RosettaNet messages. When you create a Consumption logic app workflow, you can select from the template gallery in the designer. You can also find these templates in the [GitHub repository for Azure Logic Apps](https://github.com/Azure/logicapps).

+* [Managed connector reference for Azure Logic Apps](/connectors/connector-reference/connector-reference-logicapps-connectors)

+* [About managed connectors in Azure Logic Apps](../connectors/managed.md)

+* [About built-in connectors for Azure Logic Apps](../connectors/built-in.md)

+This reference guide describes the limits and configuration information for Azure Logic Apps and related resources. Based on your scenario, solution requirements, the capabilities that you want, and the environment where you want to run your workflows, you choose whether to create a Consumption logic app workflow that runs in *multi-tenant* Azure Logic Apps or an integration service environment (ISE). Or, create a Standard logic app workflow that runs in *single-tenant* Azure Logic Apps or an App Service Environment (v3 - Windows plans only).

+The following table briefly summarizes differences between a Consumption logic app and a Standard logic app. You'll also learn how single-tenant Azure Logic Apps compares to multi-tenant Azure Logic Apps and an ISE for deploying, hosting, and running your logic app workflows.

+## Run duration and history retention limits

+## Change run duration and history retention in storage

+If a run's duration exceeds the current run history retention limit, the run is removed from the runs history in storage. To avoid losing run history, make sure that the retention limit is *always* more than the run's longest possible duration.

+### [Consumption](#tab/consumption)

+For Consumption logic app workflows, the same setting controls the maximum number of days that a workflow can run and for keeping run history in storage.

+* In multi-tenant Azure Logic Apps, the 90-day default limit is the same as the maximum limit. You can only decrease this value.

+* In an ISE, you can decrease or increase the 90-day default limit.

+For example, suppose that you reduce the retention limit from 90 days to 30 days. A 60-day-old run is removed from the runs history. If you increase the retention period from 30 days to 60 days, a 20-day-old run stays in the runs history for another 40 days.

+#### Portal

+1. In the [Azure portal](https://portal.azure.com) search box, open your logic app workflow in the designer.

+1. On the logic app menu, select **Workflow settings**.

+#### ARM template

+#### [Standard](#tab/standard)

+For Standard logic app workflows, you can decrease or increase the 90-day default limit, but you need to add the following settings and their values to your logic app resource or project:

+* An app setting named [**Workflows.RuntimeConfiguration.RetentionInDays**](edit-app-settings-host-settings.md#reference-local-settings-json)

+* A host setting named [**Runtime.FlowMaintenanceJob.RetentionCooldownInterval**](edit-app-settings-host-settings.md#run-duration-history)

+By default, the app setting named **Workflows.RuntimeConfiguration.RetentionInDays** is set to keep 90 days of data. The host setting named **Runtime.FlowMaintenanceJob.RetentionCooldownInterval** is set to check every 7 days for old data to delete. If you leave these default values, you might see data *up to* 97 days old. For example, suppose Azure Logic Apps checks on Day X and deletes data older than Day X - 90 days, and then waits for 7 days before running again. This behavior results in data that ages up to 97 days before the job runs again. However, if you set the interval to 1 day, but leave the retention days at the default value, the maximum delay to delete old data is 90+1 days.

+#### Portal

+1. [Follow these steps to add the app setting named **Workflows.RuntimeConfiguration.RetentionInDays**](edit-app-settings-host-settings.md?tabs=azure-portal#manage-app-settings), and set the value to the number days that you want to keep your workflow run history.

+1. [Follow these steps to add the host setting named **Runtime.FlowMaintenanceJob.RetentionCooldownInterval**](edit-app-settings-host-settings.md#manage-host-settings-portal), and set the value to the number of days as the interval between when to check for and delete run history that you don't want to keep.

+#### Visual Studio Code

+1. [Follow these steps to add the app setting named **Workflows.RuntimeConfiguration.RetentionInDays**](edit-app-settings-host-settings.md?tabs=visual-studio-code#manage-app-settings), and set the value to the number days that you want to keep your workflow run history.

+1. [Follow these steps to add the host setting named **Runtime.FlowMaintenanceJob.RetentionCooldownInterval**](edit-app-settings-host-settings.md#manage-host-settings-visual-studio-code), and set the value to the number of days as the interval between when to check for and delete run history that you don't want to keep.

+ Title: Connect to on-premises file systems

+description: Connect to file systems on premises from workflows in Azure Logic Apps using the File System connector.

+# Connect to on-premises file systems from workflows in Azure Logic Apps

+This how-to guide shows how to access an on-premises file share from a workflow in Azure Logic Apps by using the File System connector. You can then create automated workflows that run when triggered by events in your file share or in other systems and run actions to manage your files. The connector provides the following capabilities:

+In this article, the example scenarios demonstrate the following tasks:

+- Trigger a workflow when a file is created or added to a file share, and then send an email.

+- Trigger a workflow when copying a file from a Dropbox account to a file share, and then send an email.

+## Connector technical reference

+The File System connector has different versions, based on [logic app type and host environment](../logic-apps/logic-apps-overview.md#resource-environment-differences).

+| Logic app | Environment | Connector version |

+|--|-|-|

+| **Consumption** | Multi-tenant Azure Logic Apps | Managed connector, which appears in the designer under the **Standard** label. For more information, review the following documentation: <br><br>- [File System managed connector reference](/connectors/filesystem/) <br>- [Managed connectors in Azure Logic Apps](../connectors/managed.md) |

+| **Consumption** | Integration service environment (ISE) | Managed connector, which appears in the designer under the **Standard** label, and the ISE version, which has different message limits than the Standard class. For more information, review the following documentation: <br><br>- [File System managed connector reference](/connectors/filesystem/) <br>- [ISE message limits](../logic-apps/logic-apps-limits-and-config.md#message-size-limits) <br>- [Managed connectors in Azure Logic Apps](../connectors/managed.md) |

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (Windows plans only) | Managed connector, which appears in the designer under the **Azure** label, and built-in connector, which appears in the designer under the **Built-in** label. The built-in version differs in the following ways: <br><br>- The built-in version supports only Standard logic apps that run in an App Service Environment v3 with Windows plans only. <br><br>- The built-in version can connect directly to a file share and access Azure virtual networks. You don't need an on-premises data gateway. <br><br>For more information, review the following documentation: <br><br>- [File System managed connector reference](/connectors/filesystem/) <br>- [File System built-in connector reference](/azure/logic-apps/connectors/built-in/reference/filesystem/) <br>- [Built-in connectors in Azure Logic Apps](../connectors/built-in.md) |

+## General limitations

+- The File System connector currently supports only Windows file systems on Windows operating systems.

+- Mapped network drives aren't supported.

+* To connect to your file share, different requirements apply, based on your logic app and the hosting environment:

+ - Consumption logic app workflows

+ - In multi-tenant Azure Logic Apps, you need to meet the following requirements, if you haven't already:

+

+ 1. [Install the on-premises data gateway on a local computer](logic-apps-gateway-install.md).

+ The File System managed connector requires that your gateway installation and file system server must exist in the same Windows domain.

+ 1. [Create an on-premises data gateway resource in Azure](logic-apps-gateway-connection.md).

+ 1. After you add a File System managed connector trigger or action to your workflow, select the data gateway resource that you previously created so you can connect to your file system.

+ - In an ISE, you don't need the on-premises data gateway. Instead, you can use the ISE-versioned File System connector.

+ - Standard logic app workflows

+ You can use the File System built-in connector or managed connector.

+ * To use the File System managed connector, follow the same requirements as a Consumption logic app workflow in multi-tenant Azure Logic Apps.

+ * To use the File System built-in connector, your Standard logic app workflow must run in App Service Environment v3, but doesn't require the data gateway resource.

+* To follow the example scenario in this how-to guide, you need an email account from a provider that's supported by Azure Logic Apps, such as Office 365 Outlook, Outlook.com, or Gmail. For other providers, [review other supported email connectors](/connectors/connector-reference/connector-reference-logicapps-connectors). This example uses the Office 365 Outlook connector with a work or school account. If you use another email account, the overall steps are the same, but your UI might slightly differ.

+* The logic app workflow where you want to access your file share. To start your workflow with a File System trigger, you have to start with a blank workflow. To add a File System action, start your workflow with any trigger.

+### [Consumption](#tab/consumption)

+1. In the [Azure portal](https://portal.azure.com), open your blank logic app workflow in the designer.

+1. On the designer, under the search box, select **Standard**. In the search box, enter **file system**.

+1. From the triggers list, select the [File System trigger](/connectors/filesystem/#triggers) that you want. This example continues with the trigger named **When a file is created**.

+ 

+1. In the connection information box, provide the following information as required:

+ The following example shows the connection information for the File System managed connector trigger:

+ 

+ The following example shows the connection information for the File System ISE-based trigger:

+ 

+1. When you're done, select **Create**.

+ Azure Logic Apps creates and tests your connection, making sure that the connection works properly. If the connection is set up correctly, the setup options appear for your selected trigger.

+1. Continue building your workflow.

+ 1. Provide the required information for your trigger.

+ For this example, select the folder path on your file system server to check for a newly created file. Specify the number of files to return and how often you want to check.

+ 

+ 1. To test your workflow, add an Outlook action that sends you an email when a file is created on the file system in specified folder. Enter the email recipients, subject, and body. For testing, you can use your own email address.

+ 

+ > [!TIP]

+ >

+ > To add outputs from previous steps in the workflow, click inside the trigger's edit boxes.

+ > When the dynamic content list appears, select from the available outputs.

+1. Save your logic app. Test your workflow by uploading a file and triggering the workflow.

+ If successful, your workflow sends an email about the new file.

+### [Standard](#tab/standard)

+#### Built-in connector trigger

+These steps apply only to Standard logic apps in an App Service Environment v3 with Windows plans only.

+1. In the [Azure portal](https://portal.azure.com), open your blank logic app workflow in the designer.

+1. On the designer, under the search box, select **Built-in**. In the search box, enter **file system**.

