+ 

+Organizations that use the [Subscription Activation](/windows/deployment/windows-10-subscription-activation) feature to enable users to ΓÇ£step-upΓÇ¥ from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their Conditional Access policy.

+This document provides advice on the **technical design and configuration** of SAP platforms and applications when using Azure Active Directory as the primary user authentication service. Learn more about the initial setup in [this tutorial](../saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md).

+SAP has example implementations for [client certificate notifications](https://blogs.sap.com/2017/12/06/sap-cloud-platform-integration-automated-notification-of-keystore-entries-reaching-expiry/) with SAP Cloud Integration and [near-expiry handling](https://blogs.sap.com/2019/03/01/sap-cloud-platform-integration-automated-notification-for-client-certificates-reaching-expiry/). Find another example focusing on the SAP BTP trust store and Azure Key Vault [here](https://blogs.sap.com/2022/12/02/automatic-sap-btp-trust-store-certificate-renewal-with-azure-key-vault-or-how-to-stop-thinking-about-expiry-dates-once-and-for-all/). This could be adapted with Azure Integration Services or PowerAutomate. However, they would need to be adapted to work with server certificates. Such approach requires a custom implementation.

+## Next Steps

+- Learn more about the initial setup in [this tutorial](../saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md)

+- Discover additional [SAP integration scenarios with Azure AD](../../sap/workloads/integration-get-started.md#azure-ad) and beyond

+> [!TIP]

+> Follow the recommendations and best-practice guide "[Using Azure Active Directory to secure access to SAP platforms and applications](../fundamentals/scenario-azure-first-sap-identity-integration.md)" to operationalize the setup.

+Consult the [recommendations and best-practice guide](../fundamentals/scenario-azure-first-sap-identity-integration.md) to operationalize the setup.

+Weekly releases can also be scheduled with more fine-grained control using Planned Maintenance's `default` configuration type. For more information, see [Planned Maintenance to schedule and control upgrades][planned-maintenance].

+[releases]:release-tracker.md

+[planned-maintenance]: ./planned-maintenance.md

+## Auto-upgrade in the Azure portal

+If you're using the Azure portal, you can find auto-upgrade settings under the *Settings* > *Cluster configuration* blade by selecting *Upgrade version*. By default, the `Patch` channel is selected.

+The Azure portal also highlights all the deprecated APIs between your current version and newer, available versions you intend to migrate to. For more information, see [the Kubernetes API Removal and Deprecation process][k8s-deprecation].

+[k8s-deprecation]: https://kubernetes.io/blog/2022/11/18/upcoming-changes-in-kubernetes-1-26/#:~:text=A%20deprecated%20API%20is%20one%20that%20has%20been,point%20you%20must%20migrate%20to%20using%20the%20replacement

+ Title: Use Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster (preview)

+description: Learn how to use Planned Maintenance to schedule and control cluster and node image upgrades in Azure Kubernetes Service (AKS).

+# Use Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster (preview)

+Your AKS cluster has regular maintenance performed on it automatically. By default, this work can happen at any time. Planned Maintenance allows you to schedule weekly maintenance windows to perform updates and minimize workload impact. Once scheduled, upgrades occur only during the window you selected.

+There are currently two available configuration types: `default` and `aksManagedAutoUpgradeSchedule`:

+- `default` corresponds to a basic configuration that updates your control plane and your kube-system pods on a Virtual Machine Scale Sets instance. It is a legacy configuration that is mostly suitable for basic scheduling of [weekly releases][release-tracker]. Another way of accomplishing this behavior, using pre-configured windows, is detailed at [use Planned Maintenance to schedule weekly releases][pm-weekly]

+- `aksManagedAutoUpgradeSchedule` is a more complex configuration that controls when upgrades scheduled by your designated auto-upgrade channel are performed. More finely controlled cadence and recurrence settings are possible. For more information on cluster auto-upgrade, see [Automatically an Azure Kubernetes Service (AKS) cluster][aks-upgrade].

+We recommend using `aksManagedAutoUpgradeSchedule` for all maintenance and upgrade scenarios, while `default` is meant exclusively for weekly releases. You can port `default` configurations to `aksManagedAutoUpgradeSchedule` configurations via the `az aks maintenanceconfiguration update` command.

+## Creating a maintenance window

+To create a maintenance window, you can use the `az aks maintenanceconfiguration add` command using the `--name` value `default` or `aksManagedAutoUpgradeSchedule`. The name value should reflect the desired configuration type. Using any other name will cause your maintenance window not to run.

+|`startDate`|The date on which the maintenance window begins to take effect|The current date at creation time|

+[pm-weekly]: ./aks-planned-maintenance-weekly-releases.md

+The Azure portal also highlights all the deprecated APIs between your current version and newer, available versions you intend to migrate to. For more information, see [the Kubernetes API Removal and Deprecation process][k8s-deprecation].

+The Azure portal also highlights all the deprecated APIs between your current version and newer, available versions you intend to migrate to. For more information, see [the Kubernetes API Removal and Deprecation process][k8s-deprecation].

+AKS uses best-effort zone balancing in node groups. During an Upgrade surge, zone(s) for the surge node(s) in Virtual Machine Scale Sets is unknown ahead of time. This can temporarily cause an unbalanced zone configuration during an upgrade. However, AKS deletes the surge node(s) once the upgrade has been completed and preserves the original zone balance. If you desire to keep your zones balanced during upgrade, increase the surge to a multiple of three nodes. Virtual Machine Scale Sets will then balance your nodes across Availability Zones with best-effort zone balancing.

+[k8s-deprecation]: https://kubernetes.io/blog/2022/11/18/upcoming-changes-in-kubernetes-1-26/#:~:text=A%20deprecated%20API%20is%20one%20that%20has%20been,point%20you%20must%20migrate%20to%20using%20the%20replacement

+ Title: Script sample - Create a data collection rule in change tracking.

+description: Learn about how to create a data collection rule

+# JSON script to create a data collection rule

+This script helps you to create a data collection rule in Change tracking and inventory.

+## Sample script

+```json

+{

+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "dataCollectionRuleName": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the name of the data collection rule to create."

+ },

+ "defaultValue": "Microsoft-CT-DCR"

+ },

+ "workspaceResourceId": {

+ "type": "string",

+ "metadata": {

+ "description": "Specifies the Azure resource ID of the Log Analytics workspace to use to store change tracking data."

+ }

+ }

+ },

+ "resources": [

+ {

+ "type": "microsoft.resources/deployments",

+ "name": "get-workspace-region",

+ "apiVersion": "2020-08-01",

+ "properties": {

+ "mode": "Incremental",

+ "template": {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "resources": [],

+ "outputs": {

+ "workspaceLocation": {

+ "type": "string",

+ "value": "[reference(parameters('workspaceResourceId'), '2020-08-01', 'Full').location]"

+ }

+ }

+ }

+ }

+ },

+ {

+ "type": "microsoft.resources/deployments",

+ "name": "CtDcr-Deployment",

+ "apiVersion": "2020-08-01",

+ "properties": {

+ "mode": "Incremental",

+ "parameters": {

+ "workspaceRegion": {

+ "value": "[reference('get-workspace-region').outputs.workspaceLocation.value]"

+ }

+ },

+ "template": {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "workspaceRegion": {

+ "type": "string"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Insights/dataCollectionRules",

+ "apiVersion": "2021-04-01",

+ "name": "[parameters('dataCollectionRuleName')]",

+ "location": "[[parameters('workspaceRegion')]",

+ "properties": {

+ "description": "Data collection rule for CT.",

+ "dataSources": {

+ "extensions": [

+ {

+ "streams": [

+ "Microsoft-ConfigurationChange"

+ ],

+ "extensionName": "ChangeTracking-Windows",

+ "extensionSettings": {

+ "enableFiles": true,

+ "enableSoftware": true,

+ "enableRegistry": true,

+ "enableServices": false,

+ "enableInventory": true,

+ "registrySettings": {

+ "registryCollectionFrequency": 3000,

+ "registryInfo": [

+ {

+ "name": "Registry_1",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_2",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_3",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_4",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_5",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_6",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_7",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_8",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_9",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_10",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_11",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_12",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_13",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_14",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_15",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_16",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls",

+ "valueName": ""

+ },

+ {

+ "name": "Registry_17",

+ "groupTag": "Recommended",

+ "enabled": false,

+ "recurse": true,

+ "description": "",

+ "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify",

+ "valueName": ""

+ }

+ ]

+ },

+ "fileSettings": {

+ "fileCollectionFrequency": 2700

+ },

+ "softwareSettings": {

+ "softwareCollectionFrequency": 1800

+ },

+ "inventorySettings": {

+ "inventoryCollectionFrequency": 36000

+ },

+ "servicesSettings": {

+ "serviceCollectionFrequency": 1800

+ }

+ },

+ "name": "CTDataSource-Windows"

+ },

+ {

+ "streams": [

+ "Microsoft-ConfigurationChange"

+ ],

+ "extensionName": "ChangeTracking-Linux",

+ "extensionSettings": {

+ "enableFiles": true,

+ "enableSoftware": true,

+ "enableRegistry": false,

+ "enableServices": false,

+ "enableInventory": true,

+ "fileSettings": {

+ "fileCollectionFrequency": 900,

+ "fileInfo": [

+ {

+ "name": "ChangeTrackingLinuxPath_default",

+ "enabled": true,

+ "destinationPath": "/etc/*.conf",

+ "useSudo": true,

+ "recurse": true,

+ "maxContentsReturnable": 5000000,

+ "pathType": "File",

+ "type": "File",

+ "links": "Follow",

+ "maxOutputSize": 500000,

+ "groupTag": "Recommended"

+ }

+ ]

+ },

+ "softwareSettings": {

+ "softwareCollectionFrequency": 300

+ },

+ "inventorySettings": {

+ "inventoryCollectionFrequency": 36000

+ },

+ "servicesSettings": {

+ "serviceCollectionFrequency": 1800

+ }

+ },

+ "name": "CTDataSource-Linux"

+ }

+ ]

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "[parameters('workspaceResourceId')]",

+ "name": "Microsoft-CT-Dest"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Microsoft-ConfigurationChange"

+ ],

+ "destinations": [

+ "Microsoft-CT-Dest"

+ ]

+ }

+ ]

+ }

+ }

+ ]

+ }

+ }

+ }

+ ]

+}

+```

+## Execute the script

+Save the above script on your machine with a name as *CtDcrCreation.json*. For more information, see [Enable Change Tracking and Inventory using Azure Monitoring Agent (Preview)](enable-vms-monitoring-agent.md#enable-change-tracking-at-scale-using-azure-monitoring-agent).

+## Next steps

+[Learn more](manage-change-tracking-monitoring-agent.md) on Manage change tracking and inventory using Azure Monitoring Agent (Preview).

+

+1. In the search,, enter **Change tracking** to view the change tracking and inventory page.

+ It will initiate the deployment and the notification appears on the top right corner of the screen.

+ You'll see a list of three policies:

+ 1. Provide the **Data Collection Rule Resource id**. Learn more on [how to obtain the Data Collection Rule Resource ID after you create the Data collection rule](#create-data-collection-rule).

+### Create data collection rule

+1. Download [CtDcrCreation.json](change-tracking-data-collection-rule-creation.md) file on your machine.

+1. Go to Azure portal and in the search, enter *Deploy a custom template*.

+1. In the **Custom deployment** page > **select a template**, select **Build your own template in the editor**.

+ :::image type="content" source="media/enable-vms-monitoring-agent/build-template.png" alt-text="Screenshot to get started with building a template.":::

+1. In the **Edit template**, select **Load file** to upload the *CtDcrCreation.json* file.

+1. Select **Save**.

+1. In the **Custom deployment** > **Basics** tab, provide **Subscription** and **Resource group** where you want to deploy the Data Collection Rule. The **Data Collection Rule Name** is optional.

+ :::image type="content" source="media/enable-vms-monitoring-agent/build-template-basics.png" alt-text="Screenshot to provide subscription and resource group details to deploy data collection rule.":::

+

+ >[!NOTE]

+ >- Ensure that the name of your Data Collection Rule is unique in that resource group, else the deployment will overwrite the existing Data Collection Rule.

+ >- The Log Analytics Workspace Resource Id specifies the Azure resource ID of the Log Analytics workspace used to store change tracking data. Ensure that location of workspace is from the [Change tracking supported regions](../how-to/region-mappings.md)

+1. Select **Review+create** > **Create** to initiate the deployment of *CtDcrCreation*.

+1. After the deployment is complete, select **CtDcr-Deployment** to see the DCR Name. Use the **Resource ID** of the newly created Data Collection Rule for Change tracking and inventory deployment through policy.

+ :::image type="content" source="media/enable-vms-monitoring-agent/deployment-confirmation.png" alt-text="Screenshot of deployment notification.":::

+ Title: Adding Exporters and Pipelines | Azure Arc-enabled Data Services

+description: Learn how to add exporters and pipelines to the telemetry router

+# Add exporters and pipelines to your telemetry router deployment

+> [!NOTE]

+>

+> - The telemetry router is in Public Preview and should be deployed for **testing purposes only**.

+> - While the telemetry router is in Public Preview, be advised that future preview releases could include changes to CRD specs, CLI commands, and/or telemetry router messages.

+> - The current preview does not support in-place upgrades of a data controller deployed with the Arc telemetry router enabled. In order to install or upgrade a data controller in a future release, you will need to uninstall the data controller and then re-install.

+## What are Exporters and Pipelines?

+Exporters and Pipelines are two of the main components of the telemetry router. Exporters describe how to send data to a destination system such as Kafka. When creating an exporter, you associate it with a pipeline in order to route that type of telemetry data to that destination. You can have multiple exporters for each pipeline.

+This article provides examples of how you can set up your own exporters and pipelines to route monitoring telemetry data to your own supported exporter.

+### Supported Exporters

+| Exporter | Supported Pipeline Types |

+|--|--|

+| Kafka | logs, metrics |

+| Elasticsearch | logs |

+## Configurations

+All configurations are specified through the telemetry router's custom resource specification and support the configuration of exporters and pipelines.

