-# Configure your blob storage for image retrieval and video search in Vision Studio

-To get started with the **Search photos image retrieval** scenario in Vision Studio, you need to select or create a new Azure storage account. Your storage account can be in any region, but creating it in the same region as your Vision resource is more efficient and reduces cost.

-> You need to create your storage account on the same Azure subscription as the Vision resource you're using in the **Search photos image retrieval** scenario as shown below.

-This allows Vision Studio to access images and videos in your blob storage container to extract insights on your data.

-## Upload images and videos in Vision Studio

-In the **Try with your own video** or **Try with your own image** section in Vision Studio, select the storage account that you configured with the CORS rule. Select the container in which your images or videos are stored. If you don't have a container, you can create one and upload the images or videos from your local device. If you have updated the CORS rules on the storage account, refresh the Blob container or Video files on container sections.

-The following example C# code calculates the cosine similarity between two vectors. It's up to you to decide what similarity threshold to use for returning images as search results.

-PII detection is one of the features offered by [Azure AI Language](../overview.md), a collection of machine learning and AI algorithms in the cloud for developing intelligent applications that involve written language. The PII detection feature can **identify, categorize, and redact** sensitive information in unstructured text. For example: phone numbers, email addresses, and forms of identification. The method for utilizing PII in conversations is different than other use cases, and articles for this use have been separated.

-## Get started with PII detection

-## Responsible AI

-An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it's deployed. Read the [transparency note for PII](/legal/cognitive-services/language-service/transparency-note-personally-identifiable-information?context=/azure/ai-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:

-* **Redact some categories of personal information from documents that get wider circulation** - For example, if customer contact records are accessible to first line support representatives, the company may want to redact the customer's personal information besides their name from the version of the customer history to preserve the customer's privacy.

-* **Redact personal information in order to reduce unconscious bias** - For example, during a company's resume review process, they may want to block name, address and phone number to help reduce unconscious gender or other biases.

-* The [quickstart article](quickstart.md) for instructions on making requests to the service using the REST API and client library SDK.

-Note that though the services are labeled document and conversation summarization, document summarization only accepts plain text blocks, and conversation summarization will accept various speech artifacts in order for the model to learn more. If you want to process a conversation but only care about text, you can use document summarization for that scenario.

-Document summarization uses natural language processing techniques to generate a summary for documents. There are two general approaches to automatic summarization, both of which are supported by the API: extractive and abstractive.

-Extractive summarization extracts sentences that collectively represent the most important or relevant information within the original content. Abstractive summarization generates a summary with concise, coherent sentences or words which are not simply extract sentences from the original document. These features are designed to shorten content that could be considered too long to read.

- * Multiple extracted sentences: These sentences collectively convey the main idea of the document. TheyΓÇÖre original sentences extracted from the input documentΓÇÖs content.

- * Rank score: The rank score indicates how relevant a sentence is to a document's main topic. Document summarization ranks extracted sentences, and you can determine whether they're returned in the order they appear, or according to their rank.

- * Multiple returned sentences: Determine the maximum number of sentences to be returned. For example, if you request a three-sentence summary extractive summarization will return the three highest scored sentences.

- * Positional information: The start position and length of extracted sentences.

-* **Abstractive summarization**: Generates a summary that may not use the same words as those in the document, but captures the main idea.

- * Summary texts: Abstractive summarization returns a summary for each contextual input range within the document. A long document may be segmented so multiple groups of summary texts may be returned with their contextual input range.

- * Contextual input range: The range within the input document that was used to generate the summary text.

-*"At Microsoft, we have been on a quest to advance AI beyond existing techniques, by taking a more holistic, human-centric approach to learning and understanding. As Chief Technology Officer of Azure AI services, I have been working with a team of amazing scientists and engineers to turn this quest into a reality. In my role, I enjoy a unique perspective in viewing the relationship among three attributes of human cognition: monolingual text (X), audio or visual sensory signals, (Y) and multilingual (Z). At the intersection of all three, thereΓÇÖs magicΓÇöwhat we call XYZ-code as illustrated in Figure 1ΓÇöa joint representation to create more powerful AI that can speak, hear, see, and understand humans better. We believe XYZ-code will enable us to fulfill our long-term vision: cross-domain transfer learning, spanning modalities and languages. The goal is to have pre-trained models that can jointly learn representations to support a broad range of downstream AI tasks, much in the way humans do today. Over the past five years, we have achieved human performance on benchmarks in conversational speech recognition, machine translation, conversational question answering, machine reading comprehension, and image captioning. These five breakthroughs provided us with strong signals toward our more ambitious aspiration to produce a leap in AI capabilities, achieving multi-sensory and multilingual learning that is closer in line with how humans learn and understand. I believe the joint XYZ-code is a foundational component of this aspiration, if grounded with external knowledge sources in the downstream AI tasks."*

-The document summarization API request is processed upon receipt of the request by creating a job for the API backend. If the job succeeded, the output of the API will be returned. The output will be available for retrieval for 24 hours. After this time, the output is purged. Due to multilingual and emoji support, the response may contain text offsets. See [how to process offsets](../concepts/multilingual-emoji-support.md) for more information.

-Using the above example, the API might return the following summarized sentences:

-* When there are aspects of an ΓÇ£issueΓÇ¥ and ΓÇ£resolutionΓÇ¥, such as:

-**Agent**: "*Hello, youΓÇÖre chatting with Rene. How may I help you?*"

-**Customer**: "*Hi, I tried to set up wifi connection for Smart Brew 300 espresso machine, but it didnΓÇÖt work.*"

-**Agent**: "*IΓÇÖm sorry to hear that. LetΓÇÖs see what we can do to fix this issue. Could you push the wifi connection button, hold for 3 seconds, then let me know if the power light is slowly blinking?*"

-**Agent**: "*I see. Thanks. LetΓÇÖs try if a factory reset can solve the issue. Could you please press and hold the center button for 5 seconds to start the factory reset.*"

-**Customer**: *"IΓÇÖve tried the factory reset and followed the above steps again, but it still didnΓÇÖt work."*

-**Agent**: "*IΓÇÖm very sorry to hear that. Let me see if thereΓÇÖs another way to fix the issue. Please hold on for a minute.*"

-Conversation summarization feature would simplify the text into the following:

-* Summarization takes raw unstructured text for analysis. See [Data and service limits](../concepts/data-limits.md) in the how-to guide for more information.

-* Summarization works with a variety of written languages. See [language support](language-support.md?tabs=document-summarization) for more information.

-* Conversation summarization takes structured text for analysis. See the [data and service limits](../concepts/data-limits.md) for more information.

-* Conversation summarization accepts text in English. See [language support](language-support.md?tabs=conversation-summarization) for more information.

-An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which itΓÇÖs deployed. Read the [transparency note for summarization](/legal/cognitive-services/language-service/transparency-note-extractive-summarization?context=/azure/ai-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:

-* You can now use Azure OpenAI to automatically label or generate data during authoring. Learn more with the links below.

- * Auto-label your documents in [Custom text classification](./custom-text-classification/how-to/use-autolabeling.md) or [Custom named entity recognition](./custom-named-entity-recognition/how-to/use-autolabeling.md).

-* The latest model version (2022-10-01) for Language Detection now supports 6 more International languages and 12 Romanized Indic languages.

-* Conversational language understanding and orchestration workflow is now available in the following regions in the sovereign cloud for China:

- * Abstractive summarization, which generates a summary of a document that may not use the same words as those in the document, but captures the main idea.

-* [Regular expressions](./conversational-language-understanding/concepts/entity-components.md#regex-component) in conversational language understanding and [required components](./conversational-language-understanding/concepts/entity-components.md#required-components), offering an additional ability to influence entity predictions.

-* Text Analytics for Health now [supports additional languages](./text-analytics-for-health/language-support.md) in preview: Spanish, French, German Italian, Portuguese and Hebrew. These languages are available when using a docker container to deploy the API service.

-* A new version of the Language API (`2022-07-01-preview`) has been released. It provides:

-* There is a new endpoint URL and request format for making REST API calls to prebuilt Language service features. See the following quickstart guides and reference documentation for information on structuring your API calls. All text analytics 3.2-preview.2 API users can begin migrating their workloads to this new endpoint.

-* Model 2021-10-01 is Generally Available (GA) for [Sentiment Analysis and Opinion Mining](sentiment-opinion-mining/overview.md), featuring enhanced modeling for emojis and better accuracy across all supported languages.

-* The version 3.1-preview.x REST endpoints and 5.1.0-beta.x client library have been retired. Please upgrade to the General Available version of the API(v3.1). If you're using the client libraries, use package version 5.1.0 or higher. See the [migration guide](./concepts/migrate-language-service-latest.md) for details.

-* Based on ongoing customer feedback, we have increased the character limit per document for Text Analytics for health from 5,120 to 30,720.

- * [Additional language support](sentiment-opinion-mining/language-support.md?tabs=sentiment-analysis) for the opinion mining feature.

-> To get started, you need to already have been approved for [Azure OpenAI access](../overview.md#how-do-i-get-access-to-azure-openai) and have an [Azure OpenAI Service resource](../how-to/create-resource.md) with either the gpt-35-turbo or the gpt-4 models deployed.

-| ```file```| file | Yes | N/A | The audio file object (not file name) to transcribe, in one of these formats: flac, mp3, mp4, mpeg, mpga, m4a, ogg, wav, or webm.<br/><br/>The file size limit for the Azure OpenAI Whisper model is 25 MB. If you need to transcribe a file larger than 25 MB, break it into chunks. Alternatively you can use the Azure AI Speech [batch transcription](../speech-service/batch-transcription-create.md#using-whisper-models) API.<br/><br/>You can get sample audio files from the [Azure AI Speech SDK repository at GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/tree/master/sampledata/audiofiles). |

-> Azure AI Speech also supports OpenAI's Whisper model via the batch transcription API. To learn more, check out the [Create a batch transcription](../speech-service/batch-transcription-create.md#using-whisper-models) guide. Check out [What is the Whisper model?](../speech-service/whisper-overview.md) to learn more about when to use Azure AI Speech vs. Azure OpenAI Service.

-The file size limit for the Azure OpenAI Whisper model is 25 MB. If you need to transcribe a file larger than 25 MB, you can use the Azure AI Speech [batch transcription](../speech-service/batch-transcription-create.md#using-whisper-models) API.

-When audio files are located in an [Azure Blob Storage](../../storage/blobs/storage-blobs-overview.md) account, you can request transcription of individual audio files or an entire Azure Blob Storage container. You can also [write transcription results](batch-transcription-create.md#destination-container-url) to a Blob container.

-description: With batch transcriptions, you submit the audio, and then retrieve transcription results asynchronously.

-> New pricing is in effect for batch transcription via [Speech to text REST API v3.2](./migrate-v3-1-to-v3-2.md). For more information, see the [pricing guide](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services).

-With batch transcriptions, you submit the [audio data](batch-transcription-audio-data.md), and then retrieve transcription results asynchronously. The service transcribes the audio data and stores the results in a storage container. You can then [retrieve the results](batch-transcription-get.md) from the storage container.

-> [!NOTE]

-> To use batch transcription, you need to use a standard (S0) Speech resource. Free resources (F0) aren't supported. For more information, see [pricing and limits](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/).

-For more information, see [request configuration options](#request-configuration-options).

-Make an HTTP POST request using the URI as shown in the following [Transcriptions_Create](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Transcriptions_Create) example. Replace `YourSubscriptionKey` with your Speech resource key, replace `YourServiceRegion` with your Speech resource region, and set the request body properties as previously described.

-```azurecli-interactive

-```azurecli-interactive

-|`contentContainerUrl`| You can submit individual audio files, or a whole storage container.<br/><br/>You must specify the audio data location via either the `contentContainerUrl` or `contentUrls` property. For more information about Azure blob storage for batch transcription, see [Locate audio files for batch transcription](batch-transcription-audio-data.md).<br/><br/>This property won't be returned in the response.|

-|`contentUrls`| You can submit individual audio files, or a whole storage container.<br/><br/>You must specify the audio data location via either the `contentContainerUrl` or `contentUrls` property. For more information, see [Locate audio files for batch transcription](batch-transcription-audio-data.md).<br/><br/>This property won't be returned in the response.|

-|`destinationContainerUrl`|The result can be stored in an Azure container. If you don't specify a container, the Speech service stores the results in a container managed by Microsoft. When the transcription job is deleted, the transcription result data is also deleted. For more information such as the supported security scenarios, see [Destination container URL](#destination-container-url).|

-|`diarization`|Indicates that diarization analysis should be carried out on the input, which is expected to be a mono channel that contains multiple voices. Specify the minimum and maximum number of people who might be speaking. You must also set the `diarizationEnabled` property to `true`. The [transcription file](batch-transcription-get.md#transcription-result-file) contains a `speaker` entry for each transcribed phrase.<br/><br/>You need to use this property when you expect three or more speakers. For two speakers setting `diarizationEnabled` property to `true` is enough. See an example of the property usage in [Transcriptions_Create](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Transcriptions_Create) operation description.<br/><br/>Diarization is the process of separating speakers in audio data. The batch pipeline can recognize and separate multiple speakers on mono channel recordings. The maximum number of speakers for diarization must be less than 36 and more or equal to the `minSpeakers` property (see [example](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Transcriptions_Create)). The feature isn't available with stereo recordings.<br/><br/>When this property is selected, source audio length can't exceed 240 minutes per file.<br/><br/>**Note**: This property is only available with Speech to text REST API version 3.1 and later. If you set this property with any previous version (such as version 3.0), then it's ignored and only 2 speakers are identified.|

-|`diarizationEnabled`|Specifies that diarization analysis should be carried out on the input, which is expected to be a mono channel that contains two voices. The default value is `false`.<br/><br/>For three or more voices you also need to use property `diarization` (only with Speech to text REST API version 3.1 and later).<br/><br/>When this property is selected, source audio length can't exceed 240 minutes per file.|

-|`displayFormWordLevelTimestampsEnabled`|Specifies whether to include word-level timestamps on the display form of the transcription results. The results are returned in the displayWords property of the transcription file. The default value is `false`.<br/><br/>**Note**: This property is only available with Speech to text REST API version 3.1 and later.|

-|`languageIdentification.candidateLocales`|The candidate locales for language identification such as `"properties": { "languageIdentification": { "candidateLocales": ["en-US", "de-DE", "es-ES"]}}`. A minimum of 2 and a maximum of 10 candidate locales, including the main locale for the transcription, is supported.|

-|`locale`|The locale of the batch transcription. This should match the expected locale of the audio data to transcribe. The locale can't be changed later.<br/><br/>This property is required.|

-|`model`|You can set the `model` property to use a specific base model or [custom speech](how-to-custom-speech-train-model.md) model. If you don't specify the `model`, the default base model for the locale is used. For more information, see [Using custom models](#using-custom-models) and [Using Whisper models](#using-whisper-models).|

-```azurecli-interactive

-## Using custom models

-Batch transcription uses the default base model for the locale that you specify. You don't need to set any properties to use the default base model.

-Optionally, you can modify the previous [create transcription example](#create-a-batch-transcription) by setting the `model` property to use a specific base model or [custom speech](how-to-custom-speech-train-model.md) model.

-```azurecli-interactive

-To use a custom speech model for batch transcription, you need the model's URI. You can retrieve the model location when you create or get a model. The top-level `self` property in the response body is the model's URI. For an example, see the JSON response example in the [Create a model](how-to-custom-speech-train-model.md?pivots=rest-api#create-a-model) guide.

-> A [hosted deployment endpoint](how-to-custom-speech-deploy-model.md) isn't required to use custom speech with the batch transcription service. You can conserve resources if the [custom speech model](how-to-custom-speech-train-model.md) is only used for batch transcription.

-Batch transcription requests for expired models fail with a 4xx error. You want to set the `model` property to a base model or custom model that hasn't yet expired. Otherwise don't include the `model` property to always use the latest base model. For more information, see [Choose a model](how-to-custom-speech-create-project.md#choose-your-model) and [custom speech model lifecycle](how-to-custom-speech-model-and-endpoint-lifecycle.md).

-## Using Whisper models

-Azure AI Speech supports OpenAI's Whisper model via the batch transcription API.

-> Azure OpenAI Service also supports OpenAI's Whisper model for speech to text with a synchronous REST API. To learn more, check out the [quickstart](../openai/whisper-quickstart.md). Check out [What is the Whisper model?](./whisper-overview.md) to learn more about when to use Azure AI Speech vs. Azure OpenAI Service.

-To use a Whisper model for batch transcription, you also need to set the `model` property. Whisper is a display-only model, so the lexical field isn't populated in the response.

-> Whisper models are currently in preview. And you should always use [version 3.2](./migrate-v3-1-to-v3-2.md) of the speech to text API (that's available in a seperate preview) for Whisper models.

-Whisper models via batch transcription are supported in the East US, Southeast Asia, and West Europe regions.

-You can make a [Models_ListBaseModels](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-2-preview1/operations/Models_ListBaseModels) request to get available base models for all locales.

-By default only the 100 oldest base models are returned, so you can use the `skip` and `top` query parameters to page through the results. For example, the following request returns the next 100 base models after the first 100.

-``````

-Make sure that you set the [configuration variables](spx-basics.md#create-a-resource-configuration) for a Speech resource in one of the supported regions. You can run the `spx csr list --base` command to get available base models for all locales.

-```azurecli-interactive

-```azurecli-interactive

-## Destination container URL

-You can store the results of a batch transcription to a writable Azure Blob storage container using option `destinationContainerUrl` in the [batch transcription creation request](#create-a-transcription-job). Note however that this option is only using [ad hoc SAS](batch-transcription-audio-data.md#sas-url-for-batch-transcription) URI and doesn't support [Trusted Azure services security mechanism](batch-transcription-audio-data.md#trusted-azure-services-security-mechanism). This option also doesn't support Access policy based SAS. The Storage account resource of the destination container must allow all external traffic.