+1. From the triggers list, select the [File System trigger](/azure/logic-apps/connectors/built-in/reference/filesystem/#triggers) that you want. This example continues with the trigger named **When a file is added**.

+ 

+1. In the connection information box, provide the following information as required:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **Connection name** | Yes | <*connection-name*> | The name to use for your connection |

+ | **Root folder** | Yes | <*root-folder-name*> | The root folder for your file system, which is usually the main parent folder and is the folder used for the relative paths with all triggers that work on files. <br><br>For example, if you installed the on-premises data gateway, use the local folder on the computer with the data gateway installation. Or, use the folder for the network share where the computer can access that folder, for example, **`\\PublicShare\\MyFileSystem`**. |

+ | **Username** | Yes | <*domain-and-username*> | The domain and username for the computer where you have your file system. <br><br>For the managed File System connector, use one of the following values with the backslash (**`\`**): <br><br>- **<*domain*>\\<*username*>** <br>- **<*local-computer*>\\<*username*>** |

+ | **Password** | Yes | <*password*> | The password for the computer where you have your file system |

+ The following example shows the connection information for the File System built-in connector trigger:

+ 

+1. When you're done, select **Create**.

+ Azure Logic Apps creates and tests your connection, making sure that the connection works properly. If the connection is set up correctly, the setup options appear for your selected trigger.

+1. Continue building your workflow.

+ 1. Provide the required information for your trigger.

+ For this example, select the folder path on your file system server to check for a newly added file. Specify how often you want to check.

+ 

+ 1. To test your workflow, add an Outlook action that sends you an email when a file is added to the file system in specified folder. Enter the email recipients, subject, and body. For testing, you can use your own email address.

+ 

+ > [!TIP]

+ >

+ > To add outputs from previous steps in the workflow, click inside the trigger's edit boxes.

+ > When the dynamic content list appears, select from the available outputs.

+1. Save your logic app. Test your workflow by uploading a file and triggering the workflow.

+ If successful, your workflow sends an email about the new file.

+#### Managed connector trigger

+1. In the [Azure portal](https://portal.azure.com), open your blank logic app workflow in the designer.

+1. On the designer, under the search box, select **Azure**. In the search box, enter **file system**.

+1. From the triggers list, select the [File System trigger](/connectors/filesystem/#triggers/#triggers) that you want. This example continues with the trigger named **When a file is created**.

+ 

+1. In the connection information box, provide the following information as required:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **Connection name** | Yes | <*connection-name*> | The name to use for your connection |

+ | **Root folder** | Yes | <*root-folder-name*> | The root folder for your file system, which is usually the main parent folder and is the folder used for the relative paths with all triggers that work on files. <br><br>For example, if you installed the on-premises data gateway, use the local folder on the computer with the data gateway installation. Or, use the folder for the network share where the computer can access that folder, for example, **`\\PublicShare\\MyFileSystem`**. |

+ | **Authentication Type** | No | <*auth-type*> | The type of authentication that your file system server uses, which is **Windows** |

+ | **Username** | Yes | <*domain-and-username*> | The domain and username for the computer where you have your file system. <br><br>For the managed File System connector, use one of the following values with the backslash (**`\`**): <br><br>- **<*domain*>\\<*username*>** <br>- **<*local-computer*>\\<*username*>** <br><br>For example, if your file system folder is on the same computer as the on-premises data gateway installation, you can use **<*local-computer*>\\<*username*>**. <br><br>- For the ISE-based File System connector, use the forward slash instead (**`/`**): <br><br>- **<*domain*>/<*username*>** <br>- **<*local-computer*>/<*username*>** |

+ | **Password** | Yes | <*password*> | The password for the computer where you have your file system |

+ | **gateway** | No | - <*Azure-subscription*> <br>- <*gateway-resource-name*> | This section applies only to the managed File System connector: <br><br>- **Subscription**: The Azure subscription associated with the data gateway resource <br>- **Connection Gateway**: The data gateway resource |

+ The following example shows the connection information for the File System managed connector trigger:

+ 

+1. When you're done, select **Create**.

+ 

+ 

+The example logic app workflow starts with the [Dropbox trigger](/connectors/dropbox/#triggers), but you can use any trigger that you want.

+### [Consumption](#tab/consumption)

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.

+1. Find and select the [File System action](/connectors/filesystem/#actions) that you want to use. This example continues with the action named **Create file**.

+ 1. Under the trigger or action where you want to add the File System action, select **New step**.

+ Or, to add an action between existing steps, move your pointer over the connecting arrow. Select the plus sign (**+**) that appears, and then select **Add an action**.

+1. Under the **Choose an operation** search box, select **Standard**. In the search box, enter **file system**.

+1. From the actions list, select the File System action named **Create file**.

+ 

+1. In the connection information box, provide the following information as required:

+ The following example shows the connection information for the File System managed connector action:

+ 

+ The following example shows the connection information for the File System ISE-based connector action:

+ 

+1. When you're done, select **Create**.

+ 

+ > To add outputs from previous steps in the workflow, click inside the action's edit boxes.

+ 

+1. Save your logic app. Test your workflow by uploading a file to Dropbox.

+ If successful, your workflow creates a file on your file system server, based on the uploaded file in DropBox, and sends an email about the created file.

+### [Standard](#tab/standard)

+#### Built-in connector action

+These steps apply only to Standard logic apps in an App Service Environment v3 with Windows plans only.

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.

+1. Find and select the [File System action](/azure/logic-apps/connectors/built-in/reference/filesystem/#actions) that you want to use. This example continues with the action named **Create file**.

+ 1. Under the trigger or action where you want to add the action, select the plus sign (**+**), and then select **Add an action**.

+ Or, to add an action between existing steps, select the plus sign (**+**) on the connecting arrow, and then select **Add an action**.

+ 1. Under the **Choose an operation** search box, select **Built-in**. In the search box, enter **file system**.

+ 1. From the actions list, select the File System action named **Create file**.

+ 

+1. In the connection information box, provide the following information as required:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **Connection name** | Yes | <*connection-name*> | The name to use for your connection |

+ | **Root folder** | Yes | <*root-folder-name*> | The root folder for your file system, which is usually the main parent folder and is the folder used for the relative paths with all triggers that work on files. <br><br>For example, if you installed the on-premises data gateway, use the local folder on the computer with the data gateway installation. Or, use the folder for the network share where the computer can access that folder, for example, **`\\PublicShare\\MyFileSystem`**. |

+ | **Username** | Yes | <*domain-and-username*> | The domain and username for the computer where you have your file system. <br><br>For the managed File System connector, use one of the following values with the backslash (**`\`**): <br><br>- **<*domain*>\\<*username*>** <br>- **<*local-computer*>\\<*username*>** |

+ | **Password** | Yes | <*password*> | The password for the computer where you have your file system |

+ The following example shows the connection information for the File System built-in connector action:

+ 

+ Azure Logic Apps creates and tests your connection, making sure that the connection works properly. If the connection is set up correctly, the setup options appear for your selected action.

+1. Continue building your workflow.

+ 1. Provide the required information for your action. For this example, follow these steps:

+ 1. Enter path and name for the file that you want to create, including the file name extension. Make sure the path is relative to the root folder.

+ 1. To specify the content from the file created on Dropbox, from the **Add a parameter** list, select **File content**.

+ 1. Click inside the **File Content** parameter box. appears, click inside the edit box. From the dynamic content list that appears, in the **When a file is created** section, select **File Content**.

+ 

+ 1. To test your workflow, add an Outlook action that sends you an email when the File System action creates a file. Enter the email recipients, subject, and body. For testing, you can use your own email address.

+ 

+1. Save your logic app. Test your workflow by uploading a file to Dropbox.

+ If successful, your workflow creates a file on your file system server, based on the uploaded file in DropBox, and sends an email about the created file.

+#### Managed connector action

+1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.

+1. Find and select the [File System action](/connectors/filesystem/#actions) that you want to use. This example continues with the action named **Create file**.

+ 1. Under the trigger or action where you want to add the action, select the plus sign (**+**), and then select **Add an action**.

+ Or, to add an action between existing steps, select the plus sign (**+**) on the connecting arrow, and then select **Add an action**.

+ 1. Under the **Choose an operation** search box, select **Azure**. In the search box, enter **file system**.

+ 1. From the actions list, select the File System action named **Create file**.

+ 

+1. In the connection information box, provide the following information as required:

+ | Property | Required | Value | Description |

+ |-|-|-|-|

+ | **Connection name** | Yes | <*connection-name*> | The name to use for your connection |

+ | **Root folder** | Yes | <*root-folder-name*> | The root folder for your file system, which is usually the main parent folder and is the folder used for the relative paths with all triggers that work on files. <br><br>For example, if you installed the on-premises data gateway, use the local folder on the computer with the data gateway installation. Or, use the folder for the network share where the computer can access that folder, for example, **`\\PublicShare\\MyFileSystem`**. |

+ | **Authentication Type** | No | <*auth-type*> | The type of authentication that your file system server uses, which is **Windows** |

+ | **Username** | Yes | <*domain-and-username*> | The domain and username for the computer where you have your file system. <br><br>For the managed File System connector, use one of the following values with the backslash (**`\`**): <br><br>- **<*domain*>\\<*username*>** <br>- **<*local-computer*>\\<*username*>** <br><br>For example, if your file system folder is on the same computer as the on-premises data gateway installation, you can use **<*local-computer*>\\<*username*>**. <br><br>- For the ISE-based File System connector, use the forward slash instead (**`/`**): <br><br>- **<*domain*>/<*username*>** <br>- **<*local-computer*>/<*username*>** |

+ | **Password** | Yes | <*password*> | The password for the computer where you have your file system |

+ | **gateway** | No | - <*Azure-subscription*> <br>- <*gateway-resource-name*> | This section applies only to the managed File System connector: <br><br>- **Subscription**: The Azure subscription associated with the data gateway resource <br>- **Connection Gateway**: The data gateway resource |

+ The following example shows the connection information for the File System managed connector action:

+ 

+ Azure Logic Apps creates and tests your connection, making sure that the connection works properly. If the connection is set up correctly, the setup options appear for your selected action.

+1. Continue building your workflow.