+### Exporters

+For the Public Preview, exporters are partially configurable and support the following solutions:

+| Exporter | Supported Telemetry Types |

+|--|--|

+| Kafka | logs, metrics |

+| Elasticsearch | logs |

+The following properties are currently configurable during the Public Preview:

+#### General Exporter Settings

+| Setting | Description |

+|--|--|

+| certificateName | The client certificate in order to export to the monitoring solution |

+| caCertificateName | The cluster's Certificate Authority or customer-provided certificate for the Exporter |

+#### Kafka Exporter Settings

+| Setting | Description |

+|--|--|

+| topic | Name of the topic to export |

+| brokers | List of brokers to connect to |

+| encoding | Encoding for the telemetry: otlp_json or otlp_proto |

+#### Elasticsearch Exporter Settings

+| Setting | Description |

+|--|--|

+| index | This setting can be the name of an index or datastream name to publish events |

+| endpoint | Endpoint of the Elasticsearch to export to |

+### Pipelines

+The Telemetry Router supports logs and metrics pipelines. These pipelines are exposed in the custom resource specification of the Arc telemetry router and available for modification.

+#### Pipeline Settings

+| Setting | Description |

+|--|--|

+| logs | Can only declare new logs pipelines |

+| metrics | Can only declare new metrics pipelines |

+| exporters | List of exporters. Can be multiple of the same type |

+### Credentials

+#### Credentials Settings

+| Setting | Description |

+|--|--|

+| certificateName | Name of the certificate must correspond to the certificate name specified in the exporter declaration |

+| secretName | Name of the secret provided through Kubernetes |

+| secretNamespace | Namespace with secret provided through Kubernetes |

+## Example TelemetryRouter Specification

+```yaml

+apiVersion: arcdata.microsoft.com/v1beta4

+kind: TelemetryRouter

+metadata:

+ name: arc-telemetry-router

+ namespace: <namespace>

+spec:

+ credentials:

+ certificates:

+ - certificateName: arcdata-msft-elasticsearch-exporter-internal

+ - certificateName: cluster-ca-certificate

+ exporters:

+ elasticsearch:

+ - caCertificateName: cluster-ca-certificate

+ certificateName: arcdata-msft-elasticsearch-exporter-internal

+ endpoint: https://logsdb-svc:9200

+ index: logstash-otel

+ name: arcdata/msft/internal

+ pipelines:

+ logs:

+ exporters:

+ - elasticsearch/arcdata/msft/internal

+```

+## Example 1: Adding a Kafka exporter for a metrics pipeline

+You can test creating a Kafka exporter for a metrics pipeline that can send metrics data to your own instance of Kafka. You need to prefix the name of your metrics pipeline with `kafka/`. You can have one unnamed instance for each telemetry type. For example, "kafka" is a valid name for a metrics pipeline.

+

+1. Provide your client and CA certificates in the `credentials` section through Kubernetes secrets

+2. Declare the new Exporter in the `exporters` section with the needed settings - name, certificates, broker, and index. Be sure to list the new exporter under the applicable type ("kakfa:")

+3. List your exporter in the `pipelines` section of the spec as a metrics pipeline. The exporter name needs to be prefixed with the type of exporter. For example, `kafka/myMetrics`

+In this example, we've added a metrics pipeline called "metrics" with a single exporter (`kafka/myMetrics`) that routes to your instance of Kafka.

+**arc-telemetry-router.yaml**

+```yaml

+apiVersion: arcdata.microsoft.com/v1beta4

+kind: TelemetryRouter

+metadata:

+ name: arc-telemetry-router

+ namespace: <namespace>

+spec:

+ credentials:

+ certificates:

+ # Step 1. Provide your client and ca certificates through Kubernetes secrets

+ # where the name of the secret and its namespace are specified.

+ - certificateName: <kafka-client-certificate-name>

+ secretName: <name_of_secret>

+ secretNamespace: <namespace_with_secret>

+ - certificateName: <ca-certificate-name>

+ secretName: <name_of_secret>

+ secretNamespace: <namespace_with_secret>

+ exporters:

+ kafka:

+ # Step 2. Declare your Kafka exporter with the needed settings

+ # (name, certificates, endpoint, and index to export to)

+ - name: myMetrics

+ # Provide your client and CA certificate names

+ # for the exporter as well as any additional settings needed

+ caCertificateName: <ca-certificate-name>

+ certificateName: <kafka-client-certificate-name>

+ broker: <kafka_broker>

+ # Index can be the name of an index or datastream name to publish events to

+ index: <kafka_index>

+ pipelines:

+ metrics:

+ exporters:

+ # Step 3. Assign your kafka exporter to the list

+ # of exporters for the metrics pipeline.

+ - kafka/myMetrics

+```

+```bash

+kubectl apply -f arc-telemetry-router.yaml -n <namespace>

+```

+You've added a metrics pipeline that exports to your instance of Kafka. After you've applied the changes to the yaml file, the TelemetryRouter custom resource will go into an updating state, and the collector service will restart.

+## Example 2: Adding an Elasticsearch exporter for a logs pipeline

+Your telemetry router deployment can export to multiple destinations by configuring more exporters. Multiple types of exporters are supported on a given telemetry router deployment. This example demonstrates adding an Elasticsearch exporter as a second exporter. We activate this second exporter by adding it to a logs pipeline.

+1. Provide your client and CA certificates in the `credentials` section through Kubernetes secrets

+2. Declare the new Exporter beneath the `exporters` section with the needed settings - name, certificates, endpoint, and index. Be sure to list the new exporter under the applicable type ("Elasticsearch:").

+3. List your exporter in the `pipelines` section of the spec as a logs pipeline. The exporter name needs to be prefixed with the type of exporter. For example, `elasticsearch/myLogs`

+This example builds on the previous example by adding a logs pipeline for an Elasticsearch exporter (`elasticsearch/myLogs`). At the end of the example, we have two exporters with each exporter added to a different pipeline.

+**arc-telemetry-router.yaml**

+```yaml

+apiVersion: arcdata.microsoft.com/v1beta4

+kind: TelemetryRouter

+metadata:

+ name: arc-telemetry-router

+ namespace: <namespace>

+spec:

+ credentials:

+ certificates:

+ # Step 1. Provide your client and ca certificates through Kubernetes secrets

+ # where the name of the secret and its namespace are specified.

+ - certificateName: <elasticsearch-client-certificate-name>

+ secretName: <name_of_secret>

+ secretNamespace: <namespace_with_secret>

+ - certificateName: <kafka-client-certificate-name>

+ secretName: <name_of_secret>

+ secretNamespace: <namespace_with_secret>

+ - certificateName: <ca-certificate-name>

+ secretName: <name_of_secret>

+ secretNamespace: <namespace_with_secret>

+ exporters:

+ elasticsearch:

+ # Step 2. Declare your Elasticsearch exporter with the needed settings

+ # (certificates, endpoint, and index to export to)

+ - name: myLogs

+ # Provide your client and CA certificate names

+ # for the exporter as well as any additional settings needed

+ caCertificateName: <ca-certificate-name>

+ certificateName: <elasticsearch-client-certificate-name>

+ endpoint: <elasticsearch_endpoint>

+ # Index can be the name of an index or datastream name to publish events to

+ index: <elasticsearch_index>

+ kafka:

+ - name: myMetrics

+ caCertificateName: <ca-certificate-name>

+ certificateName: <kafka-client-certificate-name>

+ broker: <kafka_broker>

+ index: <kafka_index>

+ pipelines:

+ logs:

+ exporters:

+ # Step 3. Add your Elasticsearch exporter to

+ # the exporters list of a logs pipeline.

+ - elasticsearch/myLogs

+ metrics:

+ exporters:

+ - kafka/myMetrics

+```

+```bash

+kubectl apply -f arc-telemetry-router.yaml -n <namespace>

+```

+You now have Kafka and Elasticsearch exporters, added to metrics and logs pipelines. After you apply the changes to the yaml file, the TelemetryRouter custom resource will go into an updating state, and the collector service will restart.

+# Deploy the Azure Arc telemetry Router

+> - The telemetry router is in Public Preview and should be deployed for **testing purposes only**.

+> - While the telemetry router is in Public Preview, be advised that future preview releases could include changes to CRD specs, CLI commands, and/or telemetry router messages.

+> - The current preview does not support in-place upgrades of a data controller deployed with the Arc telemetry router enabled. In order to install or upgrade a data controller in a future release, you will need to uninstall the data controller and then re-install.

+## What is the Azure Arc Telemetry Router?

+The Azure Arc telemetry router enables exporting telemetry data to other monitoring solutions. For this Public Preview, we only support exporting log data to either Kafka or Elasticsearch and metric data to Kafka.

+## Deployment

+> [!NOTE]

+>

+> The telemetry router currently supports indirectly connected mode only.

+### Create a Custom Configuration Profile

+After setting up your Kubernetes cluster, you'll need to [create a custom configuration profile](create-custom-configuration-template.md). Next, enable a temporary feature flag that deploys the telemetry router during data controller creation.

+### Turn on the Feature Flag

+After creating the custom configuration profile, you'll need to edit the profile to add the `monitoring` property with the `enableOpenTelemetry` flag set to `true`. You can set the feature flag by running the following az CLI commands (edit the --path parameter, as necessary):

+az arcdata dc config add --path ./control.json --json-values ".spec.monitoring={}"

+az arcdata dc config add --path ./control.json --json-values ".spec.monitoring.enableOpenTelemetry=true"

+To confirm the flag was set correctly, open the control.json file and confirm the `monitoring` object was added to the `spec` object and `enableOpenTelemetry` is set to `true`.

+This feature flag requirement will be removed in a future release.

+### Create the Data Controller

+After creating the custom configuration profile and setting the feature flag, you're ready to [create the data controller using indirect connectivity mode](create-data-controller-indirect-cli.md?tabs=linux). Be sure to replace the `--profile-name` parameter with a `--path` parameter that points to your custom control.json file (see [use custom control.json file to deploy Azure Arc-enabled data controller](create-custom-configuration-template.md))

+### Verify Telemetry Router Deployment

+When the data controller is created, a TelemetryRouter custom resource is also created. Data controller deployment is marked ready when both custom resources have finished deploying. After the data controller finishes deployment, you can use the following command to verify that the TelemetryRouter exists:

+apiVersion: arcdata.microsoft.com/v1beta4

+ exporters:

+ elasticsearch:

+ - caCertificateName: cluster-ca-certificate

+ certificateName: arcdata-msft-elasticsearch-exporter-internal

+ endpoint: https://logsdb-svc:9200

+ index: logstash-otel

+ name: arcdata/msft/internal

+ pipelines:

+ logs:

+ exporters:

+ - elasticsearch/arcdata/msft/internal

+For the public preview, the pipeline and exporter have a default pre-configuration to Microsoft's deployment of Elasticsearch. This default deployment gives you an example of how the parameters for credentials, exporters, and pipelines are set up within the spec. You can follow this example to export to your own monitoring solutions. See [adding exporters and pipelines](adding-exporters-and-pipelines.md) for more examples. This example deployment will be removed at the conclusion of the public preview.

+After the TelemetryRouter is deployed, both TelemetryCollector custom resources should be in a *Ready* state. These resources are system managed and editing them isn't supported. If you look at the pods, you should see the following types of pods:

+- Two telemetry collector pods - `arctc-collector-inbound-0` and `arctc-collector-outbound-0`

+- A kakfa broker pod - `arck-arc-router-kafka-broker-0`

+- A kakfa controller pod - `arck-arc-router-kafka-controller-0`

+NAME READY STATUS RESTARTS AGE

+arc-bootstrapper-job-4z2vr 0/1 Completed 0 15h

+arc-webhook-job-facc4-z7dd7 0/1 Completed 0 15h

+arck-arc-router-kafka-broker-0 2/2 Running 0 15h

+arck-arc-router-kafka-controller-0 2/2 Running 0 15h

+arctc-collector-inbound-0 2/2 Running 0 15h

+arctc-collector-outbound-0 2/2 Running 0 15h

+bootstrapper-8d5bff6f7-7w88j 1/1 Running 0 15h

+control-vpfr9 2/2 Running 0 15h

+controldb-0 2/2 Running 0 15h

+logsdb-0 3/3 Running 0 15h

+logsui-fwrh9 3/3 Running 0 15h

+metricsdb-0 2/2 Running 0 15h

+metricsdc-bc4df 2/2 Running 0 15h

+metricsdc-fm7jh 2/2 Running 0 15h

+metricsdc-qgl26 2/2 Running 0 15h

+metricsdc-sndjv 2/2 Running 0 15h

+metricsdc-xh78q 2/2 Running 0 15h

+metricsui-qqgbv 2/2 Running 0 15h

+- [Add exporters and pipelines to your telemetry router](/adding-exporters-and-pipelines.md)

+Neither Azure Arc-enabled data services nor any of the applicable data services store any customer data. This applies to Azure Arc-enabled SQL Managed Instance and Azure Arc-enabled PostgreSQL.

+- Azure Arc-enabled SQL Managed Instance

+- Data controller

+ - `object: K8sRaw` [Details](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/crds)

+ - `object: K8sRaw` [Details](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/crds)

+ - `object: K8sRaw` [Details](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/crds)

+ Title: Azure glossary - Azure dictionary

+- Customize the alerts email, using your own email subject and body format.

+- Customize the alert metadata by looking up tags for affected resources or fetching a log query search result. For information on how to access the search result rows containing alerts data, see:

+ - [Azure Monitor Log Analytics API response format](../logs/api/response-format.md)

+ - [Query/management HTTP response](/azure/data-explorer/kusto/api/rest/response)

+- Integrate with external services using existing connectors like Outlook, Microsoft Teams, Slack and PagerDuty, or by configuring the Logic App for your own services.

+In this example, the following steps create a Logic App that uses the [common alerts schema](./alerts-common-schema.md) to send details from the alert. The example uses the following steps:

+1. In the [portal](https://portal.azure.com/), create a new Logic app. In the **Search** bar at the top of the page, enter "Logic App".