-If you would like to store the transcription results in an Azure Blob storage container via the [Trusted Azure services security mechanism](batch-transcription-audio-data.md#trusted-azure-services-security-mechanism), then you should consider using [Bring-your-own-storage (BYOS)](bring-your-own-storage-speech-resource.md). See details on how to use BYOS-enabled Speech resource for Batch transcription in [this article](bring-your-own-storage-speech-resource-speech-to-text.md).

-## Next steps

- > If you use `destinationContainerUrl` parameter, it will work, but provide significantly less security for your data, because of ad hoc SAS usage. See details [here](batch-transcription-create.md#destination-container-url).

- var animation = e.Animation;

-Azure AI Speech now supports OpenAI's Whisper model via Speech to text REST API v3.2. To learn more, check out the [Create a batch transcription](./batch-transcription-create.md#using-whisper-models) guide.

- <voice name='PhoenixV2Neural'>

-* Azure AI Speech now supports OpenAI's Whisper model via the batch transcription API. To learn more, check out the [Create a batch transcription](./batch-transcription-create.md#using-whisper-models) guide.

-| Transcriptions, captions, and subtitles for prerecorded audio and video. | The Whisper model via [Azure OpenAI](../openai/whisper-quickstart.md) is recommended for fast processing of individual audio files. The Whisper model via [Azure AI Speech](./batch-transcription-create.md#using-whisper-models) is recommended for batch processing of large files. For more information, see [Whisper model via Azure AI Speech or via Azure OpenAI Service?](#whisper-model-via-azure-ai-speech-or-via-azure-openai-service) | Recommended for batch processing of large files, diarization, and word level timestamps. |

-You can choose whether to use the Whisper Model via [Azure OpenAI](../openai/whisper-quickstart.md) or via [Azure AI Speech](./batch-transcription-create.md#using-whisper-models). In either case, the readability of the transcribed text is the same. You can input mixed language audio and the output is in English.

- 1. **Name**. Enter the name you have chosen for your resource. The name you choose must be unique within Azure.

- 1. After your resource has successfully deployed, select **Go to resource**.

-<!-- > [!div class="nextstepaction"]

-> [I ran into an issue with the prerequisites.](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?Pillar=Language&Product=Document-translation&Page=quickstart&Section=Prerequisites) -->

-1. If you've created a new resource, after it deploys, select **Go to resource**. If you have an existing Document Translation resource, navigate directly to your resource page.

-1. Copy and paste your **`key`** and **`document translation endpoint`** in a convenient location, such as *Microsoft Notepad*. Only one key is necessary to make an API call.

-1. You paste your **`key`** and **`document translation endpoint`** into the code samples to authenticate your request to the Document Translation service.

-<!-- > [!div class="nextstepaction"]

-> [I ran into an issue retrieving my key and endpoint.](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?Pillar=Language&Product=Document-translation&Page=quickstart&Section=Retrieve-your-keys-and-endpoint) -->

-* Your **source** container or blob must have designated **read** and **list** access.

-* Your **target** container or blob must have designated **write** and **list** access.

-* Your **glossary** blob must have designated **read** and **list** access.

-<!-- > [!div class="nextstepaction"]

-> [I ran into an issue creating blob storage containers with authentication.](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?Pillar=Language&Product=Document-translation&Page=quickstart&Section=Create-blob-storage-containers) -->

-description: This article introduces role-based access control in Azure AI Studio

-# Role-based access control in Azure AI Studio

-Select the Azure AI resource, subscription, resource group, container registry, or storage account to navigate to the corresponding resource in the Azure portal.

-* An Azure AI Studio project.

-1. Sign in to Azure AI Studio and open the Azure AI project in which you want to create the index.

-1. Sign in to [Azure AI Studio](https://ai.azure.com) with credentials that have access to your Azure OpenAI resource. During or after the sign-in workflow, select the appropriate directory, Azure subscription, and Azure OpenAI resource. You should be on the Azure AI Studio **Home** page.

-To work within the Azure AI Studio, you must first create a project:

-To learn more, see [Azure global infrastructure - Products available by region](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=cognitive-services).

-> [!NOTE]

-> If you already have a certificate, you can skip this step.

->

-However, modifying any **Azure-created tags** on resources under the node resource group in the AKS cluster is an unsupported action, which breaks the service-level objective (SLO). For more information, see [Does AKS offer a service-level agreement?](#does-aks-offer-a-service-level-agreement)

-Traditionally if your pod is running as a nonroot user (which you should), you must specify a `fsGroup` inside the podΓÇÖs security context so the volume can be readable and writable by the Pod. This requirement is covered in more detail in [here](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).

-* AKS does not support Windows GPU-enabled node pools.

-* [NVadsA10](../virtual-machines/nva10v5-series.md) v5-series are not a recommended SKU for GPU VHD.

-* You also need the Azure CLI version 2.0.64 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

-There are three ways to add the NVIDIA device plugin:

-1. [Using the AKS GPU image](#update-your-cluster-to-use-the-aks-gpu-image-preview)

-2. [Manually installing the NVIDIA device plugin](#manually-install-the-nvidia-device-plugin)

-3. Using the [NVIDIA GPU Operator](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/microsoft-aks.html)

-### Use NVIDIA GPU Operator with AKS

-You can use the NVIDIA GPU Operator by skipping the gpu driver installation on AKS. For more information about using the NVIDIA GPU Operator with AKS, see [NVIDIA Documentation](https://docs.nvidia.com/datacenter/cloud-native/gpu-operator/latest/microsoft-aks.html).

-Adding the node pool tag `SkipGPUDriverInstall=true` will skip installing the GPU driver automatically on newly created nodes in the node pool. Any existing nodes will not be changed - the pool can be scaled to 0 and back up to make the change take effect. You can specify the tag using the `--nodepool-tags` argument to [`az aks create`][az-aks-create] command (for a new cluster) or `--tags` with [`az aks nodepool add`][az-aks-nodepool-add] or [`az aks nodepool update`][az-aks-nodepool-update].

-> [!WARNING]

-> We don't recommend manually installing the NVIDIA device plugin daemon set with clusters using the AKS GPU image.

-### Update your cluster to use the AKS GPU image (preview)

-AKS provides a fully configured AKS image containing the [NVIDIA device plugin for Kubernetes][nvidia-github].

-1. Install the `aks-preview` Azure CLI extension using the [`az extension add`][az-extension-add] command.

- ```

-2. Update to the latest version of the extension using the [`az extension update`][az-extension-update] command.

- ```azurecli-interactive

-3. Register the `GPUDedicatedVHDPreview` feature flag using the [`az feature register`][az-feature-register] command.

- az feature register --namespace "Microsoft.ContainerService" --name "GPUDedicatedVHDPreview"

- It takes a few minutes for the status to show *Registered*.

-4. Verify the registration status using the [`az feature show`][az-feature-show] command.

- ```azurecli-interactive

- az feature show --namespace "Microsoft.ContainerService" --name "GPUDedicatedVHDPreview"

- ```

-5. When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider using the [`az provider register`][az-provider-register] command.

- ```azurecli-interactive

- az provider register --namespace Microsoft.ContainerService

- ```

-#### Add a node pool for GPU nodes

-Now that you updated your cluster to use the AKS GPU image, you can add a node pool for GPU nodes to your cluster.

-* Add a node pool using the [`az aks nodepool add`][az-aks-nodepool-add] command.

- --aks-custom-headers UseGPUDedicatedVHD=true \

- The previous example command adds a node pool named *gpunp* to *myAKSCluster* in *myResourceGroup* and uses parameters to configure the following node pool settings:

- * `--node-vm-size`: Sets the VM size for the node in the node pool to *Standard_NC6s_v3*.

- * `--node-taints`: Specifies a *sku=gpu:NoSchedule* taint on the node pool.

- * `--aks-custom-headers`: Specifies a specialized AKS GPU image, *UseGPUDedicatedVHD=true*. If your GPU sku requires generation 2 VMs, use *--aks-custom-headers UseGPUDedicatedVHD=true,usegen2vm=true* instead.

- * `--enable-cluster-autoscaler`: Enables the cluster autoscaler.

- * `--min-count`: Configures the cluster autoscaler to maintain a minimum of one node in the node pool.

- * `--max-count`: Configures the cluster autoscaler to maintain a maximum of three nodes in the node pool.

- > Taints and VM sizes can only be set for node pools during node pool creation, but you can update autoscaler settings at any time.

-### Manually install the NVIDIA device plugin

-You can deploy a DaemonSet for the NVIDIA device plugin, which runs a pod on each node to provide the required drivers for the GPUs.

-1. Add a node pool to your cluster using the [`az aks nodepool add`][az-aks-nodepool-add] command.

- The previous example command adds a node pool named *gpunp* to *myAKSCluster* in *myResourceGroup* and uses parameters to configure the following node pool settings:

- > Taints and VM sizes can only be set for node pools during node pool creation, but you can update autoscaler settings at any time.

-2. Create a namespace using the [`kubectl create namespace`][kubectl-create] command.

- ```console

-3. Create a file named *nvidia-device-plugin-ds.yaml* and paste the following YAML manifest provided as part of the [NVIDIA device plugin for Kubernetes project][nvidia-github]:

-4. Create the DaemonSet and confirm the NVIDIA device plugin is created successfully using the [`kubectl apply`][kubectl-apply] command.

- ```console

-[istio-mtls-reference]: https://istio.io/latest/docs/concepts/security/#mutual-tls-authentication

-description: Best practices for a cluster operator to achieve maximum uptime for your applications and to provide high availability and prepare for disaster recovery in Azure Kubernetes Service (AKS).

-#Customer intent: As an AKS cluster operator, I want to plan for business continuity or disaster recovery to help protect my cluster from region problems.

-# Best practices for business continuity and disaster recovery in Azure Kubernetes Service (AKS)

-As you manage clusters in Azure Kubernetes Service (AKS), application uptime becomes important. By default, AKS provides high availability by using multiple nodes in a [Virtual Machine Scale Set (VMSS)](../virtual-machine-scale-sets/overview.md). But these multiple nodes donΓÇÖt protect your system from a region failure. To maximize your uptime, plan ahead to maintain business continuity and prepare for disaster recovery.

-This article focuses on how to plan for business continuity and disaster recovery in AKS. You learn how to:

-> [!div class="checklist"]

-> * Plan for AKS clusters in multiple regions.

-> * Route traffic across multiple clusters using Azure Traffic Manager.

-> * Use geo-replication for your container image registries.

-> * Plan for application state across multiple clusters.

-> * Replicate storage across multiple regions.

-## Plan for multiregion deployment

-> **Best practice**

->

-> When you deploy multiple AKS clusters, choose regions where AKS is available. Use paired regions.

-An AKS cluster is deployed into a single region. To protect your system from region failure, deploy your application into multiple AKS clusters across different regions. When planning where to deploy your AKS cluster, consider:

-* [**AKS region availability**](./quotas-skus-regions.md#region-availability)

- * Choose regions close to your users.

- * AKS continually expands into new regions.

-* [**Azure paired regions**](../availability-zones/cross-region-replication-azure.md)

- * For your geographic area, choose two regions paired together.

- * AKS platform updates (planned maintenance) are serialized with a delay of at least 24 hours between paired regions.

- * Recovery efforts for paired regions are prioritized where needed.

-* **Service availability**

- * Decide whether your paired regions should be hot/hot, hot/warm, or hot/cold.

- * Do you want to run both regions at the same time, with one region *ready* to start serving traffic? *or*

- * Do you want to give one region time to get ready to serve traffic?

-AKS region availability and paired regions are a joint consideration. Deploy your AKS clusters into paired regions designed to manage region disaster recovery together. For example, AKS is available in East US and West US. These regions are paired. Choose these two regions when you're creating an AKS BC/DR strategy.

-When you deploy your application, add another step to your CI/CD pipeline to deploy to these multiple AKS clusters. Updating your deployment pipelines prevents applications from deploying into only one of your regions and AKS clusters. In that scenario, customer traffic directed to a secondary region won't receive the latest code updates.

-## Use Azure Traffic Manager to route traffic

-> **Best practice**

->

-> For the best performance and redundancy, direct all application traffic through Traffic Manager before it goes to your AKS cluster.

-If you have multiple AKS clusters in different regions, use Traffic Manager to control traffic flow to the applications running in each cluster. [Azure Traffic Manager](../traffic-manager/index.yml) is a DNS-based traffic load balancer that can distribute network traffic across regions. Use Traffic Manager to route users based on cluster response time or based on priority.

-

-If you have a single AKS cluster, you typically connect to the service IP or DNS name of a given application. In a multi-cluster deployment, you should connect to a Traffic Manager DNS name that points to the services on each AKS cluster. Define these services by using Traffic Manager endpoints. Each endpoint is the *service load balancer IP*. Use this configuration to direct network traffic from the Traffic Manager endpoint in one region to the endpoint in a different region.

-Traffic Manager performs DNS lookups and returns your most appropriate endpoint. With priority routing you can enable a primary service endpoint and multiple backup endpoints in case the primary or one of the backup endpoints is unavailable.

-

-For information on how to set up endpoints and routing, see [Configure priority traffic routing method in Traffic Manager](../traffic-manager/traffic-manager-configure-priority-routing-method.md).

-### Application routing with Azure Front Door Service

-Using split TCP-based anycast protocol, [Azure Front Door Service](../frontdoor/front-door-overview.md) promptly connects your end users to the nearest Front Door POP (Point of Presence). More features of Azure Front Door Service:

-* TLS termination

-* Custom domain

-* Web application firewall

-* URL Rewrite

-* Session affinity

-Review the needs of your application traffic to understand which solution is the most suitable.

-### Interconnect regions with global virtual network peering

-Connect both virtual networks to each other through [virtual network peering](../virtual-network/virtual-network-peering-overview.md) to enable communication between clusters. Virtual network peering interconnects virtual networks, providing high bandwidth across Microsoft's backbone network - even across different geographic regions.

-Before peering virtual networks with running AKS clusters, use the standard Load Balancer in your AKS cluster. This prerequisite makes Kubernetes services reachable across the virtual network peering.

-## Enable geo-replication for container images

-> **Best practice**

->

-> Store your container images in Azure Container Registry and geo-replicate the registry to each AKS region.

-To deploy and run your applications in AKS, you need a way to store and pull the container images. Container Registry integrates with AKS, so it can securely store your container images or Helm charts. Container Registry supports multimaster geo-replication to automatically replicate your images to Azure regions around the world.

-To improve performance and availability, use Container Registry geo-replication to create a registry in each region where you have an AKS cluster.Each AKS cluster will then pull container images from the local container registry in the same region.

-

-Using Container Registry geo-replication to pull images from the same region has the following benefits:

-* **Faster**: Pull images from high-speed, low-latency network connections within the same Azure region.

-* **More reliable**: If a region is unavailable, your AKS cluster pulls the images from an available container registry.

-* **Cheaper**: No network egress charge between datacenters.

-Geo-replication is a *Premium* SKU container registry feature. For information on how to configure geo-replication, see [Container Registry geo-replication](../container-registry/container-registry-geo-replication.md).

-## Remove service state from inside containers

-> **Best practice**

->

-> Avoid storing service state inside the container. Instead, use an Azure platform as a service (PaaS) that supports multi-region replication.

-*Service state* refers to the in-memory or on-disk data required by a service to function. State includes the data structures and member variables that the service reads and writes. Depending on how the service is architected, the state might also include files or other resources stored on the disk. For example, the state might include the files a database uses to store data and transaction logs.

-State can be either externalized or co-located with the code that manipulates the state. Typically, you externalize state by using a database or other data store that runs on different machines over the network or that runs out of process on the same machine.

-Containers and microservices are most resilient when the processes that run inside them don't retain state. Since applications almost always contain some state, use a PaaS solution, such as:

-* Azure Cosmos DB

-* Azure Database for PostgreSQL

-* Azure Database for MySQL

-* Azure SQL Database

-To build portable applications, see the following guidelines:

-* [The 12-factor app methodology](https://12factor.net/)

-* [Run a web application in multiple Azure regions](/azure/architecture/reference-architectures/app-service-web-app/multi-region)

-## Create a storage migration plan

-> **Best practice**

->

-> If you use Azure Storage, prepare and test how to migrate your storage from the primary region to the backup region.

-Your applications might use Azure Storage for their data. If so, your applications are spread across multiple AKS clusters in different regions. You need to keep the storage synchronized. Here are two common ways to replicate storage:

-* Infrastructure-based asynchronous replication

-* Application-based asynchronous replication

-### Infrastructure-based asynchronous replication

-Your applications might require persistent storage even after a pod is deleted. In Kubernetes, you can use persistent volumes to persist data storage. Persistent volumes are mounted to a node VM and then exposed to the pods. Persistent volumes follow pods even if the pods are moved to a different node inside the same cluster.

-The replication strategy you use depends on your storage solution. The following common storage solutions provide their own guidance about disaster recovery and replication:

-* [Gluster](https://docs.gluster.org/en/latest/Administrator-Guide/Geo-Replication/)

-* [Ceph](https://docs.ceph.com/docs/master/cephfs/disaster-recovery/)

-* [Rook](https://rook.io/docs/rook/v1.2/ceph-disaster-recovery.html)

-* [Portworx](https://docs.portworx.com/portworx-enterprise/operations/operate-kubernetes/storage-operations/kubernetes-storage-101/volumes.html)

-Typically, you provide a common storage point where applications write their data. This data is then replicated across regions and accessed locally.

-

-If you use Azure Managed Disks, you can use [Velero on Azure][velero] and [Kasten][kasten] to handle replication and disaster recovery. These options are back up solutions native to but unsupported by Kubernetes.

-### Application-based asynchronous replication

-Kubernetes currently provides no native implementation for application-based asynchronous replication. Since containers and Kubernetes are loosely coupled, any traditional application or language approach should work. Typically, the applications themselves replicate the storage requests, which are then written to each cluster's underlying data storage.