+ 1. Provide the required information for your action. For this example, follow these steps:

+ 1. Enter path and name for the file that you want to create, including the file name extension. Make sure the path is relative to the root folder.

+ 1. To specify the content from the file created on Dropbox, from the **Add a parameter** list, select **File content**.

+ 1. Click inside the **File Content** parameter box. appears, click inside the edit box. From the dynamic content list that appears, in the **When a file is created** section, select **File Content**.

+ 

+ 1. To test your workflow, add an Outlook action that sends you an email when the File System action creates a file. Enter the email recipients, subject, and body. For testing, you can use your own email address.

+ 

+* [Managed connectors for Azure Logic Apps](/connectors/connector-reference/connector-reference-logicapps-connectors)

+* [Built-in connectors for Azure Logic Apps](../connectors/built-in.md)

+ import urllib.request

+ response = urllib.request.urlretrieve('https://azuremlexampledata.blob.core.windows.net/data/imagenet/model.zip', 'model.zip')

+ with ZipFile(response[0], 'r') as zip:

+* You can **share and reuse data** with other members of the team such that they don't need to remember file locations.

+ - [**URIs**](#Create a `uri_folder` data asset) - A **U**niform **R**esource **I**dentifier that is a reference to a storage location on your local computer or in the cloud that makes it easy to access data in your jobs. Azure Machine Learning distinguishes two types of URIs:`uri_file` and `uri_folder`.

+ - [**MLTable**](#Create a `mltable` data asset) - `MLTable` helps you to abstract the schema definition for tabular data so it is more suitable for complex/changing schema or to be used in AutoML. If you just want to create a data asset for a job or you want to write your own parsing logic in python you could use `uri_file`, `uri_folder`.

+ - You only need a subset of data (for example: a sample of rows or files, specific columns, etc.)

+Find more details about what are the abilities we provide via `mltable` in [reference-yaml-mltable](reference-yaml-mltable.md).

+In this section, we show you how to create a data asset when the type is a `mltable`.

+An *example* MLTable file for delimited files is provided below:

+An *example* MLTable file for Delta Lake is provided below:

+```yml

+type: mltable

+paths:

+ - abfss://my_delta_files

+transformations:

+ - read_delta_lake:

+ timestamp_as_of: '2022-08-26T00:00:00Z'

+#timestamp_as_of: Timestamp to be specified for time-travel on the specific Delta Lake data.

+#version_as_of: Version to be specified for time-travel on the specific Delta Lake data.

+```

+For more transformations available in `mltable`, please look into [reference-yaml-mltable](reference-yaml-mltable.md).

+### Create an MLTable artifact via Python SDK: from_*

+If you would like to create an MLTable object in memory via Python SDK, you could use from_* methods.

+The from_* methods does not materialize the data, but rather stores is as a transformation in the MLTable definition.

+For example you can use from_delta_lake() to create an in-memory MLTable artifact to read delta lake data from the path `delta_table_path`.

+```python

+import mltable as mlt

+mltable = from_delta_lake(delta_table_path, timestamp_as_of="2021-01-01T00:00:00Z")

+df = mltable.to_pandas_dataframe()

+print(df.to_string())

+```

+Please find more details about [MLTable Python functions here](/python/api/mltable/mltable).

+Below shows you how to create a `mltable` data asset. The `path` can be any of the supported path formats outlined above.

+ az network private-endpoint show --name <endpoint> --resource-group <resource-group> --query 'networkInterfaces[*].id' --output table

+## **Environment definition problems**

+### *Environment name issues*

+### Curated prefix not allowed

+### Environment name is too long

+### *Docker issues*

+### Missing Docker definition

+### Missing Docker build context location

+### Too many Docker options

+### Missing Docker option

+### Container registry credentials missing either username or password

+### Multiple credentials for base image registry

+### Secrets in base image registry

+### Deprecated Docker attribute

+### Dockerfile length over limit

+### *Docker build context issues*

+### Missing Dockerfile path

+### Not allowed to specify attribute with Docker build context

+### Location type not supported/Unknown location type

+### Invalid location

+### *Base image issues*

+### Base image is deprecated

+### No tag or digest

+### *Environment variable issues*

+### Misplaced runtime variables

+### *Python issues*

+### Python section missing

+### Python version missing

+### Multiple Python versions

+### Python version not supported

+### Python version not recommended

+### Failed to validate Python version

+### *Conda issues*

+### Missing conda dependencies

+### Invalid conda dependencies

+### Missing conda channels

+### Base conda environment not recommended

+### Unpinned dependencies

+### *Pip issues*

+### Pip not specified

+### Pip not pinned

+### *Deprecated environment property issues*

+### R section is deprecated

+## **Image build problems**

+### *Miscellaneous issues*

+### Build log unavailable

+### ACR unreachable

+<!--issueDescription-->

+This can happen by failing to access a workspace's associated Azure Container Registry (ACR) resource.

+**Potential causes:**

+* Workspace's ACR is behind a virtual network (VNet) (private endpoint or service endpoint), and no compute cluster is used to build images.

+* Workspace's ACR is behind a virtual network (private endpoint or service endpoint), and the compute cluster used for building images have no access to the workspace's ACR.

+**Affected areas (symptoms):**

+* Failure in building environments from UI, SDK, and CLI.

+* Failure in running jobs because it will implicitly build the environment in the first step.

+* Pipeline job failures

+* Model deployment failures

+<!--/issueDescription-->

+**Troubleshooting steps**

+*Applies to: Python SDK azureml V1*

+Update the workspace image build compute property using SDK:

+```

+from azureml.core import Workspace

+ws = Workspace.from_config()

+ws.update(image_build_compute = 'mycomputecluster')

+```

+*Applies to: Azure CLI extensions V1 & V2*

+Update the workspace image build compute property using Azure CLI:

+```

+az ml workspace update --name myworkspace --resource-group myresourcegroup --image-build-compute mycomputecluster

+```

+> [!NOTE]

+> * Only Azure Machine Learning compute clusters are supported. Compute, Azure Kubernetes Service (AKS), or other instance types are not supported for image build compute.

+> * Make sure the compute cluster's VNet that's used for the image build compute has access to the workspace's ACR.

+> * Make sure the compute cluster is CPU based.

+**Resources**

+* [Enable Azure Container Registry (ACR)](https://aka.ms/azureml/environment/acr-private-endpoint)

+* [How To Use Environments](https://aka.ms/azureml/environment/how-to-use-environments)

+### *Docker pull issues*

+### Failed to pull Docker image

+### *Conda issues during build*

+### Bad spec

+### Communications error

+### Compile error

+### Missing command

+### Conda timeout

+### Out of memory

+### Package not found

+### Missing Python module

+### No matching distribution

+### Cannot build mpi4py

+### Interactive auth was attempted

+### Forbidden blob

+### Horovod build

+### Conda command not found

+### Incompatible Python version

+### Conda bare redirection

+### *Pip issues during build*

+### Failed to install packages

+### Cannot uninstall package

+| 429 | Too many pending requests | Your model is getting more requests than it can handle. We allow maximum 2 * `max_concurrent_requests_per_instance` * `instance_count` requests in parallel at any time. Additional requests are rejected. You can confirm these settings in your model deployment config under `request_settings` and `scale_settings`, respectively. If you're using auto-scaling, your model is getting requests faster than the system can scale up. With auto-scaling, you can try to resend requests with [exponential backoff](https://aka.ms/exponential-backoff). Doing so can give the system time to adjust. Apart from enable auto-scaling, you could also increase the number of instances by using the below [code](#how-to-calculate-instance-count). |

+# time to process the request (in seconds, choose appropriate percentile)

+> [!NOTE]

+| | | |

+| Multiple Azure AD Admins | No | Yes |

+| Managed Identities (System & User assigned) | Partial | Full |

+| Disable Password Authentication | Not Available | Available |

+| Service Principal can act as group member | No | Yes |

+| Audit Azure AD Logins | No | Yes |

+When Azure AD authentication is enabled and Azure AD principal is added as an Azure AD administrator the account gets the same privileges as the original PostgreSQL administrator. Only Azure AD administrator can manage other Azure AD enabled roles on the server using Azure portal or Database API. The Azure AD administrator sign-in can be an Azure AD user, Azure AD group, Service Principal or Managed Identity. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the PostgreSQL server. Multiple Azure AD administrators can be configured at any time and you can optionally disable password authentication to an Azure Database for PostgreSQL Flexible Server for better auditing and compliance needs.

+## Other considerations

+- In preview, `Azure Active Directory Authentication only` is supported post server creation, this option is currently disabled during server creation experience

+The DEKs, encrypted with the KEKs, are stored separately. Only an entity with access to the KEK can decrypt these DEKs. For more information, see [Security in encryption at rest](../../security/fundamentals/encryption-atrest.md).

+- **get**: For retrieving, the public part and properties of the key in the key Vault.

+- **list**: For listing\iterating through keys in, the key Vault.

+- If Key Vault generates the key, create a key backup before using the key for the first time. You can only restore the backup to Key Vault.

+After Azure Database for PostgreSQL - Flexible Server is encrypted with a customer's managed key stored in Key Vault, any newly created server copy is also encrypted. You can make this new copy through a [PITR restore](concepts-backup-restore.md) operation or read replicas.

+> [!NOTE]

+1. Navigate to Azure Database for PostgreSQL - Flexible Server create pane via Azure portal

+1. Provide required information on Basics and Networking tabs

+1. Navigate to Security(preview) tab. On the screen, provide Azure Active Directory (Azure AD) identity that has access to the Key Vault and Key in Key Vault in the same region where you're creating this server

+1. On Review Summary tab, make sure that you provided correct information in Security section and press Create button

+1. Once it's finished, you should be able to navigate to Data Encryption (preview) screen for the server and update identity or key if necessary

+- Key Vault with key in region where Postgres Flex Server will be created. Follow this [tutorial](../../key-vault/general/quick-create-portal.md) to create Key Vault and generate key.

+1. Navigate to Data Encryption (preview) screen under Security tab

+1. Select different identity to connect to Azure Key Vault, remembering that this identity needs to have proper access rights to the Key Vault

+1. Select different key by choosing subscription, Key Vault and key from dropdowns provided.