+1. On the **Logic App** page, select **+Add**.

+1. Select the **Subscription** and **Resource group** for your Logic App.

+1. Set **Logic App name**, and select **Consumption Plan type**.

+1. On the **Logic Apps Designer** page, select **When a HTTP request is received**.

+ :::image type="content" source="./media/alerts-logic-apps/configure-http-request-received.png" alt-text="A screenshot showing the parameters for the http request received step.":::

+1. (Optional). You can customize the alert notification by extracting information about the affected resource on which the alert fired, e.g. the resourceΓÇÖs tags. You can then include those resource tags in the alert payload and use the information in your logical expressions for sending the notifications. To do this, we will:

+ - Create a variable for the affected resource IDs.

+ - Split the resource ID into in an array so we can use its various elements (e.g. subscription, resource group).

+ - Use the Azure Resource Manager connector to read the resourceΓÇÖs metadata.

+ - Fetch the resourceΓÇÖs tags which can then be used in subsequent steps of the Logic App.

+ 1. Select **+** and **Add an action** to insert a new step.

+ 1. In the **Search** field, search for and select **Initialize variable**.

+ 1. In the **Name** field, enter the name of the variable, such as 'AffectedResources'.

+ 1. In the **Type** field, select **Array**.

+ 1. In the **Value** field, select **Add dynamic Content**. Select the **Expression** tab, and enter this string: `split(triggerBody()?['data']?['essentials']?['alertTargetIDs'][0], '/')`.

+ :::image type="content" source="./media/alerts-logic-apps/initialize-variable.png" alt-text="A screenshot showing the parameters for the initializing a variable in Logic Apps.":::

+ 1. Select **+** and **Add an action** to insert another step.

+ 1. In the **Search** field, search for and select **Azure Resource Manager**, and then **Read a resource**.

+ 1. Populate the fields of the **Read a resource** action with the array values from the `AffectedResources` variable. In each of the fields, click inside the field, and scroll down to **Enter a custom value**. Select **Add dynamic content**, and then select the **Expression** tab. Enter the strings from this table:

+ |Field|String value|

+ |||

+ |Subscription|`variables('AffectedResource')[2]`|

+ |Resource Group|`variables('AffectedResource')[4]`|

+ |Resource Provider|`variables('AffectedResource')[6]`|

+ |Short Resource Id|`concat(variables('AffectedResource')[7], '/', variables('AffectedResource')[8]`)|

+ |Client Api Version|2021-06-01|

+ The dynamic content now includes tags from the affected resource. You can use those tags when you configure your notifications as described in the following steps.

+1. Select **+** and **Add an action** to insert a new step.

+ :::image type="content" source="./media/alerts-logic-apps/configure-http-request-received.png" alt-text="A screenshot showing the parameters for the when http request received step.":::

+ - Enter the text: `An alert has been triggered with this monitoring condition:`. Then, select **monitorCondition** from the **Dynamic content** list.

+ - Enter the text: `Date fired:`. Then, select **firedDateTime** from the **Dynamic content** list.

+ - Enter the text: `Affected resources:`. Then, select **alertTargetIDs** from the **Dynamic content** list.

+ - Enter the text: `Alert:`. Then, select **alertRule** from the **Dynamic content** list.

+ - Enter the text: `with severity:`. Then, select **severity** from the **Dynamic content** list.

+ - Enter the text: `has condition:`. Then, select **monitorCondition** from the **Dynamic content** list.

+You've created a Logic App that sends an email to the specified address, with details from the alert that triggered it.

+1. Select **User** from the **Post as** dropdown.

+1. Select **Group chat** from the **Post in** dropdown.

+1. Create the message text in the **Message** field by entering static text and including content taken from the alert payload by choosing fields from the **Dynamic content** list.

+ 1. Enter `Alert:` then select **alertRule** from the **Dynamic content** list.

+ 1. Enter `with severity:` and select **severity** from the **Dynamic content** list.

+ 1. Enter `was fired at:` and select **firedDateTime** from the **Dynamic content** list.

+ 1. Add more fields according to your requirements.

+You've created a Logic App that sends a Teams message to the specified group, with details from the alert that triggered it.

+1. Set **Enable common alert schema** to *Yes*. If you select *No*, the alert type determines which alert schema is used. For more information about alert schemas, see [Context specific alert schemas](./alerts-non-common-schema-definitions.md).

+The following email is sent to the specified account:

+> To set up multiple contiguous profiles using the portal, leave the end time empty. The current profile will stop being used when the next profile becomes active. Only specify an end time when you want to revert to the default profile.

+> Creating a recurring profile with no end time is only supported via the portal and ARM templates.

+Rules define the conditions needed to trigger a scale event, the direction of the scaling, and the amount to scale by. Combine multiple rules using different metrics, for example CPU usage and queue length. Define up to 10 rules per profile.

+Rules can be:

+| profiles | rules | Rules |Autoscale automatically scales between the maximum and minimum capacities, by using the rules in the profile. Define up to 10 individual rules in a profile. Typically rules are defined in pairs, one to determine when to scale out, and the other to determine when to scale in. |

+| time-generated-field | The name of a field in the data that contains the timestamp of the data item. If you specify a field, its contents are used for **TimeGenerated**. If you don't specify this field, the default for **TimeGenerated** is the time that the message is ingested. The contents of the message field should follow the ISO 8601 format YYYY-MM-DDThh:mm:ssZ. The Time Generated value cannot be older than 2 days before received time or more than a day in the future. In such case, the time that the message is ingested will be used.|

+> [!NOTE]

+> The **TimeGenerated** value cannot be older than 2 days before received time or more than a day in the future. If in some situation, the value is older than 2 days or more than a day in the future, it would be replaced with the actual recieved time.

+> Billing of restore is not yet enabled. You can restore logs for free until early 2023.

+Other services such as Microsoft Defender for Cloud and Microsoft Sentinel also bill their usage against Log Analytics workspace resources, so you might want to add them to your filter.

+To get the most useful view for understanding your cost trends in the **Cost analysis** view,

+1. Select the date range you want to investigate

+2. Select the desired "Granularity" of "Daily" or "Monthly" (not "Accumulated")

+3. Set the chart type to "Column (stacked)" in the top right above the chart

+4. Set "Group by" to be "Meter"

+See [Common cost analysis uses](../cost-management-billing/costs/cost-analysis-common-uses.md) for more information on how to use this Cost analysis view.

+ > It may take a few minutes for your IoT Hub deployment to complete. If you need a higher [message throughput](../iot-hub/iot-hub-scaling.md#tier-editions-and-units) for your edge AI applications, you may [upgrade your IoT Hub to a higher standard tier](../iot-hub/iot-hub-upgrade.md) in the Azure Portal at any time. B and F tiers do NOT support Azure Percept.

+> [!NOTE]

+> The above table covers stable Dapr APIs. To learn more about using alpha APIs and components, [see limitations](#unsupported-dapr-capabilities).

+- **Alpha APIs and components**: Dapr alpha APIs and components are available to use on a self-service, opt-in basis. Alpha APIs and components are provided "as is" and "as available," and are continually evolving as they move toward stable status. Alpha APIs and components are not covered by customer support.

+Granting access to view costs and optionally manage cost configuration, such as budgets and exports, is done on governance scopes using Azure RBAC. You use Azure RBAC to grant Azure AD users and groups access to do a predefined set of actions. The actions are defined in a role on a specific scope and lower. For instance, a role assigned to a management group scope also grants the same permissions to nested subscriptions and resource groups.

+Cost Management Contributor is the recommended least-privilege role. The role allows people to create and manage budgets and exports to more effectively monitor and report on costs. Cost Management Contributors might also require more roles to support complex cost management scenarios. Consider the following scenarios:

+- **Act when budgets are exceeded** ΓÇô Cost Management Contributors also need access to create and manage action groups to automatically react to overages. Consider granting [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) to a resource group that contains the action group to use when budget thresholds are exceeded. Automating specific actions requires more roles for the specific services used, such as Automation and Azure Functions.

+The following table shows how Cost Management features are used by each role. The following behavior is applicable to all Azure RBAC scopes.

+- **Department read-only user** ΓÇô Can view department settings, cost data, and cost configuration. Can manage budgets and exports. If **DA view charges** option is disabled, department users can't see costs at any level, even if they're an account or subscription owner.

+Management groups in CSP scopes aren't supported by Cost Management. If you have a CSP subscription and you set the scope to a management group in cost analysis, an error similar the following one is shown:

+All Cost Management views in the Azure portal include a **Scope** selection pill at the top-left of the view. Use it to quickly change scope. Select the **Scope** pill to open the scope picker. It shows billing accounts, the root management group, and any subscriptions that aren't nested under the root management group. To select a scope, select the background to highlight it, and then select **Select** at the bottom. To drill-in to nested scopes, like resource groups in a subscription, select the scope name link. To select the parent scope at any nested level, select **Select this &lt;scope&gt;** at the top of the scope picker.

+### View historical billing scopes after migration or contract change

+If you migrated from an EA agreement to a Microsoft Customer Agreement, you still have access to your old billing scope.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Search for and then select **Cost Management + Billing**.

+3. Select **Billing Scope** to view your new and previous billing accounts.

+When you work with Cost Management APIs, knowing the scope is critical. Use the following information to build the proper scope URI for Cost Management APIs.

+Your invoice displays Azure usage charges with costs associated to them first, followed by any Marketplace charges. If you have a credit balance, it's applied to Azure usage. Your invoice shows Azure usage and Marketplace usage without any cost last.

+In the Azure portal, an Enterprise Administrator for a direct EA enrollment can update the purchase order (PO) for the upcoming Azure Overage/Marketplace invoices. The PO number can get updated anytime before the invoice is created during the current billing period.

+> [!NOTE]

+>PO number update is only used for Overage/Marketplace invoices. To update a PO number for other invoices such as the invoice for a prepayment purchase, contact your Software Advisor (direct customer) or your partner (indirect customer). They in-turn, can contact the Regional Operation Center to update a PO number using the Call Logging tool at the Explore.ms site.

+The following items are the Accounting codes and description for the adjustments.

+If your currency uses a period (**.**) for the thousandth place separator and a comma (**,**) for the decimal place separator, it's displayed incorrectly. For example: *1.000,00*. The import results may vary depending on your regional language setting.

+1. Under the **Column Data Format** section, select **Text** instead of **General**. The column header changes from **General** to **Text**.

+- To learn about common tasks that an enterprise administrator accomplishes in the Azure portal, see [EA Billing administration on the Azure portal](direct-ea-administration.md).

+ Title: Azure DDoS Protection business continuity

+ Title: 'Quickstart: Create and configure Azure DDoS Network Protection - Bicep'

+ Title: 'Quickstart: Create and configure an Azure DDoS Network Protection plan - Azure CLI'

+ Title: 'Quickstart: Create and configure Azure DDoS IP Protection Preview - PowerShell'

+ Title: 'Quickstart: Create and configure Azure DDoS Network Protection - Azure PowerShell'

+ Title: 'Quickstart: Create and configure Azure DDoS Network Protection - ARM template'

+ Title: 'Quickstart: Create and configure Azure DDoS Network Protection using - Azure portal'

+description: Important reference material needed when you monitor DDoS Protection.

+description: Learn about how to test through simulations.

+Defender for Containers also includes host-level threat detection with over 60 Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload. For a full list of the cluster level alerts, see the [reference table of alerts](alerts-reference.md#alerts-k8scluster).

+- [Why is my Azure DevOps repository not refreshing to healthy?](#why-is-my-azure-devops-repository-not-refreshing-to-healthy)

+- [What are the programing languages that are supported by Defender for DevOps?](#what-are-the-programing-languages-that-are-supported-by-defender-for-devops)

+### Why is my Azure DevOps repository not refreshing to healthy?

+For a previously unhealthy scan result to be healthy again, updated healthy scan results need to be from the same build definition as the one that generated the findings in the first place. A common scenario where this issue occurs is when testing with different pipelines. For results to refresh appropriately, scan results need to be for the same pipeline(s) and branch(es).

+If no scanning is performed for 14 days, the scan results would be revert to ΓÇ£N/AΓÇ¥.

+### What are the programing languages that are supported by Defender for DevOps?

+The following languages are supported by Defender for DevOps:

+- Python

+- Java Script

+- Type Script

+> [!TIP]

+> Welcome to the **Azure Deployment Environments** documentation. If you're looking for information about **Microsoft Dev Box**, follow this link: [*Components common to Microsoft Dev Box and Azure Deployment Environments*](../dev-box/concept-common-components.md).

+> [!TIP]

+> Welcome to the **Microsoft Dev Box** documentation. If you're looking for information about **Azure Deployment Environments**, follow this link: [*Components common to Azure Deployment Environments and Microsoft Dev Box*](../deployment-environments/concept-common-components.md).

+# Overview of Azure Event Hubs Dedicated tier

+Event Hubs dedicated clusters are designed to meet the needs of most demanding mission-critical event streaming workloads. These clusters provide a high-performance, low-latency, scalable, and reliable event streaming service for your event streaming applications that are based on AMQP(Event Hubs SDK) or Apache Kafka APIs.

+## Why Dedicated cluster?

+The dedicated tier of Event Hubs offers several benefits to customers who need run mission-critical workloads at enterprise-level capacity.

+### Low latency event streaming

+These clusters are optimized for low end-to-end latency and high performance. Therefore these clusters enable businesses to handle high-velocity and high-volume data streaming.

+### Streaming large volumes of data

+Dedicated clusters can stream events at the gigabytes per second or millions of events per second scale for Most of the use cases. Also, these clusters can be easily scaled to accommodate changes in event streaming volume.

+### Guaranteed consistent performance

+Event Hubs dedicated clusters minimize the latency jitter and ensure consistent performance with guaranteed capacity.

+### Zero interference

+Event Hubs Dedicated Clusters operate on a single-tenant architecture. Therefore it ensures that the allocated resources being not shared with any other tenants. Therefore, unlike other tiers, you wouldn't see any cross tenant interference in Dedicated cluster.