-

-## Next steps

-This article focuses on business continuity and disaster recovery considerations for AKS clusters. For more information about cluster operations in AKS, see these articles about best practices:

-* [Multitenancy and cluster isolation][aks-best-practices-cluster-isolation]

-* [Basic Kubernetes scheduler features][aks-best-practices-scheduler]

-<!-- INTERNAL LINKS -->

-[aks-best-practices-scheduler]: operator-best-practices-scheduler.md

-[aks-best-practices-cluster-isolation]: operator-best-practices-cluster-isolation.md

-[velero]: https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/master/README.md

-[kasten]: https://www.kasten.io/

-When publishing microservices as APIs for consumption, it can be challenging to manage the communication between the microservices and the clients that consume them. There is a multitude of cross-cutting concerns such as authentication, authorization, throttling, caching, transformation, and monitoring. These concerns are valid regardless of whether the microservices are exposed to internal or external clients.

-When used together, AKS and API Management provide a platform for deploying, publishing, securing, monitoring, and managing your microservices-based APIs. In this article, we will go through a few options of deploying AKS in conjunction with API Management.

-In a Kubernetes cluster, containers are deployed in [Pods](https://kubernetes.io/docs/concepts/workloads/pods/pod/), which are ephemeral and have a lifecycle. When a worker node dies, the Pods running on the node are lost. Therefore, the IP address of a Pod can change anytime. We cannot rely on it to communicate with the pod.

-When we are ready to publish our microservices as APIs through API Management, we need to think about how to map our Services in Kubernetes to APIs in API Management. There are no set rules. It depends on how you designed and partitioned your business capabilities or domains into microservices at the beginning. For instance, if the pods behind a Service are responsible for all operations on a given resource (e.g., Customer), the Service may be mapped to one API. If operations on a resource are partitioned into multiple microservices (e.g., GetOrder, PlaceOrder), then multiple Services may be logically aggregated into one single API in API management (See Fig. 1).

-While an AKS cluster is always deployed in a virtual network (VNet), an API Management instance is not required to be deployed in a VNet. When API Management does not reside within the cluster VNet, the AKS cluster has to publish public endpoints for API Management to connect to. In that case, there is a need to secure the connection between API Management and AKS. In other words, we need to ensure the cluster can only be accessed exclusively through API Management. LetΓÇÖs go through the options.

-* Easy configuration on the API Management side because it does not need to be injected into the cluster VNet

-Although Option 1 might be easier, it has notable drawbacks as mentioned above. If an API Management instance does not reside in the cluster VNet, Mutual TLS authentication (mTLS) is a robust way of ensuring the traffic is secure and trusted in both directions between an API Management instance and an AKS cluster.

-* Easy configuration on the API Management side because it does not need to be injected into the cluster VNet and mTLS is natively supported

-In some cases, customers with regulatory constraints or strict security requirements may find Option 1 and 2 not viable solutions due to publicly exposed endpoints. In others, the AKS cluster and the applications that consume the microservices might reside within the same VNet, hence there is no reason to expose the cluster publicly as all API traffic will remain within the VNet. For these scenarios, you can deploy API Management into the cluster VNet. [API Management Developer and Premium tiers](https://aka.ms/apimpricing) support VNet deployment.

-There are two modes of [deploying API Management into a VNet](./api-management-using-with-vnet.md) ΓÇô External and Internal.

-If all API consumers reside within the cluster VNet, then the Internal mode (Fig. 5) could be used. In this mode, the API Management gateway is injected into the cluster VNET and accessible only from within this VNet via an internal load balancer. There is no way to reach the API Management gateway or the AKS cluster from public internet.

- In both cases, the AKS cluster is not publicly visible. Compared to Option 2, the Ingress Controller may not be necessary. Depending on your scenario and configuration, authentication might still be required between API Management and your microservices. For instance, if a Service Mesh is adopted, it always requires mutual TLS authentication.

-* Learn more about [How to use API Management with virtual networks](./api-management-using-with-vnet.md)

- </id>

- </etag>

- <set-body template="liquid" >...set-body policy configuration...</set-body>

- <partition-key data-type="string | number | bool | none | null" template="liquid">

- "Container partition key"

- </partition-key>

-# Set principal variable to the value from Azure portal

-As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v1 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-When the previous step finishes, you're shown the IP addresses for your new App Service Environment v3. Using the new IPs, update any resources and networking components to ensure your new environment functions as intended once migration is complete. It's your responsibility to make any necessary updates. This step is also a good time to review the [inbound and outbound network](networking.md#ports-and-network-restrictions) dependency changes when moving to App Service Environment v3 including the port change for the Azure Load Balancer, which now uses port 80. Don't move on to the next step until you confirmed that you made these updates.

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-### Azure Public

-|Migrate cannot be called on Zone Pinned ASEs. |App Service Environment v2 that is zone pinned can't be migrated using the migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. |

- Zone pinned App Service Environment is currently not a supported scenario for migration using the migration feature. App Service Environment v3 doesn't support zone pinning. To migrate to App Service Environment v3, see the [manual migration options](migration-alternatives.md).

- Zone pinning isn't a supported feature on App Service Environment v3.

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-|**5**|**Learn more**|Join the [free live webinar](https://developer.microsoft.com/en-us/reactor/events/20417) with FastTrack Architects.<br><br>Need more help? [Submit a request](https://cxp.azure.com/nominationportal/nominationform/fasttrack) to contact FastTrack.<br><br>[Frequently asked questions](migrate.md#frequently-asked-questions)<br><br>[Community support](https://aka.ms/asev1v2retirement)|

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v1 or v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-As of 15 January 2024, you can no longer create new App Service Environment v2 resources using any of the available methods including ARM/Bicep templates, Azure Portal, Azure CLI, or REST API. You must [migrate to App Service Environment v3](upgrade-to-asev3.md) before 31 August 2024 to prevent resource deletion and data loss.

-# Quickstart: Add feature flags to a .NET Framework app

-## Create a .NET console app

- Microsoft.Extensions.DependencyInjection

- using Microsoft.Extensions.DependencyInjection;

-1. Update the `Main` method to connect to App Configuration, specifying the `UseFeatureFlags` option so that feature flags are retrieved. Then display a message if the `Beta` feature flag is enabled.

- IConfigurationRoot configuration = new ConfigurationBuilder()

- IServiceCollection services = new ServiceCollection();

- services.AddSingleton<IConfiguration>(configuration).AddFeatureManagement();

- using (ServiceProvider serviceProvider = services.BuildServiceProvider())

- IFeatureManager featureManager = serviceProvider.GetRequiredService<IFeatureManager>();

- if (await featureManager.IsEnabledAsync("Beta"))

- {

- Console.WriteLine("Welcome to the beta!");

- }

-Use Bicep or Azure Resource Manager (ARM) [quickstart templates](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/function-app-storage-private-endpoints) to create secured function app and storage account resources.

-+ The [Java Developer Kit](/azure/developer/java/fundamentals/java-support-on-azure), version 8 or 11. The `JAVA_HOME` environment variable must be set to the install location of the correct version of the JDK.

- |**Select a version of Java**| Choose `Java 11` or `Java 8`, the Java version on which your functions run in Azure. Choose a Java version that you've verified locally. |

-+ There are scenarios where you must set the `WEBSITE_CONTENTSHARE` value to a predefined share, such as when you [use a secured storage account in a virtual network](configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network). In this case, you must set a unique share name for the main function app and the app for each deployment slot.

-Apps using [Azure Cosmos DB extension version 4.x](./functions-bindings-cosmosdb-v2.md?tabs=extensionv4) or higher will have different attribute properties, which are shown below. This example refers to a simple `ToDoItem` type.

-This function is invoked when there are inserts or updates in the specified database and collection.

-# [Extension 4.x+](#tab/extensionv4)

-TypeScript samples are not documented for model v3.

-From the [Java functions runtime library](/java/api/overview/azure/functions/runtime), use the `@CosmosDBInput` annotation on parameters that read data from Azure Cosmos DB. The annotation supports the following properties:

-# [Extension 4.x+](#tab/extensionv4)

-# [Functions 2.x+](#tab/functionsv2)

-Starting with version 3.x of the Azure Functions runtime, you can define retry policies for Timer, Kafka, and Event Hubs triggers that are enforced by the Functions runtime.

-A retry policy is evaluated when a Timer, Kafka, or Event Hubs-triggered function raises an uncaught exception. As a best practice, you should catch all exceptions in your code and rethrow any errors that you want to result in a retry.

-```cs

-The queue trigger provides several [metadata properties](./functions-bindings-expressions-patterns.md#trigger-metadata). These properties can be used as part of binding expressions in other bindings or as parameters in your code.

-The properties are members of the [CloudQueueMessage] class.

-|`DequeueCount`|`int`|The number of times this message has been dequeued.|

-You can create your function app in a deployment where one or more of the resources have been secured by integrating with virtual networks. Virtual network integration for your function app is defined by a `Microsoft.Web/sites/networkConfig` resource. This integration depends on both the referenced function app and virtual network resources. You function app might also depend on other private networking resources, such as private endpoints and routes. For more information, see [Azure Functions networking options](functions-networking-options.md).

- The `<TRIGGER_INPUT>` you supply depends on the type of trigger. For services that use JSON payloads, such as Azure Service Bus, the test JSON payload should be escaped and serialized as a string. If you don't want to pass input data to the function, you must still supply an empty dictionary `{}` as the body of the POST request. For more information, see the reference article for the specific non-HTTP trigger.

-* ARM, Bicep, and Terraform templates:

-If service endpoints aren't already enabled with Microsoft.Web for the subnet that you selected, they are automatically enabled unless you select the **Ignore missing Microsoft.Web service endpoints** check box. The scenario where you might want to enable service endpoints on the app but not the subnet depends mainly on whether you have the permissions to enable them on the subnet.

-When you run a Premium plan, you can connect non-HTTP trigger functions to services that run inside a virtual network. To do this, you must enable virtual network trigger support for your function app. The **Runtime Scale Monitoring** setting is found in the [Azure portal](https://portal.azure.com) under **Configuration** > **Function runtime settings**.

-### [Azure CLI](#tab/azure-cli)

-You can also enable virtual network triggers by using the following Azure CLI command:

-### [Azure PowerShell](#tab/azure-powershell)

-You can also enable virtual network triggers by using the following Azure PowerShell command:

-> Enabling virtual network triggers may have an impact on the performance of your application since your App Service plan instances will need to monitor your triggers to determine when to scale. This impact is likely to be very small.

-Virtual network triggers are supported in version 2.x and above of the Functions runtime. The following non-HTTP trigger types are supported.

-| Extension | Minimum version |

-|--||

-|[Microsoft.Azure.WebJobs.Extensions.Storage](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage/) | 3.0.10 or above |

-|[Microsoft.Azure.WebJobs.Extensions.EventHubs](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.EventHubs)| 4.1.0 or above|

-|[Microsoft.Azure.WebJobs.Extensions.ServiceBus](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.ServiceBus)| 3.2.0 or above|

-|[Microsoft.Azure.WebJobs.Extensions.CosmosDB](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.CosmosDB)| 3.0.5 or above|

-|[Microsoft.Azure.WebJobs.Extensions.DurableTask](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.DurableTask)| 2.0.0 or above|

-> When you enable virtual network trigger support, only the trigger types shown in the previous table scale dynamically with your application. You can still use triggers that aren't in the table, but they're not scaled beyond their pre-warmed instance count. For the complete list of triggers, see [Triggers and bindings](./functions-triggers-bindings.md#supported-bindings).

-See the [Node.js Troubleshoot guide](./functions-node-troubleshoot.md).

-| 4.x |17 <br/>11 <br/>8 |17 <br/>11 <br/>8 |

-You can control the version of Java targeted by the Maven archetype by using the `-DjavaVersion` parameter. The value of this parameter can be either `8` or `11`.

-| Element | Java 8 value | Java 11 value | Java 17 value | Description |

-| - | - | - | - | |

-| **`Java.version`** | 1.8 | 11 | 17 | Version of Java used by the maven-compiler-plugin. |

-| **`JavaVersion`** | 8 | 11 | 17 | Java version hosted by the function app in Azure. |

-Microsoft and [Adoptium](https://adoptium.net/) builds of OpenJDK are provided and supported on Functions for Java 8 (Adoptium), 11 (MSFT) and 17(MSFT). These binaries are provided as a no-cost, multi-platform, production-ready distribution of the OpenJDK for Azure. They contain all the components for building and running Java SE applications.

-In [runtime scale monitoring](functions-networking-options.md?tabs=azure-cli#premium-plan-with-virtual-network-triggers), the extensions handle target-based scaling. Hence, in addition to the function app runtime version requirement, your extension packages must meet the following minimum versions:

- 

- 

- 

-With private endpoints, the network traffic between the clients on the VNet and the Azure AI services account run over the VNet and a private link on the Microsoft backbone network. This eliminates exposure from the public internet.

-

-To send an API request, you need your Azure AI services account endpoint and key. You can also find a full view on the [request parameters here](../request-info.md)

-

-More information on the [response information can be found here](../response-info.md)

-There are currently two models available in Azure AI Health Insights:

-Azure AI Health Insights service receives patient data through multiple input channels. This can be unstructured healthcare data, FHIR resources or specific JSON format data. This in combination with the correct model configuration, such as ```includeEvidence```.

-With these input channels and configuration, the service can run the data through several health insights AI models, such as Trial Matcher or Onco-Phenotype.

-> [Trial Matcher](trial-matcher//overview.md)

-description: this article describes the required properties to interact with Azure AI Health Insights

-# Azure AI Health Insights request info

-This page describes the request models and parameters that are used to interact with Azure AI Health Insights service.

-## Request

-The generic part of Azure AI Health Insights request, common to all models.

-Name |Required|Type |Description

-`patients`|yes |Patient[]|The list of patients, including their clinical information and data.

-## Patient

-A patient record, including their clinical information and data.

-Name|Required|Type |Description

-`id` |yes |string |A given identifier for the patient. Has to be unique across all patients in a single request.

-`info`|no |PatientInfo |Patient structured information, including demographics and known structured clinical information.

-`data`|no |PatientDocument|Patient unstructured clinical data, given as documents.

-## PatientInfo

-Patient structured information, including demographics and known structured clinical information.

-Name |Required|Type |Description

-|--|-|--

-`gender` |no |string |[ female, male, unspecified ]

-`birthDate` |no |string |The patient's date of birth.

-`clinicalInfo`|no |ClinicalCodeElement|A piece of clinical information, expressed as a code in a clinical coding system.

-## ClinicalCodeElement

-A piece of clinical information, expressed as a code in a clinical coding system.

-Name |Required|Type |Description

-|--||-

-`system`|yes |string|The clinical coding system, for example ICD-10, SNOMED-CT, UMLS.

-`code` |yes |string|The code within the given clinical coding system.

-`name` |no |string|The name of this coded concept in the coding system.

-`value` |no |string|A value associated with the code within the given clinical coding system.

-## PatientDocument

-A clinical unstructured document related to a patient.

-Name |Required|Type |Description

-|--||--

-`type ` |yes |string |[ note, fhirBundle, dicom, genomicSequencing ]

-`clinicalType` |no |string |[ consultation, dischargeSummary, historyAndPhysical, procedure, progress, imaging, laboratory, pathology ]

-`id` |yes |string |A given identifier for the document. Has to be unique across all documents for a single patient.

-`language` |no |string |A 2 letter ISO 639-1 representation of the language of the document.

-`createdDateTime`|no |string |The date and time when the document was created.

-`content` |yes |DocumentContent|The content of the patient document.

-## DocumentContent

-The content of the patient document.

-Name |Required|Type |Description

-`sourceType`|yes |string|The type of the content's source.<br>If the source type is 'inline', the content is given as a string (for instance, text).<br>If the source type is 'reference', the content is given as a URI.[ inline, reference ]

-`value` |yes |string|The content of the document, given either inline (as a string) or as a reference (URI).

-## Next steps

-To get started using the service, you can

->[!div class="nextstepaction"]

-> [Deploy the service via the portal](deploy-portal.md)

-description: this article describes the response from the service

-# Azure AI Health Insights response info

-This page describes the response models and parameters that are returned by Azure AI Health Insights service.

-## Response

-The generic part of Azure AI Health Insights response, common to all models.

-Name |Required|Type |Description

-|--||

-`jobId` |yes |string|A processing job identifier.

-`createdDateTime` |yes |string|The date and time when the processing job was created.

-`expirationDateTime`|yes |string|The date and time when the processing job is set to expire.

-`lastUpdateDateTime`|yes |string|The date and time when the processing job was last updated.

-`status ` |yes |string|The status of the processing job. [ notStarted, running, succeeded, failed, partiallyCompleted ]

-`errors` |no |Error|An array of errors, if any errors occurred during the processing job.

-## Error

-Name |Required|Type |Description

-`code` |yes |string |Error code

-`message` |yes |string |A human-readable error message.

-`target` |no |string |Target of the particular error. (for example, the name of the property in error.)

-`details` |no |collection|A list of related errors that occurred during the request.

-`innererror`|no |object |An object containing more specific information about the error.

-## Next steps

-To get started using the service, you can

->[!div class="nextstepaction"]

-> [Deploy the service via the portal](deploy-portal.md)

-

-> The Trial Matcher is an asynchronous API. Trial Matcher prediction is performed upon receipt of the API request and the results are returned asynchronously. The API results are available for 1 hour from the time the request was ingested and is indicated in the response. After the time period, the results are purged and are no longer available for retrieval.

- "AcceptedGenders":[

- "Female"

- ],

- "AcceptedAgeRange":{

-description: This article describes a PowerShell script used to remove MMA agent from systems that users have migrated to AMA.

-# Customer intent: As an Azure account administrator, I want to use the available Azure Monitor tools to migrate from Log Analytics Agent to Azure Monitor Agent and track the status of the migration in my account.

-# MMA Discovery and Removal Tool (Preview)

-After you migrate your machines to AMA, you need to remove the MMA agent to avoid duplication of logs. AzTS MMA Discovery and Removal Utility can centrally remove MMA extension from Azure Virtual Machine (VMs), Azure Virtual Machine Scale Sets and Azure Arc Servers from a tenant.

-The utility works in two steps

-1. Discovery ΓÇô First the utility creates an inventory of all machines that have the MMA agents installed. We recommend that no new VMs, Virtual Machine Scale Sets or Azure Arc Servers with MMA extension are created while the utility is running.