+- No support for Geo backup enabled servers

+- No support for Azure HSM Key Vault

+- [Azure Active Directory](../../active-directory-domain-services/overview.md)

+# Azure Active Directory for authentication with PostgreSQL Flexible Server Preview

+> [!NOTE]

+In this article, you'll configure Azure Active Directory (Azure AD) access and how to connect using an Azure AD token with Azure Database for PostgreSQL Flexible Server.

+Only Azure AD administrator users can create/enable users for Azure AD-based authentication. We recommend not using the Azure AD administrator for regular database operations, as it has elevated user permissions (for example, CREATEDB). You can now have multiple Azure AD admin users with flexible server, and Azure AD admin users can be either a user, a group, or a service principal.

+## Install AzureAD PowerShell: AzureAD Module

+### Prerequisites

+- An Azure account with an active subscription. If you don't already have one, [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+ - One of the following roles: Global Administrator, Privileged Role Administrator, Tenant Administrator.

+The following steps are mandatory to use Azure Active Directory authentication with Azure Database for PostgreSQL Flexible Server.

+### 1 - Connect to the user tenant

+### 2 - Grant Flexible Server Service Principal read access to customer tenant

+This command grants Azure Database for PostgreSQL Flexible Server Service Principal read access to customer tenant to request Graph API tokens for Azure AD validation tasks. AppID (5657e26c-cc92-45d9-bc47-9da6cfdb4ed9) in the above command is the AppID for Azure Database for PostgreSQL Flexible Server Service.

+### 3 - Networking Requirements

+Azure Active Directory is a multi-tenant application and requires outbound connectivity to perform certain operations like adding Azure AD admin groups. Additionally, networking rules are required for Azure AD connectivity to work depending upon your network topology.

+No extra networking rules are required.

+- An outbound NSG rule to allow virtual network traffic to reach AzureActiveDirectory service tag only.

+- Optionally, if youΓÇÖre using a proxy, then add a new firewall rule to allow http/s traffic to reach AzureActiveDirectory service tag only.

+Complete the above prerequisites steps before adding Azure AD administrator to your server. To set the Azure AD admin during server provisioning, follow the below steps.

+1. In the Azure portal, during server provisioning, select either `PostgreSQL and Azure Active Directory authentication` or `Azure Active Directory authentication only` as the authentication method.

+1. You can also optionally add a local PostgreSQL admin account if you prefer `PostgreSQL and Azure Active Directory authentication` method.

+Note only one Azure admin user can be added during server provisioning, and you can add multiple Azure AD admin users after server is created.

+![set-Azure-ad-administrator][3]

+1. Under Security, select Authentication and choose either `PostgreSQL and Azure Active Directory authentication` or `Azure Active Directory authentication only` as the authentication method based on your requirements.

+![set Azure ad administrator][2]

+1. Select `Add Azure AD Admins` and select a valid Azure AD user/group/service principal/Managed Identity in the customer tenant to be an Azure AD administrator.

+We've designed the Azure AD integration to work with standard PostgreSQL tools like psql, which aren't Azure AD aware and only support specifying username and password when connecting to PostgreSQL. We pass the Azure AD token as the password, as shown in the picture above.

+- PgAdmin (uncheck connect now at server creation.

+ - For more information, see step 4.

+These are the steps that a user/application needs to authenticate with Azure AD described below:

+## Azure CLI

+You can follow along in Azure Cloud Shell, an Azure VM, or on your local machine.

+### Prerequisites

+Make sure you have the [Azure CLI installed](/cli/azure/install-azure-cli).

+### 1 - Sign in to the user's Azure subscription

+The command launches a browser window to the Azure AD authentication page. It requires you to give your Azure AD user ID and password.

+### 2 - Retrieve Azure AD access token

+The above resource value must be specified as shown. For other clouds, the resource value can be looked up using:

+After authentication is successful, Azure AD returns an access token:

+The token is a Base 64 string that encodes all the information about the authenticated user and is targeted to the Azure Database for PostgreSQL service.

+### 3 - Use token as password for logging in with client psql

+When connecting, it's best to use the access token as the PostgreSQL user password.

+While using the `psql` command line client, the access token needs to be passed through the `PGPASSWORD` environment variable since the access token exceeds the password length that `psql` can accept directly:

+```powerShell

+### 4 - Use token as a password for logging in with PgAdmin

+1. Uncheck the connect now an option at server creation.

+Essential considerations when connecting:

+* `user@tenant.onmicrosoft.com` is the name of the Azure AD user

+* Make sure to use the exact way the Azure user is spelled - as the Azure AD user and group names are case-sensitive.

+* The access token validity is anywhere between 5 minutes to 60 minutes. We recommend you get the access token just before initiating the sign-in to Azure Database for PostgreSQL.

+### 1 - Create Azure AD groups in Azure Database for PostgreSQL Flexible Server

+To enable an Azure AD group for access to your database, use the exact mechanism as for users, but instead specify the group name:

+When logging in, group members use their personal access tokens but sign in with the group name specified as the username.

+### 2 - Sign in to the userΓÇÖs Azure Subscription

+Authenticate with Azure AD using the Azure CLI tool. This step isn't required in Azure Cloud Shell. The user needs to be a member of the Azure AD group.

+### 3 - Retrieve Azure AD access token

+After authentication is successful, Azure AD returns an access token:

+### 4 - Use token as password for logging in with psql or PgAdmin (see above steps for a user connection)

+- groupname is the name of the Azure AD group you're trying to connect as

+- Make sure to use the exact way the Azure AD group name is spelled.

+- Azure AD user and group names are case-sensitive

+- When connecting as a group, use only the group name and not the alias of a group member.

+- If the name contains spaces, use \ before each space to escape it.

+- The access token validity is anywhere between 5 minutes to 60 minutes. We recommend you get the access token just before initiating the sign-in to Azure Database for PostgreSQL.

+- Review the overall concepts for [Azure Active Directory authentication with Azure Database for PostgreSQL - Flexible Server](concepts-azure-ad-authentication.md)

+- Learn how to create and manage Azure AD enabled PostgreSQL roles [Manage Azure AD roles in Azure Database for PostgreSQL - Flexible Server](Manage Azure AD roles in Azure Database for PostgreSQL - Flexible Server.md)

+ - devx-track-csharp

+ - devx-track-azurecli

+> [!NOTE]

+You can use both system-assigned and user-assigned managed identities to authenticate to Azure Database for PostgreSQL. This article shows you how to use a system-assigned managed identity for an Azure Virtual Machine (VM) to access an Azure Database for PostgreSQL server. Managed Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication without needing to insert credentials into your code.

+- To do the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). If you need assistance with a role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](../../../articles/role-based-access-control/role-assignments-portal.md).

+- You need an Azure VM (for example, running Ubuntu Linux) that you'd like to use to access your database using Managed Identity

+- To follow the C# example, first, complete the guide on how to [Connect with C#](connect-csharp.md)

+## Create a system-assigned managed identity for your VM

+Use [az vm identity assign](/cli/azure/vm/identity/) with the `identity assign` command enables the system-assigned identity to an existing VM:

+## Create a PostgreSQL user for your Managed Identity

+For more information on managing Azure AD enabled database roles, see [how to manage Azure AD enabled PostgreSQL roles](./how-to-manage-azure-ad-users.md)

+The managed identity now has access when authenticating with the identity name as a role name and the Azure AD token as a password.

+## Retrieve the access token from the Azure Instance Metadata service

+You get back a JSON result containing an `access_token` field - this long text value is the Managed Identity access token you should use as the password when connecting to the database.

+For testing purposes, you can run the following commands in your shell.

+> [!NOTE]

+> Note you need `curl`, `jq`, and the `psql` client installed.

+You're now connected to the database you configured earlier.

+## Connect using Managed Identity in C#

+When run, this command gives an output like this:

+```output

+- Review the overall concepts for [Azure Active Directory authentication with Azure Database for PostgreSQL](concepts-azure-ad-authentication.md)

+> [!NOTE]

+Suppose you want to learn how to create and manage Azure subscription users and their privileges. In that case, you can visit the [Azure role-based access control (Azure RBAC) article](../../role-based-access-control/built-in-roles.md) or review [how to customize roles](../../role-based-access-control/custom-roles.md).

+When you first created your Azure Database for PostgreSQL, you provided a server admin username and password. For more information, you can follow the [Quickstart](quickstart-create-server-portal.md) to see the step-by-step approach. Since the server admin user name is a custom name, you can locate the chosen server admin user name from the Azure portal.

+The Azure Database for PostgreSQL server is created with the three default roles defined. You can see these roles by running the command: `SELECT rolname FROM pg_roles;`

+Your server admin user is a member of the azure_pg_admin role. However, the server admin account isn't part of the azure_superuser role. Since this service is a managed PaaS service, only Microsoft is part of the super user role.

+- Sign in, NOSUPERUSER, INHERIT, CREATEDB, CREATEROLE, REPLICATION

+The server admin user account can be used to create more users and grant those users into the azure_pg_admin role. Also, the server admin account can be used to create less privileged users and roles that have access to individual databases and schemas.

+## How to create more admin users in Azure Database for PostgreSQL

+ You need the full server name and admin sign-in credentials to connect to your database server. You can easily find the server name and sign-in information from the server **Overview** page or the **Properties** page in the Azure portal.

+1. Use the admin account and password to connect to your database server. Use your preferred client tool, such as pgAdmin or psql.

+ If you're unsure of how to connect, see [the quickstart](./quickstart-create-server-portal.md)

+1. Edit and run the following SQL code. Replace your new user name with the placeholder value <new_user>, and replace the placeholder password with your own strong password.

+ You need the full server name and admin sign-in credentials to connect to your database server. You can easily find the server name and sign-in information from the server **Overview** page or the **Properties** page in the Azure portal.

+1. Use the admin account and password to connect to your database server. Use your preferred client tool, such as pgAdmin or psql.

+1. Edit and run the following SQL code. Replace the placeholder value `<db_user>` with your intended new user name and placeholder value `<newdb>` with your own database name. Replace the placeholder password with your own strong password.