+### Self-serve scaling

+The dedicated cluster offers self-serve scaling capabilities that allow you to adjust the capacity of the cluster according to dynamic loads and to facilitate business operations. You can scale out during spikes in usage and scale in when the usage is low.

+### High-end features and generous quotas

+Dedicated clusters include all features of the Premium tier and more. The service also manages load balancing, operating system updates, security patches, and partitioning. So, you can spend less time on infrastructure maintenance and more time on building your event streaming applications.

+## Capacity Units(CU)

+Dedicated clusters are provisioned and billed by capacity units (CUs), a pre-allocated amount of CPU and memory resources.

+How much you can ingest and stream per CU depends on various factors, such as the following ones:

+- Number of partitions.

+- Producer and consumer configuration.

+- Payload size

+Therefore, to determine the necessary number of CUs, you should carry out your anticipated event streaming workload on an Event Hubs dedicated cluster while observing the cluster's resource utilization. For more information, see [When to scale my dedicated cluster](#when-to-scale-my-dedicated-cluster).

+## Cluster Types

+Event Hubs Dedicated Clusters come in two distinct types: Self-serve scalable clusters and Legacy clusters. These two types differ in their support for the number of CUs, the amount of throughput each CU provides, and the regional and zone availability.

+As a dedicated cluster user, you can determine the type of cluster by examining the availability of the capacity scaling feature in the portal. If this capability is present, you're using a self-serve scalable cluster. Conversely, if it isn't available, you're utilizing a legacy dedicated cluster. Alternatively you can look for the [Azure Resource Manager properties](/azure/templates/microsoft.eventhub/clusters?pivots=deployment-language-arm-template) related to Dedicated clusters.

+### Self-serve scalable clusters

+Event Hubs Self-serve scalable clusters are based on new infrastructure and allow users to easily scale the number of capacity units allocated to each cluster. By creating a dedicated cluster through the Event Hubs portal or ARM templates, you gain access to a self-service scalable cluster. To learn how to scale your dedicated cluster, see [Scale Event Hubs dedicated clusters](event-hubs-dedicated-cluster-create-portal.md).

+Approximately, one capacity unit (CU) in a self-serve scalable cluster provides *ingress capacity ranging from 100 MB/s to 200 MB/s*, although actual throughput may fluctuate depending on various factors.

+With self-serve scalable clusters, you can purchase up to 10 CUs for a cluster in the Azure portal. In contrast to traditional clusters, these clusters can be scaled incrementally with CUs ranging from 1 to 10.

+If you need a cluster larger than 10 CU, you can [submit a support request](event-hubs-dedicated-cluster-create-portal.md#submit-a-support-request) to scale up your cluster after its creation.

+> [!IMPORTANT]

+> Self-serve scalable dedicated clusters currently don't support [availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones). If you need to use AZ with your dedicated cluster, then you need to explicitly create a Legacy dedicated cluster.

+### Legacy clusters

+Event Hubs dedicated clusters created prior to the availability of self-serve scalable clusters are referred to as legacy clusters.

+To use these legacy clusters, direct creation through the Azure portal or ARM templates isn't possible and you must instead [submit a support request](event-hubs-dedicated-cluster-create-portal.md#submit-a-support-request) to create one.

+Approximately, one capacity unit (CU) in a self-serve scalable cluster provides *ingress capacity ranging from 50 MB/s to 100 MB/s*, although actual throughput may fluctuate depending on various factors.

+With Legacy cluster, you can purchase up to 20 CUs.

+> [!Note]

+> Event Hubs Dedicated clusters require at least 8 Capacity Units(CUs) to enable availability zones. Clusters with self-serve scaling does not support availability zones yet. Availability zone support is only available in [Azure regions with availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones).

+> Migrating an existing Legacy cluster to a Self-Serve Cluster isn't currently support. For more information, see [migrating a Legacy cluster to Self-Serve Scalable cluster.](#can-i-migrate-my-standard-or-premium-namespaces-to-a-dedicated-tier-cluster).

+## Determining cluster type

+You can determine the cluster type that you are using the following methods.

+| Method | Action | Self-serve scalable clusters | Legacy clusters | Notes |

+| -| - | | | |

+| Using Portal | Check for presence of ΓÇÿScaleΓÇÖ tab under the cluster | ΓÇÿScaleΓÇÖ page available in the cluster UI.| No scale page available in the cluster UI. | |

+| Using Azure Resource Manager| Check for `supportsScaling` Azure Resource Manager property on cluster. | Check for presence of ‘Scale’ page under the cluster.  | No scale page available in the cluster UI. | Check this property on Portal, CLI or PowerShell. Needs API version *2022-01-01-preview* or newer. |

+| Using nslookup| Run nslookup command on a namespace in cluster. | CNAME maps to `*.cloudapp.azure.com`.  | CNAME maps to `*.cloudapp.net`. | Example: `nslookup ns.servicebus.windows.net`. |

+## Quotas and limits

+The Event Hubs dedicated offering is billed at a fixed monthly price, with a **minimum of 4 hours of usage**. The dedicated tier offers all the features of the premium plan, but with enterprise-scale capacity and limits for customers with demanding workloads.

+For more information about quotas and limits, see [Event Hubs quotas and limits](event-hubs-quotas.md)

+Contact your Microsoft sales representative or Microsoft Support to get more details about Event Hubs Dedicated. You can also create a cluster or learn more about Event Hubs pricing tiers by visiting the following links:

+- [Event Hubs Dedicated pricing](https://azure.microsoft.com/pricing/details/event-hubs/). You can also contact your Microsoft sales representative or Microsoft Support to get more details about Event Hubs Dedicated capacity.

+ Title: Azure Front Door (classic)

+ Title: 'Quickstart: Create an Azure Front Door Standard/Premium - Bicep'

+ Title: 'Quickstart: Create an Azure Front Door Standard/Premium - the Azure CLI'

+description: Learn how to create an Azure Front Door Standard/Premium using Azure CLI. Use Azure Front Door to deliver content to your global user base and protect your web apps against vulnerabilities.

+ Title: 'Quickstart: Create an Azure Front Door Standard/Premium - Azure PowerShell'

+description: Learn how to create an Azure Front Door Standard/Premium using Azure PowerShell. Use Azure Front Door to deliver content to your global user base and protect your web apps against vulnerabilities.

+ Title: 'Quickstart: Create an Azure Front Door Standard/Premium - ARM template'

+description: This quickstart describes how to create an Azure Front Door Standard/Premium using Azure Resource Manager template (ARM template).

+ Title: 'Quickstart: Create an Azure Front Door Standard/Premium profile - Terraform'

+ Title: Azure Front Door - Application layer security

+ Title: 'Tutorial: Configure HTTPS on a custom domain for Azure Front Door (classic)'

+ Title: 'Tutorial: Add custom domain to your Azure Front Door configuration'

+description: This page provides information about how Azure Front Door helps to protect against DDoS attacks.

+ Title: Monitor metrics and logs in Azure Front Door (classic)

+# Monitor metrics and logs in Azure Front Door (classic)

+ Title: Create a Front Door with HTTP to HTTPS redirection - Azure portal

+ Title: Protocol support for HTTP headers in Azure Front Door

+ Title: HTTP/2 support in Azure Front Door

+ Title: Azure Front Door

+ Title: Azure Resource Manager template samples

+ Title: Routing rule matching

+ Title: Routing architecture

+ Title: Routing limits

+ Title: Traffic acceleration

+ Title: 'Tutorial: Configure Rules Engine'

+ Title: URL Redirect

+ Title: URL Rewrite

+ Title: Support for wildcard domains

+ Title: Backend health monitoring

+ Title: Configure caching

+ Title: Configure an endpoint with Front Door manager

+ Title: How to configure origins

+ Title: Azure Front Door manager

+ Title: Secure traffic to origins

+ Title: Origins and origin groups

+ Title: 'Quickstart: Create an Azure Front Door Service - Bicep'

+ Title: 'Quickstart: Create an Azure Front Door Service - ARM template'

+ Title: 'Quickstart: Create an Azure Front Door (classic) - Terraform'

+ Title: Traffic routing methods to origin

+ Title: Server variables

+ Title: Use Azure Front Door with Azure Storage blobs

+ Title: Accelerate and secure your web application with Azure Front Door

+- **Protocol blocking:** Front Door only accepts traffic on the HTTP and HTTPS protocols, and will only process valid requests with a known `Host` header. Because of this behavior, your application is protected against many types of attacks across a range of protocols.

+#### Azure Health Data Services

+#### DICOM service

+#### Toolkit and Samples (Open Source)

+Bug is now fixed and Resource will be updated if matches the Etag header. For details, see [#2877](https://github.com/microsoft/fhir-server/issues/2877)

+#### Toolkit and Samples (Open Source)

+The issue is now fixed and querying with :not operator should provide correct results. For more information, see [#2790](https://github.com/microsoft/fhir-server/pull/2785).

+#### Toolkit and Samples (Open Source)

+The toolkit is open-source and allows you to easily customize and extend the functionality of their Azure Health Data Services implementations.

+We've recently identified an issue with the sorting order of history bundles on FHIR® server. History bundles were sorted with the oldest version first. Per FHIR specification, the sorting of versions defaults to the oldest version last. This bug fix, addresses FHIR server behavior for sorting history bundle. <br><br>We understand if you would like to keep the sorting per existing behavior (oldest version first). To support existing behavior, we recommend you append `_sort=_lastUpdated` to the HTTP GET command utilized for retrieving history. <br><br>For example: `<server URL>/_history?_sort=_lastUpdated` <br><br>For more information, see [#2689](https://github.com/microsoft/fhir-server/pull/2689).

+#### MedTech service

+**Added FHIRPath Patch**

+#### FHIR service

+#### FHIR service

+**Added support for conditional patch [Conditional patch](./././azure-api-for-fhir/fhir-rest-api-capabilities.md#patch-and-conditional-patch)**

+Conditional patch [#2163](https://github.com/microsoft/fhir-server/pull/2163)

+Added conditional patch audit event. [#2213](https://github.com/microsoft/fhir-server/pull/2213)

+**Allow JSON patch in bundles**

+Allows for search history bundles with Patch requests. [#2156](https://github.com/microsoft/fhir-server/pull/2156)

+Enabled JSON patch in bundles using Binary resources.[#2143](https://github.com/microsoft/fhir-server/pull/2143)

+Added new audit event [OperationName subtypes](./././azure-api-for-fhir/enable-diagnostic-logging.md#audit-log-details) [#2170](https://github.com/microsoft/fhir-server/pull/2170)

+**Running a reindex job**

+Added [boundaries for reindex](./././azure-api-for-fhir/how-to-run-a-reindex.md#performance-considerations) parameters.[#2103](https://github.com/microsoft/fhir-server/pull/2103)

+Updated error message for reindex parameter boundaries.[#2109](https://github.com/microsoft/fhir-server/pull/2109)

+Added final reindex count check. [#2099](https://github.com/microsoft/fhir-server/pull/2099)

+**Bug Fixes**

+Provided Wider catch for exceptions during applying patch [#2192](https://github.com/microsoft/fhir-server/pull/2192)

+Fixed history with PATCH in STU3 [#2177](https://github.com/microsoft/fhir-server/pull/2177)

+Addressed the delete failure with Custom Search parameters [#2133](https://github.com/microsoft/fhir-server/pull/2133)

+Added retry logic while Deleting Search parameter [#2121](https://github.com/microsoft/fhir-server/pull/2121)

+Set max item count in search options in SearchParameterDefinitionManager [#2141](https://github.com/microsoft/fhir-server/pull/2141)

+Better exception if there's a bad expression in a search parameter [#2157](https://github.com/microsoft/fhir-server/pull/2157)

+Resolved SQL batch reindex if one resource fails

+Updated SQL batch reindex retry logic [#2118](https://github.com/microsoft/fhir-server/pull/2118)

+**GitHub issues closed**

+Unclear error message for conditional create with no ID [#2168](https://github.com/microsoft/fhir-server/issues/2168)

+description: Create or modify an Exchange peering with Route Server using the Azure portal.

+description: Create or modify a Direct peering using the Azure portal.

+description: Create or modify a Direct peering using PowerShell.

+description: Create or modify an Exchange peering using the Azure portal.

+description: Create or modify an Exchange peering using PowerShell.

+description: Convert a legacy Direct peering to an Azure resource using the Azure portal.

+description: Convert a legacy Direct peering to an Azure resource using PowerShell.

+description: Convert a legacy Exchange peering to an Azure resource using the Azure portal.

+description: Convert a legacy Exchange peering to an Azure resource using PowerShell.

+description: Enable Azure Peering Service on a Direct peering using the Azure portal.

+description: Enable Azure Peering Service on a Direct peering using PowerShell.

+description: Associate peer ASN to Azure subscription using the Azure portal.

+description: Associate peer ASN to Azure subscription using PowerShell.

+description: Internet peering vs. Peering Service.

+description: Overview of peering.

+description: Microsoft peering policy.

+description: Learn about the prerequisites to set up peering with Microsoft.

+description: Azure Internet peering for Communications Services walkthrough.

+description: Direct peering walkthrough.

+description: Exchange peering walkthrough.

+description: Peering Service partner walkthrough.

+> This action counts against your IoT Hub messages quota. We recommend only changing up to 50,000 device or module twin tags at a time, otherwise you may need to buy more IoT Hub units if you exceed your daily IoT Hub message quota. For more information, see [Quotas and throttling](../iot-hub/iot-hub-devguide-quotas-throttling.md).

+While device groups are automatically created, groups, device classes and deployments are not automatically cleaned up so as to retain them for historical records or other user needs. Device groups can be deleted through Azure portal by individually selecting and deleting the desired groups, or by calling the DELETE API on the group. [Learn more](/cli/azure/iot/du/device/group#az-iot-du-device-group-delete)

+* The group must have NO active or canceled deployments associated with it.