-2. Removal - Second the utility selects machines with both MMA and AMA and removes the MMA extension. You can disable this step and run after validating the list of machines. There's an option remove from machines that only have the MMA agent, but we recommended that you first migrate all dependencies to AMA and then remove MMA.

-You do all the setup steps in a [Visual Studio Code](https://code.visualstudio.com/) with the [PowerShell Extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell).

-## Download Deployment package

- The package contains:

- ``` PowerShell

- Get-ChildItem -Path "<Extracted folder path>" -Recurse | Unblock-File

- ```

-## Set up the tool

-### [Single Tenant](#tab/Single)

-You perform set up in two steps:

-1. Go to deployment folder and load consolidated setup script. You must have **Owner** access on the subscription.

- ``` PowerShell

- CD "<LocalExtractedFolderPath>\AzTSMMARemovalUtilityDeploymentFiles"

- . ".\MMARemovalUtilitySetupConsolidated.ps1"

- ```

-2. The Install-AzTSMMARemovalUtilitySolutionConsolidated does the following operations:

- - Installs required Az modules.

- - Set up remediation user-assigned managed identity.

- - Prompts and collects onboarding details for usage telemetry collection based on user preference.

- - Creates or updates the RG.

- - Creates or updates the resources with MIs assigned.

- - Creates or updates the monitoring dashboard.

- - Configures target scopes.

-You must log in to Azure Account using the following PowerShell command.

-``` PowerShell

-$TenantId = "<TenantId>"

-Connect-AzAccount -Tenant $TenantId

-```

-Run the setup script

-``` PowerShell

-$SetupInstallation = Install-AzTSMMARemovalUtilitySolutionConsolidated `

- -RemediationIdentityHostSubId <MIHostingSubId> `

- -RemediationIdentityHostRGName <MIHostingRGName> `

- -RemediationIdentityName <MIName> `

- -TargetSubscriptionIds @("<SubId1>","<SubId2>","<SubId3>") `

- -TargetManagementGroupNames @("<MGName1>","<MGName2>","<MGName3>") `

- -TenantScope `

- -SubscriptionId <HostingSubId> `

- -HostRGName <HostingRGName> `

- -Location <Location> `

- -AzureEnvironmentName <AzureEnvironmentName>

-```

-Parameters

-|Param Name | Description | Required |

-|:-|:-|:-:|

-|RemediationIdentityHostSubId| Subscription ID to create remediation resources | Yes |

-|RemediationIdentityHostRGName| New ResourceGroup name to create remediation. Defaults to 'AzTS-MMARemovalUtility-RG'| No |

-|RemediationIdentityName| Name of the remediation MI| Yes |

-|TargetSubscriptionIds| List of target subscription ID(s) to run on | No |

-|TargetManagementGroupNames| List of target management group name(s) to run on | No|

-|TenantScope| Activate tenant scope and assigns roles using your tenant id| No|

-|SubscriptionId| Subscription ID where setup is installed| Yes|

-|HostRGName| New resource group name where remediation MI is created. Default value is 'AzTS-MMARemovalUtility-Host-RG'| No|

-|Location| Location DC where setup is created. Default value is 'EastUS2'| No|

-|AzureEnvironmentName| Azure environment where solution is to be installed: AzureCloud, AzureGovernmentCloud. Default value is 'AzureCloud'| No|

-### [MultiTenant](#tab/MultiTenant)

-In this section, we walk you through the steps for setting up multitenant AzTS MMA Removal Utility. This set up may take up to 30 minutes and has 9 steps

-1. Load setup script

-Point the current path to the folder containing the extracted deployment package and run the setup script.

- ``` PowerShell

- CD "<LocalExtractedFolderPath>\AzTSMMARemovalUtilityDeploymentFiles"

- . ".\MMARemovalUtilitySetup.ps1"

-2. Installing required Az modules.

-Az modules contain cmdlets to deploy Azure resources, which are used to create resources. Install the required Az PowerShell Modules using this command. For more details of Az Modules, refer [link](/powershell/azure/install-az-ps). You must point current path to the extracted folder location.

-3. Set up multitenant identity

-The Microsoft Entra ID Application identity is used to associate the MEI Application using service principal. You perform the following operations. You must log in to the Microsoft Entra ID account where you want to install the Removal Utility setup using the PowerShell command.

- - Creates a new multitenant MEI application if not provided with pre-existing MEI application objectId.

- - Creates password credentials for the MEI application.

-Parameters

-|Param Name| Description | Required |

-| DisplayName | Display Name of the Remediation Identity| Yes |

-| ObjectId | Object Id of the Remediation Identity | No |

-| AdditionalOwnerUPNs | User Principal Names (UPNs) of the owners for the App to be created | No |

-4. Set up secrets storage

-In this step you create secrets storage. You must have owner access on the subscription to create a new RG. You perform the following operations.

- - Creates or updates the resource group for Key Vault.

- - Creates or updates the Key Vault.

- - Store the secret.

-Parameters

-|Param Name|Description|Required?

-| SubscriptionId | Subscription ID where keyvault is created.| Yes |

-| ResourceGroupName | Resource group name where Key Vault is created. Should be in a different RG from the set up RG | Yes |

-|Location| Location DC where Key Vault is created. For better performance, we recommend creating all the resources related to set up to be in one location. Default value is 'EastUS2'| No |

-|KeyVaultName| Name of the Key Vault that is created.| Yes |

-|AADAppPasswordCredential| Removal Utility MEI application password credentials| Yes |

-5. Set up Installation

-This step install the MMA Removal Utility, which discovers and removes MMA agents installed on Virtual Machines. You must have owner access to the subscription where the setup is created. We recommend that you use a new resource group for the tool. You perform the following operations.

- - Prompts and collects onboarding details for usage telemetry collection based on user preference.

- - Creates the RG if it doesn't exist.

- - Creates or updates the resources with MIs.

- - Creates or updates the monitoring dashboard.

-Parameters

-| Param Name | Description | Required |

-| SubscriptionId | Subscription ID where setup is created | Yes |

-| HostRGName | Resource group name where setup is created Default value is 'AzTS-MMARemovalUtility-Host-RG'| No |

-| Location | Location DC where setup is created. For better performance, we recommend hosting the MI and Removal Utility in the same location. Default value is 'EastUS2'| No |

-| SupportMultiTenant | Switch to support multitenant set up | No |

-| IdentityApplicationId | MEI application Id.| Yes |

-|I dentitySecretUri | MEI application secret uri| No |

-6. Grant internal remediation identity with access to Key Vault

-In this step a user assigned managed ident is created to enable function apps to read the Key Vault for authentication. You must have Owner access to the RG.

-Parameters

-| Param Name | Description | Required |

-|SubscriptionId| Subscription ID where setup is created | Yes |

-|ResourceId| Resource Id of existing key vault | Yes |

-|UserAssignedIdentityObjectId| Object ID of your managed identity | Yes |

-|SendAlertsToEmailIds| User email Ids to whom alerts should be sent| No, Yes if DeployMonitoringAlert switch is enabled |

-| SecretUri | Key Vault SecretUri of the Removal Utility App's credentials | No, Yes if DeployMonitoringAlert switch is enabled |

-| LAWorkspaceResourceId | ResourceId of the LA Workspace associated with key vault| No, Yes if DeployMonitoringAlert switch is enabled.|

-| DeployMonitoringAlert | Create alerts on top of Key Vault auditing logs | No, Yes if DeployMonitoringAlert switch is enabled |

-7. Set up runbook for managing key vault IP ranges

-This step creates a secure Key Vault with public network access disabled. IP Ranges for function apps must be allowed access to the Key Vault. You must have owner access to the RG. You perform the following operations:

- - Creates or updates the automation account.

- - Grants access for automation account using system-assigned managed identity on Key Vault.

- - Set up the runbook with script to fetch the IP ranges published by Azure every week.

- - Runs the runbook one-time at the time of set up and schedule task to run every week.

-```

-Parameters

-|Param Name |Description | Required|

-|SubscriptionId| Subscription ID where the automation account and key vault are present.| Yes|

-|ResourceGroupName| Name of resource group where the automation account and key vault are | Yes|

-|Location| Location where your automation account is created. For better performance, we recommend creating all the resources related to setup in the same location. Default value is 'EastUS2'| No|

-|FunctionAppUsageRegion| Location of dynamic ip addresses that are allowed on keyvault. Default location is EastUS2| Yes|

-|KeyVaultResourceId| Resource ID of the keyvault for ip addresses that are allowed.| Yes|

-8. Set up SPN and grant required roles for each tenant

-In this step you create SPNs for each tenant and grant permission on each tenant. Set up requires Reader, Virtual Machine Contributor, and Azure Arc ScVmm VM contributor access on your scopes. Scopes Configured can be a Tenant/ManagementGroup(s)/Subscription(s) or both ManagementGroup(s) and Subscription(s).

-For each tenant, perform the steps and make sure you have enough permissions on the other tenant for creating SPNs. You must have **User Access Administrator (UAA) or Owner** on the configured scopes. For example, to run setup on subscription 'X' you have to have UAA role assignment on subscription 'X' to grant the SPN with the required permissions.

-Parameters

-For Set-AzSKTenantSecuritySolutionMultiTenantIdentitySPN,

-|Param Name | Description | Required |

-|AppId| Your application Id that is created| Yes |

-For Grant-AzSKAzureRoleToMultiTenantIdentitySPN,

-|Param Name | Description | Required|

-| AADIdentityObjectId | Your identity object| Yes|

-| TargetSubscriptionIds| Your list of target subscription ID(s) to run set up on | No |

-| TargetManagementGroupNames | Your list of target management group name(s) to run set up on | No|

-9. Configure target scopes

-You can configure target scopes using the `Set-AzTSMMARemovalUtilitySolutionScopes`

-Parameters

-|Param Name|Description|Required|

-|SubscriptionId| Your subscription ID where setup is installed | Yes |

-|ResourceGroupName| Your resource group name where setup is installed| Yes|

-|ScopesFilePath| File path with target scope configurations. See scope configuration| Yes |

-Scope configuration file is a CSV file with a header row and three columns

-| Subscription | /subscriptions/abb5301a-22a4-41f9-9e5f-99badff261f8 | 72f988bf-86f1-41af-91ab-2d7cd011db47 |

-| Subscription | /subscriptions/71bdd12b-ae1d-499a-a4ea-e32d4c1d9c35 | e60f12c0-e1dc-4be1-8d86-e979a5527830 |

-## Run The Tool

-### [Discovery](#tab/Discovery)

-Parameters

-|Param Name|Description|Required?

-|SubscriptionId| Subscription ID where you installed the Utility | Yes|

-|ResourceGroupName| ResourceGroup name where you installed the Utility | Yes|

-|StartScopeResolverAfterMinutes| Time in minutes to wait before running resolver | Yes (Mutually exclusive with param '-StartScopeResolverImmediatley')|

-|StartScopeResolverImmediatley | Run resolver immediately | Yes (Mutually exclusive with param '-StartScopeResolverAfterMinutes') |

-|StartExtensionDiscoveryAfterMinutes | Time in minutes to wait to run discovery (should be after resolver is done) | Yes (Mutually exclusive with param '-StartExtensionDiscoveryImmediatley')|

-|StartExtensionDiscoveryImmediatley | Run extensions discovery immediately | Yes (Mutually exclusive with param '-StartExtensionDiscoveryAfterMinutes')|

-### [Removal](#tab/Removal)

-Parameters

-| Param Name | Description | Required?

-| SubscriptionId | Subscription ID where you installed the Utility | Yes |

-| ResourceGroupName | ResourceGroup name where you installed the Utility| Yes|

-| StartAfterMinutes | Time in minutes to wait before starting removal | Yes (Mutually exclusive with param '-StartImmediately')|

-| StartImmediately | Run removal phase immediately | Yes (Mutually exclusive with param '-StartAfterMinutes') |

-| EnableRemovalPhase | Enable removal phase | Yes (Mutually exclusive with param '-DisableRemovalPhase')|

-| RemovalCondition | MMA extension should be removed when:</br>ChgeckForAMAPresence AMA extension is present </br> SkipAMAPresenceCheck in all cases whether AMA extension is present or not) | No |

-| DisableRemovalPhase | Disable removal phase | Yes (Mutually exclusive with param '-EnableRemovalPhase')|

-**Know issues**

-| Error Code | Description/Reason | Next steps

-|:-|:-|:-|

-| AuthorizationFailed | Remediation Identity doesn't have permission to perform 'Extension delete' operation on VM(s), VMSS, Azure Arc Servers.| Grant 'VM Contributor' role to Remediation Identity on VM(s) and Grant 'Azure Arc ScVmm VM Contributor' role to Remediation Identity on VMSS and rerun removal phase.|

-| OperationNotAllowed | Resource(s) are in a de-allocated state or a Lock is applied on the resource(s) | Turn on failed resource(s) and/or Remove Lock and rerun removal phase |

-The utility collects error details in the Log Analytics workspace that was used during set up. Go to Log Analytics workspace > Select Logs and run following query:

-## [CleanUp](#tab/CleanUp)

-The utility creates resources that you should clean up once you have remove MMA from your infrastructure. Execute the following steps to clean up.

- 1. Go to the folder containing the deployment package and load the cleanup script

- ``` PowerShell

- CD "<LocalExtractedFolderPath>\AzTSMMARemovalUtilityDeploymentFiles"

- . ".\MMARemovalUtilityCleanUpScript.ps1"

-```

-2. Run the cleanup script

-``` PowerShell

-Remove-AzTSMMARemovalUtilitySolutionResources `

- -SubscriptionId <HostingSubId> `

- -ResourceGroupName <HostingRGName> `

- [-DeleteResourceGroup `]

- -KeepInventoryAndProcessLogs

-```

-Parameters

-|Param Name|Description|Required|

-|SubscriptionId| Subscription ID that the Utility is deleting| Yes|

-|ResourceGroupName| ResourceGroup name, which is deleting| Yes|

-|DeleteResourceGroup| Boolean flag to delete entire resource group| Yes|

-|KeepInventoryAndProcessLogs| Boolean flag to exclude log analytics workspace and application insights. CanΓÇÖt be used with DeleteResourceGroup.| No|

-* [Azure Spring Apps](../../spring-apps/how-to-application-insights.md)

-For more information, see [Use Application Insights Java In-Process Agent in Azure Spring Apps](../../spring-apps/how-to-application-insights.md).

-| Azure Spring Apps | [Set up autoscale for applications](../../spring-apps/how-to-setup-autoscale.md) |

-> [!NOTE]

-> This article describes collection of custom metrics from Kubernetes clusters. You can also collect Prometheus metrics as described in [Collect Prometheus metrics with Container insights](container-insights-prometheus.md).

-| ASimNetworkSessionLogs | |

-| DynamicEventCollection | |

-Returns the first character of the string, or first element of the array.

-This article describes how to use MSBuild to convert a Bicep file to Azure Resource Manager template (ARM template) JSON. The examples use MSBuild from the command line with C# project files that convert Bicep to JSON. The project files are examples that can be used in an MSBuild continuous integration (CI) pipeline.

-You'll need the latest versions of the following software:

-## MSBuild tasks and CLI packages

-If your existing continuous integration (CI) pipeline relies on [MSBuild](/visualstudio/msbuild/msbuild), you can use MSBuild tasks and CLI packages to convert Bicep files into ARM template JSON.

-The functionality relies on the following NuGet packages. The latest NuGet package versions match the latest Bicep CLI version.

-| [Azure.Bicep.MSBuild](https://www.nuget.org/packages/Azure.Bicep.MSBuild) | Cross-platform MSBuild task that invokes the Bicep CLI and compiles Bicep files into ARM template JSON. |

-### Azure.Bicep.MSBuild package

-When referenced in a project file's `PackageReference` the `Azure.Bicep.MSBuild` package imports the `Bicep` task that's used to invoke the Bicep CLI. The package converts its output into MSBuild errors and the `BicepCompile` target that's used to simplify the `Bicep` task's usage. By default the `BicepCompile` runs after the `Build` target and compiles all `@(Bicep)` items and places the output in `$(OutputPath)` with the same file name and the _.json_ extension.

-The following example compiles _one.bicep_ and _two.bicep_ files in the same directory as the project file and places the compiled _one.json_ and _two.json_ in the `$(OutputPath)` directory.

-```xml

-<ItemGroup>

- <Bicep Include="one.bicep" />

- <Bicep Include="two.bicep" />

-</ItemGroup>

-```

-You can override the output path per file using the `OutputFile` metadata on `Bicep` items. The following example will recursively find all _main.bicep_ files and place the compiled _.json_ files in `$(OutputPath)` under a subdirectory with the same name in `$(OutputPath)`:

-```xml

-<ItemGroup>

- <Bicep Include="**\main.bicep" OutputFile="$(OutputPath)\%(RecursiveDir)\%(FileName).json" />

-</ItemGroup>

-```

-More customizations can be performed by setting one of the following properties in your project:

-| Property Name | Default Value | Description |

-| - |- | - |

-| `BicepCompileAfterTargets` | `Build` | Used as `AfterTargets` value for the `BicepCompile` target. Change the value to override the scheduling of the `BicepCompile` target in your project. |

-| `BicepCompileDependsOn` | None | Used as `DependsOnTargets` value for the `BicepCompile` target. This property can be set to targets that you want `BicepCompile` target to depend on. |

-| `BicepCompileBeforeTargets` | None | Used as `BeforeTargets` value for the `BicepCompile` target. |

-| `BicepOutputPath` | `$(OutputPath)` | Set this property to override the default output path for the compiled ARM template. `OutputFile` metadata on `Bicep` items takes precedence over this value. |

-The `Azure.Bicep.MSBuild` requires the `BicepPath` property to be set either in order to function. You may set it by referencing the appropriate `Azure.Bicep.CommandLine.*` package for your operating system or manually by installing the Bicep CLI and setting the `BicepPath` environment variable or MSBuild property.