+ This sql code syntax creates a new database named testdb, for example, purposes. Then it creates a new user in the PostgreSQL service and grants connect privileges to the new database for that user.

+1. Using an admin account, you may need to grant other privileges to secure the objects in the database. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/current/static/ddl-priv.html) for further details on database roles and privileges. For example:

+1. Sign in to your server, specifying the designated database, using the new username and password. This example shows the psql command line. With this command, you're prompted for the password for the user name. Replace your own server name, database name, and user name.

+- [Create and manage Azure Database for PostgreSQL firewall rules by using the Azure portal](how-to-manage-firewall-portal.md) or [Azure CLI](how-to-manage-firewall-cli.md).

+- For more information regarding user account management, see PostgreSQL product documentation for [Database Roles and Privileges](https://www.postgresql.org/docs/current/static/user-manag.html), [GRANT Syntax](https://www.postgresql.org/docs/current/static/sql-grant.html), and [Privileges](https://www.postgresql.org/docs/current/static/ddl-priv.html).

+> [!NOTE]

+1. To add an administrator - select **Add Azure AD Admin** and select a user, group, application or a managed identity from the current Azure AD tenant.

+1. To remove an administrator - select **Delete** icon for the one to remove.

+1. Select **Save** and wait for provisioning operation to completed.

+ Title: Modify a packet core instance

+description: In this how-to guide, you'll learn how to modify a packet core instance using the Azure portal.

+# Modify the packet core instance in a site

+Each Azure Private 5G Core Preview site contains a packet core instance, which is a cloud-native implementation of the 3GPP standards-defined 5G Next Generation Core (5G NGC or 5GC). In this how-to guide, you'll learn how to modify a packet core instance using the Azure portal; this includes modifying the packet core's custom location, connected Azure Stack Edge device, and access network configuration. You'll also learn how to modify the data network attached to the packet core instance.

+## Prerequisites

+- If you want to make changes to the packet core configuration or access network, refer to [Collect packet core configuration values](collect-required-information-for-a-site.md#collect-packet-core-configuration-values) and [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) to collect the new values and make sure they're in the correct format.

+ > [!NOTE]

+ > You can't update a packet core instance's **Technology type** or **Version** field.

+ >

+ > - To change the technology type, you'll need to delete the site and [recreate it](create-a-site.md). <!-- link to new site deletion section -->

+ > - To change the version, [upgrade the packet core instance](upgrade-packet-core-azure-portal.md).

+- If you want to make changes to the attached data network, refer to [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values) to collect the new values and make sure they're in the correct format.

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you used to create your private mobile network. This account must have the built-in Contributor or Owner role at the subscription scope.

+## Select the packet core instance to modify

+In this step, you'll navigate to the **Packet Core Control Plane** resource representing your packet core instance.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+2. Search for and select the **Mobile Network** resource representing the private mobile network.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal. It shows the results of a search for a Mobile Network resource.":::

+3. In the **Resource** menu, select **Sites**.

+4. Select the site containing the packet core instance you want to modify.

+5. Under the **Network function** heading, select the name of the **Packet Core Control Plane** resource shown next to **Packet Core**.

+ :::image type="content" source="media/packet-core-field.png" alt-text="Screenshot of the Azure portal showing the Packet Core field.":::

+6. Select **Modify packet core**.

+ :::image type="content" source="media/modify-packet-core/modify-packet-core-configuration.png" alt-text="Screenshot of the Azure portal showing the Modify packet core option.":::

+7. If you want to make changes to the packet core configuration or access network values, go to [Modify the packet core configuration](#modify-the-packet-core-configuration). If you only want to make changes to the attached data network, go to [Modify the attached data network configuration](#modify-the-attached-data-network-configuration).

+### Modify the packet core configuration

+To modify the packet core and/or access network configuration:

+1. In the **Configuration** tab, fill out the fields with any new values.

+

+ - Use the information you collected in [Collect packet core configuration values](collect-required-information-for-a-site.md#collect-packet-core-configuration-values) for the top-level configuration values.

+ - Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) for the configuration values under **Access network**.

+ :::image type="content" source="media/modify-packet-core/modify-packet-core-configuration-tab.png" alt-text="Screenshot of the Azure portal showing the Modify packet core Configuration tab.":::

+2. If you also want to make changes to the attached data network, select the **Data network** tab and go to [Modify the attached data network configuration](#modify-the-attached-data-network-configuration). Otherwise, go to [Submit and verify changes](#submit-and-verify-changes).

+### Modify the attached data network configuration

+To make changes to the data network attached to your packet core instance:

+1. In the **Data network** tab, select the data network.

+ :::image type="content" source="media/modify-packet-core/modify-packet-core-data-network-tab.png" alt-text="Screenshot of the Azure portal showing the Modify packet core Data network tab.":::

+2. Use the information you collected in [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values) to fill out the fields in the **Modify a data network** window.

+ :::image type="content" source="media/modify-packet-core/modify-packet-core-modify-data-network.png" alt-text="Screenshot of the Azure portal showing the Attach data network screen.":::

+3. Select **Modify**. You should see your changes under the **Data network** tab.

+### Submit and verify changes

+1. Select **Modify**.

+2. Azure will now redeploy the packet core instance with the new configuration. The Azure portal will display the following confirmation screen when this deployment is complete.

+ :::image type="content" source="media/site-deployment-complete.png" alt-text="Screenshot of the Azure portal showing the confirmation of a successful deployment of a packet core instance.":::

+3. Navigate to the **Packet Core Control Plane** resource as described in [Select the packet core instance to modify](#select-the-packet-core-instance-to-modify).

+ - If you made changes to the packet core configuration, check that the fields under **Connected ASE device**, **Custom ARC location** and **Access network** contain the updated information.

+ - If you made changes to the attached data network, check that the fields under **Data network** contain the updated information.

+## Next steps

+Use Log Analytics or the packet core dashboards to confirm your packet core instance is operating normally after you modify it.

+- [Monitor Azure Private 5G Core with Log Analytics](monitor-private-5g-core-with-log-analytics.md)

+- [Packet core dashboards](packet-core-dashboards.md)

+#### Maximum Transmission Units (MTUs)

+The Maximum Transmission Unit (MTU) is a property of an IP link, and it is configured on the interfaces at each end of the link. Packets that exceed an interface's configured MTU are split into smaller packets via IPv4 fragmentation prior to sending and are then reassembled at their destination. However, if an interface's configured MTU is higher than the link's supported MTU, the packet will fail to be transmitted correctly.

+To avoid transmission issues caused by IPv4 fragmentation, a 4G or 5G packet core instructs UEs what MTU they should use. However, UEs do not always respect the MTU signalled by the packet core.

+IP packets from UEs are tunnelled through from the RAN, which adds overhead from encapsulation. Due to this, the MTU value for the UE should be smaller than the MTU value used between the RAN and the Packet Core to avoid transmission issues.

+RANs typically come pre-configured with an MTU of 1500. The Packet CoreΓÇÖs default UE MTU is 1300 bytes to allow for encapsulation overhead. These values maximize RAN interoperability, but risk that certain UEs will not observe the default MTU and will generate larger packets that require IPv4 fragmentation that may be dropped by the network.

+If you are affected by this issue, it is strongly recommended to configure the RAN to use an MTU of 1560 or higher which allows a sufficient overhead for the encapsulation and avoids fragmentation with a UE using a standard MTU of 1500.

+ :::image type="content" source="media/packet-core-field.png" alt-text="Screenshot of the Azure portal showing the Packet Core field.":::

+2. Check the **Version** field under the **Configuration** heading to view the current software version. If there's an attention icon next to this field, a new packet core version is available. If there's a warning that you're running an unsupported version, we advise that you upgrade your packet core instance to a version that Microsoft currently supports.

+|| [SQL Server on Azure-Arc](register-scan-azure-arc-enabled-sql-server.md)| [Yes](register-scan-azure-arc-enabled-sql-server.md#register) | [Yes](register-scan-azure-arc-enabled-sql-server.md#scan) | No* |[Yes](register-scan-azure-arc-enabled-sql-server.md#access-policy) | No |

+| [Yes](#register) | [Yes](#scan) | [Yes](#scan) | [Yes](#scan) | [Yes](#scan) | [Yes](#access-policy) | Limited** | No |

+## Access policy

+### Supported policies

+The following types of policies are supported on this data resource from Microsoft Purview:

+* [DevOps policies](how-to-policies-devops-arc-sql-server.md)

+* [Data Owner](how-to-policies-data-owner-arc-sql-server.md)

+**Azure Payments HSM**: A FIPS 140-2 Level 3, PCI HSM v3, validated bare metal offering that lets customers lease a payment HSM appliance in Microsoft datacenters for payments operations, including payment processing, payment credential issuing, securing keys and authentication data, and sensitive data protection. The service is PCI DSS and PCI 3DS compliant. Azure Payment HSM offers single-tenant HSMs for customers to have complete administrative control and exclusive access to the HSM. Once the HSM is allocated to a customer, Microsoft has no access to customer data. Likewise, when the HSM is no longer required, customer data is zeroized and erased as soon as the HSM is released, to ensure complete privacy and security is maintained. For more information, see [About Azure Payment HSM](../../payment-hsm/overview.md).

+| - 750 SP04 to SP12<br>- 751 SP00 to SP06<br>- 752 SP00 to SP02 | [2641084 - Standardized read access to data of Security Audit Log](https://launchpad.support.sap.com/#/notes/2641084)* |

+Connector execution logs for your Microsoft Sentinel Solution for SAP data connector deployment are stored on your VM in **/opt/sapcon/[SID]/log/**. Log filename is **OmniLog.log**. A history of logfiles is kept, suffixed with *.[number]* such as **OmniLog.log.1**, **OmniLog.log.2** etc

+| MaxDeliveryCountExceeded | Message couldn't be consumed after maximum delivery attempts. See the [Maximum delivery count](#maximum-delivery-count) section for details. |

+ Title: 'Tutorial: Deploy an application to Azure Spring Apps and connect it to Azure Database for MySQL Flexible Server using Service Connector'

+description: Create a Spring Boot application connected to Azure Database for MySQL Flexible Server with Service Connector.