+ Title: Understand Azure IoT Hub pricing

+# Azure IoT Hub billing information

+[Azure IoT Hub pricing](https://azure.microsoft.com/pricing/details/iot-hub) provides the general information on different SKUs and pricing for IoT Hub. This article contains details on how the various IoT Hub functionalities are metered as messages by IoT Hub.

+| Device-to-cloud messages | Successfully sent messages are charged in 4-KB chunks on ingress into IoT Hub. For example, a 100-byte message is charged as one message, and a 6-KB message is charged as two messages. <br/><br/> [Send Device Event](/rest/api/iothub/device/send-device-event): either *Device to Cloud Telemetry* or *Device to Cloud Telemetry Routing* depending on whether the IoT hub has message routing features configured. |

+| Cloud-to-device messages | Successfully sent messages are charged in 4-KB chunks. For example, a 6-KB message is charged as two messages. <br/><br/> [Receive Device Bound Notification](/rest/api/iothub/device/receive-device-bound-notification): *Cloud To Device Command* |

+| File uploads | File transfer to Azure Storage isn't metered by IoT Hub. File transfer initiation and completion messages are charged as messaged metered in 4-KB increments. For example, transferring a 10-MB file is charged as two messages in addition to the Azure Storage cost. <br/><br/> [Create File Upload Sas Uri](/rest/api/iothub/device/create-file-upload-sas-uri): *Device To Cloud File Upload* <br/> [Update File Upload Status](/rest/api/iothub/device/update-file-upload-status): *Device To Cloud File Upload* |

+| Direct methods | Successful method requests are charged in 4-KB chunks, and responses are charged in 4-KB chunks as additional messages. Requests or responses with no payload are charged as one message. For example, a method with a 4-KB body that results in a response with no payload from the device is charged as two messages. A method with a 6-KB body that results in a 1-KB response from the device is charged as two messages for the request plus another message for the response. Requests to disconnected devices are charged as messages in 4-KB chunks plus one message for a response that indicates the device isn't online. <br/><br/> [Device - Invoke Method](/rest/api/iothub/service/devices/invoke-method): *Device Direct Invoke Method*, <br/> [Module - Invoke Method](/rest/api/iothub/service/modules/invoke-method): *Module Direct Invoke Method* |

+| Device and module twin reads | Twin reads from the device or module and from the solution back end are charged as messages in 4-KB chunks. For example, reading an 8-KB twin is charged as two messages. <br/><br/> [Get Twin](/rest/api/iothub/service/devices/get-twin): *Get Twin* <br/> [Get Module Twin](/rest/api/iothub/service/modules/get-twin): *Get Module Twin* <br/><br/> Read device and module twins from a device: <br/> **Endpoint**: `/devices/{id}/twin` ([MQTT](iot-hub-mqtt-support.md#retrieving-a-device-twins-properties), AMQP only): *D2C Get Twin* <br/> **Endpoint**: `/devices/{deviceid}/modules/{moduleid}/twin` (MQTT, AMQP only): *Module D2C Get Twin* |

+| Device and module twin updates (tags and properties) | Twin updates from the device or module and from the solution back end are charged as messages in 4-KB chunks. For example, a 12-KB update to a twin is charged as three messages. <br/><br/> [Update Twin](/rest/api/iothub/service/devices/update-twin): *Update Twin* <br/> [Update Module Twin](/rest/api/iothub/service/modules/update-twin): *Update Module Twin* <br/> [Replace Twin](/rest/api/iothub/service/devices/replace-twin): *Replace Twin* <br/> [Replace Module Twin](/rest/api/iothub/service/modules/replace-twin): *Replace Module Twin* <br/><br/> Update device or module twin reported properties from a device: <br/> **Endpoint**: `/twin/PATCH/properties/reported/` ([MQTT](iot-hub-mqtt-support.md#update-device-twins-reported-properties), AMQP only): *D2 Patch ReportedProperties* or *Module D2 Patch ReportedProperties* <br/><br/> Receive desired properties update notifications on a device: <br/> **Endpoint**: `/twin/PATCH/properties/desired/` ([MQTT](iot-hub-mqtt-support.md#receiving-desired-properties-update-notifications), AMQP only): *D2C Notify DesiredProperties* or *Module D2C Notify DesiredProperties* |

+| Device and module twin queries | Queries against **devices** or **devices.modules** are charged as messages depending on the result size in 4-KB chunks. Queries against **jobs** aren't charged. <br/><br/> [Get Twins](/rest/api/iothub/service/query/get-twins) (query against **devices** or **devices.modules** collections): *Query Devices* |

+| Digital twin reads | Digital twin reads from the solution back end are charged as messages in 4-KB chunks. For example, reading an 8-KB twin is charged as two messages. <br/><br/> [Get Digital Twin](/rest/api/iothub/service/digital-twin/get-digital-twin): *Get Digital Twin* |

+| Digital twin updates | Digital twin updates from the solution back end are charged as messages in 4-KB chunks. For example, a 12-KB update to a twin is charged as three messages. <br/><br/> [Update Digital Twin](/rest/api/iothub/service/digital-twin/update-digital-twin): *Patch Digital Twin* |

+| Digital twin commands | Successful commands are charged in 4-KB chunks, and responses are charged in 4-KB chunks as additional messages. Requests or responses with no body are charged as one message. For example, a command with a 4-KB body that results in a response with no body from the device is charged as two messages. A command with a 6-KB body that results in a 1-KB response from the device is charged as two messages for the command plus another message for the response. Commands to disconnected devices are charged as messages in 4-KB chunks plus one message for a response that indicates the device isn't online. <br/><br/> [Invoke Component Command](/rest/api/iothub/service/digital-twin/invoke-component-command): *Digital Twin Component Command* <br/> [Invoke Root Level Command](/rest/api/iothub/service/digital-twin/invoke-root-level-command): *Digital Twin Root Command* |

+| Jobs per-device operations | Jobs operations (such as twin updates, and methods) are charged in 4-KB chunks. For example, a job resulting in 1000 method calls with 1-KB requests and empty-payload responses is charged 2000 messages (one message for each request and response). <br/><br/> *Update Twin Device Job* <br/> *Invoke Method Device Job* |

+| Configuration per-device operations | Configuration operations are charged as messages in 4-KB chunks. Responses aren't charged. For example, an apply configuration operation with a 6-KB body is charged as two messages. <br/><br/> [Apply on Edge Device](/rest/api/iothub/service/configuration/apply-on-edge-device): *Configuration Service Apply*. |

+| Keep-alive messages | When using AMQP or MQTT protocols, messages exchanged to establish the connection and messages exchanged in the negotiation, or to keep the connection open and alive, aren't charged. |

+| Device streams (preview) | Device streams is in preview and operations aren't charged yet. <br/><br/> **Endpoint**: `/twins/{deviceId}/streams/{streamName}`: *Device Streams* <br/> **Endpoint**: `/twins/{deviceId}/modules/{moduleId}/streams/{streamName}`: *Device Streams Module* |

+Your batching strategy depends on your scenario and on how time-critical the data is. If you're sending large amounts of data, you can also consider implementing data compression to further reduce the impact on message quota.

+When you open a support request on Azure portal, diagnostics specific to your reported issue are run. The result is displayed as an insight on the **Solutions** tab of your request. One such insight reports quota usage for your IoT hub using the terms in italics in the table earlier. Whether this particular insight is returned will depend on the results of the diagnostics performed on your IoT hub for the problem you're reporting. If the quota usage insight is reported, you can use the table to cross-reference the reported usage term or terms with the operation(s) that they refer to.

+Each IoT hub is provisioned with units in a specific tier. The tier and number of units determine the maximum daily quota of messages that you can send in your hub per day. The message size used to calculate the daily quota is 0.5 KB for a free tier hub and 4KB for all other tiers. For more information, see [Azure IoT Hub pricing](https://azure.microsoft.com/pricing/details/iot-hub/) or [Choose the right IoT Hub tier for your solution].

+You can find your hub's quota limit under the column **Total number of messages /day** on the [IoT Hub pricing page](https://azure.microsoft.com/pricing/details/iot-hub/) in the Azure portal.

+It's a good practice to throttle your calls so that you don't hit/exceed the throttling limits. If you do hit the limit, IoT Hub responds with error code 429 and the client should back-off and retry. These limits are per hub (or in some cases per hub/unit). For more information, see [Manage connectivity and reliable messaging/Retry patterns](iot-hub-reliability-features-in-sdks.md#retry-patterns).

+### Basic and standard tier operations

+The following table shows the enforced throttles for operations that are available in all IoT Hub tiers. Values refer to an individual hub.

+| Throttle | Free, B1, and S1 | B2 and S2 | B3 and S3 |

+| [New device connections](#device-connections-throttle) (this limit applies to the rate of *new connections*, not the total number of connections) | Higher of 100/sec or 12/sec/unit <br/> For example, two S1 units are 2\*12 = 24 new connections/sec, but you have at least 100 new connections/sec across your units. With nine S1 units, you have 108 new connections/sec (9\*12) across your units. | 120 new connections/sec/unit | 6,000 new connections/sec/unit |

+### Standard tier operations

+The following table shows the enforced throttles for operations that are available in standard tiers only. Values refer to an individual hub.

+| Throttle | Free and S1 | S2 | S3 |

+| -- | - | - | - |

+| Cloud-to-device sends | 1.67 send operations/sec/unit (100 messages/min/unit) | 1.67 send operations/sec/unit (100 send operations/min/unit) | 83.33 send operations/sec/unit (5,000 send operations/min/unit) |

+| Cloud-to-device receives <br/> (only when device uses HTTPS)| 16.67 receive operations/sec/unit (1,000 receive operations/min/unit) | 16.67 receive operations/sec/unit (1,000 receive operations/min/unit) | 833.33 receive operations/sec/unit (50,000 receive operations/min/unit) |

+| Direct methods | 160KB/sec/unit¹ | 480KB/sec/unit¹ | 24MB/sec/unit¹ |

+| Twin (device and module) reads | 100/sec | Higher of 100/sec or 10/sec/unit | 500/sec/unit |

+| Twin updates (device and module) | 50/sec | Higher of 50/sec or 5/sec/unit | 250/sec/unit |

+| Jobs operations <br/> (create, update, list, delete) | 1.67/sec/unit (100/min/unit) | 1.67/sec/unit (100/min/unit) | 83.33/sec/unit (5,000/min/unit) |

+| Jobs device operations <br/> (update twin, invoke direct method) | 10/sec | Higher of 10/sec or 1/sec/unit | 50/sec/unit |

+| Configurations and edge deployments <br/> (create, update, list, delete) | 0.33/sec/unit (20/min/unit) | 0.33/sec/unit (20/min/unit) | 0.33/sec/unit (20/min/unit) |

+| Device stream initiation rate | 5 new streams/sec | 5 new streams/sec | 5 new streams/sec |

+| Maximum number of concurrently connected device streams | 50 | 50 | 50 |

+| Maximum device stream data transfer (aggregate volume per day) | 300 MB | 300 MB | 300 MB |

+¹Throttling meter size is 4 KB. Throttling is based on request payload size only.

+### Throttling details

+* The meter size determines at what increments your throttling limit is consumed. If your direct call's payload is between 0 KB and 4 KB, it's counted as 4 KB. You can make up to 40 calls per second per unit before hitting the limit of 160 KB/sec/unit.

+ Similarly, if your payload is between 4 KB and 8 KB, each call accounts for 8 KB and you can make up to 20 calls per second per unit before hitting the max limit.

+ Finally, if your payload size is between 156 KB and 160 KB, you can make only one call per second per unit in your hub before hitting the limit of 160 KB/sec/unit.

+* For *Jobs device operations (update twin, invoke direct method)* for tier S3, 50/sec/unit only applies to when you invoke methods using jobs. If you invoke direct methods directly, the original throttling limit of 24 MB/sec/unit (for S3) applies.

+* Your cloud-to-device and device-to-cloud throttles determine the maximum *rate* at which you can send messages irrespective of 4 KB chunks. Device-to-cloud messages can be up to 256 KB; cloud-to-device messages can be up to 64 KB. These are the maximum message sizes for each type of message.

+For example, you use a simulated device to send 200 device-to-cloud messages per second to your S1 IoT Hub (which has a limit of 100/sec device-to-cloud sends). For the first minute or two, the messages are processed immediately. However, since the device continues to send more messages than the throttle limit, IoT Hub begins to only process 100 messages per second and puts the rest in a queue. You start noticing increased latency. Eventually, you start getting `429 ThrottlingException` as the queue fills up, and the ["Number of throttling errors" IoT Hub metric](monitor-iot-hub-reference.md#device-telemetry-metrics) starts increasing. To learn how to create alerts and charts based on metrics, see [Monitor IoT Hub](monitor-iot-hub.md).

+When initiating identity operations through [bulk registry update operations](/rest/api/iothub/service/bulkregistry/updateregistry) (*not* bulk import and export jobs), the same throttle limits apply. For example, if you want to submit bulk operation to create 50 devices, and you have a S1 IoT Hub with one unit, only two of these bulk requests are accepted per minute. This limitation is because the identity operation throttle for an S1 IoT Hub with one unit is 100/min/unit. Also in this case, a third request (and beyond) in the same minute would be rejected because the limit has been reached.

+The *device connections* throttle governs the rate at which new device connections can be established with an IoT hub. The *device connections* throttle doesn't govern the maximum number of simultaneously connected devices. The *device connections* rate throttle depends on the number of units that are provisioned for the IoT hub.

+| Jobs¹ | Maximum concurrent jobs are 1 (for Free and S1), 5 (for S2), and 10 (for S3). However, the max concurrent [device import/export jobs](iot-hub-bulk-identity-mgmt.md) is 1 for all tiers. <br/>Job history is retained up to 30 days. |

+| Additional endpoints | Basic and standard SKU hubs may have 10 additional endpoints. Free SKU hubs may have one additional endpoint. |

+| Message routing queries | Basic and standard SKU hubs may have 100 routing queries. Free SKU hubs may have five routing queries. |

+| Message enrichments | Basic and standard SKU hubs can have up to 10 message enrichments. Free SKU hubs can have up to two message enrichments.|

+| Automatic device and module configurations¹ | 100 configurations per basic or standard SKU hub. 10 configurations per free SKU hub. |

+| IoT Edge automatic deployments¹ | 50 modules per deployment. 100 deployments (including layered deployments) per basic or standard SKU hub. 10 deployments per free SKU hub. |

+¹This feature isn't available in the basic tier of IoT Hub. For more information, see [How to choose the right IoT Hub](iot-hub-scaling.md).