-### Azure.Bicep.CommandLine packages

-The `Azure.Bicep.CommandLine.*` packages are available for Windows, Linux, and macOS. When referenced in a project file via a `PackageReference`, the `Azure.Bicep.CommandLine.*` packages set the `BicepPath` property to the full path of the Bicep executable for the platform. The reference to this package may be omitted if Bicep CLI is installed through other means and the `BicepPath` environment variable or MSBuild property are set accordingly.

-### SDK-based examples

-The following examples contain a default Console App SDK-based C# project file that was modified to convert Bicep files into ARM templates. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.

-The .NET Core 3.1 and .NET 6 examples are similar. But .NET 6 uses a different format for the _Program.cs_ file. For more information, see [.NET 6 C# console app template generates top-level statements](/dotnet/core/tutorials/top-level-templates).

-### .NET 6

-In this example, the `RootNamespace` property contains a placeholder value. When you create a project file, the value matches your project's name.

-```xml

-<Project Sdk="Microsoft.NET.Sdk">

- <PropertyGroup>

- <OutputType>Exe</OutputType>

- <TargetFramework>net6.0</TargetFramework>

- <RootNamespace>net6-sdk-project-name</RootNamespace>

- <ImplicitUsings>enable</ImplicitUsings>

- <Nullable>enable</Nullable>

- </PropertyGroup>

- <PackageReference Include="Azure.Bicep.MSBuild" Version="__LATEST_VERSION__" />

- </ItemGroup>

- <ItemGroup>

- <Bicep Include="**\main.bicep" OutputFile="$(OutputPath)\%(RecursiveDir)\%(FileName).json" />

- </ItemGroup>

-</Project>

-```

-### .NET Core 3.1

-```xml

-<Project Sdk="Microsoft.NET.Sdk">

- <OutputType>Exe</OutputType>

- <TargetFramework>netcoreapp3.1</TargetFramework>

- <ItemGroup>

- <PackageReference Include="Azure.Bicep.CommandLine.win-x64" Version="__LATEST_VERSION__" />

- <PackageReference Include="Azure.Bicep.MSBuild" Version="__LATEST_VERSION__" />

- </ItemGroup>

- <ItemGroup>

- <Bicep Include="**\main.bicep" OutputFile="$(OutputPath)\%(RecursiveDir)\%(FileName).json" />

- </ItemGroup>

-</Project>

-```

-### NoTargets SDK

-The following example contains a project that converts Bicep files into ARM templates using [Microsoft.Build.NoTargets](https://www.nuget.org/packages/Microsoft.Build.NoTargets). This SDK allows creation of standalone projects that compile only Bicep files. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.

-For [Microsoft.Build.NoTargets](/dotnet/core/project-sdk/overview#project-files), specify a version like `Microsoft.Build.NoTargets/3.5.6`.

-<Project Sdk="Microsoft.Build.NoTargets/__LATEST_VERSION__">

-### Classic framework

-The following example converts Bicep to JSON inside a classic project file that's not SDK-based. Only use the classic example if the previous examples don't work for you. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.

-In this example, the `ProjectGuid`, `RootNamespace` and `AssemblyName` properties contain placeholder values. When you create a project file, a unique GUID is created, and the name values match your project's name.

-The following examples show how MSBuild converts a Bicep file to JSON. Follow the instructions to create one of the project files for .NET, .NET Core 3.1, or Classic framework. Then continue to create the Bicep file and run MSBuild.

-1. Open Visual Studio code and select **Terminal** > **New Terminal** to start a PowerShell session.

-1. Create a directory named _bicep-msbuild-demo_ and go to the directory. This example uses _C:\bicep-msbuild-demo_.

- New-Item -Name .\bicep-msbuild-demo -ItemType Directory

- Set-Location -Path .\bicep-msbuild-demo

- The project file uses the same name as your directory, _bicep-msbuild-demo.csproj_. For more information about how to create a console application from Visual Studio Code, see the [tutorial](/dotnet/core/tutorials/with-visual-studio-code).

-1. Replace the contents of _bicep-msbuild-demo.csproj_ with the [.NET 6](#net-6) or [NoTargets SDK](#notargets-sdk) examples.

-1. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.

-1. Open Visual Studio code and select **Terminal** > **New Terminal** to start a PowerShell session.

-1. Create a directory named _bicep-msbuild-demo_ and go to the directory. This example uses _C:\bicep-msbuild-demo_.

- New-Item -Name .\bicep-msbuild-demo -ItemType Directory

- Set-Location -Path .\bicep-msbuild-demo

-1. Run the `dotnet` command to create a new console with the .NET 6 framework.

- The project file is named the same as your directory, _bicep-msbuild-demo.csproj_. For more information about how to create a console application from Visual Studio Code, see the [tutorial](/dotnet/core/tutorials/with-visual-studio-code).

-1. Replace the contents of _bicep-msbuild-demo.csproj_ with the [.NET Core 3.1](#net-core-31) or [NoTargets SDK](#notargets-sdk) examples.

-1. Enter a project name. For this example, use _bicep-msbuild-demo_ for the project.

-If you know how to unload a project and reload a project, you can edit _bicep-msbuild-demo.csproj_ in Visual Studio.

-Otherwise, edit the project file in Visual Studio Code.

-1. Open Visual Studio Code and go to the _bicep-msbuild-demo_ directory.

-1. Replace _bicep-msbuild-demo.csproj_ with the [Classic framework](#classic-framework) code sample.

-You'll need a Bicep file that will be converted to JSON.

-1. Use Visual Studio Code and create a new file.

-1. Copy the following sample and save it as _main.bicep_ in the _C:\bicep-msbuild-demo_ directory.

-```bicep

-@allowed([

- 'Premium_LRS'

- 'Premium_ZRS'

- 'Standard_GRS'

- 'Standard_GZRS'

- 'Standard_LRS'

- 'Standard_RAGRS'

- 'Standard_RAGZRS'

- 'Standard_ZRS'

-])

-@description('Storage account type.')

-param storageAccountType string = 'Standard_LRS'

-@description('Location for all resources.')

-param location string = resourceGroup().location

-var storageAccountName = 'storage${uniqueString(resourceGroup().id)}'

-resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {

- name: storageAccountName

- location: location

- sku: {

- name: storageAccountType

- }

- kind: 'StorageV2'

-}

-output storageAccountNameOutput string = storageAccount.name

-```

-Run MSBuild to convert the Bicep file to JSON.

-1. In the PowerShell session, go to the _C:\bicep-msbuild-demo_ directory.

- MSBuild.exe -restore .\bicep-msbuild-demo.csproj

-1. Go to the output directory and open the _main.json_ file that should look like the sample.

-When you're finished with the files, delete the directory. For this example, delete _C:\bicep-msbuild-demo_.

-Remove-Item -Path "C:\bicep-msbuild-demo" -Recurse

-| Microsoft.AppPlatform | [Azure Spring Apps](../../spring-apps/overview.md) |

-| Microsoft.Microservices4Spring | [Azure Spring Apps](../../spring-apps/overview.md) |

-To learn more about the limits for Azure Spring Apps, see [Quotas and service plans for Azure Spring Apps](../../spring-apps/quotas.md).

-> | storageaccounts | **Yes** | **Yes** | **Yes**<br/><br/> [Move an Azure Storage account to another region](../../storage/common/storage-account-move.md) |

-Returns the first character of the string, or first element of the array.

-In this tutorial, you can discover the process of creating your own authentication method and integrate it with the Microsoft Azure SignalR Service.

-The authentication initially used in the quickstart's chat room application is too simple for real-world scenarios. The application allows each client to claim who they are, and the server simply accepts that. This approach lacks effectiveness in real-world, as it fails to prevent malicious users who might assume false identities from gaining access to sensitive data.

-[GitHub](https://github.com/) provides authentication APIs based on a popular industry-standard protocol called [OAuth](https://oauth.net/). These APIs allow third-party applications to authenticate GitHub accounts. In this tutorial, you can use these APIs to implement authentication through a GitHub account before allowing client logins to the chat room application. After authenticating a GitHub account, the account information will be added as a cookie to be used by the web client to authenticate.

-By default when a web client attempts to connect to SignalR Service, the connection is granted based on an access token that is provided internally. This access token isn't associated with an authenticated identity.

- You're prompted to authorize the chat app's access to your GitHub account. Select the **Authorize** button.

- - Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2

- - Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.2, openSUSE Leap 15.2, CentOS 8, Debian 10 Buster (with unzip installation required), Oracle Linux 8.3, and Ubuntu Server 18.04 LTS

- * **Windows:** Microsoft Edge, Google Chrome, and Firefox

- * **MacOS:** Safari, Google Chrome, and Firefox

-zone_pivot_groups: acs-azcli-azp-azpnew-java-net-python-csharp-js

-description: In this tutorial, you learn how to migrate your calling product from Twilio to Azure Communication Services.

-This article provides guidance on how to migrate your existing Twilio Video implementation to the [Azure Communication Services' Calling SDK](../concepts/voice-video-calling/calling-sdk-features.md) for WebJS. Twilio Video and Azure Communication Services' calling SDK for WebJS are both cloud-based platforms that enable developers to add voice and video calling features to their web applications. However, there are some key differences between them that may affect your choice of platform or require some changes to your existing code if you decide to migrate. In this article, we will compare the main features and functionalities of both platforms and provide some guidance on how to migrate your existing Twilio Video implementation to Azure Communication Services' Calling SDK for WebJS.

-**For a more detailed understanding of the capabilities of the Calling SDK for different platforms, consult** [**this document**](../concepts/voice-video-calling/calling-sdk-features.md#detailed-capabilities)**.**

-1. **Azure Account:** Confirm that you have an active subscription in your Azure account. New users can create a free Azure account [here](https://azure.microsoft.com/free/).

-2. **Node.js 18:** Ensure Node.js 18 is installed on your system; download can be found right [here](https://nodejs.org/en).

-3. **Communication Services Resource:** Set up a [Communication Services Resource](../quickstarts/create-communication-resource.md?tabs=windows&pivots=platform-azp) via your Azure portal and note down your connection string.

-4. **Azure CLI:** You can get the Azure CLI installer from [here](/cli/azure/install-azure-cli-windows?tabs=azure-cli)..

-For more information, see the guide on how to [Use Azure CLI to Create and Manage Access Tokens](../quickstarts/identity/access-tokens.md?pivots=platform-azcli).

-The UI Library simplifies the process of creating modern communication user interfaces using Azure Communication Services. It offers a collection of ready-to-use UI components that you can easily integrate into your application.

-This prebuilt set of controls facilitates the creation of aesthetically pleasing designs using [Fluent UI SDK](https://developer.microsoft.com/en-us/fluentui#/) components and the development of audio/video communication experiences. If you wish to explore more about the UI Library, check out the [overview page](../concepts/ui-library/ui-library-overview.md), where you find comprehensive information about both web and mobile platforms.

-The Azure Communication Services Calling SDK supports the following streaming configurations:

-Azure Communication Services offers various call types. The type of call you choose impacts your signaling schema, the flow of media traffic, and your pricing model. Further details can be found [here](../concepts/voice-video-calling/about-call-types.md).

-You can remove the Twilio SDK from your project by uninstalling the package

-## Object model

-| AzureCommunicationTokenCredential | Implements the CommunicationTokenCredential interface, which is used to instantiate the CallAgent. |

-| CallAgent | Used to start and manage calls. |

-| Device Manager | Used to manage media devices. |

-| Call | Used for representing a Call. |

-| LocalVideoStream | Used for creating a local video stream for a camera device on the local system. |

-| RemoteParticipant | Used for representing a remote participant in the Call. |

-| RemoteVideoStream | Used for representing a remote video stream from a Remote Participant. |

-| LocalAudioStream | Represents a local audio stream for a local microphone device |

-| AudioOptions | Audio options, which are provided when making an outgoing call or joining a group call |

-| AudioIssue | Represents the end of call survey audio issues, example responses would be NoLocalAudio - the other participants were unable to hear me, or LowVolume - the callΓÇÖs audio volume was low |

-When using in a Teams implementation there are a few differences:

-Twilio doesn't have a Device Manager analog, tracks are being created using the systemΓÇÖs default device. For customization, you should obtain the desired source track via:

-You can use the getDeviceManager method on the CallClient instance to access deviceManager.

-```javascript

-To create and start a call, use one of the APIs on `callAgent` and provide a user that you created through the Communication Services identity SDK.

-Call creation and start are synchronous. The `call` instance allows you to subscribe to call events - subscribe to `stateChanged` event for value changes.

-``````

-To call another Communication Services user, use the `startCall` method on `callAgent` and pass the recipient's CommunicationUserIdentifier that you [created with the Communication Services administration library](../quickstarts/identity/access-tokens.md).

-To join a `room` call, you can instantiate a context object with the `roomId` property as the room identifier. To join the call, use the join method and pass the context instance.

-A **room** offers application developers better control over who can join a call, when they meet and how they collaborate. To learn more about **rooms**, you can read the [conceptual documentation](../concepts/rooms/room-concept.md) or follow the [quick start guide](../quickstarts/rooms/join-rooms-call.md).

-### Azure Communication Services group Call

-To start a new group call or join an ongoing group call, use the `join` method and pass an object with a groupId property. The `groupId` value has to be a GUID.

-Start a synchronous one-to-one or group call with `startCall` API on `teamsCallAgent`. You can provide `MicrosoftTeamsUserIdentifier` or `PhoneNumberIdentifier` as a parameter to define the target of the call. The method returns the `TeamsCall` instance that allows you to subscribe to call events.

-The Twilio Video SDK the Participant is being created after joining the room, and it doesn't have any information about other rooms.

-When starting/joining/accepting a call with video on, if the specified video camera device is being used by another process or if it's disabled in the system, the call starts with video off, and a `cameraStartFailed:` true call diagnostic will be raised.

- // Get information about this Call. This API is provided as a preview for developers and may change based on feedback that we receive. Do not use this API in a production environment. To use this api please use 'beta' release of Azure Communication Services Calling Web SDK

-After starting a call, joining a call, or accepting a call, you can also use the callAgents' `callsUpdated` event to be notified of the new Call object and start subscribing to it.

-For Azure Communication Services Teams implementation, check how to [Receive a Teams Incoming Call](../how-tos/cte-calling-sdk/manage-calls.md#receive-a-teams-incoming-call).

-To add a participant to a call, you can use `addParticipant`. Provide one of the Identifier types. It synchronously returns the remoteParticipant instance.

-To remove a participant from a call, you can invoke `removeParticipant`. You have to pass one of the Identifier types. This method resolves asynchronously after the participant is removed from the call. The participant is also removed from the `remoteParticipants` collection.

-Camera is enabled by default, however it can be disabled and enabled back if necessary:

-Or

-Later created video track should be attached locally:

-Twilio Tracks rely on default input devices and reflect the changes in defaults. However, to change an input device, the previous Video Track should be unpublished:

-And a new Video Track with the correct constraints should be created.

-To start a video while on a call, you have to enumerate cameras using the getCameras method on the `deviceManager` object. Then create a new instance of `LocalVideoStream` with the desired camera and then pass the `LocalVideoStream` object into the `startVideo` method of an existing call object:

-After you successfully start sending video, a LocalVideoStream instance of type Video is added to the localVideoStreams collection on a call instance.

-To stop local video while on a call, pass the localVideoStream instance that's being used for video:

-You can switch to a different camera device while a video is sending by invoking switchSource on a localVideoStream instance:

-To verify if the local video is on or off you can use `isLocalVideoStarted` API, which returns true or false:

-To listen for changes to the local video, you can subscribe and unsubscribe to the `isLocalVideoStartedChanged` event

-### Rendering a remote user video

-As soon as a Remote Participant publishes a Video Track, it needs to be attached. `trackSubscribed` event on Room or Remote Participant allows you to detect when the track can be attached:

-To render `RemoteVideoStream`, you have to subscribe to its `isAvailableChanged` event. If the `isAvailable` property changes to true, a remote participant is sending a stream. After that happens, create a new instance of `VideoStreamRenderer`, and then create a new `VideoStreamRendererView` instance by using the asynchronous createView method. You can then attach `view.target` to any UI element.

-Whenever availability of a remote stream changes, you can destroy the whole `VideoStreamRenderer` or a specific `VideoStreamRendererView`. If you do decide to keep them it will result in displaying a blank video frame.

-Subscribe to the remote participant's videoStreamsUpdated event to be notified when the remote participant adds new video streams and removes video streams.

-To use Virtual Background, Twilio helper library should be installed:

-New Processor instance should be created and loaded:

-As soon as the model is loaded the background can be added to the video track via addProcessor method:

-```javascript

-videoTrack.addProcessor(processor, { inputFrameBufferType: 'video', outputFrameBufferContextType: 'webgl2' });

-```

-For background replacement with an image you need to provide the URL of the image you want as the background to this effect. Currently supported image formats are: png, jpg, jpeg, tiff, bmp, and current supported aspect ratio is 16:9

-Changing the image for this effect can be done by passing it via the configured method:

-Switching effects can be done using the same method on the video effects feature API:

-At any time if you want to check what effects are active, you can use the `activeEffects` property. The `activeEffects` property returns an array with the names of the currently active effects and returns an empty array if there are no affects active.

-// Using the video effects feature API

-Microphone is enabled by default, however it can be disabled and enabled back if necessary:

-Created Audio Track should be attached by Local Participant the same way as Video Track:

-Or

-It is impossible to mute incoming audio in Twilio Video SDK.

-### Detecting Dominant speaker

-To detect the loudest Participant in the Room, Dominant Speaker API can be used. It can be enabled in the connection options when joining the Group Room with at least 2 participants:

-When the loudest speaker in the Room will change, the dominantSpeakerChanged event is emitted:

-Dominant speakers for a call are an extended feature of the core Call API and allows you to obtain a list of the active speakers in the call. This is a ranked list, where the first element in the list represents the last active speaker on the call and so on.

-Also, you can subscribe to the `dominantSpeakersChanged` event to know when the dominant speakers list has changed.

-To share the screen in Twilio Video, source track should be obtained via navigator.mediaDevices

-Obtain the screen share track can then be published and managed the same way as casual Video Track (see the ΓÇ£VideoΓÇ¥ section).