+# Tutorial: Deploy an application to Azure Spring Apps and connect it to Azure Database for MySQL Flexible Server using Service Connector

+In this tutorial, you'll complete the following tasks using the Azure portal or the Azure CLI. Both methods are explained in the following procedures.

+> * Provision an instance of Azure Spring Apps

+> * Build and deploy apps to Azure Spring Apps

+> * Integrate Azure Spring Apps with Azure Database for MySQL with Service Connector

+* [Install the Azure CLI version 2.0.67 or higher](/cli/azure/install-azure-cli) and install the Azure Spring Apps extension with the command: `az extension add --name spring`

+## Provision an instance of Azure Spring Apps

+The following procedure uses the Azure CLI extension to provision an instance of Azure Spring Apps.

+1. Update Azure CLI with the Azure Spring Apps extension.

+ az extension update --name spring

+1. Create a resource group to contain your app and an instance of the Azure Spring Apps service.

+ az group create --name ServiceConnector-tutorial-mysqlf --location eastus

+1. Create an instance of Azure Spring Apps. Its name must be between 4 and 32 characters long and can only contain lowercase letters, numbers, and hyphens. The first character of the Azure Spring Apps instance name must be a letter and the last character must be either a letter or a number.

+ az spring create -n my-azure-spring -g ServiceConnector-tutorial-mysqlf

+## Create an Azure Database for MySQL Flexible Server

+Create a MySQL Flexible Server instance. In the command below, replace `<admin-username>` and `<admin-password>` by credentials of your choice to create an administrator user for the MySQL flexible server. The admin username can't be *azure_superuser*, *azure_pg_admin*, *admin*, *administrator*, *root*, *guest*, or *public*. It can't start with *pg_*. The password must contain **8 to 128 characters** from three of the following categories: English uppercase letters, English lowercase letters, numbers, and non-alphanumeric characters (for example, `!`, `#`, `%`). The password can't contain `username`.

+```azurecli-interactive

+az mysql flexible-server create \

+ --resource-group ServiceConnector-tutorial-mysqlf \

+ --name mysqlf-server \

+ --database-name mysqlf-db \

+ --admin-user <admin-username> \

+ --admin-password <admin-password>

+```

+ The server is created with the following default values unless you manually override them:

+| **Setting** | **Default value** | **Description** |

+|-|-||

+| server-name | System generated | A unique name that identifies your Azure Database for MySQL server. |

+| sku-name | GP_Gen5_2 | The name of the sku. Follows the convention {pricing tier}\_{compute generation}\_{vCores} in shorthand. The default is a General Purpose Gen5 server with 2 vCores. For more information about the pricing, go to our [pricing page](https://azure.microsoft.com/pricing/details/mysql/). |

+| backup-retention | 7 | How long a backup should be retained. Unit is days. |

+| geo-redundant-backup | Disabled | Whether geo-redundant backups should be enabled for this server or not. |

+| location | westus2 | The Azure location for the server. |

+| ssl-enforcement | Enabled | Whether SSL should be enabled or not for this server. |

+| storage-size | 5120 | The storage capacity of the server (unit is megabytes). |

+| version | 5.7 | The MySQL major version. |

+> Standard_B1ms SKU is used by default. Refer to [Azure Database for MySQL pricing](https://azure.microsoft.com/pricing/details/mysql/flexible-server/) for pricing details.

+> [!NOTE]

+> For more information about the `az mysql flexible-server create` command and its additional parameters, see the [Azure CLI documentation](/cli/azure/mysql/flexible-server#az-mysql-flexible-server-create).

+1. Create the app with public endpoint assigned. If you selected Java version 11 when generating the Azure Spring Apps project, include the `--runtime-version=Java_11` switch.

+ ```azurecli-interactive

+ az spring app create -n hellospring -s my-azure-spring -g ServiceConnector-tutorial-mysqlf --assign-endpoint true

+1. Run the `az spring connection create` command to connect the application deployed to Azure Spring Apps to the MySQL Flexible Server database. Replace the placeholders below with your own information.

+ ```azurecli-interactive

+ az spring connection create mysql-flexible \

+ --resource-group ServiceConnector-tutorial-mysqlf \

+ --service my-azure-spring \

+ --app hellospring \

+ --target-resource-group ServiceConnector-tutorial-mysqlf \

+ --server mysqlf-server \

+ --database mysqlf-db \

+ --secret name=<admin-username> secret=<admin-secret>

+ | Setting | Description |

+ ||-|

+ | `--resource-group` | The name of the resource group that contains the app hosted by Azure Spring Apps. |

+ | `--service` | The name of the Azure Spring Apps resource. |

+ | `--app` | The name of the application hosted by Azure Spring Apps that connects to the target service. |

+ | `--target-resource-group` | The name of the resource group with the storage account. |

+ | `--server` | The MySQL Flexible Server you want to connect to |

+ | `--database` | The name of the database you created earlier. |

+ | `--secret name` | The MySQL Flexible Server username. |

+ | `--secret` | The MySQL Flexible Server password. |

+ > If you see the error message "The subscription is not registered to use Microsoft.ServiceLinker", please run `az provider register -n Microsoft.ServiceLinker` to register the Service Connector resource provider and run the connection command again.

+1. Deploy the JAR file for the app `target/demo-0.0.1-SNAPSHOT.jar`.

+ az spring app deploy \

+ --name hellospring \

+ --service my-azure-spring \

+ --resource-group ServiceConnector-tutorial-mysqlf \

+ --artifact-path target/demo-0.0.1-SNAPSHOT.jar

+ az spring app list --resource-group ServiceConnector-tutorial-mysqlf --service my-azure-spring --output table