+IoT Hub strives to provide low latency for all operations. However, due to network conditions and other unpredictable factors it can't guarantee a certain latency. When designing your solution, you should:

+Multiple IoT Hub units affect throttling as described previously, but don't provide any additional latency benefits or guarantees.

+ Title: Azure IoT Hub scaling

+description: How to choose the correct IoT hub tier and size to support your anticipated message throughput and desired features.

+# Choose the right IoT Hub tier and size for your solution

+Each IoT Hub tier is available in three sizes, based around how much data throughput they can handle in any given day. These sizes are numerically identified as 1, 2, and 3. For example, each unit of a level 1 IoT hub can handle 400 thousand messages a day, while a level 3 unit can handle 300 million. For more details about the data guidelines, continue to [Tier editions and units](#tier-editions-and-units).

+| Capability | Basic tier | Standard tier |

+### IoT Hub REST APIs

+| API | Basic tier | Standard tier |

+| [Create or update device](/rest/api/iothub/service/devices/create-or-update-identity), [Get device](/rest/api/iothub/service/devices/get-identity), [Delete device](/rest/api/iothub/service/devices/delete-identity) | Yes | Yes |

+| [Create or update module](/rest/api/iothub/service/modules/create-or-update-identity), [Get module](/rest/api/iothub/service/modules/get-identity), [Delete module](/rest/api/iothub/service/modules/delete-identity) | Yes | Yes |

+| [Create import export job](/rest/api/iothub/service/jobs/createimportexportjob), [Get import export job](/rest/api/iothub/service/jobs/getimportexportjob), [Cancel import export job](/rest/api/iothub/service/jobs/cancelimportexportjob) | Yes | Yes |

+| [Get device twin](/rest/api/iothub/service/devices/get-twin), [Update device twin](/rest/api/iothub/service/devices/update-twin) | | Yes |

+| [Get module twin](/rest/api/iothub/service/modules/get-twin), [Update module twin](/rest/api/iothub/service/modules/update-twin) | | Yes |

+| [Create job](/rest/api/media/jobs/create), [Get job](/java/api/com.microsoft.azure.sdk.iot.service.jobs.jobclient.getjob), [Cancel job](/rest/api/media/jobs/canceljob) | | Yes |

+### Partitions

+Azure IoT hubs contain many core components from [Azure Event Hubs](../event-hubs/event-hubs-features.md), including [partitions](../event-hubs/event-hubs-features.md#partitions). Event streams for IoT hubs are populated with incoming telemetry data that is reported by various IoT devices. The partitioning of the event stream is used to reduce contentions that occur when concurrently reading and writing to event streams.

+The partition limit is chosen when an IoT hub is created, and can't be changed. The maximum limit of device-to-cloud partitions for basic tier and standard tier IoT hubs is 32. Most IoT hubs only need four partitions. For more information on determining the partitions, see the [How many partitions do I need?](../event-hubs/event-hubs-faq.yml#how-many-partitions-do-i-need-) question in the FAQ for [Azure Event Hubs](../event-hubs/index.yml).

+### Upgrade tiers

+After you create your IoT hub, you can upgrade from the basic tier to the standard tier without interrupting your existing operations. You can't downgrade from standard tier to basic tier. For more information, see [How to upgrade your IoT hub](iot-hub-upgrade.md).

+The partition configuration remains unchanged when you migrate from basic tier to standard tier.

+> [!NOTE]

+> The free tier does not support upgrading to basic or standard tier.

+## Tier editions and units

+Once you've chosen the tier that provides the best features for your solution, determine the size that provides the best data capacity for your solution.

+Each IoT Hub tier is available in three sizes, based around how much data throughput they can handle in any given day. These sizes are numerically identified as 1, 2, and 3.

+Tiers and sizes are represented as *editions*. A basic tier IoT hub of size 2 is represented by the edition **B2**. Similarly, a standard tier IoT hub of size 3 is represented by the edition **S3**.

+Only one type of [IoT Hub edition](https://azure.microsoft.com/pricing/details/iot-hub/) within a tier can be chosen per IoT hub. For example, you can create an IoT hub with multiple units of S1. However, you can't create an IoT hub with a mix of units from different editions, such as S1 and B3 or S1 and S2.

+The following table shows the capacity for device-to-cloud messages for each size.

+| Size | Messages per day per unit | Data per day per unit |

+| - | - | |

+| 1 | 400,000 | 1.5 GB |

+| 2 | 6,000,000 | 22.8 GB |

+| 3 | 300,000,000 | 1144.4 GB |

+You can purchase up to 200 units for a size 1 or 2 IoT hub, or up to 10 units for a size 3 IoT hub. Your daily message limit and throttling limits are based on the combined capacity of all units. For example, buying one unit of size 2 gives you the same daily message limit as fifteen units of size 1.

+For more information on the capacity and limits of each IoT Hub edition, see [IoT Hub quotas and throttling](iot-hub-devguide-quotas-throttling.md).

+### Upgrade or downgrade editions

+After you create your IoT hub, without interrupting your existing operations, you can:

+* Change the number of units available within its edition (for example, upgrading from one to three units of B1)

+* Upgrade or downgrade between editions within its tier (for example, upgrading from B1 to B2)

+For more information, see [How to upgrade your IoT hub](iot-hub-upgrade.md).

+ Title: Upgrade Azure IoT Hub

+* Change the size of the IoT hub. For example, migrate a hub from the B1 tier to the B2 tier to increase the number of messages that each unit can support per day from 400,000 to 6 million. Both these changes can occur without interrupting existing operations.

+* Upgrade to a higher tier. For example, upgrade a hub from the B1 tier to the S1 tier for access to advanced features with the same messaging capacity.

+ > You cannot upgrade from a Free Hub to a Paid Hub through our upgrade function. You must create a Paid hub and migrate the configurations and devices from the Free hub to the Paid hub. This process is documented at [How to clone an IoT Hub](/azure/iot-hub/iot-hub-how-to-clone).

+ > [!Tip]

+If you want to downgrade your IoT hub, you can remove units and reduce the size of the IoT hub but you can't downgrade to a lower tier. For example, you can move from the S2 tier to the S1 tier, but not from the S2 tier to the B1 tier. Only one type of [IoT Hub edition](https://azure.microsoft.com/pricing/details/iot-hub/) within a tier can be chosen per IoT hub. For example, you can create an IoT hub with multiple units of S1. However, you can't create an IoT hub with a mix of units from different editions, such as S1 and B3 or S1 and S2.

+If you want to upgrade an existing IoT hub, you can do so from the Azure portal.

+1. Select **Pricing and scale** from the navigation menu.

+ :::image type="content" source="./media/iot-hub-upgrade/pricing-scale.png" alt-text="Screenshot that shows the pricing and scale page for an IoT hub.":::

+1. To upgrade the tier for your hub, select **Upgrade** on the tier tile. You can only upgrade from the basic tier to the standard tier. You can't change the tier of a free or standard hub.

+1. To change the size or units for your hub, select **Adjust** on the daily message limit tile.

+ On the **Message and pricing options** page, choose the new daily message limit that you want for your IoT hub. Or, if you prefer to choose the specific tier and units combination, select **Advanced options**. For more information, see [Choose the right IoT Hub for your solution](iot-hub-scaling.md).

+ :::image type="content" source="./media/iot-hub-upgrade/message-pricing-advanced-options.png" alt-text="Screenshot that shows how to upgrade the size or units of your IoT hub.":::

+description: Get started learning how to configure and manage the backend pool of an Azure Load Balancer.

+description: Azure CLI Samples.

+description: Overview of Azure Load Balancer components.

+description: Overview of Azure Load Balancer concepts.

+description: Learn how to configure a Virtual Machine Scale Set with an existing Azure Load Balancer using the Azure CLI.

+description: Learn how to configure a Virtual Machine Scale Set with an existing Azure Load Balancer using the Azure portal.

+description: Learn how to configure a Virtual Machine Scale Set with an existing Azure Load Balancer using Azure PowerShell.

+description: In this article, learn about how to create an internal load balancer with outbound NAT.

+# Add IPv6 to an IPv4 application in Azure virtual network using Azure CLI

+# Add an IPv4 application to IPv6 in Azure virtual network using PowerShell

+# Deploy an IPv6 dual stack application using Standard Internal Load Balancer in Azure using PowerShell

+description: Upgrade guidance for migrating basic Load Balancer to standard Load Balancer.

+description: Describes how to resolve common errors when you deploy Azure Load Balancers.

+description: Learn about the different types of health probes and configuration for Azure Load Balancer.

+description: Overview of Azure Load Balancer Floating IP.

+description: Use the load balancer insights to achieve rapid fault localization and informed design decisions.

+description: Learn how to create an Internet facing load balancer with IPv6 using PowerShell for Resource Manager.

+ Title: Load balancing on multiple IP configurations - PowerShell

+description: In this article, learn about load balancing across primary and secondary IP configurations using Azure PowerShell.

+description: learn how to configure multiple Virtual Machine Scale Set instances behind a single Azure load Balancer.

+ Title: Multiple frontends

+description: This article describes the fundamentals of load balancing across multiple IP addresses using the same port and protocol using multiple frontends on Azure Load Balancer.

+ Title: Guidance for virtual machine scale sets with Azure Standard Load Balancer

+description: Learn about working with virtual machine scale sets and Azure Standard Load Balancer.

+# Guidance for virtual machine scale sets with Azure Load Balancer

+## Virtual Machine Scale Set instance-level IPs

+- Load Balancer backend pool VM isn't listening on the probe port

+description: In this article, learn how to manage health probes for Azure Load Balancer using the Azure portal.

+description: In this article, learn how to manage rules for Azure Load Balancer using the Azure portal.

+description: Get started learning about Azure Load Balancer portal settings.

+description: Important reference material needed when you monitor Load Balancer.

+ Title: Move an Azure external load balancer to another Azure region - Azure portal

+description: Use an Azure Resource Manager template to move an external load balancer from one Azure region to another using the Azure portal.

+# Move an external load balancer to another region using the Azure portal

+ Title: Move Azure external Load Balancer to another Azure region - Azure PowerShell

+ Title: Move Azure internal Load Balancer to another Azure region - Azure portal

+description: Use Azure Resource Manager template to move Azure internal Load Balancer from one Azure region to another using the Azure portal.

+ Title: Move Azure internal Load Balancer to another Azure region - Azure PowerShell

+ Title: Azure PowerShell Samples

+ Title: 'Quickstart: Create an internal Azure load balancer - Bicep'

+# Quickstart: Create an internal load balancer to load balance VMs using Bicep

+description: This quickstart shows how to create an internal load balancer using the Azure CLI.

+# Quickstart: Create an internal load balancer to load balance VMs using the Azure CLI

+description: This quickstart shows how to create an internal load balancer using the Azure portal.

+ Title: 'Quickstart: Create an internal load balancer - ARM template'

+description: This quickstart shows how to create an internal Azure load balancer using an Azure Resource Manager template (ARM template).

+# Quickstart: Create an internal load balancer to load balance VMs using an ARM template

+description: This quickstart shows how to create a load balancer using a Bicep file.

+# Quickstart: Create a public load balancer to load balance VMs using a Bicep file

+description: This quickstart shows how to create a public load balancer using the Azure CLI.

+description: This quickstart shows how to create a load balancer using the Azure portal.

+description: This quickstart shows how to create a load balancer using Azure PowerShell.

+ Title: "Quickstart: Create a public load balancer - ARM template"

+# Quickstart: Create a public load balancer to load balance VMs using an ARM template

+description: Overview of Azure Load Balancer SKUs.

+description: Overview of common error codes and corresponding mitigation methods for Azure Instance Metadata Service (IMDS).

+ Title: 'Tutorial: Create a cross-region load balancer - Azure CLI'

+ Title: 'Tutorial: Create a cross-region load balancer - Azure portal'

+ Title: 'Tutorial: Create a cross-region load balancer - Azure PowerShell'

+description: In this tutorial, learn how to create a public load balancer with an IP based backend pool using the Azure portal.

+description: In this tutorial, learn how to configure port forwarding using Azure Load Balancer to create a connection to a single virtual machine in an Azure virtual network.

+description: This tutorial demonstrates how to create a Standard Load Balancer with zonal frontend to load balance VMs within an availability zone by using Azure portal.

+description: In this tutorial, learn how to configure port forwarding using Azure Load Balancer to create a connection to multiple virtual machines in an Azure virtual network.

+ Title: Upgrade an internal basic load balancer - No outbound connections required

+description: This article shows you how to upgrade Azure Internal Load Balancer from Basic SKU to Standard SKU.

+# Upgrade an internal basic load balancer - No outbound connections required

+# Deploy an IPv6 dual stack application in Azure virtual network using Azure CLI

+# Deploy an IPv6 dual stack application in Azure virtual network using PowerShell

+| **Node provisioning** | Managed compute provisioning, update, removal | User responsibility |

+| **Node maintenance** | Managed host OS image updates, and security hardening | User responsibility |

+| **Cluster sizing (scaling)** | [Managed manual and autoscale](how-to-autoscale-endpoints.md), supporting additional nodes provisioning | [Manual and autoscale](v1/how-to-deploy-azure-kubernetes-service.md#autoscaling), supporting scaling the number of replicas within fixed cluster boundaries |

+| **Compute type** | Managed by the service | Customer-managed Kubernetes cluster (Kubernetes) |

+| **Virtual Network (VNET)** | [Supported via managed network isolation](how-to-secure-online-endpoint.md) | User responsibility |

+| **Out-of-box monitoring & logging** | [Azure Monitor and Log Analytics powered](how-to-monitor-online-endpoints.md) (includes key metrics and log tables for endpoints and deployments) | User responsibility |

+| **Logging with Application Insights (legacy)** | Supported | Supported |

+| **View costs** | [Detailed to endpoint / deployment level](how-to-view-online-endpoints-costs.md) | Cluster level |

+| **Cost applied to** | VMs assigned to the deployments | VMs assigned to the cluster |

+Currently, you can specify only one model per deployment in the YAML. If you have more than one model, when you register the model, copy all the models as files or subdirectories into a folder that you use for registration. In your scoring script, use the environment variable `AZUREML_MODEL_DIR` to get the path to the model root folder. The underlying directory structure is retained. For an example of deploying multiple models to one deployment, see [Deploy multiple models to one deployment](https://github.com/Azure/azureml-examples/blob/main/cli/endpoints/online/custom-container/minimal/multimodel).