-To start screen sharing while on a call, you can use asynchronous API `startScreenSharing`:

-After successfully starting to sending screen sharing, a `LocalVideoStream` instance of type `ScreenSharing` is created and is added to the `localVideoStreams` collection on the call instance.

-To stop screen sharing while on a call, you can use asynchronous API `stopScreenSharing`:

-To verify if screen sharing is on or off, you can use `isScreenSharingOn` API, which returns true or false:

-To listen for changes to the screen share, you can subscribe and unsubscribe to the `isScreenSharingOnChanged` event

-To collect real-time media stats, the getStats method can be used.

-Media quality statistics is an extended feature of the core Call API. You first need to obtain the mediaStatsFeature API object:

-If you want control over the interval of the summmaryReported event, you need to define `mediaStatsCollectorOptions` of type `MediaStatsCollectorOptions`. Otherwise, the SDK uses default values.

-In case you don't need to use the media statistics collector, you can call dispose method of `mediaStatsCollector`.

-It's not necessary to call the dispose method of `mediaStatsCollector` every time the call ends, as the collectors are reclaimed internally when the call ends.

-You can learn more about media quality statistics [here](../concepts/voice-video-calling/media-quality-sdk.md?pivots=platform-web).

-To test connectivity, Twilio offers Preflight API - a test call is performed to identify signaling and media connectivity issues.

-To launch the test, an access token is required:

-Another way to identify network issues during the call is Network Quality API, which monitors Participant's network and provides quality metrics. It can be enabled in the connection options when joining the Group Room:

-When the network quality for Participant changes, a `networkQualityLevelChanged` event will be emitted:

-Azure Communication Services provides a feature called `"User Facing Diagnostics" (UFD)` that can be used to examine various properties of a call to determine what the issue might be. User Facing Diagnostics are events that are fired off that could indicate due to some underlying issue (poor network, the user has their microphone muted) that a user might have a poor experience.

-User-facing diagnostics is an extended feature of the core Call API and allows you to diagnose an active call.

-Subscribe to the diagnosticChanged event to monitor when any user-facing diagnostic changes:

-You can learn more about User Facing Diagnostics and the different diagnostic values available in [this article](../concepts/voice-video-calling/user-facing-diagnostics.md?pivots=platform-web).

-ACS also provides a pre-call diagnostics API. To Access the Pre-Call API, you need to initialize a `callClient`, and provision an Azure Communication Services access token. There you can access the `PreCallDiagnostics` feature and the `startTest` method.

-The Pre-Call API returns a full diagnostic of the device including details like device permissions, availability and compatibility, call quality stats and in-call diagnostics. The results are returned as a PreCallDiagnosticsResult object.

-You can learn more about ensuring precall readiness [here](../concepts/voice-video-calling/pre-call-diagnostics.md).

-### Twilio

-

-[Azure Spring Apps](../spring-apps/overview.md) is a fully managed service for Spring developers. If you want to run Spring Boot, Spring Cloud or any other Spring applications on Azure, Azure Spring Apps is an ideal option. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more.

-## <a name="use-additional-tcp-ports"></a>Use additional TCP ports (preview)

-> [Note]

-> To use this preview feature, you must have the container apps CLI extension. Run `az extension add -n containerapp` in order to install the latest version of the container apps CLI extension.

-## <a name="additional-tcp-ports"></a>Additional TCP ports (preview)

-In addition to the main HTTP/TCP port for your container apps, you might expose additional TCP ports to enable applications that accept TCP connections on multiple ports. This feature is in preview.

-> As the feature is in preview, make sure you are using the latest preview version of the container apps CLI extension.

-Create a container registry using the [az acr create][az-acr-create] command. The registry name must be unique within Azure, and contain 5-50 alphanumeric characters. In the following example, *myContainerRegistry008* is used. Update this to a unique value.

- --name myContainerRegistry008 --sku Basic

- --registry myContainerRegistry008 \

-az acr run --registry myContainerRegistry008 \

-When asked about logs for a particular resource, Microsoft Copilot for Azure (preview) generates an example KQL expression and allows you to further explore the data in Azure Monitor logs. This capability is available for all customers using Log Analytics, and can be used in the context of a particular Azure Kubernetes Service cluster that is using Azure Monitor logs.

-When you ask Microsoft Copilot for Azure (preview) about logs, it automatically pulls context when possible, based on the current conversation or on the page you're viewing in the Azure portal. If the context isn't clear, you'll be prompted to specify the resource for which you want information.

-Here are a few examples of the kinds of prompts you can use to get information about Azure Monitor logs. Modify these prompts based on your real-life scenarios, or try additional prompts to get different kinds of information.

-```azurecli

-az cosmosdb sql database merge \

- --account-name '<cosmos-account-name>'

- --name '<cosmos-database-name>'

- --resource-group '<resource-group-name>'

-```http

-POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/sqlDatabases/{databaseName}/partitionMerge?api-version=2023-11-15-preview

-```

-For **shared-throughput databases**, start the merge by using [`az cosmosdb mongodb database merge`](/cli/azure/cosmosdb/mongodb/database?view=azure-cli-latest).

-```azurecli

-```http

-All versions and deletes mode (preview) is a persistent record of all changes to items from create, update, and delete operations. You get a record of each change to items in the order that it occurred, including intermediate changes to an item between change feed reads. For example, if an item is created and then updated before you read the change feed, both the create and the update versions of the item appear in the change feed. To read from the change feed in all versions and deletes mode, you must have [continuous backups](../continuous-backup-restore-introduction.md) configured for your Azure Cosmos DB account. Turning on continuous backups creates the all versions and deletes change feed. You can only read changes that occurred within the continuous backup period when using this change feed mode. This mode is only compatible with Azure Cosmos DB for NoSQL accounts. Learn more about how to [sign up for the preview](#get-started).

-* Learn to [use Azure CLI authentication in Terraform](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/azure_cli).

- - task: NodeTool@0

- versionSpec: '14.x'

-When you onboard to Defender for Cloud, the GCloud template is used to create the following resources as part of the authentication process:

-Once you've selected the plans, you want to enable and the resources you want to protect you have to configure access between Defender for Cloud and your GCP project.

-Once you've selected the plans, you want to enable and the resources you want to protect you have to configure access between Defender for Cloud and your GCP project.

-You need to decide what is your best option for your organization's architecture. We recommend creating a dedicated project for Defender for Cloud.

-| Required permissions: | **Account Administrator** with permissions to sign in to the Azure portal. <br> **Contributor** to create a connector on the Azure subscription. <br> **Project Collection Administrator** on the Azure DevOps Organization. <br> **Basic or Basic + Test Plans Access Level** in Azure DevOps. <br> **Third-party application access via OAuth**, which must be set to `On` on the Azure DevOps Organization. [Learn more about OAuth and how to enable it in your organizations](/azure/devops/organizations/accounts/change-application-access-policies).|

-Azure and AWS container registry vulnerabilities sub-assessments are published to ARG as part of the security resources. Learn more about [security sub-assessments](/azure/governance/resource-graph/samples/samples-by-category?tabs=azure-cli#list-container-registry-vulnerability-assessment-results).

-* For Azure container vulnerability assessment powered by MDVM the key is `c0b7cfc6-3172-465a-b378-53c7ff2cc0d5`.

-* For AWS container vulnerability assessment powered by MDVM the key is `c27441ae-775c-45be-8ffa-655de37362ce`.

-| assessedResourceType | string: <br> AzureContainerRegistryVulnerability<br> AwsContainerRegistryVulnerability | Subassessment resource type |

-### ResourceDetails - AWS

-Details of the AWS resource that was assessed

-| source | string: Aws | The platform where the assessed resource resides |

-| resourceProvider | string: ecr | The assessed resource provider |

-| hierarchyId | string | Account ID (Aws) |

-| NotApplicable | string | Assessment for this resource did not happen |

-| properties.resourceDetails | ResourceDetails: <br> [Azure Resource Details](/azure/defender-for-cloud/subassessment-rest-api#resourcedetailsazure) <br> [AWS Resource Details](/azure/defender-for-cloud/subassessment-rest-api#resourcedetailsaws) | Details of the resource that was assessed |

-> When you're facing a problem or need advice from our support team, the **Diagnose and solve problems** section of the Azure portal is good place to look for solutions.

-> :::image type="content" source="media/release-notes/solve-problems.png" alt-text="Screenshot of the Azure portal that shows the page for diagnosing and solving problems in Defender for Cloud.":::

- :::image type="content" source="./media/troubleshooting-guide/authorize-select-tenant.png" alt-text="Screenshot of the Azure DevOps profile page that's used to select an account.":::

-description: In this tutorial, you download and use a remote desktop client to connect to a dev box in Microsoft Dev Box. Configure the RDP client for a multi-monitor setup.

-In this tutorial, you download and use a remote desktop client application to connect to a dev box in Microsoft Dev Box. Learn how to configure the application to take advantage of a multi-monitor setup.

-Alternately, you can also connect to your dev box through the browser from the Microsoft Dev Box developer portal.

-> * Configure the remote desktop client for multiple monitors.

-To complete this tutorial, you must first:

-1. After you select your platform configuration, click the platform configuration to start the download process for the Remote Desktop client.

- :::image type="content" source="./media/tutorial-connect-to-dev-box-with-remote-desktop-app/download-windows-desktop.png" alt-text="Screenshot that shows how to click the platform configuration again to download the Windows Remote Desktop client.":::

-## Configure Remote Desktop to use multiple monitors

-When you connect to your cloud-hosted developer machine in Microsoft Dev Box, you can take advantage of a multi-monitor setup. Microsoft Remote Desktop for Windows and Microsoft Remote Desktop for Mac both support up to 16 monitors.

-Use the following steps to configure Remote Desktop to use multiple monitors.

-# [Windows](#tab/windows)

-1. Open Remote Desktop.

-

-1. Right-click the dev box you want to configure, and then select **Settings**.

-

-1. On the settings pane, turn off **Use default settings**.

-

- :::image type="content" source="media/tutorial-connect-to-dev-box-with-remote-desktop-app/turn-off-default-settings.png" alt-text="Screenshot showing the Use default settings slider.":::

-

-1. In **Display Settings**, in the **Display configuration** list, select the displays to use and configure the options:

-

- | Value | Description | Options |

- ||||

- | All displays | Remote desktop uses all available displays. | - Use only a single display when in windowed mode. <br> - Fit the remote session to the window. |

- | Single display | Remote desktop uses a single display. | - Start the session in full screen mode. <br> - Fit the remote session to the window. <br> - Update the resolution on when a window is resized. |

- | Select displays | Remote Desktop uses only the monitors you select. | - Maximize the session to the current displays. <br> - Use only a single display when in windowed mode. <br> - Fit the remote connection session to the window. |

- :::image type="content" source="media/tutorial-connect-to-dev-box-with-remote-desktop-app/remote-desktop-select-display.png" alt-text="Screenshot showing the Remote Desktop display settings, highlighting the option to select the number of displays.":::

-1. Close the settings pane, and then select your dev box to begin the Remote Desktop session.

-# [Non-Windows](#tab/non-Windows)

-1. Open Remote Desktop.

-

-1. Select **PCs**.

-1. On the Connections menu, select **Edit PC**.

-

-1. Select **Display**.

-

-1. On the Display tab, select **Use all monitors**, and then select **Save**.

- :::image type="content" source="media/tutorial-connect-to-dev-box-with-remote-desktop-app/remote-desktop-for-mac.png" alt-text="Screenshot showing the Edit PC dialog box with the display configuration options.":::

-1. Select your dev box to begin the Remote Desktop session.

-

-## Fetch OID

-The object ID (OID) is the Microsoft Entra user OID.

-1. Input the OID of the users (or the application or client ID if managing access for an application) as parameters in the calls to the Entitlements API of your Azure Data Manager for Energy instance.

- 2. Add the user to the `users.datalake.ops@<data-partition-id>.<domain>` OSDU group.

- curl --location --request POST 'https://<adme-url>/api/entitlements/v2/groups/<group-name>@<data-partition-id>.dataservices.energy/members' \

- curl --location --request GET 'https://<adme-url>/api/entitlements/v2/members/<OBJECT_ID>/groups?type=none' \

- curl --location --request DELETE 'https://<adme-url>/api/entitlements/v2/members/<OBJECT_ID>' \

-After you enable identity for your event grid custom topic or domain, Azure automatically creates an identity in Microsoft Entra ID. Add this identity to appropriate Azure roles so that the custom topic or domain can forward events to supported destinations. For example, add the identity to the **Azure Event Hubs Data Sender** role for an Azure Event Hubs namespace so that the event grid custom topic can forward events to event hubs in that namespace.

-Currently, Azure event grid supports custom topics or domains configured with a system-assigned managed identity to forward events to the following destinations. This table also gives you the roles that the identity should be in so that the custom topic can forward the events.

-The following example adds a managed identity for an event grid custom topic named **msitesttopic** to the **Azure Service Bus Data Sender** role for a Service Bus namespace that contains a queue or topic resource. When you add to the role at the namespace level, the event grid custom topic can forward events to all entities within the namespace.

-The example in this section shows you how to use the Azure CLI to add an identity to an Azure role. The sample commands are for event grid custom topics. The commands for event grid domains are similar.

-The following CLI example shows how to add an event grid custom topic's identity to the **Azure Service Bus Data Sender** role at the namespace level or at the Service Bus topic level. If you create the role assignment at the namespace level, the event grid topic can forward events to all entities (Service Bus queues or topics) within that namespace. If you create a role assignment at the Service Bus queue or topic level, the event grid custom topic can forward events only to that specific Service Bus queue or topic.

-2. In the search bar at the top, type **Event Grid Topics**, and then select **Event Grid Topics** from the drop-down list. If you are create a domain, search for **Event Grid Domains**.

- :::image type="content" source="./media/custom-event-quickstart-portal/select-topics.png" alt-text="Screenshot showing the Azure port search bar to search for Event Grid topics.":::

-3. Provide a unique **name** for the custom topic or domain. The name must be unique because it's represented by a DNS entry. Don't use the name shown in the image. Instead, create your own name - it must be between 3-50 characters and contain only values a-z, A-Z, 0-9, and "-".

-1. If you want to allow clients to connect to the topic or domain endpoint via a public IP address, keep the **Public access** option selected.

- The **Cross-Geo** option allows Microsoft-initiated failover to the paired region in case of a region failure. For more information, see [Server-side geo disaster recovery in Azure Event Grid](geo-disaster-recovery.md). Microsoft-initiated failover is exercised by Microsoft in rare situations to fail over Event Grid resources from an affected region to the corresponding geo-paired region. This process doesn't require an intervention from user. Microsoft reserves right to make a determination of when this path will be taken. The mechanism doesn't involve a user consent before the user's topic or domain is failed over. For more information, see [How do I recover from a failover?](./faq.yml).

- If you select the **Regional** option, you may define your own disaster recovery plan.

-The **Tags** page has no fields that are specific to Event Grid. You can assign a tag (name-value pair) as you do for any other Azure resource. Select **Next: Review + create** to switch to the **Review + create** page.

-[Azure Event Grid](overview.md) is a highly scalable and serverless event broker that you can use to integrate applications using events. Events are delivered by Event Grid to [supported event handlers](event-handlers.md) and Azure Event Hubs is one of them. In this article, you use Azure CLI for the following steps:

-An Event Grid topic provides a user-defined endpoint that you post your events to. The following example creates the custom topic in your resource group. Replace `<topic_name>` with a unique name for your custom topic. The Event Grid topic name must be unique because it's represented by a DNS entry.

-To simplify this article, you use sample event data to send to the custom topic. Typically, an application or Azure service would send the event data. CURL is a utility that sends HTTP requests. In this article, use CURL to send the event to the custom topic. The following example sends three events to the Event Grid topic:

-On the **Overview** page for your Event Hubs namespace in the Azure portal, notice that Event Grid sent those three events to the event hub. You'll see the same chart on the **Overview** page for the `demohub` Event Hubs instance page.

-[Azure Event Grid](overview.md) is a highly scalable and serverless event broker that you can use to integrate applications using events. Events are delivered by Event Grid to [supported event handlers](event-handlers.md) and Azure Queue storage is one of them. In this article, you use Azure CLI for the following steps:

-An Event Grid topic provides a user-defined endpoint that you post your events to. The following example creates the custom topic in your resource group. Replace `<topic_name>` with a unique name for your custom topic. The Event Grid topic name must be unique because it's represented by a DNS entry.

-To simplify this article, you use sample event data to send to the custom topic. Typically, an application or Azure service would send the event data. CURL is a utility that sends HTTP requests. In this article, you use CURL to send the event to the custom topic. The following example sends three events to the Event Grid topic:

-By default, topic and domain are accessible from the internet as long as the request comes with valid authentication and authorization. With IP firewall, you can restrict it further to only a set of IP addresses or IP address ranges in [CIDR (Classless Inter-Domain Routing)](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) notation. Publishers originating from any other IP address will be rejected and will receive a 403 (Forbidden) response.

-You can use [private endpoints](../private-link/private-endpoint-overview.md) to allow ingress of events directly from your virtual network to your topics and domains securely over a [private link](../private-link/private-link-overview.md) without going through the public internet. A private endpoint is a special network interface for an Azure service in your VNet. When you create a private endpoint for your topic or domain, it provides secure connectivity between clients on your VNet and your Event Grid resource. The private endpoint is assigned an IP address from the IP address range of your VNet. The connection between the private endpoint and the Event Grid service uses a secure private link.

-

-When you create a private endpoint for a topic or domain in your VNet, a consent request is sent for approval to the resource owner. If the user requesting the creation of the private endpoint is also an owner of the resource, this consent request is automatically approved. Otherwise, the connection is in **pending** state until approved. Applications in the VNet can connect to the Event Grid service over the private endpoint seamlessly, using the same connection strings and authorization mechanisms that they would use otherwise. Resource owners can manage consent requests and the private endpoints, through the **Private endpoints** tab for the resource in the Azure portal.