+ You should see the following output:

+ ```output

+ Name Location ResourceGroup Public Url Production Deployment Provisioning State CPU Memory Running Instance Registered Instance Persistent Storage Bind Service Registry Bind Application Configuration Service

+ -- - -- -- -- -- -- -- -- -

+ hellospring eastus ServiceConnector-tutorial-mysqlf https://my-azure-spring-hellospring.azuremicroservices.io default Succeeded 1 1Gi 1/1 0/1 - -

+### [Using a passwordless connection with a managed identity for flexible server](#tab/Passwordlessflex)

+Configure Azure Spring Apps to connect to the PostgreSQL Database with a system-assigned managed identity using the `az spring connection create` command.

+```azurecli

+az spring connection create postgres-flexible \

+ --resource-group $SPRING_APP_RESOURCE_GROUP \

+ --service $Spring_APP_SERVICE_NAME \

+ --app $APP_NAME \

+ --deployment $DEPLOYMENT_NAME \

+ --target-resource-group $POSTGRES_RESOURCE_GROUP \

+ --server $POSTGRES_SERVER_NAME \

+ --database $DATABASE_NAME \

+ --system-identity

+```

+### [Using a passwordless connection with a managed identity for single server](#tab/Passwordlesssingle)

+Configure Azure Spring Apps to connect to the PostgreSQL Database with a system-assigned managed identity using the `az spring connection create` command.

+ --app $APP_NAME \

+ --deployment $DEPLOYMENT_NAME \

+ --system-identity

+ DeploymentType: 'Artifacts'

+ DeploymentType: 'Artifacts'

+ DeploymentType: 'Artifacts'

+ DeploymentType: 'Artifacts'

+ DeploymentType: 'Artifacts'

+### Deploy from custom image

+To deploy directly from an existing container image, use the following pipeline template.

+```yaml

+- task: AzureSpringCloud@0

+ inputs:

+ azureSubscription: '<your service connection name>'

+ Action: 'Deploy'

+ AzureSpringCloud: '<your Azure Spring Apps service>'

+ AppName: '<app-name>'

+ DeploymentType: 'CustomContainer'

+ UseStagingDeployment: false

+ DeploymentName: 'default'

+ ContainerRegistry: 'docker.io' # or your Azure Container Registry, e.g: 'contoso.azurecr.io'

+ RegistryUsername: '$(username)'

+ RegistryPassword: '$(password)'

+ ContainerImage: '<your image tag>'

+```

+ Title: How to deploy applications in Azure Spring Apps with a custom container image

+# Deploy an application with a custom container image

+> The web application must listen on port `1025` for Standard tier and on port `8080` for Enterprise tier. The way to change the port depends on the framework of the application. For example, specify `SERVER_PORT=1025` for Spring Boot applications or `ASPNETCORE_URLS=http://+:1025/` for ASP.Net Core applications. You can disable the probe for applications that don't listen on any port. For more information, see [How to configure health probes and graceful termination periods for apps hosted in Azure Spring Apps](how-to-configure-health-probes-graceful-termination.md).

+| Feature | Spring Boot Apps - container deployment | Polyglot Apps - container deployment | Notes |

+|--|--|--|--|

+| App lifecycle management | ✔️ | ✔️ | |

+| Support for container registries | ✔️ | ✔️ | |

+| Assign endpoint | ✔️ | ✔️ | |

+| Azure Monitor | ✔️ | ✔️ | |

+| APM integration | ✔️ | ✔️ | Supported by [manual installation](#install-an-apm-into-the-image-manually). |

+| Blue/green deployment | ✔️ | ✔️ | |

+| Custom domain | ✔️ | ✔️ | |

+| Scaling - auto scaling | ✔️ | ✔️ | |

+| Scaling - manual scaling (in/out, up/down) | ✔️ | ✔️ | |

+| Managed Identity | ✔️ | ✔️ | |

+| Spring Cloud Eureka & Config Server | ✔️ | ❌ | |

+| API portal for VMware Tanzu® | ✔️ | ✔️ | Enterprise tier only. |

+| Spring Cloud Gateway for VMware Tanzu® | ✔️ | ✔️ | Enterprise tier only. |

+| Application Configuration Service for VMware Tanzu® | ✔️ | ❌ | Enterprise tier only. |

+| VMware Tanzu® Service Registry | ✔️ | ❌ | Enterprise tier only. |

+| VNET | ✔️ | ✔️ | Add registry to [allowlist in NSG or Azure Firewall](#avoid-not-being-able-to-connect-to-the-container-registry-in-a-vnet). |

+| Outgoing IP Address | ✔️ | ✔️ | |

+| E2E TLS | ✔️ | ✔️ | [Trust a self-signed CA](#trust-a-certificate-authority). |

+| Liveness and readiness settings | ✔️ | ✔️ | |

+| Advanced troubleshooting - thread/heap/JFR dump | ✔️ | ❌ | The image must include Bash and the JDK with `PATH` specified. |

+| Bring your own storage | ✔️ | ✔️ | |

+| Integrate service binding with Resource Connector | ✔️ | ❌ | |

+| Availability Zone | ✔️ | ✔️ | |

+| App Lifecycle events | ✔️ | ✔️ | |

+| Reduced app size - 0.5 vCPU and 512 MB | ✔️ | ✔️ | |

+| Automate app deployments with Terraform | ✔️ | ✔️ | |

+| Soft Deletion | ✔️ | ✔️ | |

+| Interactive diagnostic experience (AppLens-based) | ✔️ | ✔️ | |

+| SLA | ✔️ | ✔️ | |

+### Trust a Certificate Authority

+There are two options to trust a Certificate Authority:

+**Option 1: Upload via Azure Spring Apps**

+To load the CA certs into your apps, see [Use TLS/SSL certificates in your application in Azure Spring Apps](how-to-use-tls-certificate.md). Then the certs will be mounted into the location */etc/azure-spring-cloud/certs/public/*.

+**Option 2: Manual installation in the image**

+When your application is restarted or scaled out, the latest image will always be pulled. If the image has been changed, the newly started application instances will use the new image while the old instances will continue to use the old image.

+> [!NOTE]

+> Avoid using the `latest` tag or overwrite the image without a tag change to avoid unexpected application behavior.

+We recommend that you use Microsoft Defender for Cloud with ACR to prevent your images from being vulnerable. For more information, see [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks#scanning-images-in-acr-registries)

+You can switch the deployment type from JAR deployment to container deployment directly by redeploying using the following command:

+Or reversely:

+```azurecli

+az spring app deploy \

+ --resource-group <your-resource-group> \

+ --name <your-app-name> \

+ --artifact-path <your-jar-file> \

+ --service <your-service-name>

+```

+### CI/CD

+Automating deployments using Azure Pipelines Tasks or GitHub Actions are supported now. For more information, see [Automate application deployments to Azure Spring Apps](how-to-cicd.md) and [Use Azure Spring Apps CI/CD with GitHub Actions](./how-to-github-actions.md)

+The following example deploys to the default production deployment in Azure Spring Apps with an existing container image.

+```yml

+name: AzureSpringCloud

+on: push

+env:

+ ASC_PACKAGE_PATH: ${{ github.workspace }}

+ AZURE_SUBSCRIPTION: <azure subscription name>

+jobs:

+ deploy_to_production:

+ runs-on: ubuntu-latest

+ name: deploy to production with soruce code

+ steps:

+ - name: Checkout GitHub Action

+ uses: actions/checkout@v2

+ - name: Login via Azure CLI

+ uses: azure/login@v1

+ with:

+ creds: ${{ secrets.AZURE_CREDENTIALS }}

+ - name: Deploy Custom Image

+ uses: Azure/spring-apps-deploy@v1

+ with:

+ azure-subscription: ${{ env.AZURE_SUBSCRIPTION }}

+ action: deploy

+ service-name: <service instance name>

+ app-name: <app name>

+ deployment-name: <deployment name>

+ container-registry: <your container image registry>

+ registry-username: ${{ env.REGISTRY_USERNAME }}

+ registry-password: ${{ secrets.REGISTRY_PASSWORD }}

+ container-image: <your image tag>

+> [!NOTE]

+> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog).

+In this quickstart, we use the well-known sample app [PetClinic](https://github.com/spring-petclinic/spring-petclinic-microservices) that will show you how to deploy apps to the Azure Spring Apps service. The **Pet Clinic** sample demonstrates the microservice architecture pattern and highlights the services breakdown. You'll see how to deploy services to Azure with Azure Spring Apps capabilities such as service discovery, config server, logs, metrics, distributed tracing, and developer-friendly tooling support.

+* **API Gateway**: The API Gateway is a single entry point into the system, used to handle requests and route them to an appropriate service or to invoke multiple services, and aggregate the results. The three core services expose an external API to client. In real-world systems, the number of functions can grow quickly with system complexity. Hundreds of services might be involved in rendering one complex webpage.

+> [!NOTE]

+> The first 50 vCPU hours and 100 GB hours of memory are free each month. For more information, see [Price Reduction - Azure Spring Apps does more, costs less!](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/price-reduction-azure-spring-apps-does-more-costs-less/ba-p/3614058) on the [Apps on Azure Blog](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/bg-p/AppsonAzureBlog).

+- If you're deploying Azure Spring Apps Enterprise tier for the first time in the target subscription, see the [Prerequisites](./how-to-enterprise-marketplace-offer.md#prerequisites) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).

+- If you're deploying Azure Spring Apps Enterprise tier for the first time in the target subscription, see the [Prerequisites](./how-to-enterprise-marketplace-offer.md#prerequisites) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).

+1. Use [Spring Initializr](https://start.spring.io/#!type=maven-project&language=java&platformVersion=2.6.10&packaging=jar&jvmVersion=11&groupId=com.example&artifactId=hellospring&name=hellospring&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.hellospring&dependencies=web,cloud-eureka,actuator,cloud-config-client) to generate a sample project with recommended dependencies for Azure Spring Apps. The following URL provides default settings for you.

+The following image shows the recommended Initializr settings for the *hellospring* sample project.

+This example uses Java version 11. To use a different Java version, change the Java version setting under **Project Metadata**.

+## Prerequisites

+- If you're deploying Azure Spring Apps Enterprise tier for the first time in the target subscription, see the [Prerequisites](./how-to-enterprise-marketplace-offer.md#prerequisites) section of [View Azure Spring Apps Enterprise tier offering in Azure Marketplace](./how-to-enterprise-marketplace-offer.md).

+More samples are available on GitHub: [Azure Spring Apps Samples](https://github.com/Azure-Samples/Azure-Spring-Cloud-Samples).

+ -AllowBlobPublicAccess $true

+When a container is configured for anonymous public access, requests to read blobs in that container do not need to be authorized. However, any firewall rules that are configured for the storage account remain in effect and will block traffic inline with the configured ACLs.

+- The **Azure Import/Export service** provides a way to import or export large amounts of data to and from your storage account using hard drives that you provide. For more information, see [What is Azure Import/Export service?](../../import-export/storage-import-export-service.md).

+### Azure Storage data movement API

+> [!Note]

+> The **Allow Azure services on the trusted services list to access this storage account** exception must be selected on your storage account to allow trusted first party Microsoft services such as Azure File Sync to access the storage account. To learn more, see [Grant access to trusted Azure services](../common/storage-network-security.md#grant-access-to-trusted-azure-services).

+#### Grant access to trusted Azure services and disable access to the storage account public endpoint

+#### Grant access to trusted Azure services and restrict access to the storage account public endpoint to specific virtual networks

+| Audit | Azure Files | The storage account's public endpoint is enabled. See [Grant access to trusted Azure services and disable access to the storage account public endpoint](#grant-access-to-trusted-azure-services-and-disable-access-to-the-storage-account-public-endpoint) for more information. | Storage accounts should restrict network access |

+This [feature](storage-files-identity-auth-azure-active-directory-enable.md) builds on top of [FSLogix profile container support](../../virtual-desktop/create-profile-container-azure-ad.md) released in December 2022 and expands it to support more use cases (SMB only). Hybrid identities, which are user identities created in Active Directory Domain Services (AD DS) and synced to Azure AD, can mount and access Azure file shares without the need for line-of-sight to an Active Directory domain controller. While the initial support is limited to hybrid identities, itΓÇÖs a significant milestone as we simplify identity-based authentication for Azure Files customers. [Read the blog post](https://techcommunity.microsoft.com/t5/azure-storage-blog/general-availability-azure-active-directory-kerberos-with-azure/ba-p/3612111).

+ Title: Configure a Point-to-Site (P2S) VPN on Windows for use with Azure Files

+- A [gateway subnet](../../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#gwsub) must be created on the virtual network, and you'll need to know the name of the gateway subnet.

+Remember to replace `<desired-vpn-name-here>`, `<desired-region-here>`, and `<gateway-subnet-name-here>` in the below script with the proper values for these variables.