+> [!TIP]

+> If you have more than 1500 files to register, you may consider compressing the files or subdirectories as .tar.gz when registering the model. To consume the models, you can uncompress the files or subdirectories in the init() function from the scoring script. In this case, uncompression happens once in the initialization stage.

+After your project administrator creates an Azure Machine Learning [image data labeling project](./how-to-create-image-labeling-projects.md) or an Azure Machine Learning [text data labeling project](./how-to-create-text-labeling-projects.md), you can use the labeling tool to rapidly prepare data for a Machine Learning project. This article describes:

+* A [Microsoft account](https://account.microsoft.com/account), or an Azure Active Directory account, for the organization and project.

+* Contributor-level access to the workspace containing the labeling project.

+1. Select the subscription and the workspace containing the labeling project. Your project administrator has this information.

+1. You may see multiple sections on the left, depending on your access level. If you do, select **Data labeling** on the left-hand side to find the project.

+In the data labeling project table, select the **Label data** link for your project.

+You see instructions, specific to your project. They explain the type of data involved, how you should make your decisions, and other relevant information. Read the information, and select **Tasks** at the top of the page. You can also select **Start labeling** at the bottom of the page.

+In all data labeling tasks, you choose an appropriate tag or tags from a set specified by the project administrator. You can use the keyboard number keys to select the first nine tags.

+Machine learning algorithms may be triggered during your labeling. If your project has these algorithms enabled, you may see:

+ * After some amount of data is labeled, you might see **Tasks clustered** at the top of your screen, next to the project name. Images are grouped together to present similar images on the same page. If so, switch to one of the multiple image views to take advantage of the grouping.

+ * Later on, you might see **Tasks prelabeled** next to the project name. Items appear with a suggested label produced by a machine learning classification model. No machine learning model has 100% accuracy. While we only use data for which the model is confident, these data values might still have incorrect pre-labels. When you see labels, correct any wrong labels before you submit the page.

+ * For object identification models, you may see bounding boxes and labels already present. Correct all mistakes with them before you submit the page.

+ * For segmentation models, you may see polygons and labels already present. Correct all mistakes with them before you submit the page.

+ * You may eventually see **Tasks prelabeled** next to the project name. Items appear with a suggested label that a machine learning classification model produces. No machine learning model has 100% accuracy. While we only use data for which the model is confident, these data values might still be incorrectly prelabeled. When you see labels, correct any wrong labels before submitting the page.

+Early in a labeling project, the machine learning model may only have enough accuracy to pre-label a small image subset. Once these images are labeled, the labeling project will return to manual labeling to gather more data for the next model training round. Over time, the model will become more confident about a higher proportion of images. Later in the project, its confidence results in more pre-label tasks.

+When there are no more pre-labeled tasks, you stop confirming or correcting labels, and go back to manual item tagging.

+To select all the displayed images simultaneously, use **Select all**. To select individual images, use the circular selection button in the upper-right corner of the image. You must select at least one image to apply a tag. If you select multiple images, any tag that you select applies to all the selected images.

+Here, we chose a two-by-two layout, and applied the tag "Mammal" to the bear and orca images. The shark image was already tagged as "Cartilaginous fish," and the iguana doesn't yet have a tag.

+> Switch layouts only when you have a fresh page of unlabeled data. Switching layouts clears the in-progress tagging work of the page.

+Once you tag all the images on the page, Azure enables the **Submit** button. Select **Submit** to save your work.

+While you label the medical images with the same tools as any other images, you can use a different tool for DICOM images. Select the **Window and level** tool to change the intensity of the image. This tool is available only for DICOM images.

+Assign a single tag to the entire image for an "Image Classification Multi-Class" project type. To review the directions at any time, go to the **Instructions** page, and select **View detailed instructions**.

+If you realize that you made a mistake after you assign a tag to an image, you can fix it. Select the "**X**" on the label displayed below the image, to clear the tag. You can also select the image and choose another class. The newly selected value replaces the previously applied tag.

+If your project is of type "Image Classification Multi-Label," you apply one *or more* tags to an image. To see the project-specific directions, select **Instructions**, and go to **View detailed instructions**.

+Select the image that you want to label, and then select the tag. The tag is applied to all the selected images, and then the images are deselected. To apply more tags, you must reselect the images. The following animation shows multi-label tagging:

+To correct a mistake, select the "**X**" to clear an individual tag, or select the images and then select the tag, to clear the tag from all the selected images. This scenario is shown here. Selecting "Land" clears that tag from the two selected images.

+Azure will only enable the **Submit** button after you apply at least one tag to each image. Select **Submit** to save your work.

+If your project is of type "Object Identification (Bounding Boxes)," you specify one or more bounding boxes in the image, and apply a tag to each box. Images can have multiple bounding boxes, each with a single tag. Use **View detailed instructions** to determine if your project uses multiple bounding boxes.

+1. Select a tag for the bounding box you plan to create.

+1. Select the **Rectangular box** tool , or select "R."

+3. Select and diagonally drag across your target, to create a rough bounding box. Drag the edges or corners to adjust the bounding box.

+You can't change the tag of an existing bounding box. To fix a tag-assignment mistake, you must delete the bounding box, and create a new one with the correct tag.

+Use the **Regions manipulation** tool , or "M", to adjust an existing bounding box. Drag the edges or corners to adjust the shape. Select in the interior if you want to drag the whole bounding box. If you can't edit a region, you probably toggled the **Lock/unlock regions** tool.

+Use the **Template-based box** tool , or "T", to create multiple bounding boxes of the same size. If the image has no bounding boxes, and you activate template-based boxes, the tool produces 50-by-50-pixel boxes. If you create a bounding box, and then activate template-based boxes, the size of any new bounding boxes matches the size of the last box that you created. Template-based boxes can be resized after placement. Resizing a template-based box only resizes that particular box.

+If your project is of type "Instance Segmentation (Polygon)," specify one or more polygons in the image, and apply a tag to each polygon. Images can have multiple bounding polygons, each with a single tag. Use **View detailed instructions** to determine if your project uses multiple bounding polygons.

+1. Select the **Draw polygon region** tool , or select "P."

+1. Select for each point in the polygon. When you complete the shape, double-click to finish.

+To change the tag for a polygon, select the **Move region** tool, select the polygon, and select the correct tag.

+You can edit existing polygons. The **Lock/unlock regions** tool , or "L", toggles that behavior. If regions are locked, you can only change the shape or location of a new polygon.

+Use the **Add or remove polygon points** tool , or "U", to adjust an existing polygon. Select the polygon to add or remove a point. If you can't edit a region, you probably toggled the **Lock/unlock regions** tool.

+| Classification Multi-Class | Assign a single tag to the entire text entry. You can only select one tag for each text item. Select a tag, and then select **Submit** to move to the next entry. |

+| Classification Multi-Label | Assign one *or more* tags to each text entry. You can select multiple tags for each text item. Select all the tags that apply, and then select **Submit** to move to the next entry. |

+| Named entity recognition | Tag different words or phrases in each text entry. See directions in the next section.

+To see the project-specific directions, select **Instructions**, and go to **View detailed instructions**.

+### Tag words and phrases

+1. Select the label, or type the number corresponding to the appropriate label

+* Delete the label and start over.

+* Change the value for some or all of a specific label in your current item:

+ * Select the label itself, which selects all instances of that label.

+ * Select again on the instances of this label, to unselect any instances you want to keep.

+Once you tag all the items in an entry, select **Submit** to move to the next entry.

+When you submit a page of tagged data, Azure assigns new unlabeled data to you from a work queue. If there's no more unlabeled data available, a new message says so, along with a link to the portal home page.

+When you finish labeling, select your image inside a circle in the upper-right corner of the studio, and then select **sign-out**. If you don't sign out, eventually Azure will "time you out" and assign your data to another labeler.

+* If you're using Azure Container Registry (ACR), Storage Account, Key Vault, or Application Insights in the different subscription than the workspace, you cannot use network isolation with managed online endpoints. If you want to use network isolation with managed online endpoints, you must have ACR, Storage Account, Key Vault, and Application Insights in the same subscription with the workspace. For limitations that apply to network isolation with managed online endpoints, see [How to secure online endpoint](how-to-secure-online-endpoint.md#limitations).

+

+* When you use network isolation with a deployment, you can use Azure Container Registry (ACR), Storage account, Key Vault and Application Insights from a different resource group in the same subscription, but you cannot use them if they are in a different subscription.

+- [Troubleshoot online endpoints deployment](how-to-troubleshoot-online-endpoints.md)

+ inputs=Input(path="https://azuremlexampledata.blob.core.windows.net/data/mnist/sample/", type=AssetTypes.URI_FOLDER)

+1. On __Select data source__, select the data input you want to use. For this example, select __Datastore__ and in the section __Path__ enter the full URL `https://azuremlexampledata.blob.core.windows.net/dat) for details.

+Use `params_override` to configure any folder in an Azure Machine Learning registered data store. Only registered data stores are supported as output paths. In this example we will use the default data store:

+```python

+batch_ds = ml_client.datastores.get_default()

+```

+Once you identified the data store you want to use, configure the output as follows:

+ input=Input(

+ path="https://azuremlexampledata.blob.core.windows.net/data/mnist/sample/",

+ type=AssetTypes.URI_FOLDER

+ ),

+ params_override=[

+ { "output_dataset.datastore_id": f"azureml:{batch_ds.id}" },

+ { "output_dataset.path": "/mnist-batch-results" }

+ { "output_file_name": "mnist-predictions.csv" },

+ ]

+ input=Input(

+ path="https://azuremlexampledata.blob.core.windows.net/data/mnist/sample/"

+ ),

+description: Learn about Azure Peering Service.

+description: Learn how to create, change, or delete a Peering Service connection using the Azure portal.

+description: Learn how to create, change, or delete a Peering Service connection using the Azure CLI.

+ Title: Access connection telemetry

+description: Learn how to access Azure Peering Service connection telemetry.

+# Access Peering Service connection telemetry

+description: Learn about Microsoft Azure Peering Service connection.

+description: Learn about Azure Peering Service available locations and partners.

+ Title: Measure connection telemetry

+description: Learn how to measure Azure Peering Service connection telemetry.

+# Measure Peering Service connection telemetry

+description: Get started to onboard Azure Peering Service.

+You can now enable pg_hint_plan your Postgres database. Connect to the database and issue the following command:

+CREATE EXTENSION pg_hint_plan ;

+Best way to manage PostgreSQL database access permissions at scale is using the concept of [roles](https://www.postgresql.org/docs/current/user-manag.html). A role can be either a database user or a group of database users, moreover roles can own the database objects and assign privileges on those objects to other roles to control who has access to which objects. It is also possible to grant membership in a role to another role, thus allowing the member role to use privileges assigned to another role.

+PostgreSQL lets you grant permissions directly to the database users. As a good security practice, it can be recommended that you create roles with specific sets of permissions based on minimum application and access requirements and then assign the appropriate roles to each user. The roles should be used to enforce a *least privilege model* for accessing database objects.

+While you're creating the Azure Database for PostgreSQL server, you provide credentials for an **administrator role**. This administrator role can be used to create more [PostgreSQL roles](https://www.postgresql.org/docs/current/user-manag.html). The administrator role should never be used by the application.

+For example, below we can create an example role called *demouser*,

+ Title: 'Quickstart: Create a private endpoint - Bicep'

+ Title: 'Quickstart: Create a private endpoint - Azure CLI'

+description: In this quickstart, you'll learn how to create a private endpoint using the Azure CLI.

+ Title: 'Quickstart: Create a private endpoint - Azure portal'

+description: In this quickstart, you'll learn how to create a private endpoint using the Azure portal.

+ Title: 'Quickstart: Create a private endpoint - Azure PowerShell'

+description: In this quickstart, you'll learn how to create a private endpoint using Azure PowerShell.

+ Title: 'Quickstart: Create a private endpoint - ARM template'

+description: In this quickstart, you'll learn how to create a private endpoint using an Azure Resource Manager template (ARM template).

+ Title: 'Quickstart: Create a private link service - Bicep'

+ Title: 'Quickstart - Create an Azure Private Link service - Azure CLI'

+description: In this quickstart, learn how to create an Azure Private Link service using Azure CLI.

+ Title: 'Quickstart - Create a Private Link service - Azure portal'

+description: Learn how to create a Private Link service using the Azure portal in this quickstart.

+ Title: 'Quickstart: Create an Azure private link service - Azure PowerShell'

+description: In this quickstart, learn how to create an Azure private link service using Azure PowerShell.

+ Title: 'Quickstart: Create a private link service - ARM template'

+# Quickstart: Create a private link service using an ARM template

+ Title: 'Disable network policies for Azure Private Link service source IP address'

+description: Learn about Azure Private Endpoint DNS configuration.

+ Title: Export DNS records for a private endpoint - Azure portal

+# Tutorial: Connect to an Azure SQL server using an Azure Private Endpoint using Azure CLI

+description: Get started with this tutorial to learn how to connect to a storage account privately via Azure Private Endpoint using the Azure portal.

+# Tutorial: Connect to an Azure SQL server using an Azure Private Endpoint using the Azure portal

+# Tutorial: Connect to an Azure SQL server using an Azure Private Endpoint using Azure PowerShell

+ Title: Propagating anycast routes to on-premises

+description: Learn about advertising the same route from different regions with Azure Route Server.