-Publishers on a VNet using the private endpoint should use the same connection string for the topic or domain as clients connecting to the public endpoint. DNS resolution automatically routes connections from the VNet to the topic or domain over a private link. Event Grid creates a [private DNS zone](../dns/private-dns-overview.md) attached to the VNet with the necessary update for the private endpoints, by default. However, if you're using your own DNS server, you may need to make additional changes to your DNS configuration.

-When you resolve the topic or domain endpoint URL from outside the VNet with the private endpoint, it resolves to the public endpoint of the service. The DNS resource records for 'topicA', when resolved from **outside the VNet** hosting the private endpoint, will be:

-You can deny or control access for a client outside the VNet through the public endpoint using the [IP firewall](#ip-firewall).

-When resolved from the VNet hosting the private endpoint, the topic or domain endpoint URL resolves to the private endpoint's IP address. The DNS resource records for the topic 'topicA', when resolved from **inside the VNet** hosting the private endpoint, will be:

-This approach enables access to the topic or domain using the same connection string for clients on the VNet hosting the private endpoints, and clients outside the VNet.

-If you're using a custom DNS server on your network, clients can resolve the FQDN for the topic or domain endpoint to the private endpoint IP address. Configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for `topicOrDomainName.regionName.privatelink.eventgrid.azure.net` with the private endpoint IP address.

-To troubleshoot network connectivity issues, see [Troubleshoot network connectivity issues](troubleshoot-network-connectivity.md)

-Azure Event Grid's **Partner Events** allows customers to **subscribe to events** that originate in a registered system using the same mechanism they would use for any other event source on Azure, such as an Azure service. Those registered systems integrate with Event Grid are known as "partners".

-4. [Subscribe to events](subscribe-to-partner-events.md#subscribe-to-events) by creating one or more event subscriptions on the partner topic.

-You may want to use the Partner Events feature if you've one or more of the following requirements.

-You must authorize partners to create partner topics before they attempt to create those resources. If you don't grant your authorization, the partners' attempt to create the partner resource will fail.

-* Private Link: FastPath Connectivity to a private endpoint or Private Link service over an ExpressRoute Direct circuit is supported for limited scenarios. For more information, see [enable FastPath and Private Link for 100 Gbps ExpressRoute Direct](expressroute-howto-linkvnet-arm.md#fastpath-and-private-link-for-100-gbps-expressroute-direct). FastPath connectivity to a Private endpoint/Private Link service is not supported for ExpressRoute partner circuits.

-## Public preview

-The following FastPath features are in Public preview:

-### Virtual network (VNet) Peering

-FastPath sends traffic directly to any VM deployed in a virtual network peered to the one connected to ExpressRoute, bypassing the ExpressRoute virtual network gateway. This feature is available for both IPv4 and IPv6 connectivity.

-**FastPath support for VNet peering is only available for ExpressRoute Direct connections.**

-> [!NOTE]

-> * FastPath VNet peering connectivity is not supported for Azure Dedicated Host workloads.

-### User Defined Routes (UDRs)

-FastPath honors UDRs configured on the GatewaySubnet and send traffic directly to an Azure Firewall or third party NVA.

-**FastPath support for UDRs is only available for ExpressRoute Direct connections**

-> [!NOTE]

-> * FastPath UDR connectivity is not supported for Azure Dedicated Host workloads.

-> * FastPath UDR connectivity is not supported for IPv6 workloads.

-To enroll in the Public preview, send an email to **exrpm@microsoft.com** with the following information:

-FastPath Private Endpoint/Private Link support for 100Gbps and 10Gbps ExpressRoute Direct connections is available for limited scenarios in the following Azure regions:

-For more information about supported scenarios and to enroll in the limited GA offering, send an email to **exrpm@microsoft.com** with the following information:

-### FastPath and Private Link for 100-Gbps ExpressRoute Direct

-With FastPath and Private Link, Private Link traffic sent over ExpressRoute bypasses the ExpressRoute virtual network gateway in the data path. This is Generally Available for connections associated to 100-Gb ExpressRoute Direct circuits. To enable, follow the below guidance:

-1. Send an email to **ExRPM@microsoft.com**, providing the following information:

-* Azure Subscription ID

-* Virtual Network (virtual network) Resource ID

-* Azure Region where the Private Endpoint/Private Link service is deployed

-* Virtual Network Connection Resource ID

-* Number of Private Endpoints/Private Link services deployed to the virtual network

-* Target bandwidth to the Private Endpoints/Private Link services

->

-## Enroll in ExpressRoute FastPath features (preview)

-### FastPath virtual network peering and user defined routes (UDRs).

-With FastPath and virtual network peering, you can enable ExpressRoute connectivity directly to VMs in a local or peered virtual network, bypassing the ExpressRoute virtual network gateway in the data path.

-With FastPath and UDR, you can configure a UDR on the GatewaySubnet to direct ExpressRoute traffic to an Azure Firewall or third party NVA. FastPath honors the UDR and send traffic directly to the target Azure Firewall or NVA, bypassing the ExpressRoute virtual network gateway in the data path.

-To enroll in the preview, send an email to **exrpm@microsoft.com**, providing the following information:

-* Azure Subscription ID

-* Virtual Network (virtual network) Resource ID

-* ExpressRoute Circuit Resource ID

-* ExpressRoute Connection(s) Resource ID(s)

-* Number of Private Endpoints deployed to the local/Hub virtual network.

-* Resource ID of any User-Defined-Routes (UDRs) configured in the local/Hub virtual network.

-### FastPath and Private Link for 10-Gbps ExpressRoute Direct

-With FastPath and Private Link, Private Link traffic sent over ExpressRoute bypasses the ExpressRoute virtual network gateway in the data path. This preview supports connections associated to 10-Gbps ExpressRoute Direct circuits. This preview doesn't support ExpressRoute circuits managed by an ExpressRoute partner.

-To enroll in this preview, run the following Azure PowerShell command in the target Azure subscription:

-```azurepowershell-interactive

-Register-AzProviderFeature -FeatureName ExpressRoutePrivateEndpointGatewayBypass -ProviderNamespace Microsoft.Network

-```

-FastPath support for virtual network peering is now in Public preview. Enrollment is only available through Azure PowerShell. See [FastPath preview features](expressroute-howto-linkvnet-arm.md#enroll-in-expressroute-fastpath-features-preview), for instructions on how to enroll.

-FastPath support for virtual network peering is now in Public preview. Enrollment is only available through Azure PowerShell. See [FastPath preview features](expressroute-howto-linkvnet-arm.md#enroll-in-expressroute-fastpath-features-preview), for instructions on how to enroll.

-description: Compare Azure Firewall performance for Azure Firewall Standard and Premium

-Reliable firewall performance is essential to operate and protect your virtual networks in Azure. More advanced features (like those found in Azure Firewall Premium) require more processing complexity. This will affect firewall performance and impact the overall network performance.

-Azure Firewall has two versions: Standard and Premium.

- Azure Firewall Standard has been generally available since September 2018. It's cloud native, highly available, with built-in auto scaling firewall-as-a-service. You can centrally govern and log all your traffic flows using a DevOps approach. The service supports both application and network level-filtering rules, and is integrated with the Microsoft Threat Intelligence feed for filtering known malicious IP addresses and domains.

-Before you deploy Azure Firewall, the performance needs to be tested and evaluated to ensure it meets your expectations. Not only should Azure Firewall handle the current traffic on a network, but it should also be ready for potential traffic growth. It's recommended to evaluate on a test network and not in a production environment. The testing should attempt to replicate the production environment as close as possible. This includes the network topology, and emulating the actual characteristics of the expected traffic through the firewall.

-The following throughput numbers are for an Azure Firewall deployment before auto-scale (out of the box deployment). Azure Firewall gradually scales out when the average throughput and CPU consumption is at 60% or if the number of connections usage is at 80%. Scale out takes five to seven minutes. Azure Firewall gradually scales in when the average throughput, CPU consumption, or number of connections is below 20%.

-When performance testing, ensure you test for at least 10 to 15 minutes, and start new connections to take advantage of newly created firewall nodes.

-Actual performance may vary depending on your rule complexity and network configuration. These metrics are updated periodically as performance continuously evolves with each release.

-> **Get started:** [Deploy your first Spring Boot app in Azure Spring Apps](../../spring-apps/quickstart.md).

-aksManagedResourceGroup=`az rest --uri https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.HDInsight/clusterpools/{clusterPoolName}\?api-version\=2023-06-01-preview --query properties.managedResourceGroupName -o tsv --query properties.aksManagedResourceGroupName -o tsv`

-|\includeAssociatedData | No | Allows you to export history and soft deleted resources. This filter doesn't work with '_typeFilter' query parameter. Include value as '_history' to export history/ non latest versioned resources. Include value as '_deleted' to export soft deleted resources. |

-description: Learn about events, its features, integrations, and next steps.

-> [!NOTE]

-> [Fast Healthcare Interoperability Resources (FHIR&#174;)](https://www.hl7.org/fhir/) is an open healthcare specification.

-Events are a subscription and notification feature in the Azure Health Data Services. Events enable customers to utilize and enhance the analysis and workflows of structured and unstructured data like vitals and clinical or progress notes, operations data, health data, and medical imaging data.

-When FHIR resource changes or Digital Imaging and Communications in Medicine (DICOM) image changes are successfully written to the Azure Health Data Services, the events feature sends notification messages to events subscribers. These event notification occurrences can be sent to multiple endpoints to trigger automation ranging from starting workflows to sending email and text messages to support the changes occurring from the health data it originated from. The events feature integrates with the [Azure Event Grid service](../../event-grid/overview.md) and creates a system topic for the Azure Health Data Services workspace.

-> [!IMPORTANT]

-> FHIR resource and DICOM image change data is only written and event messages are sent when the events feature is turned on. The event feature doesn't send messages on past resource changes or when the feature is turned off.

-> [!TIP]

-> For more information about the features, configurations, and to learn about the use cases of the Azure Event Grid service, see [Azure Event Grid](../../event-grid/overview.md)

-> [!IMPORTANT]

-> Events currently supports the following operations:

->

-> * **FhirResourceCreated** - The event emitted after a FHIR resource gets created successfully.

->

-> * **FhirResourceUpdated** - The event emitted after a FHIR resource gets updated successfully.

->

-> * **FhirResourceDeleted** - The event emitted after a FHIR resource gets soft deleted successfully.

->

-> * **DicomImageCreated** - The event emitted after a DICOM image gets created successfully.

->

-> * **DicomImageDeleted** - The event emitted after a DICOM image gets deleted successfully.

->

-> - **DicomImageUpdated** - The event emitted after a DICOM image gets updated successfully.

->

-> For more information about the FHIR service delete types, see [FHIR REST API capabilities for Azure Health Data Services FHIR service](../../healthcare-apis/fhir/fhir-rest-api-capabilities.md).

-## Scalable

-Events are designed to support growth and changes in healthcare technology needs by using the [Azure Event Grid service](../../event-grid/overview.md) and creating a system topic for the Azure Health Data Services Workspace.

-## Configurable

-Choose the FHIR and DICOM event types that you want to receive messages about. Use the advanced features like filters, dead-lettering, and retry policies to tune events message delivery options.

-> [!NOTE]

-> The advanced features come as part of the Event Grid service.

-## Extensible

-Use events to send FHIR resource and DICOM image change messages to services like [Azure Event Hubs](../../event-hubs/event-hubs-about.md) or [Azure Functions](../../azure-functions/functions-overview.md) to trigger downstream automated workflows to enhance items such as operational data, data analysis, and visibility to the incoming data capturing near real time.

-

-## Secure

-Events are built on a platform that supports protected health information compliance with privacy, safety, and security in mind.

-Use [Azure Managed identities](../../active-directory/managed-identities-azure-resources/overview.md) to provide secure access from your Event Grid system topic to the events message receiving endpoints of your choice.

-To learn about deploying events using the Azure portal, see

-> [!div class="nextstepaction"]

-> [Deploy events using the Azure portal](events-deploy-portal.md)

-To learn about troubleshooting events, see

-> [!div class="nextstepaction"]

-> [Troubleshoot events](events-troubleshooting-guide.md)

-To learn about the frequently asks questions (FAQs) about events, see

-

-> [!div class="nextstepaction"]

-> [Frequently asked questions about Events](events-faqs.md)

-FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

-* Azure CLI installed on your development machine. For more information, see [How to install the Azure CLI](/cli/azure/install-azure-cli). This scenario requires Azure CLI version 2.42.0 or higher. Use `az --version` to check your version and `az upgrade` to update if necessary.

-* The Azure IoT Operations extension for Azure CLI.

- ```bash

- az extension add --name azure-iot-ops

-1. Select **Azure IoT Operations (preview)** from the **Application services** section of the Azure Arc menu.

-1. On the **Basics** tab of the **Install Azure IoT Operations Arc Extension** page, provide the following information:

-1. On the **Automation** tab, the automation commands are populated based on your chosen cluster and key vault. Select an automation option:

- * **Azure CLI enablement + UI deployment -- Visually guided configuration**: Generates an Azure CLI command that configures your cluster. If you choose this option, you'll return to the Azure portal to complete the Azure IoT Operations deployment.

- * **Azure CLI deployment -- Efficiency unleashed**: Generates an Azure CLI command that configures your cluster and also deploys Azure IoT Operations.

-1. After choosing your automation option, copy the generated CLI command.

- <!-- :::image type="content" source="../get-started/media/quickstart-deploy/install-extension-automation.png" alt-text="Screenshot of copying the CLI command from the automation tab for installing the Azure IoT Operations Arc extension in the Azure portal."::: -->

- If you copied the **Azure CLI deployment** CLI command, then you're done with the cluster configuration and deployment.

-1. If you copied the **Azure CLI enablement + UI deployment** CLI command, return to the Azure portal and select **Review + Create**.

-1. Wait for the validation to pass and then select **Create**.

- - ignite-2023

- This quickstart requires Azure CLI version 2.42.0 or higher. Use `az --version` to check your version and `az upgrade` to update if necessary.

-* The Azure IoT Operations extension for Azure CLI.

- ```powershell

- az extension add --name azure-iot-ops

- This quickstart requires Azure CLI version 2.42.0 or higher. Use `az --version` to check your version and `az upgrade` to update if necessary.

-* The Azure IoT Operations extension for Azure CLI.

- az extension add --name azure-iot-ops

-1. Select **Azure IoT Operations (preview)** from the **Application services** section of the Azure Arc menu.

-1. On the **Basics** tab of the **Install Azure IoT Operations Arc Extension** page, provide the following information:

-1. Once you select a key vault, the **Automation** tab populates an Azure CLI command that configures your cluster with your deployment information. Copy the CLI command.

- >[!TIP]

- >Select the **Azure CLI deployment -- Efficiency unleashed** automation option to generate a CLI command that performs the configuration tasks on your cluster and then also deploys Azure IoT Operations.

- <!-- :::image type="content" source="./media/quickstart-deploy/install-extension-automation.png" alt-text="Screenshot of copying the CLI command from the automation tab for installing the Azure IoT Operations Arc extension in the Azure portal."::: -->

- > When using a Github codespace in a browser, `az login` returns a localhost error in the browser window after logging in. To fix, either:

- Wait for the command to complete before continuing to the next step.

-1. Return to the Azure portal and select **Review + Create**.

-1. Wait for the validation to pass and then select **Create**.

-All incoming data within the pipeline is stored in the `equipment` dataset in the reference data store. The stored data includes the `installationDate` timestamp and keys such as `equipment` and `location`.

-Within the `equipment` dataset, the `asset` key serves as the primary key. When th pipeline ingests new data, Data Processor checks this property to determine how to handle the incoming data:

-[Azure CLI version 2.42.0 or higher](/cli/azure/install-azure-cli) is required and the [Azure IoT Operations extension](/cli/azure/iot/ops) installed.

-The module is designed to accommodate failures, either due to unhandled errors or unexpected script termination. The failure design is a 'fail forward' approach, where instead of attempting to move back to the Basic Load Balancer, you should correct the issue causing the failure (see the error output or log file), and retry the migration again, specifying the `-FailedMigrationRetryFilePathLB <BasicLoadBalancerbackupFilePath> -FailedMigrationRetryFilePathVMSS <VMSSBackupFile>` parameters. For public load balancers, because the Public IP Address SKU has been updated to Standard, moving the same IP back to a Basic Load Balancer won't be possible.

-| **Consumption** | Multi-tenant Azure Logic Apps | Managed connector, which appears in the designer under the **Standard** label. The **RosettaNet** connector provides only actions, but you can use any trigger that works for your scenario. For more information, review the following documentation: <br><br>- [RosettaNet connector operations](#rosettanet-operations) <br>- [B2B protocol limits for message sizes](logic-apps-limits-and-config.md#b2b-protocol-limits) <br>- [Managed connectors in Azure Logic Apps](../connectors/managed.md) |

-* At least two [partners](../logic-apps/logic-apps-enterprise-integration-partners.md) that are defined in your integration account and configured with the **DUNS** qualifier under **Business Identities** in the Azure portal.

- For more information about these PIP properties, visit the [RosettaNet website](https://resources.gs1us.org/RosettaNet-Standards/Standards-Library/PIP-Directory#1043208-pipsreg).

- :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/select-agreements.png" alt-text="Screenshot of the Azure portal with the integration account page open. On the navigation menu, Agreements is selected.":::

- :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/add-agreement-details.png" alt-text="Screenshot of the Agreements page, with Add selected. On the Add pane, boxes appear for the agreement name and type and for partner information.":::

- :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/add-agreement-send-details.png" alt-text="Screenshot of the Send Settings page, with options for signing and encrypting messages and for entering algorithms, certificates, and endpoints.":::

- :::image type="content" source="media/logic-apps-enterprise-integration-rosettanet/add-agreement-selected-pip.png" alt-text="Screenshot that shows a table of PIP information. A row for the PIP called MyPIPConfig contains accurate information.":::

-For Consumption logic apps only, before you can create or manage logic apps and their connections, you need specific permissions, which are provided through roles using [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md). You can also set up permissions so that only specific users or groups can run specific tasks, such as managing, editing, and viewing logic apps. To control their permissions, you can assign built-in or customized roles to members who have access to your Azure subscription. Azure Logic Apps has the following specific roles:

-* [Logic App Contributor](../role-based-access-control/built-in-roles.md#logic-app-contributor): Lets you manage logic apps, but you can't change access to them.