+$gatewaySubnet = "<gateway-subnet-name-here>"

+The Azure virtual network gateway will create a downloadable package with configuration files required to initialize the VPN connection on your on-premises Windows machine. We will configure the VPN connection using the [Always On VPN](/windows-server/remote/remote-access/vpn/always-on-vpn/) feature introduced in Windows 10/Windows Server 2016. This package also contains executable packages which will configure the legacy Windows VPN client, if so desired. This guide uses Always On VPN rather than the legacy Windows VPN client as the Always On VPN client allows end-users to connect/disconnect from the Azure VPN without having administrator permissions to their machine.

+| Share-level permission (built-in role) | NTFS permission | Resulting access |

+For more information on these advanced permissions, see [the command-line reference for icacls](/windows-server/administration/windows-commands/icacls).

+ If a throttled request was authenticated with Kerberos, you might see a prefix indicating the authentication protocol, such as:

+ - KerberosSuccessWithShareEgressThrottling

+ - KerberosSuccessWithShareIngressThrottling

+Stream Analytics guarantees jobs in paired regions are updated in separate batches. The deployment of an update to Stream Analytics would not occur at the same time in a set of paired regions. As a result there is a sufficient time gap between the updates to identify potential issues and remediate them.

+You can start, stop, pause or resume a link connection. When started, a link connection will start from a full initial load from your source database followed by incremental change feeds via the change feed feature in Azure SQL database. When you stop a link connection, the updates made to the operational data won't be synchronized to your Synapse dedicated SQL pool. It will do a full initial load from your source database if you start the link connection again. When you pause a link connection, the updates made to the operational data won't be synchronized to your Synapse dedicated SQL pool. When you resume a link connection, it will continue to synchronize the update from the place where you paused the link connection to your Synapse dedicated SQL pool. For more information, see [Azure Synapse Link change feed for SQL Server 2022 and Azure SQL Database](/sql/sql-server/synapse-link/synapse-link-sql-server-change-feed).

+* **Stopping:** a link connection is going to be stopped. The compute engine is being shut down.

+* **Pausing:** a link connection is going to be paused. The compute engine is being shut down.

+* **Paused:** a link connection is paused. You will not be charged in paused state.

+* **Resuming:** a link connection is going to be resumed by setting up compute engines to continue to replicate the changes.

+You can start, stop, pause or resume a link connection. When started, a link connection will start from a full initial load from your source database followed by incremental change feeds via change feed feature in SQL Server 2022. When you stop a link connection, the updates made to the operational data won't be synchronized to your Synapse dedicated SQL pool. It will do a full initial load from your source database if you start the link connection again. When you pause a link connection, the updates made to the operational data won't be synchronized to your Synapse dedicated SQL pool. When you resume a link connection, it will continue to synchronize the update from the place where you paused the link connection to your Synapse dedicated SQL pool. For more information, see [Azure Synapse Link change feed for SQL Server 2022 and Azure SQL Database](/sql/sql-server/synapse-link/synapse-link-sql-server-change-feed).

+* **Stopping:** a link connection is going to be stopped. The compute engine is being shut down.

+* **Pausing:** a link connection is going to be paused. The compute engine is being shut down.

+* **Paused:** a link connection is paused. You will not be charged in paused state.

+* **Resuming:** a link connection is going to be resumed by setting up compute engines to continue to replicate the changes.

+- Allow storage firewall for users to view the boot screenshots or serial logs. To do this, add your network or the client/browser's Internet IPs as firewall exclusions. For more information, see [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md).

+1. Select the **Disk SKU** and select **Premium SSD v2**.

+- DiskIOPSReadWrite:

+ - Has a baseline minimum IOPS of 100, for disks 100 GiB and smaller.

+ - For disks larger than 100 GiB, the baseline minimum IOPS you can set increases by 1 per GiB. So the lowest you can set DiskIOPSReadWrite for a 101 GiB disk is 101 IOPS.

+ - The maximum you can set this attribute is determined by the size of your disk, the formula is 300 * GiB, up to a maximum of 160,000.

+- DiskMBpsReadWrite

+ - The minium throughput (MB/s) of this attribute is determined by your IOPS, the formula is 4 KiB per second per IOPS. So if you had 101 IOPS, the minium MB/s you can set is 1.

+ - The maximum you can set this attribute is determined by the amount of IOPS you set, the formula is 256 KiB per second per IOPS, up to a maximum of 4,000 MB/s.

+- DiskIOPSReadOnly

+ - The minimum baseline IOPS for this attribute is 100. For DiskIOPSReadOnly, the baseline doesn't increase with disk size.

+ - The maximum you can set this attribute is determined by the size of your disk, the formula is 300 * GiB, up to a maximum of 160,000.

+- DiskMBpsReadOnly

+ - The minimum throughput (MB/s) for this attribute is 1. For DiskMBpsReadOnly, the baseline doesn't increase with IOPS.

+ - The maximum you can set this attribute is determined by the amount of IOPS you set, the formula is 256 KiB per second per IOPS, up to a maximum of 4,000 MB/s.

+The Azure Compute Gallery lets you share your custom VM images with others in your organization, within or across regions, within an Azure AD tenant, or publicly using a [community gallery (preview)](azure-compute-gallery.md#community). Choose which images you want to share, which regions you want to make them available in, and who you want to share them with. You can create multiple galleries so that you can logically group images. Many new features like ARM64, Accelerated Networking and TrustedVM are only supported through Azure Compute Gallery and not available for managed images.

+> The file customizer is only suitable for small file downloads, < 20MB. For larger file downloads, use a script or inline command, then use code to download files, such as, Linux `wget` or `curl`, Windows, `Invoke-WebRequest`. For files that are in Azure storage, ensure that you assign an identity with permissions to view that file to the build VM by following the documentation here: [User Assigned Identity for the Image Builder Build VM](#user-assigned-identity-for-the-image-builder-build-vm). Any file that is not stored in Azure must be publicly accessible for Azure Image Builder to be able to download it.

+To implement this solution in portal, follow the instructions in this documentation: [Assign Azure roles using the Azure portal - Azure RBAC](../../role-based-access-control/role-assignments-portal.md).

+For [Step 1: Identify the needed scope](../../role-based-access-control/role-assignments-portal.md#step-1-identify-the-needed-scope): The needed scope is your resource group.

+For [Step 3: Select the appropriate role](../../role-based-access-control/role-assignments-portal.md#step-3-select-the-appropriate-role): The role is Contributor.

+For [Step 4: Select who needs access](../../role-based-access-control/role-assignments-portal.md#step-4-select-who-needs-access): Select member “Azure Virtual Machine Image Builder”

+Then proceed to [Step 6: Assign role](../../role-based-access-control/role-assignments-portal.md#step-6-assign-role) to assign the role.

+**Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets

+- As of June 30th, 2023, new subscriptions won't be eligible to create unmanaged disks.

+- November 07, 2022: Added HANA hook susChkSrv for scale-up pacemaker cluster in [High availability of SAP HANA on Azure VMs on SLES](sap-hana-high-availability.md), [High availability of SAP HANA Scale-up with ANF on SLES](sap-hana-high-availability-netapp-files-suse.md).

+- November 07, 2022: Added monitor operation for azure-lb resource in [High availability of SAP HANA on Azure VMs on SLES](sap-hana-high-availability.md), [SAP HANA scale-out with HSR and Pacemaker on SLES](sap-hana-high-availability-scale-out-hsr-suse.md), [Set up IBM Db2 HADR on Azure virtual machines (VMs)](dbms-guide-ha-ibm.md), [Azure VMs high availability for SAP NetWeaver on SLES for SAP Applications with simple mount and NFS](high-availability-guide-suse-nfs-simple-mount.md), [Azure VMs high availability for SAP NW on SLES with NFS on Azure File](high-availability-guide-suse-nfs-azure-files.md), [Azure VMs high availability for SAP NW on SLES with Azure NetApp Files](high-availability-guide-suse-netapp-files.md), [Azure VMs high availability for SAP NetWeaver on SLES](high-availability-guide-suse.md), [High availability for NFS on Azure VMs on SLES](high-availability-guide-suse-nfs.md), [Azure VMs high availability for SAP NetWeaver on SLES multi-SID guide](high-availability-guide-suse-multi-sid.md)

+Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.

+Modifying NSG rules will only impact the new connections that are formed. When a new rule is created or an existing rule is updated in a network security group, it will only apply to new flows and new connections. Existing workflow connections are not updated with the new rules.

+[Azure Virtual WAN][virtual-wan-overview] is a networking solution that allows creating sophisticated networking topologies easily: it encompasses routing across Azure regions between Azure VNets and on-premises locations via Point-to-Site VPN, Site-to-Site VPN, [ExpressRoute][er] and [integrated SDWAN appliances][virtual-wan-nva], including the option to [secure the traffic][virtual-wan-secured-hub]. In most scenarios it is not required any deep knowledge of how Virtual WAN internal routing works, but in certain situations it can be useful to understand Virtual WAN routing concepts.

+This document will explore sample Virtual WAN scenarios that will explain some of the behaviors that organizations might encounter when interconnecting their VNets and branches in complex networks. The scenarios shown in this article are by no means design recommendations, they are just sample topologies designed to demonstrate certain Virtual WAN functionalities.

+The first scenario in this article will analyze a topology with two Virtual WAN hubs, one ExpressRoute circuit connected to each hub, one branch connected over VPN to hub 1, and a second branch connected via SDWAN to an NVA deployed inside of hub 2. In each hub, there are VNets connected directly (VNets 11 and 21) and indirectly through an NVA (VNets 121, 122, 221 and 222). VNet 12 exchanges routing information with hub 1 via BGP (see [BGP peering with a virtual hub][virtual-wan-bgp]), and VNet 22 has static routes configured, so that differences between both options can be shown.

+In each hub, the VPN and SDWAN appliances server to a dual purpose: on one side they advertise their own individual prefixes (`10.4.1.0/24` over VPN in hub 1 and `10.5.3.0/24` over SDWAN in hub 2), and on the other they advertise the same prefixes as the ExpressRoute circuits in the same region (`10.4.2.0/24` in hub 1 and `10.5.2.0/24` in hub 2). This difference will be used to demonstrate how the [Virtual WAN hub routing preference][virtual-wan-hrp] works.

+> [!IMPORTANT]

+> The previous diagram shows two secured virtual hubs, but this topology is not supported yet. For more information see [How to configure Virtual WAN Hub routing intent and routing policies][virtual-wan-intent].

+After adding the static route, hub 1 will contain the `10.2.20.0/22` route as well:

+> [!IMPORTANT]

+> The previous diagram shows two secured virtual hubs, but this topology is not supported yet. For more information see [How to configure Virtual WAN Hub routing intent and routing policies][virtual-wan-intent].

+You can see that the IP prefix for hub 2 (`192.168.2.0/23`) still appears reachable over the Global Reach link, but this shouldn't impact traffic as there shouldn't be any traffic addressed to devices in hub 2. This might be an issue though if there were NVAs in both hubs establishing SDWAN tunnels between each other.

+In order to add direct links between the Azure regions and the on-premises locations connected via ExpressRoute, it is often desirable connecting a single ExpressRoute circuit to multiple Virtual WAN hubs in a topology some times described as "bow tie", as the following topology shows:

+> [!IMPORTANT]

+> The previous diagram shows two secured virtual hubs, but this topology is not supported yet. For more information see [How to configure Virtual WAN Hub routing intent and routing policies][virtual-wan-intent].

+[virtual-wan-intent]: ./how-to-routing-policies.md

+[er-gr]: ../expressroute/expressroute-global-reach.md