+ Title: Azure Route Server support for ExpressRoute and Azure VPN

+ Title: Monitor Azure Route Server

+description: Learn how to monitor Azure Route Server metrics using Azure Monitor.

+ Title: Multi-region designs with Azure Route Server

+ Title: Next Hop IP Support

+ Title: What is Azure Route Server?

+ Title: Path selection with Azure Route Server

+ Title: 'Quickstart: Create and configure Route Server - Azure CLI'

+description: In this quickstart, you learn how to create and configure an Azure Route Server using Azure CLI.

+ Title: 'Quickstart: Create and configure Route Server - Azure portal'

+description: In this quickstart, you learn how to create and configure an Azure Route Server using the Azure portal.

+ Title: 'Quickstart: Create and configure Route Server - Azure PowerShell'

+description: In this quickstart, you learn how to create and configure an Azure Route Server using Azure PowerShell.

+ Title: 'Quickstart: Create an Azure Route Server - ARM template'

+description: This quickstart shows you how to create an Azure Route Server using Azure Resource Manager template (ARM template).

+ Title: Resource Manager template samples

+ Title: 'Tutorial: Configure peering between Azure Route Server and Network Virtual Appliance'

+description: Learn how to set up a route server and protect it with Azure DDoS protection.

+ Title: Injecting routes to Azure VMware Solution

+## SAP Integration with Microsoft Services

+In addition to the capabilities to run SAP IaaS and SaaS workloads on Azure, Microsoft offers a variety of capabilities, scenarios, best-practice guides, and tutorials to integrate SAP workloads running anywhere with other Microsoft products and services. Among them are popular services such as Azure Active Directory, Exchange Online, Power Platform and Power BI, Azure Integration Services, Excel, SAP Business Technology Platform, SAP Analytics Cloud, SAP Data Warehouse Cloud, and SAP Success Factors to name a few.

+For more information, see the [SAP Integration with Microsoft Services](workloads/integration-get-started.md) documentation.

+- [Get started with SAP and Azure integration scenarios](workloads/integration-get-started.md)

+Learn more about [using private endpoints to secure traffic between Standard logic apps and Azure virtual networks](../logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint.md).

+1. In the **Inbound traffic** area, select **Access restriction**.

+ Title: Out-of-the-box (OOTB) content centralization changes

+description: This article describes the centralization changes about to take place for out-of-the-box content in Microsoft Sentinel.

+#Customer intent: As a SIEM decision maker or implementer, I want to know about changes to out of the box content, and how to centralize the management, discovery and inventory of content in Microsoft Sentinel.

+# Microsoft Sentinel out-of-the-box content centralization changes

+Microsoft Sentinel Content hub enables discovery and on-demand installation of out-of-the-box (OOTB) content and solutions in a single step. Previously, some of this OOTB content only existed in various gallery sections of Sentinel. We're excited to announce *all* of the following gallery content templates are now available in content hub as standalone items or part of packaged solutions.

+- **Data connectors**

+- **Hunting queries**

+- **Analytics rule templates**

+- **Playbook templates**

+- **Workbook templates**

+## Content hub changes

+In order to centralize all out-of-the-box content, we're planning to retire the gallery-only content templates. The legacy gallery content templates are no longer being updated consistently, and the content hub is where OOTB content is kept up to date. Content hub also provides update workflows for solutions and automatic updates for standalone content. To facilitate this transition, we're going to publish a central tool to reinstate corresponding **IN USE** retired templates from corresponding Content hub solutions.

+## Sentinel GitHub changes

+Microsoft Sentinel has an official [GitHub repository](https://github.com/Azure/Azure-Sentinel) for community contributions vetted by Microsoft and the community. It's the source for most of the content items in Content hub. For consistent discovery of this content, the OOTB content centralization changes have already been extended to the Sentinel GitHub repo.

+ - All OOTB content packaged from content hub solutions is now stored in the GitHub repo [Solutions folder](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions).

+ - All standalone OOTB content will continue to remain in their respective locations.

+

+Together, these Content hub and Sentinel GitHub repo changes will complete the journey towards centralizing Sentinel content.

+## When is this change coming?

+> [!IMPORTANT]

+> The following timeline is tentative and subject to change.

+>

+The centralization change in the Sentinel portal is expected to go live in all Sentinel workspaces Q2 2023. The Microsoft Sentinel GitHub changes have already been done. Standalone content is available in existing GitHub folders and solutions content has been moved to the solutions folder.

+## Scope of change

+This change is only scoped to *gallery content* type templates. All these same templates and more OOTB content are available in *Content hub* as solutions or standalone content.

+For Microsoft Sentinel GitHub, OOTB content packaged in solutions in content hub is now only listed under the GitHub repo [Solutions folder](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions). The other existing GitHub content is scoped to the following folders and only contains standalone content items. Content in the remaining GitHub folders not called out in this list don't have any changes.

+- [DataConnectors folder](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors)

+- [Detections folder](https://github.com/Azure/Azure-Sentinel/tree/master/Detections) (Analytics rules)

+- [Hunting queries folder](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries)

+- [Parsers folder](https://github.com/Azure/Azure-Sentinel/tree/master/Parsers)

+- [Playbooks folder](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks)

+- [Workbooks folder](https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks)

+### What's not changing?

+The active or custom items created in any manner (from templates or otherwise) are **NOT** impacted by this change. More specifically, the following are **NOT** affected by this change:

+- Data Connectors with *Status = Connected*.

+- Alert rules or detections (enabled or disabled) in the **'Active rules'** tab in the Analytics gallery.

+- Saved workbooks in the **'My workbooks'** tab in the Workbooks gallery.

+- Cloned content or *Content source = Custom* in the Hunting gallery.

+- Active playbooks (enabled or disabled) in the **'Active playbooks'** tab in the Automation gallery.

+Any OOTB content templates installed from content hub (identifiable as *Content source = Content hub*) are NOT affected by this change.

+### What's changing?

+All template galleries will display an in-product warning banner. This banner will contain a link to a tool that will run within the Microsoft Sentinel portal. Activating the tool will initiate a guided experience to reinstate the content templates for the **IN USE** retired templates from the Content hub. This tool only needs to be run once per workspace, so be sure to plan with your organization. Once the tool runs successfully, the warning banner will resolve and no longer be visible from the template galleries of that workspace.

+Specific impact to the gallery content templates for each of these galleries are detailed in the following table. Expect these changes when the OOTB content centralization goes live.

+| Content Type | Impact |

+| - | - |

+| [Data connectors](connect-data-sources.md) | The templates identifiable as `content source = "Gallery content"` and `Status = "Not connected"` will no longer appear in the data connectors gallery. |

+| [Analytics templates](detect-threats-built-in.md#view-built-in-detections) | The templates identifiable as `source name = "Gallery content"` will no longer appear in the Analytics template gallery. |

+| [Hunting](hunting.md#use-built-in-queries) | The templates with `Content source = "Gallery content"` will no longer appear in the Hunting gallery. |

+| [Workbooks templates](get-visibility.md#use-built-in-workbooks) | The templates with `Content source = "Gallery content"` will no longer appear in the Workbooks template gallery. |

+| [Playbooks templates](use-playbook-templates.md#explore-playbook-templates) | The templates identifiable as `source name = "Gallery content"` will no longer appear in the Automation Playbook templates gallery. |

+Here's an example of an Analytics rule before and after the centralization changes and the tool has run.

+- The active Analytics rule won't change at all. We can see it's based on an Analytics rule template that will be retired.

+ :::image type="content" source="media/sentinel-content-centralize/before-tool-analytic-rule-active-2.png" alt-text="This screenshot shows an active Analytics rule before centralization changes.":::

+- This screenshot shows an Analytics rule template that will be retired.

+ :::image type="content" source="media/sentinel-content-centralize/before-tool-analytic-rule-templates-2.png" alt-text="This screenshot shows the Analytics rule template that will be retired.":::

+- After the tool has been run to reinstate the Analytics rule template, the source changes to the solution it's reinstated from.

+ :::image type="content" source="media/sentinel-content-centralize/after-tool-analytic-rule-template-2.png" alt-text="This screenshot shows the Analytics rule template after being reinstated from the Content hub Azure Active Directory solution.":::

+## Action needed

+- Starting now, install new OOTB content from Content hub and update solutions as needed to have the latest version of templates.

+- For existing gallery content templates in use, get future updates by installing the respective solutions or standalone content items from Content hub. The gallery content in the feature galleries may be out-of-date.

+- If you have applications or processes that directly get OOTB content from the Microsoft Sentinel GitHub repository, update the locations to include getting OOTB content from the solutions folder in addition to existing content folders.

+- Plan with your organization who and when will run the tool when you see the warning banner and the change goes live in Q2 2023. The tool needs to be run once in a workspace to reinstate all **IN USE** retired templates from the Content hub.

+- Review the FAQs section to learn more details that may be applicable to your environment.

+## Content centralization FAQs

+#### Will my SOC alert generation or incidents generation and management be impacted by this change?

+No, there's no impact to active alert rules or detections, or active playbooks, or cloned hunting queries, or saved workbooks. The OOTB content centralization change won't impact your current incident generation and management processes.

+#### Are there any gallery content exceptions?

+Yes, the following Analytics rule template types are exempt from this change.

+- Anomalies rule templates

+- Fusion rule templates

+- ML (Machine Learning) Behavior Analytics rule templates

+- Microsoft Security (incident creation) rule templates

+- Threat Intelligence rule template

+#### Will any of the APIs be impacted with this change?

+Yes. Currently the only Sentinel REST API calls that exist for content template management are the `Get` and `List` operations for alert rule templates. These operations only surface gallery content templates and won't be updated. For more information on these operations see the current [Alert Rule Templates REST API reference](/rest/api/securityinsights/stable/alert-rule-templates).

+New content hub REST API operations will be available soon to enable OOTB content management scenarios more broadly. This API update will include operations for the same content types scoped in the centralization changes (data connectors, playbook templates, workbook templates, analytic rule templates, hunting queries). A mechanism to update Analytics rule templates installed on the workspace is also on the roadmap.

+**Action needed:** Plan to update your applications and processes to utilize the new content hub OOTB content management API operations when those are available in Q2 2023.

+#### How will the central tool identify my in-use OOTB content templates?

+The tool builds a list of solutions based on two criteria: data connectors with `Status = "Connected"` and **IN USE** Playbook templates. Once the proposed list of solutions is generated, the tool will present them for approval. If approved, the tool installs all those solutions. Because the OOTB content is reinstated based on solutions you may get more templates than you might actually be using.

+Please note that this central tool is a best-effort to get your **IN USE** OOTB content templates reinstated from Content hub. You can install OOTB content omitted directly from Content hub.

+#### What if I'm using APIs to connect data sources in my Sentinel workspace?

+Currently, if an API data connection matches the data connector data type, it will show up as `Status = "Connected"` in the Data connectors gallery. After the centralization changes go live, the specific data connector needs to be installed from a respective solution to get the same behavior.

+**Action needed:** Plan to update processes or tooling for your data connector deployments to install from Content hub solution(s) before the connecting with data ingestion APIs. The REST API operator for installing a solution will be coming in Q2 2023 with the OOTB content management APIs.

+#### What if I'm working with content using Repositories feature in Microsoft Sentinel?

+Repositories specifically deploy custom or active content in Microsoft Sentinel. Content deployed through the Repositories feature won't be impacted by the OOTB content centralization changes.

+## Next steps

+Take a look at these other resources for OOTB content and Content hub.

+- [About OOTB content and solutions in Microsoft Sentinel](sentinel-solutions.md)

+- [Discover OOTB content and solutions in Content hub](sentinel-solutions-deploy.md)

+- [How to install and update OOTB content and solutions in Content hub](sentinel-solutions-deploy.md#install-or-update-content)

+- [Bulk install and update solutions and standalone content in Content hub](sentinel-solutions-deploy.md#bulk-install-and-update-content)

+- [How to enable OOTB content and solutions in Content hub](sentinel-solutions-deploy.md#enable-content-items-in-a-solution)

+- Video: [Using content hub to manage your SIEM content](https://www.youtube.com/watch?v=OtHs4dnR0yA&list=PL3ZTgFEc7LyvY90VTpKVFf70DXM7--47u&index=10)

+ :::image type="content" source="media/spring-cloud-access-app-vnet/create-dns-record.png" alt-text="Screenshot of the Azure portal showing the Connected devices page for a virtual network, filtered for kubernetes-internal devices, with the IP Address for the service runtime subnet highlighted." lightbox="media/spring-cloud-access-app-vnet/create-dns-record.png":::

+ >[!NOTE]

+ >The name you choose for the prefix needs to be a unique name.

+ Title: Configure private IP addresses for VMs (Classic) - Azure portal

+ Title: Configure private IP addresses for VMs (Classic) - Azure PowerShell

+ Title: Azure Storage Explorer Accessibility

+ Title: Manage Azure Blob Storage resources with Storage Explorer

+ Title: Using Storage Explorer with Azure Files

+ Title: Get started with Storage Explorer

+|**WAF Total Requests**|Count of successful requests that WAF engine has served| Action, Country/Region, Method, Mode, Policy Name, Policy Scope|

+|**WAF Managed Rule Matches**|Count of total managed rule matches| Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Group, Rule ID, Rule Set Name|

+|**WAF Custom Rule Matches**|Count of custom rule matches| Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Name|

+|**WAF Bot Protection Matches**¹|Count of total bot protection rule matches that have been blocked or logged from malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed.| Action, Country/Region, Bot Type, Mode, Policy Name, Policy Scope|

+¹ Only Bot Manager Rule Set 0.1 will be displayed under ΓÇ£WAF Bot Protection MatchesΓÇ¥. Requests matching Bot Manager Rule Set 1.0 will increase ΓÇ£WAF Total RequestsΓÇ¥ metrics, not ΓÇ£WAF Bot Protection MatchesΓÇ¥.