-* [Logic App Operator](../role-based-access-control/built-in-roles.md#logic-app-operator): Lets you read, enable, and disable logic apps, but you can't edit or update them.

-* [Contributor](../role-based-access-control/built-in-roles.md#contributor): Grants full access to manage all resources, but doesn't allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

- For example, suppose you have to work with a logic app that you didn't create and authenticate connections used by that logic app's workflow. Your Azure subscription requires Contributor permissions for the resource group that contains that logic app resource. If you create a logic app resource, you automatically have Contributor access.

-To prevent others from changing or deleting your logic app, you can use [Azure Resource Lock](../azure-resource-manager/management/lock-resources.md). This capability prevents others from changing or deleting production resources. For more information about connection security, review [Connection configuration in Azure Logic Apps](../connectors/introduction.md#connection-configuration) and [Connection security and encryption](../connectors/introduction.md#connection-security-encryption).

-Azure Machine Learning is built on top of multiple Azure services. While the data is stored securely using encryption keys that Microsoft provides, you can enhance security by also providing your own (customer-managed) keys. The keys you provide are stored securely using Azure Key Vault. Your data is stored on a set of additional resources managed in your Azure subscription.

-In addition to customer-managed keys, Azure Machine Learning also provides a [hbi_workspace flag](/python/api/azure-ai-ml/azure.ai.ml.entities.workspace). Enabling this flag reduces the amount of data Microsoft collects for diagnostic purposes and enables [extra encryption in Microsoft-managed environments](../security/fundamentals/encryption-atrest.md). This flag also enables the following behaviors:

-* Starts encrypting the local scratch disk in your Azure Machine Learning compute cluster, provided you haven't created any previous clusters in that subscription. Else, you need to raise a support ticket to enable encryption of the scratch disk of your compute clusters.

-* Securely passes credentials for your storage account, container registry, and SSH account from the execution layer to your compute clusters using your key vault.

-> [!TIP]

-> The `hbi_workspace` flag does not impact encryption in transit, only encryption at rest.

-* An Azure Key Vault instance. The key vault contains the key(s) used to encrypt your services.

- * The key vault instance must enable soft delete and purge protection.

- * The managed identity for the services secured by a customer-managed key must have the following permissions in key vault:

- * wrap key

- * unwrap key

- * get

- For example, the managed identity for Azure Cosmos DB would need to have those permissions to the key vault.

-* After workspace creation, the customer-managed encryption key for resources the workspace depends on can only be updated to another key in the original Azure Key Vault resource.

-* Encrypted data is stored on resources that live in a Microsoft-managed resource group in your subscription. You cannot create these resources upfront or transfer ownership of these to you. Data lifecycle is managed indirectly via the Azure ML APIs as you create objects in Azure Machine Learning service.

-* You can't delete Microsoft-managed resources used for customer-managed keys without also deleting your workspace.

-* The compute cluster OS disk cannot be encrypted using your customer-managed keys, but only Microsoft-managed keys.

-## How and what workspace metadata is stored

-When you bring your own encryption key, service metadata is stored on dedicated resources in your Azure subscription. Microsoft creates a separate resource group in your subscription for this named *"azureml-rg-workspacename_GUID"*. Resource in this managed resource group can only be modified by Microsoft.

-The following resources are created and store metadata for your workspace:

-| -- | -- | -- |

-| Azure Cosmos DB | Stores job history data, compute metadata, asset metadata | Job name, status, sequence number and status; Compute cluster name, number of cores, number of nodes; Datastore names and tags, descriptions on assets like models; data label names |

-| Azure AI Search | Stores indices that are used to help query your machine learning content. | These indices are built on top of the data stored in CosmosDB. |

-| Azure Storage Account | Stores metadata related to Azure Machine Learning pipelines data. | Designer pipeline names, pipeline layout, execution properties. |

-From a data lifecycle management point of view, data in the above resources are created and deleted as you create and delete their corresponding objects in Azure Machine Learning.

-Your Azure Machine Learning workspace reads and writes data using its managed identity. This identity is granted access to the resources using a role assignment (Azure role-based access control) on the data resources. The encryption key you provide is used to encrypt data that is stored on Microsoft-managed resources. It's also used to create indices for Azure AI Search, which are created at runtime.

-Extra networking controls are configured when you create a private link endpoint on your workspace to allow for inbound connectivity. In this configuration, a private link endpoint connection will be created to the CosmosDB instance and network access will be restricted to only trusted Microsoft services.

-When you __don't use a customer-managed key__, Microsoft creates and manages these resources in a Microsoft owned Azure subscription and uses a Microsoft-managed key to encrypt the data.

-When you __use a customer-managed key__, these resources are _in your Azure subscription_ and encrypted with your key. While they exist in your subscription, these resources are __managed by Microsoft__. They're automatically created and configured when you create your Azure Machine Learning workspace.

-> [!IMPORTANT]

-> When using a customer-managed key, the costs for your subscription will be higher because these resources are in your subscription. To estimate the cost, use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/).

-These Microsoft-managed resources are located in a new Azure resource group is created in your subscription. This group is in addition to the resource group for your workspace. This resource group contains the Microsoft-managed resources that your key is used with. The resource group will be named using the formula of `<Azure Machine Learning workspace resource group name><GUID>`.

-> * The [__Request Units__](../cosmos-db/request-units.md) for the Azure Cosmos DB automatically scale as needed.

-> * If your Azure Machine Learning workspace uses a private endpoint, this resource group will also contain a Microsoft-managed Azure Virtual Network. This VNet is used to secure communications between the managed services and the workspace. You __cannot provide your own VNet for use with the Microsoft-managed resources__. You also __cannot modify the virtual network__. For example, you cannot change the IP address range that it uses.

-> [!IMPORTANT]

-> If your subscription does not have enough quota for these services, a failure will occur.

-> [!WARNING]

-> __Don't delete the resource group__ that contains this Azure Cosmos DB instance, or any of the resources automatically created in this group. If you need to delete the resource group or Microsoft-managed services in it, you must delete the Azure Machine Learning workspace that uses it. The resource group resources are deleted when the associated workspace is deleted.

-## How compute data is stored

-Azure Machine Learning uses compute resources to train and deploy machine learning models. The following table describes the compute options and how data is encrypted by each one:

-| Azure Container Instance | Data is encrypted by a Microsoft-managed key or a customer-managed key.</br>For more information, see [Encrypt data with a customer-managed key](../container-instances/container-instances-encrypt-data.md). |

-| Azure Kubernetes Service | Data is encrypted by a Microsoft-managed key or a customer-managed key.</br>For more information, see [Bring your own keys with Azure disks in Azure Kubernetes Services](../aks/azure-disk-customer-managed-keys.md). |

-| Azure Machine Learning compute instance | Local scratch disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. |

-| Azure Machine Learning compute cluster | OS disk encrypted in Azure Storage with Microsoft-managed keys. Temporary disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. |

-| Azure Kubernetes Service | Data is encrypted by a Microsoft-managed key or a customer-managed key.</br>For more information, see [Bring your own keys with Azure disks in Azure Kubernetes Services](../aks/azure-disk-customer-managed-keys.md). |

-| Azure Machine Learning compute instance | Local scratch disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. |

-| Azure Machine Learning compute cluster | OS disk encrypted in Azure Storage with Microsoft-managed keys. Temporary disk is encrypted if the `hbi_workspace` flag is enabled for the workspace. |

-**Compute cluster**

-Compute clusters have local OS disk storage and can mount data from storage accounts in your subscription during the job.

-When mounting data from your own storage account in a job, you can enable customer-managed keys on those storage accounts for encryption.

-The OS disk for each compute node stored in Azure Storage is always encrypted with Microsoft-managed keys in Azure Machine Learning storage accounts, and not using customer-managed keys. This compute target is ephemeral, and hence data that is stored on the OS disk is deleted once the cluster scales down. Clusters are typically scaled down when no jobs are queued, autoscaling is on and the minimum node count is set to zero. The underlying virtual machine is deprovisioned, and the OS disk is deleted.

-Azure Disk Encryption isn't supported for the OS disk. Each virtual machine also has a local temporary disk for OS operations. If you want, you can use the disk to stage training data. If the workspace was created with the `hbi_workspace` parameter set to `TRUE`, the temporary disk is encrypted. This environment is short-lived (only during your job) and encryption support is limited to system-managed keys only.

-**Compute instance**

-The OS disk for compute instance is encrypted with Microsoft-managed keys in Azure Machine Learning storage accounts. If the workspace was created with the `hbi_workspace` parameter set to `TRUE`, the local temporary disk on compute instance is encrypted with Microsoft managed keys. Customer managed key encryption isn't supported for OS and temp disk.

-### HBI_workspace flag

-* The `hbi_workspace` flag can only be set when a workspace is created. It can't be changed for an existing workspace.

-* When this flag is set to True, it may increase the difficulty of troubleshooting issues because less telemetry data is sent to Microsoft. There's less visibility into success rates or problem types. Microsoft may not be able to react as proactively when this flag is True.

-To enable the `hbi_workspace` flag when creating an Azure Machine Learning workspace, follow the steps in one of the following articles:

-* [How to create and manage a workspace](how-to-manage-workspace.md).

-* [How to create and manage a workspace using the Azure CLI](how-to-manage-workspace-cli.md).

-* [How to create a workspace using Hashicorp Terraform](how-to-manage-workspace-terraform.md).

-* [How to create a workspace using Azure Resource Manager templates](how-to-create-workspace-template.md).

-## Next Steps

-* [How to configure customer-managed keys with Azure Machine Learning](how-to-setup-customer-managed-keys.md).

-description: 'Learn how Azure Machine Learning computes and data stores provides data encryption at rest and in transit.'

-Azure Machine Learning relies on a various of Azure data storage services and compute resources when training models and performing inferences. In this article, learn about the data encryption for each service both at rest and in transit.

-> [!IMPORTANT]

-> For production grade encryption during __training__, Microsoft recommends using Azure Machine Learning compute cluster. For production grade encryption during __inference__, Microsoft recommends using Azure Kubernetes Service.

->

-> Azure Machine Learning compute instance is a dev/test environment. When using it, we recommend that you store your files, such as notebooks and scripts, in a file share. Your data should be stored in a datastore.

-Azure Machine Learning end to end projects integrates with services like Azure Blob Storage, Azure Cosmos DB, Azure SQL Database etc. The article describes encryption method of such services.

-### Azure Blob storage

-Azure Machine Learning stores snapshots, output, and logs in the Azure Blob storage account (default storage account) that's tied to the Azure Machine Learning workspace and your subscription. All the data stored in Azure Blob storage is encrypted at rest with Microsoft-managed keys.

-For information on how to use your own keys for data stored in Azure Blob storage, see [Azure Storage encryption with customer-managed keys in Azure Key Vault](../storage/common/customer-managed-keys-configure-key-vault.md).

-Training data is typically also stored in Azure Blob storage so that it's accessible to training compute targets. This storage isn't managed by Azure Machine Learning but mounted to compute targets as a remote file system.

-If you need to __rotate or revoke__ your key, you can do so at any time. When rotating a key, the storage account will start using the new key (latest version) to encrypt data at rest. When revoking (disabling) a key, the storage account takes care of failing requests. It usually takes an hour for the rotation or revocation to be effective.

-For information on regenerating the access keys, see [Regenerate storage access keys](how-to-change-storage-access-key.md).

-**ADLS Gen2**

-Azure Data Lake Storage Gen 2 is built on top of Azure Blob Storage and is designed for enterprise big data analytics. ADLS Gen2 is used as a datastore for Azure Machine Learning. Same as Azure Blob Storage the data at rest is encrypted with Microsoft-managed keys.

-### Azure Relational Databases

-Azure Machine Learning services support data from different data sources such as Azure SQL Database, Azure PostgreSQL and Azure MYSQL.

-**Azure SQL Database**

-Transparent Data Encryption protects Azure SQL Database against threat of malicious offline activity by encrypting data at rest. By default, TDE is enabled for all newly deployed SQL Databases with Microsoft managed keys.

-For information on how to use customer managed keys for transparent data encryption, see [Azure SQL Database Transparent Data Encryption](/azure/azure-sql/database/transparent-data-encryption-tde-overview) .

-**Azure Database for PostgreSQL**

-Azure PostgreSQL uses Azure Storage encryption to encrypt data at rest by default using Microsoft managed keys. It is similar to Transparent Data Encryption (TDE) in other databases such as SQL Server.

-For information on how to use customer managed keys for transparent data encryption, see [Azure Database for PostgreSQL Single server data encryption with a customer-managed key](../postgresql/single-server/concepts-data-encryption-postgresql.md).

-**Azure Database for MySQL**

-Azure Database for MySQL is a relational database service in the Microsoft cloud based on the MySQL Community Edition database engine. The Azure Database for MySQL service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest.

-To encrypt data using customer managed keys, see [Azure Database for MySQL data encryption with a customer-managed key](../mysql/single-server/concepts-data-encryption-mysql.md) .

-Azure Machine Learning stores metadata in an Azure Cosmos DB instance. This instance is associated with a Microsoft subscription managed by Azure Machine Learning. All the data stored in Azure Cosmos DB is encrypted at rest with Microsoft-managed keys.

-When using your own (customer-managed) keys to encrypt the Azure Cosmos DB instance, a Microsoft managed Azure Cosmos DB instance is created in your subscription. This instance is created in a Microsoft-managed resource group, which is different than the resource group for your workspace. For more information, see [Customer-managed keys](concept-customer-managed-keys.md).

-All container images in your registry (Azure Container Registry) are encrypted at rest. Azure automatically encrypts an image before storing it and decrypts it when Azure Machine Learning pulls the image.

-To use customer-managed keys to encrypt your Azure Container Registry, you need to create your own ACR and attach it while provisioning the workspace. You can encrypt the default instance that gets created at the time of workspace provisioning.

-> Azure Machine Learning requires the admin account be enabled on your Azure Container Registry. By default, this setting is disabled when you create a container registry. For information on enabling the admin account, see [Admin account](../container-registry/container-registry-authentication.md#admin-account).

-> Once an Azure Container Registry has been created for a workspace, do not delete it. Doing so will break your Azure Machine Learning workspace.

-For an example of creating a workspace using an existing Azure Container Registry, see the following articles:

-* [Create a workspace for Azure Machine Learning with Azure CLI](how-to-manage-workspace-cli.md).

-* [Create a workspace with Python SDK](how-to-manage-workspace.md?tabs=python#create-a-workspace).

-### Azure Container Instance

-> Deployments to ACI rely on the Azure Machine Learning Python SDK and CLI v1.

-You may encrypt a deployed Azure Container Instance (ACI) resource using customer-managed keys. The customer-managed key used for ACI can be stored in the Azure Key Vault for your workspace. For information on generating a key, see [Encrypt data with a customer-managed key](../container-instances/container-instances-encrypt-data.md#generate-a-new-key).

-To use the key when deploying a model to Azure Container Instance, create a new deployment configuration using `AciWebservice.deploy_configuration()`. Provide the key information using the following parameters:

-* [AciWebservice.deploy_configuration()](/python/api/azureml-core/azureml.core.webservice.aci.aciwebservice#deploy-configuration-cpu-cores-none--memory-gb-none--tags-none--properties-none--description-none--location-none--auth-enabled-none--ssl-enabled-none--enable-app-insights-none--ssl-cert-pem-file-none--ssl-key-pem-file-none--ssl-cname-none--dns-name-label-none--primary-key-none--secondary-key-none--collect-model-data-none--cmk-vault-base-url-none--cmk-key-name-none--cmk-key-version-none-) reference

-* [Where and how to deploy](./v1/how-to-deploy-and-where.md)

-For more information on using a customer-managed key with ACI, see [Encrypt deployment data](../container-instances/container-instances-encrypt-data.md).

-You may encrypt a deployed Azure Kubernetes Service resource using customer-managed keys at any time. For more information, see [Bring your own keys with Azure Kubernetes Service](../aks/azure-disk-customer-managed-keys.md).

-This process allows you to encrypt both the Data and the OS Disk of the deployed virtual machines in the Kubernetes cluster.

-> This process only works with AKS K8s version 1.17 or higher. Azure Machine Learning added support for AKS 1.17 on Jan 13, 2020.

-### Machine Learning Compute

-**Compute cluster**

-The OS disk for each compute node stored in Azure Storage is encrypted with Microsoft-managed keys in Azure Machine Learning storage accounts. This compute target is ephemeral, and clusters are typically scaled down when no jobs are queued. The underlying virtual machine is de-provisioned, and the OS disk is deleted. Azure Disk Encryption is not enabled for workspaces by default. If the workspace was created with the `hbi_workspace` parameter set to `TRUE`, then the OS disk is encrypted.

-Each virtual machine also has a local temporary disk for OS operations. If you want, you can use the disk to stage training data. If the workspace was created with the `hbi_workspace` parameter set to `TRUE`, the temporary disk is encrypted. This environment is short-lived (only during your job,) and encryption support is limited to system-managed keys only.

-Managed online endpoint and batch endpoint use machine learning compute in the backend, and follows the same encryption mechanism.

-**Compute instance**

-The OS disk for compute instance is encrypted with Microsoft-managed keys in Azure Machine Learning storage accounts. If the workspace was created with the `hbi_workspace` parameter set to `TRUE`, the local OS and temporary disks on compute instance are encrypted with Microsoft managed keys. Customer managed key encryption is not supported for OS and temporary disks.

-For more information, see [Customer-managed keys](concept-customer-managed-keys.md).

-### Azure Data Factory

-The Azure Data Factory pipeline is used to ingest data for use with Azure Machine Learning. Azure Data Factory encrypts data at rest, including entity definitions and any data cached while runs are in progress. By default, data is encrypted with a randomly generated Microsoft-managed key that is uniquely assigned to your data factory.

-For information on how to use customer managed keys for encryption use [Encrypt Azure Data Factory with customer managed keys](../data-factory/enable-customer-managed-key.md) .