Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
ai-services | Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-detection/how-to/call-api.md | Analysis is performed upon receipt of the request. Using the language detection When you get results from language detection, you can stream the results to an application or save the output to a file on the local system. -Language detection will return one predominant language for each document you submit, along with it's [ISO 639-1](https://www.iso.org/standard/22109.html) name, a human-readable name, and a confidence score. A positive score of 1 indicates the highest possible confidence level of the analysis. +Language detection will return one predominant language for each document you submit, along with it's [ISO 639-1](https://www.iso.org/standard/22109.html) name, a human-readable name, a confidence score, script name and script code according to the [ISO 15924 standard](https://wikipedia.org/wiki/ISO_15924). A positive score of 1 indicates the highest possible confidence level of the analysis. + ### Ambiguous content In some cases it may be hard to disambiguate languages based on the input. You c For example, "communication" is common to both English and French and if given with limited context the response will be based on the "US" country/region hint. If the origin of the text is known to be coming from France that can be given as a hint. +> [!NOTE] +> Ambiguous content can cause confidence scores to be lower. +> The `countryHint` in the response is only applicable if the confidence score is less than 0.8. + **Input** ```json For example, "communication" is common to both English and French and if given w } ``` -The language detection model now has additional context to make a better judgment: +With the second document, the language detection model has additional context to make a better judgment because it contains the `countryHint` property in the input above. 
This will return the following output. + **Output** If the analyzer can't parse the input, it returns `(Unknown)`. An example is if } ], "errors": [],- "modelVersion": "2021-01-05" + "modelVersion": "2023-12-01" } ``` The resulting output consists of the predominant language, with a score of less ```json {- "documents": [ - { - "id": "1", - "detectedLanguage": { - "name": "Spanish", - "iso6391Name": "es", - "confidenceScore": 0.88 - }, - "warnings": [] - } - ], - "errors": [], - "modelVersion": "2021-01-05" + "kind": "LanguageDetectionResults", + "results": { + "documents": [ + { + "id": "1", + "detectedLanguage": { + "name": "Spanish", + "iso6391Name": "es", + "confidenceScore": 0.97, + "script": "Latin", + "scriptCode": "Latn" + }, + "warnings": [] + } + ], + "errors": [], + "modelVersion": "2023-12-01" + } +} +``` ++## Script name and script code ++> [!NOTE] +> * Script detection is currently limited to [select languages](../language-support.md#script-detection). +> * The script detection is only available for textual input which is greater than 12 characters in length. ++Language detection offers the ability to detect more than one script per language according to the [ISO 15924 standard](https://wikipedia.org/wiki/ISO_15924). Specifically, Language Detection returns two script-related properties: ++* `script`: The human-readable name of the identified script +* `scriptCode`: The ISO 15924 code for the identified script ++The output of the API includes the value of the `scriptCode` property for documents that are at least 12 characters or greater in length and matches the list of supported languages and scripts. Script detection is designed to benefit users whose language can be transliterated or written in more than one script, such as Kazakh or Hindi language. ++Previously, language detection was designed to detect the language of documents in a wide variety of languages, dialects, and regional variants, but was limited by "Romanization". 
Romanization refers to conversion of text from one writing system to the Roman (Latin) script, and is necessary to detect many Indo-European languages. However, there are other languages which are written in multiple scripts, such as Kazakh, which can be written in Cyrillic, Perso-Arabic, and Latin scripts. There are also other cases in which users may either choose or are required to transliterate their language in more than one script, such as Hindi transliterated in Latin script, due to the limited availability of keyboards which support its Devanagari script. ++Consequently, language detection's expanded support for script detection behaves as follows: ++**Input** ++```json +{ +    "kind": "LanguageDetection", +    "parameters": { +        "modelVersion": "latest" +    }, +    "analysisInput": { +        "documents": [ +            { +                "id": "1", +                "text": "आप कहाँ जा रहे हैं?" +            }, +            { +                "id": "2", +                "text": "Туған жерім менің - Қазақстаным" +            } +        ] +    } +} +``` ++**Output** ++The resulting output consists of the predominant language, along with a script name, script code, and confidence score. 
++```json +{ +    "kind": "LanguageDetectionResults", +    "results": { +        "documents": [ +            { +                "id": "1", +                "detectedLanguage": { +                    "name": "Hindi", +                    "iso6391Name": "hi", +                    "confidenceScore": 1.0, +                    "script": "Devanagari", +                    "scriptCode": "Deva" +                }, +                "warnings": [] +            }, +            { +                "id": "2", +                "detectedLanguage": { +                    "name": "Kazakh", +                    "iso6391Name": "kk", +                    "confidenceScore": 1.0, +                    "script": "Cyrillic", +  "scriptCode": "Cyrl" +                }, +                "warnings": [] +            } +        ], +        "errors": [], +        "modelVersion": "2023-12-01" +    } } ``` ++ ## Service and data limits [!INCLUDE [service limits article](../../includes/service-limits-link.md)] |
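Review bot: The new "Script name and script code" section in call-api.md states the length threshold two ways. The note says script detection is only available for input "greater than 12 characters in length", while the paragraph after the property list says "at least 12 characters or greater in length", so a document of exactly 12 characters is excluded by one statement and included by the other. Pick one wording and use it in both places. In the rewritten sentence under "Using the language detection", "along with it's" should be "along with its".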
ai-services | Use Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-detection/how-to/use-containers.md | The following table describes the minimum and recommended specifications for the | | Minimum host specs | Recommended host specs | Minimum TPS | Maximum TPS| |||-|--|--|-| **Language detection** | 1 core, 2GB memory | 1 core, 4GB memory |15 | 30| +| **Language detection** | 1 core, 5GB memory | 1 core, 8GB memory |15 | 30| CPU core and memory correspond to the `--cpus` and `--memory` settings, which are used as part of the `docker run` command. |
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-detection/language-support.md | If you have content expressed in a less frequently used language, you can try La | Telugu | `te` | | Urdu | `ur` | +## Script detection ++| Language |Script code | Scripts | +| | | | +| Bengali (Bengali-Assamese) | `as` | `Latn`, `Beng` | +| Bengali (Bangla) | `bn` | `Latn`, `Beng` | +| Gujarati | `gu` | `Latn`, `Gujr` | +| Hindi | `hi` | `Latn`, `Deva` | +| Kannada | `kn` | `Latn`, `Knda` | +| Malayalam | `ml` | `Latn`, `Mlym` | +| Marathi | `mr` | `Latn`, `Deva` | +| Oriya | `or` | `Latn`, `Orya` | +| Gurmukhi | `pa` | `Latn`, `Guru` | +| Tamil | `ta` | `Latn`, `Taml` | +| Telugu | `te` | `Latn`, `Telu` | +| Arabic | `ur` | `Latn`, `Arab` | +| Cyrillic | `tt` | `Latn`, `Cyrl` | +| Serbian `sr` | `Latn`, `Cyrl` | +| Unified Canadian Aboriginal Syllabics | `iu` | `Latn`, `Cans` | + ## Next steps [Language detection overview](overview.md) |
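Review bot: In the new "Script detection" table, the row "| Serbian `sr` | `Latn`, `Cyrl` |" is missing the pipe between the language name and its code, so it has two cells where every other row has three. The second column is headed "Script code" but holds language codes (`hi`, `kn`, `ta`), while the script codes are in the third column; a header such as "Language code" would match the table above it. Several rows also put a script name in the Language column: `ur` is listed as Urdu in the table just above but as "Arabic" here, and `pa`, `tt` and `iu` appear as "Gurmukhi", "Cyrillic" and "Unified Canadian Aboriginal Syllabics".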
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-detection/overview.md | -Language detection is one of the features offered by [Azure AI Language](../overview.md), a collection of machine learning and AI algorithms in the cloud for developing intelligent applications that involve written language. Language detection can detect the language a document is written in, and returns a language code for a wide range of languages, variants, dialects, and some regional/cultural languages. +Language detection is one of the features offered by [Azure AI Language](../overview.md), a collection of machine learning and AI algorithms in the cloud for developing intelligent applications that involve written language. Language detection is able to detect more than 100 languages in their primary script. In addition, it offers [script detection](./how-to/call-api.md#script-name-and-script-code) to detect multiple scripts per language according to the [ISO 15924 standard](https://wikipedia.org/wiki/ISO_15924) for a [select number of languages](./language-support.md#script-detection). This documentation contains the following types of articles: * [**Quickstarts**](quickstart.md) are getting-started instructions to guide you through making requests to the service. * [**How-to guides**](how-to/call-api.md) contain instructions for using the service in more specific or customized ways. +## Language detection features ++* Language detection: Returns one predominant language for each document you submit, along with its ISO 639-1 name, a human-readable name, confidence score, script name and script code according to ISO 15924 standard. ++* Script detection: To distinguish between multiple scripts used to write certain languages, such as Kazakh, language detection returns a script name and script code according to the ISO 15924 standard. 
++* Ambiguous content handling: To help disambiguate language based on the input, you can specify an ISO 3166-1 alpha-2 country/region code. For example, the word "communication" is common to both English and French. Specifying the origin of the text as France can help the language detection model determine the correct language. + [!INCLUDE [Typical workflow for pre-configured language features](../includes/overview-typical-workflow.md)] This documentation contains the following types of articles: ## Responsible AI -An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the [transparency note for language detection](/legal/cognitive-services/language-service/transparency-note-language-detection?context=/azure/ai-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information: +An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it's deployed. Read the [transparency note for language detection](/legal/cognitive-services/language-service/transparency-note-language-detection?context=/azure/ai-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information: [!INCLUDE [Responsible AI links](../includes/overview-responsible-ai-links.md)] |
ai-services | Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/language-detection/quickstart.md | |
ai-services | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/whats-new.md | +## February 2024 ++* Expanded [language detection](./language-detection/how-to/call-api.md#script-name-and-script-code) support for additional scripts according to the [ISO 15924 standard](https://wikipedia.org/wiki/ISO_15924) is now available starting in API version `2023-11-15-preview`. + ## January 2024 * [Native document support](native-document-support/use-native-documents.md) is now available in `2023-11-15-preview` public preview. |
ai-services | Use Your Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/use-your-data.md | When you want to reuse the same URL/web address, you can select [Azure AI Search -## Ingestion parameters --You can use the following parameter to change how your data is ingested in Azure OpenAI Studio, Azure AI Studio, and the ingestion API. Changing the parameter requires re-ingesting your data into Azure Search. --|Parameter name | Description | -||| -| **Chunk size** | Azure OpenAI on your data processes your documents by splitting them into chunks before indexing them in Azure Search. The chunk size is the maximum number of tokens for any chunk in the search index. The default chunk size is 1024 tokens. However, given the uniqueness of your data, you might find a different chunk size (such as 256, 512, or 1,536 tokens for example) more effective. Adjusting the chunk size can enhance the performance of the chat bot. While finding the optimal chunk size requires some trial and error, start by considering the nature of your dataset. A smaller chunk size is generally better for datasets with direct facts and less context, while a larger chunk size might be beneficial for more contextual information, though it can affect retrieval performance. This is the `chunkSize` parameter in the API.| -- ## Runtime parameters You can modify the following additional settings in the **Data parameters** section in Azure OpenAI Studio and [the API](../reference.md#completions-extensions). You do not need to re-ingest your data when you update these parameters. You can modify the following additional settings in the **Data parameters** sect |Parameter name | Description | ||| | **Limit responses to your data** | This flag configures the chatbot's approach to handling queries unrelated to the data source or when search documents are insufficient for a complete answer. 
When this setting is disabled, the model supplements its responses with its own knowledge in addition to your documents. When this setting is enabled, the model attempts to only rely on your documents for responses. This is the `inScope` parameter in the API. |-|**Top K Documents** | This parameter is an integer that can be set to 3, 5, 10, or 20, and controls the number of document chunks provided to the large language model for formulating the final response. By default, this is set to 5. The search process can be noisy and sometimes, due to chunking, relevant information may be spread across multiple chunks in the search index. Selecting a top-K number, like 5, ensures that the model can extract relevant information, despite the inherent limitations of search and chunking. However, increasing the number too high can potentially distract the model. Additionally, the maximum number of documents that can be effectively used depends on the version of the model, as each has a different context size and capacity for handling documents. If you find that responses are missing important context, try increasing this parameter. Conversely, if you think the model is providing irrelevant information alongside useful data, consider decreasing it. When experimenting with the [chunk size](#ingestion-parameters), we recommend adjusting the top-K parameter to achieve the best performance. Usually, it is beneficial to change the top-K value in the opposite direction of your chunk size adjustment. For example, if you decrease the chunk size from the default of 1024, you might want to increase the top-K value to 10 or 20. This ensures a similar amount of information is provided to the model, as reducing the chunk size decreases the amount of information in the 5 documents given to the model. This is the `topNDocuments` parameter in the API. 
| +|**Top K Documents** | This parameter is an integer that can be set to 3, 5, 10, or 20, and controls the number of document chunks provided to the large language model for formulating the final response. By default, this is set to 5. The search process can be noisy and sometimes, due to chunking, relevant information may be spread across multiple chunks in the search index. Selecting a top-K number, like 5, ensures that the model can extract relevant information, despite the inherent limitations of search and chunking. However, increasing the number too high can potentially distract the model. Additionally, the maximum number of documents that can be effectively used depends on the version of the model, as each has a different context size and capacity for handling documents. If you find that responses are missing important context, try increasing this parameter. Conversely, if you think the model is providing irrelevant information alongside useful data, consider decreasing it. This is the `topNDocuments` parameter in the API. | | **Strictness** | Determines the system's aggressiveness in filtering search documents based on their similarity scores. The system queries Azure Search or other document stores, then decides which documents to provide to large language models like ChatGPT. Filtering out irrelevant documents can significantly enhance the performance of the end-to-end chatbot. Some documents are excluded from the top-K results if they have low similarity scores before forwarding them to the model. This is controlled by an integer value ranging from 1 to 5. Setting this value to 1 means that the system will minimally filter documents based on search similarity to the user query. Conversely, a setting of 5 indicates that the system will aggressively filter out documents, applying a very high similarity threshold. If you find that the chatbot omits relevant information, lower the filter's strictness (set the value closer to 1) to include more documents. 
Conversely, if irrelevant documents distract the responses, increase the threshold (set the value closer to 5). This is the `strictness` parameter in the API. | |
ai-services | Use Your Data Securely | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/use-your-data-securely.md | To enable the developers to use these resources to build applications, the admin |Role| Resource | Description | |--|--|--| | `Cognitive Services OpenAI Contributor` | Azure OpenAI | Call public ingestion API from Azure OpenAI Studio. The `Contributor` role is not enough, because if you only have `Contributor` role, you cannot call data plane API via Microsoft Entra ID authentication, and Microsoft Entra ID authentication is required in the secure setup described in this article. |+| `Cognitive Services User` | Azure OpenAI | List API-Keys from Azure OpenAI Studio.| | `Contributor` | Azure AI Search | List API-Keys to list indexes from Azure OpenAI Studio.| | `Contributor` | Storage Account | List Account SAS to upload files from Azure OpenAI Studio.| | `Contributor` | The resource group or Azure subscription where the developer need to deploy the web app to | Deploy web app to the developer's Azure subscription.| |
ai-services | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/whats-new.md | Azure OpenAI Service now supports text to speech APIs with OpenAI's voices. Get - [Fine-tuning & function calling](./how-to/fine-tuning-functions.md) - [`gpt-35-turbo 1106` support](./concepts/models.md#fine-tuning-models) -### Chunk size parameter for Azure OpenAI on your data --- You can now set the [chunk size](./concepts/use-your-data.md#ingestion-parameters) parameter when your data is ingested. Adjusting the chunk size can enhance the model's responses by setting the maximum number of tokens for any given chunk of your data in the search index.- ### New regional support for Azure OpenAI on your data You can now use Azure OpenAI on your data in the following Azure region: |
ai-services | Embedded Speech | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/embedded-speech.md | zone_pivot_groups: programming-languages-set-thirteen # Embedded Speech +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + Embedded Speech is designed for on-device [speech to text](speech-to-text.md) and [text to speech](text-to-speech.md) scenarios where cloud connectivity is intermittent or unavailable. For example, you can use embedded speech in industrial equipment, a voice enabled air conditioning unit, or a car that might travel out of range. You can also develop hybrid cloud and offline solutions. For scenarios where your devices must be in a secure environment like a bank or government entity, you should first consider [disconnected containers](../containers/disconnected-containers.md). > [!IMPORTANT] |
ai-services | How To Configure Openssl Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-configure-openssl-linux.md | zone_pivot_groups: programming-languages-set-three # Configure OpenSSL for Linux +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + With the Speech SDK, [OpenSSL](https://www.openssl.org) is dynamically configured to the host-system version. > [!NOTE] |
ai-services | How To Configure Rhel Centos 7 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-configure-rhel-centos-7.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + To use the Speech SDK on Red Hat Enterprise Linux (RHEL) 7 x64 and CentOS 7 x64, update the C++ compiler (for C++ development) and the shared C++ runtime library on your system. ## Install dependencies |
ai-services | Setup Platform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/quickstarts/setup-platform.md | +#customer intent: As a developer, I want to install the Speech SDK for the language of my choice to implement Speech AI in applications. -# Install the Speech SDK +# Quickstart: Install the Speech SDK ::: zone pivot="programming-language-csharp" [!INCLUDE [C# include](../includes/quickstarts/platform/csharp.md)] zone_pivot_groups: programming-languages-ai-services [!INCLUDE [Python include](./../includes/quickstarts/platform/python.md)] ::: zone-end -## Next steps +## Related content - [Speech to text quickstart](../get-started-speech-to-text.md) - [Text to speech quickstart](../get-started-text-to-speech.md) |
ai-services | What Are Ai Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/what-are-ai-services.md | Azure AI services provides a layered security model, including [authentication]( ## Certifications and compliance -Azure AI services has been awarded certifications such as CSA STAR Certification, FedRAMP Moderate, and HIPAA BAA. You can [download](https://gallery.technet.microsoft.com/Overview-of-Azure-c1be3942 "Download") certifications for your own audits and security reviews. +Azure AI services has been awarded certifications such as CSA STAR Certification, FedRAMP Moderate, and HIPAA BAA. To understand privacy and data management, go to the [Trust Center](https://servicetrust.microsoft.com/ "Trust Center"). |
ai-studio | Ai Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/concepts/ai-resources.md | Connections can be set up as shared with all projects in the same Azure AI hub r Azure AI Studio layers on top of existing Azure services including Azure AI and Azure Machine Learning services. While this might not be visible on the display names in Azure portal, AI Studio, or when using the SDK or CLI, some of these architectural details become apparent when you work with the Azure REST APIs, use Azure cost reporting, or use infrastructure-as-code templates such as Azure Bicep or Azure Resource Manager. From an Azure Resource Provider perspective, Azure AI Studio resource types map to the following resource provider kinds: -|Resource type|Resource provider|Kind| -|||| -|Azure AI hub resources|Microsoft.MachineLearningServices/workspace|hub| -|Azure AI project|Microsoft.MachineLearningServices/workspace|project| -|Azure AI services|Microsoft.CognitiveServices/account|AIServices| -|Azure AI OpenAI Service|Microsoft.CognitiveServices/account|OpenAI| --When you create a new Azure AI hub resource, a set of dependent Azure resources are required to store data that you upload or get generated when working in AI Studio. If not provided by you, these resources are automatically created. --|Dependent Azure resource|Note| -||| -|Azure AI services|Either Azure AI services multi-service provider, or Azure OpenAI Service. Provides API endpoints and keys for prebuilt AI services.| -|Azure Storage account|Stores artifacts for your projects like flows and evaluations. For data isolation, storage containers are prefixed using the project GUID, and conditionally secured using Azure ABAC for the project identity.| -|Azure Key Vault| Stores secrets like connection strings for your resource connections. 
For data isolation, secrets can't be retrieved across projects via APIs.| -|Azure Container Registry| Stores docker images created when using custom runtime for prompt flow. For data isolation, docker images are prefixed using the project GUID.| -|Azure Application Insights| Used as log storage when you opt in for application-level logging for your deployed prompt flows.| ++When you create a new Azure AI hub resource, a set of dependent Azure resources are required to store data that you upload or get generated when working in AI studio. If not provided by you, and required, these resources are automatically created. + ## Managing cost |
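Review bot: The added paragraph in ai-resources.md writes "AI studio" where the line it replaces used "AI Studio"; keep the product name capitalized. With both tables removed, the unchanged sentence before them still ends in "map to the following resource provider kinds:", so confirm that whatever replaces the resource provider table is actually pulled in at that point, otherwise the sentence introduces nothing.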
ai-studio | Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/concepts/architecture.md | + + Title: Architecture ++description: Learn about the architecture of Azure AI Studio. +++ Last updated : 02/06/2024++++++# Azure AI Studio architecture + ++AI Studio provides a unified experience for AI developers and data scientists to build, evaluate, and deploy AI models through a web portal, SDK, or CLI. It's built on capabilities and services provided by other Azure services. ++The top level AI Studio resources (AI hub and AI projects) are based on Azure Machine Learning. Other resources, such as Azure OpenAI, Azure AI Services, and Azure AI Search, are used by the AI hub and AI project. ++- **AI hub**: The AI hub is the top-level resource in AI Studio. The Azure resource provider for an AI hub is `Microsoft.MachineLearningServices/workspaces`, and the kind of resource is `Hub`. It provides the following features: + - Data upload and artifact storage. + - Hub-scoped connections to Azure services such as Azure OpenAI, Azure AI Services, and Azure AI Search. + - Base model endpoints for Azure OpenAI, Speech, and Vision. + - Compute resources. + - Security and governance. +- **AI project**: An AI project is a child resource of the AI hub. The Azure resource provider for an AI project is `Microsoft.MachineLearningServices/workspaces`, and the kind of resource is `Project`. It inherits the AI hub's connections, and compute resources. When a new AI project is created from the AI hub, the security settings of the AI hub are applied to it. The AI project provides the following features: + - Groups of components such as datasets, models, and indexes. + - An isolated data container (within the storage inherited from the AI hub). + - Project-scoped connections. For example, a project might need access to data stored in a separate Azure Storage account. + - Open source model deployments from catalog and fine-tuned model endpoints. 
+ +An AI hub can have multiple child AI projects. Each AI project can have its own set of project-scoped connections. +++### Tenant separation ++While most of the resources used by Azure AI Studio live in your Azure subscription, some resources exist in the Azure AI Studio tenant. The Azure AI Studio tenant is a separate Microsoft Entra ID tenant that provides some of the services used by Azure AI Studio. The following resources are in the Azure AI Studio tenant: ++- **Managed compute resources**: Provided by Azure Batch resources in the Azure AI Studio tenant. +- **Managed virtual network**: Provided by Azure Virtual Network resources in the Azure AI Studio tenant. If FQDN rules are enabled, an Azure Firewall (standard) is added and charged to your subscription. For more information, see [Configure a managed virtual network for Azure AI Studio](../how-to/configure-managed-network.md). +- **Metadata storage**: Provided by Azure Cosmos DB, Azure AI Search, and Azure Storage Account in the Azure AI Studio tenant. If you use customer-managed keys, these resources are created in your subscription. For more information, see [Customer-managed keys](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context). + +## Azure resource providers ++Since Azure AI Studio is built from other Azure services, the resource providers for these services must be registered in your Azure subscription. The following table lists the resource, provider, and resource provider kinds: +++When you create a new Azure AI hub resource, a set of dependent Azure resources are required to store data, manage security, and provide compute resources. The following table lists the dependent Azure resources and their resource providers: ++> [!TIP] +> If you don't provide a dependent resource when creating an AI hub, and it's a required dependency, AI Studio creates the resource for you. 
+++For information on registering resource providers, see [Register an Azure resource provider](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider). ++## Role-based access control and control plane proxy ++Azure AI Services and Azure OpenAI provide control plane endpoints for operations such as listing model deployments. These endpoints are secured using a separate Azure role-based access control (RBAC) configuration than the one used for Azure AI hub. ++To reduce the complexity of Azure RBAC management, AI Studio provides a *control plane proxy* that allows you to perform operations on connected Azure AI Services and Azure OpenAI resources. Performing operations on these resources through the control plane proxy only requires Azure RBAC permissions on the AI hub. The Azure AI Studio service then performs the call to the Azure AI Services or Azure OpenAI control plane endpoint on your behalf. ++For more information, see [Role-based access control in Azure AI Studio](rbac-ai-studio.md). ++## Encryption ++Azure AI Studio uses encryption to protect data at rest and in transit. By default, Microsoft-managed keys are used for encryption, however you can use your own encryption keys. For more information, see [Customer-managed keys](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context). ++## Virtual network ++Azure AI hub can be configured to use a *managed* virtual network. The managed virtual network secures communications between the AI hub, AI projects, and managed resources such as computes. If your dependency services (Azure Storage, Key Vault, and Container Registry) have public access disabled, a private endpoint for each dependency service is created to secure communication between the AI hub/project and the dependency service. 
++> [!NOTE] +> If you want to use a virtual network to secure communications between your clients and the AI hub or AI project, you must use an Azure Virtual Network that you create and manage. For example, an Azure Virtual Network that uses a VPN or ExpressRoute connection to your on-premises network. ++For more information on how to configure a managed virtual network, see [Configure a managed virtual network for Azure AI Studio](../how-to/configure-managed-network.md). ++## Azure Monitor ++Azure monitor and Azure Log Analytics provide monitoring and logging for the underlying resources used by Azure AI Studio. Since Azure AI Studio is built on Azure Machine Learning, Azure OpenAI, Azure AI Services, and Azure AI Search, use the following articles to learn how to monitor the ++| Resource | Monitoring and logging | +| | | +| Azure AI hub and AI project | [Monitor Azure Machine Learning](/azure/machine-learning/monitor-azure-machine-learning) | +| Azure OpenAI | [Monitor Azure OpenAI](/azure/ai-services/openai/how-to/monitoring) | +| Azure AI Services | [Monitor Azure AI (training)](/training/modules/monitor-ai-services/) | +| Azure AI Search | [Monitor Azure AI Search](/azure/search/monitor-azure-cognitive-search) | ++## Price and quota ++For more information on price and quota, use the following articles: ++- [Plan and manage costs](../how-to/costs-plan-manage.md) +- [Commitment tier pricing](../how-to/commitment-tier.md) +- [Quota management](../how-to/quota.md) ++## Next steps ++Create an AI hub using one of the following methods: ++- [Azure AI Studio](../how-to/create-azure-ai-resource.md#create-an-azure-ai-hub-resource-in-ai-studio): Create an AI hub for getting started. +- [Azure portal](../how-to/create-azure-ai-resource.md#create-a-secure-azure-ai-hub-resource-in-the-azure-portal): Create an AI hub with your own networking, encryption, identity and access management, dependent resources, and resource tag settings. 
+- [Bicep template](../how-to/create-azure-ai-hub-template.md). |
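Review bot: In the "Role-based access control and control plane proxy" section, the sentence saying that operations through the proxy "only requires Azure RBAC permissions on the AI hub" should state the least-privilege consequence explicitly: a principal with the relevant hub permissions can perform these control plane operations on connected Azure AI Services and Azure OpenAI resources without holding any role on those resources. Name the hub roles or actions that carry this ability, or link to the specific section of rbac-ai-studio.md that lists them. Separately, the Azure Monitor paragraph ends mid-sentence at "learn how to monitor the", and "Azure monitor" should be capitalized as "Azure Monitor".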
ai-studio | Create Azure Ai Hub Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/create-azure-ai-hub-template.md | + + Title: Create an AI hub using a Bicep template ++description: Use a Microsoft Bicep template to create a new Azure AI hub. +++ Last updated : 02/12/2024++++#Customer intent: As a DevOps person, I need to automate or customize the creation of an AI hub by using templates. +++# Use an Azure Resource Manager template to create an Azure AI hub +++Use a [Microsoft Bicep](/azure/azure-resource-manager/bicep/overview) template to create an Azure AI hub resource for Azure AI Studio. A template makes it easy to create resources as a single, coordinated operation. A Bicep template is a text document that defines the resources that are needed for a deployment. It might also specify deployment parameters. Parameters are used to provide input values when using the template. ++The template used in this article can be found at [https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/aistudio-basics](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/aistudio-basics). Both the source `main.bicep` file and the compiled Azure Resource Manager template (`main.json`) file are available. This template creates the following resources: ++- An Azure Resource Group (if one doesn't already exist) +- An Azure AI hub resource +- Azure Storage Account +- Azure Key Vault +- Azure Container Registry +- Azure Application Insights +- Azure AI services (created by the template) ++## Prerequisites ++- An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/). ++- A copy of the template files from the GitHub repo. To clone the GitHub repo to your local machine, you can use [Git](https://git-scm.com/). 
Use the following command to clone the quickstart repository to your local machine and navigate to the `aistudio-basics` directory. ++ # [Azure CLI](#tab/cli) ++ ```azurecli + git clone https://github.com/Azure/azure-quickstart-templates + cd azure-quickstart-templates/quickstarts/microsoft.machinelearningservices/aistudio-basics + ``` ++ # [Azure PowerShell](#tab/powershell) ++ ```azurepowershell + git clone https://github.com/Azure/azure-quickstart-templates + cd azure-quickstart-templates\quickstarts\microsoft.machinelearningservices\aistudio-basics + ``` ++ ++- The Bicep command-line tools. To install the Bicep command-line tools, use the [Install the Bicep CLI](/azure/azure-resource-manager/bicep/install) article. ++## Understanding the template ++The Bicep template is made up of the following files: ++| File | Description | +| - | -- | +| [main.bicep](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aistudio-basics/main.bicep) | The main Bicep file that defines the parameters and variables. Passing parameters & variables to other modules in the `modules` subdirectory. | +| [ai-resource.bicep](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aistudio-basics/modules/ai-resource.bicep) | Defines the Azure AI hub resource. | +| [dependent-resources.bicep](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aistudio-basics/modules/dependent-resources.bicep) | Defines the dependent resources for the Azure AI hub. Azure Storage Account, Container Registry, Key Vault, and Application Insights. | ++> [!IMPORTANT] +> The example templates may not always use the latest API version for the Azure resources it creates. Before using the template, we recommend modifying it to use the latest API versions. Each Azure service has its own set of API versions. 
For information on the API for a specific service, check the service information in the [Azure REST API reference](/rest/api/azure/). +> +> The AI hub resource is based on Azure Machine Learning. For information on the latest API versions for Azure Machine Learning, see the [Azure Machine Learning REST API reference](/rest/api/azureml/). To update this API version, find the `Microsoft.MachineLearningServices/<resource>` entry for the resource type and update it to the latest version. The following example is an entry for the Azure AI hub that uses an API version of `2023-08-01-preview`: +> +>```bicep +>resource aiResource 'Microsoft.MachineLearningServices/workspaces@2023-08-01-preview' = { +>``` ++### Azure Resource Manager template ++While the Bicep domain-specific language (DSL) is used to define the resources, the Bicep file is compiled into an Azure Resource Manager template when you deploy the template. The `main.json` file included in the GitHub repository is a compiled Azure Resource Manager version of the template. This file is generated from the `main.bicep` file using the Bicep command-line tools. For example, when you deploy the Bicep template it generates the `main.json` file. You can also manually create the `main.json` file using the `bicep build` command without deploying the template. ++```azurecli +bicep build main.bicep +``` ++For more information, see the [Bicep CLI](/azure/azure-resource-manager/bicep/bicep-cli) article. +++## Configure the template ++To run the Bicep template, use the following commands from the `aistudio-basics` directory: ++1. To create a new Azure Resource Group, use the following command. Replace `exampleRG` with the name of your resource group, and `eastus` with the Azure region to use: ++ # [Azure CLI](#tab/cli) ++ ```azurecli + az group create --name exampleRG --location eastus + ``` + # [Azure PowerShell](#tab/powershell) ++ ```azurepowershell + New-AzResourceGroup -Name exampleRG -Location eastus + ``` ++ ++1. 
To run the template, use the following command. Replace `myai` with the name to use for your resources. This value is used, along with generated prefixes and suffixes, to create a unique name for the resources created by the template. ++ > [!TIP] + > The `aiResourceName` must be 5 or less characters. It can't be entirely numeric or contain the following characters: `~ ! @ # $ % ^ & * ( ) = + _ [ ] { } \ | ; : . ' " , < > / ?`. ++ # [Azure CLI](#tab/cli) ++ ```azurecli + az deployment group create --resource-group exampleRG --template-file main.bicep --parameters aiResourceName=myai + ``` ++ # [Azure PowerShell](#tab/powershell) ++ ```azurepowershell + New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile main.bicep -aiResourceName myai + ``` ++ ++ Once the operation completes, you can use your Azure AI hub to create AI projects, manage resources, and collaborate with others. ++## Next steps ++- [Create a project](create-projects.md) +- [Learn more about Azure AI Studio](../what-is-ai-studio.md) +- [Learn more about Azure AI hub resources](../concepts/ai-resources.md) |
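Review bot: The H1 "Use an Azure Resource Manager template to create an Azure AI hub" does not match the title and description, which both say Bicep template, and every deployment command in the body uses `main.bicep`; rename the H1 so the page is consistent. In the TIP under the second step, "must be 5 or less characters" should read "5 or fewer characters". The IMPORTANT block tells readers to update API versions but shows `2023-08-01-preview` as the example, so it would help to say whether the quickstart template itself still pins that preview version.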
ai-studio | Prompt Flow Tools Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-studio/how-to/prompt-flow-tools/prompt-flow-tools-overview.md | The following table provides an index of tools in prompt flow. | Tool name | Description | Environment | Package name | ||--|-|--|-| [LLM](./llm-tool.md) | Use Azure Open AI large language models (LLM) for tasks such as text completion or chat. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) | +| [LLM](./llm-tool.md) | Use Azure OpenAI large language models (LLM) for tasks such as text completion or chat. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) | | [Prompt](./prompt-tool.md) | Craft a prompt by using Jinja as the templating language. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) | | [Python](./python-tool.md) | Run Python code. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) | | [Azure OpenAI GPT-4 Turbo with Vision](./azure-open-ai-gpt-4v-tool.md) | Use AzureOpenAI GPT-4 Turbo with Vision model deployment to analyze images and provide textual responses to questions about them. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) | The following table provides an index of tools in prompt flow. | [Vector Index Lookup](./vector-index-lookup-tool.md) | Search text or a vector-based query from a vector index. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) | | [Faiss Index Lookup](./faiss-index-lookup-tool.md) | Search a vector-based query from the Faiss index file. | Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) | | [Vector DB Lookup](./vector-db-lookup-tool.md) | Search a vector-based query from an existing vector database. 
| Default | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |-| [Embedding](./embedding-tool.md) | Use Azure Open AI embedding models to create an embedding vector that represents the input text. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) | +| [Embedding](./embedding-tool.md) | Use Azure OpenAI embedding models to create an embedding vector that represents the input text. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) | | [Serp API](./serp-api-tool.md) | Use Serp API to obtain search results from a specific search engine. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) | The following table shows an index of custom tools created by the community to extend prompt flow's capabilities for specific use cases. They aren't officially maintained or endorsed by prompt flow team. For questions or issues when using a tool, please see the support contact in the description. |
aks | Azure Cni Overlay | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-overlay.md | az aks update --name $clusterName \ The `--pod-cidr` parameter is required when upgrading from legacy CNI because the pods need to get IPs from a new overlay space, which doesn't overlap with the existing node subnet. The pod CIDR also can't overlap with any VNet address of the node pools. For example, if your VNet address is *10.0.0.0/8*, and your nodes are in the subnet *10.240.0.0/16*, the `--pod-cidr` can't overlap with *10.0.0.0/8* or the existing service CIDR on the cluster. -### Kubenet Cluster Upgrade (Preview) ---You must have the latest aks-preview Azure CLI extension installed and register the `Microsoft.ContainerService` `AzureOverlayPreview` feature flag. +### Kubenet Cluster Upgrade Update an existing Kubenet cluster to use Azure CNI Overlay using the [`az aks update`][az-aks-update] command. az aks update --name $clusterName \ --network-plugin-mode overlay ``` -Since the cluster is already using a private CIDR for pods, you don't need to specify the `--pod-cidr` parameter and the Pod CIDR will remain the same. +Since the cluster is already using a private CIDR for pods which doesn't overlap with the VNet IP space, you don't need to specify the `--pod-cidr` parameter and the Pod CIDR will remain the same. > [!NOTE] > When upgrading from Kubenet to CNI Overlay, the route table will no longer be required for pod routing. If the cluster is using a customer provided route table, the routes which were being used to direct pod traffic to the correct node will automatically be deleted during the migration operation. If the cluster is using a managed route table (the route table was created by AKS and lives in the node resource group) then that route table will be deleted as part of the migration. |
aks | Azure Cni Powered By Cilium | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/azure-cni-powered-by-cilium.md | By making use of eBPF programs loaded into the Linux kernel and a more efficient - Functionality equivalent to existing Azure CNI and Azure CNI Overlay plugins -- Faster service routing+- Improved Service routing - More efficient network policy enforcement |
aks | Ingress Basic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/ingress-basic.md | helm install ingress-nginx ingress-nginx/ingress-nginx ` --set controller.service.externalTrafficPolicy=Local ``` +> [!NOTE] +> In this tutorial, "service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path" is being set to "/healthz". This means if the response code of the requests to "/healthz" is not "200", the whole ingress controller will be down. You can modify the value to other URI in your own scenario. You cannot delete this part or unset the value, or the ingress controller will still be down. +> The package "ingress-nginx" used in this tutorial, which is provided by [Kubernetes official](https://github.com/kubernetes/ingress-nginx), will always return "200" response code if requesting "/healthz", as it is designed as "[default backend](https://kubernetes.github.io/ingress-nginx/user-guide/default-backend/)" for users to have a quick start, unless it is being overwritten by ingress rules. + ## Customized configuration |
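Review bot: In the added NOTE, "You cannot delete this part or unset the value, or the ingress controller will still be down" is ambiguous, because "still" implies the controller was already down; say plainly that the health probe request path annotation must remain set to a path that returns 200. "The whole ingress controller will be down" should also say what actually happens when the probe gets a non-200 response (for example, whether the load balancer stops sending traffic), so that operators know what symptom to look for. "Provided by Kubernetes official" would read better as "maintained by the Kubernetes project".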
aks | Upgrade Aks Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/upgrade-aks-cluster.md | During the cluster upgrade process, AKS performs the following operations: * [Cordon and drain][kubernetes-drain] one of the old nodes to minimize disruption to running applications. If you're using max surge, it [cordons and drains][kubernetes-drain] as many nodes at the same time as the number of buffer nodes specified. * For long running pods, you can configure the node drain timeout, which allows for custom wait time on the eviction of pods and graceful termination per node. If not specified, the default is 30 minutes. * When the old node is fully drained, it's reimaged to receive the new version and becomes the buffer node for the following node to be upgraded.-* Optionally, you can set a duration of time to wait between draining a node and proceeding to reimage it and move on to the next node. A short interval allows you to complete other tasks, such as checking application health from a Grafana dashboard during the upgrade process. We recommend a short timeframe for the upgrade process, as close to 0 minutes as reasonably possible. Otherwise, a higher node soak time (preview) affects how long before you discover an issue. The minimum soak time value is 0 minutes, with a maximum of 30 minutes. If not specified, the default value is 0 minutes. +* Optionally, you can set a duration of time to wait between draining a node and proceeding to reimage it and move on to the next node. A short interval allows you to complete other tasks, such as checking application health from a Grafana dashboard during the upgrade process. We recommend a short timeframe for the upgrade process, as close to 0 minutes as reasonably possible. Otherwise, a higher node soak time affects how long before you discover an issue. The minimum soak time value is 0 minutes, with a maximum of 30 minutes. If not specified, the default value is 0 minutes. 
* This process repeats until all nodes in the cluster are upgraded. * At the end of the process, the last buffer node is deleted, maintaining the existing agent node count and zone balance. At times, you may have a long running workload on a certain pod and it can't be az aks nodepool update -n mynodepool -g MyResourceGroup --cluster-name MyManagedCluster --drainTimeoutInMinutes 45 ``` -#### Set node soak time value (preview) +#### Set node soak time value To allow for a duration of time to wait between draining a node and proceeding to reimage it and move on to the next node, you can set the soak time to a value between 0 and 30 minutes. If no node soak time value is specified, the default is 0 minutes. --> [!NOTE] -> To use node soak duration (preview), you must have the aks-preview Azure CLI extension version 0.5.173 or later installed. --* Enable the aks-preview Azure CLI. -- ```azurecli-interactive - az extension add --name aks-preview - ``` - * Set node soak time for new or existing node pools using the [`az aks nodepool add`][az-aks-nodepool-add], [`az aks nodepool update`][az-aks-nodepool-update], or [`az aks nodepool upgrade`][az-aks-nodepool-upgrade] command. ```azurecli-interactive |
aks | Upgrade Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/upgrade-cluster.md | Persistent volume claims (PVCs) backed by Azure locally redundant storage (LRS) ## Optimize upgrades to improve performance and minimize disruptions -The combination of [Planned Maintenance Window][planned-maintenance], [Max Surge](./upgrade-aks-cluster.md#customize-node-surge-upgrade), [Pod Disruption Budget][pdb-spec], [node drain timeout][drain-timeout], and [node soak time][soak-time] (preview) can significantly increase the likelihood of node upgrades completing successfully by the end of the maintenance window while also minimizing disruptions. +The combination of [Planned Maintenance Window][planned-maintenance], [Max Surge](./upgrade-aks-cluster.md#customize-node-surge-upgrade), [Pod Disruption Budget][pdb-spec], [node drain timeout][drain-timeout], and [node soak time][soak-time] can significantly increase the likelihood of node upgrades completing successfully by the end of the maintenance window while also minimizing disruptions. * [Planned Maintenance Window][planned-maintenance] enables service teams to schedule auto-upgrade during a predefined window, typically a low-traffic period, to minimize workload impact. We recommend a window duration of at least *four hours*. * [Max Surge](./upgrade-aks-cluster.md#customize-node-surge-upgrade) on the node pool allows requesting extra quota during the upgrade process and limits the number of nodes selected for upgrade simultaneously. A higher max surge results in a faster upgrade process. We don't recommend setting it at 100%, as it upgrades all nodes simultaneously, which can cause disruptions to running applications. We recommend a max surge quota of *33%* for production node pools. * [Pod Disruption Budget][pdb-spec] is set for service applications and limits the number of pods that can be down during voluntary disruptions, such as AKS-controlled node upgrades. 
It can be configured as `minAvailable` replicas, indicating the minimum number of application pods that need to be active, or `maxUnavailable` replicas, indicating the maximum number of application pods that can be terminated, ensuring high availability for the application. Refer to the guidance provided for configuring [Pod Disruption Budgets (PDBs)][pdb-concepts]. PDB values should be validated to determine the settings that work best for your specific service. * [Node drain timeout][drain-timeout] on the node pool allows you to configure the wait duration for eviction of pods and graceful termination per node during an upgrade. This option is useful when dealing with long running workloads. When the node drain timeout is specified (in minutes), AKS respects waiting on pod disruption budgets. If not specified, the default timeout is 30 minutes.-* [Node soak time][soak-time] (preview) helps stagger node upgrades in a controlled manner and can minimize application downtime during an upgrade. You can specify a wait time, preferably as reasonably close to 0 minutes as possible, to check application readiness between node upgrades. If not specified, the default value is 0 minutes. Node soak time works together with the max surge and node drain timeout properties available in the node pool to deliver the right outcomes in terms of upgrade speed and application availability. -- > [!NOTE] - > To use node soak duration (preview), you must have the `aks-preview` Azure CLI extension version 0.5.173 or later installed. +* [Node soak time][soak-time] helps stagger node upgrades in a controlled manner and can minimize application downtime during an upgrade. You can specify a wait time, preferably as reasonably close to 0 minutes as possible, to check application readiness between node upgrades. If not specified, the default value is 0 minutes. 
Node soak time works together with the max surge and node drain timeout properties available in the node pool to deliver the right outcomes in terms of upgrade speed and application availability. ## Next steps This article listed different upgrade options for AKS clusters. For a detailed d <!-- LINKS - internal --> [aks-tutorial-prepare-app]: ./tutorial-kubernetes-prepare-app.md [drain-timeout]: ./upgrade-aks-cluster.md#set-node-drain-timeout-value-[soak-time]: ./upgrade-aks-cluster.md#set-node-soak-time-value-preview +[soak-time]: ./upgrade-aks-cluster.md#set-node-soak-time-value [nodepool-upgrade]: manage-node-pools.md#upgrade-a-single-node-pool [planned-maintenance]: planned-maintenance.md [specific-nodepool]: node-image-upgrade.md#upgrade-a-specific-node-pool |
aks | Use Network Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/use-network-policies.md | Azure Network Policy Manager doesn't support IPv6. Otherwise, Azure Network Poli ## Scale -With Azure Network Policy Manager for Linux, we don't recommend scaling beyond 250 nodes and 20k pods. If you attempt to scale beyond these limits, you may encounter Out of Memory (OOM) kills. To increase your memory limit, contact us on [aks-acn-github]. +With Azure Network Policy Manager for Linux, we don't recommend scaling beyond 250 nodes and 20k pods. If you attempt to scale beyond these limits, you may encounter Out of Memory (OOM) kills. To increase your memory limit, please create a support ticket. ## Create an AKS cluster and enable Network Policy To learn more about policies, see [Kubernetes network policies][kubernetes-netwo [calico-support]: https://www.tigera.io/tigera-products/calico/ [calico-logs]: https://docs.tigera.io/calico/3.25/operations/troubleshoot/component-logs [calico-aks-cleanup]: https://github.com/Azure/aks-engine/blob/master/docs/topics/calico-3.3.1-cleanup-after-upgrade.yaml-[aks-acn-github]: https://github.com/Azure/azure-container-networking/issues <!-- LINKS - internal --> [install-azure-cli]: /cli/azure/install-azure-cli |
api-center | Enable Api Center Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/enable-api-center-portal.md | +> [!VIDEO https://www.youtube.com/embed/7Z45FdCLFbA] + [!INCLUDE [api-center-preview-feedback](includes/api-center-preview-feedback.md)] +++ ## Prerequisites * An API center in your Azure subscription. If you haven't created one already, see [Quickstart: Create your API center](set-up-api-center.md). |
api-center | Import Api Management Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/import-api-management-apis.md | When you add an API from an API Management instance to your API center: After adding an API from API Management, you can add metadata and documentation in your API center to help stakeholders discover, understand, and consume the API. +> [!VIDEO https://www.youtube.com/embed/SuGkhuBUV5k] + [!INCLUDE [api-center-preview-feedback](includes/api-center-preview-feedback.md)] ## Prerequisites Use a wildcard (`*`) to specify all APIs from the API Management instance. 1. Use the `az apic service import-from-apim` command to import the APIs. Substitute the names of your API center and resource group, and use `*` to specify all APIs from the API Management instance. ```azurecli- #! /bin/bash apiIDs="$apimID/apis/*" |
api-center | Manage Apis Azure Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/manage-apis-azure-cli.md | +> [!VIDEO https://www.youtube.com/embed/Dvar8Dg25s0] + [!INCLUDE [api-center-preview-feedback](includes/api-center-preview-feedback.md)] ## Prerequisites |
api-center | Use Vscode Extension | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-center/use-vscode-extension.md | To discover, try, and consume APIs in your [API center](overview.md), you can us * **Consume APIs** - Generate API SDK clients for your favorite language including JavaScript, TypeScript, .NET, Python, and Java, using the Microsoft Kiota engine that generates SDKs for Microsoft Graph, GitHub, and more. +> [!VIDEO https://www.youtube.com/embed/62X0NALedCc] + > [!NOTE] > The API Center extension for Visual Studio Code is in preview. Learn more about the [extension preview](https://marketplace.visualstudio.com/items?itemName=apidev.azure-api-center). |
app-service | Monitor Instances Health Check | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/monitor-instances-health-check.md | If your app is only scaled to one instance and becomes unhealthy, it will not be ### Why are the Health check requests not showing in my web server logs? -The Health check requests are sent to your site internally, so the request won't show in [the web server logs](troubleshoot-diagnostic-logs.md#enable-web-server-logging). This also means the request will have an origin of `127.0.0.1` since the request is being sent internally. You can add log statements in your Health check code to keep logs of when your Health check path is pinged. +The Health check requests are sent to your site internally, so the request won't show in [the web server logs](troubleshoot-diagnostic-logs.md#enable-web-server-logging). You can add log statements in your Health check code to keep logs of when your Health check path is pinged. ### Are the Health check requests sent over HTTP or HTTPS? |
automanage | Automanage Arc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-arc.md | Last updated 05/12/2022 # Azure Automanage for Machines Best Practices - Azure Arc-enabled servers +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + These Azure services are automatically onboarded for you when you use Automanage Machine Best Practices on an Azure Arc-enabled server VM. They are essential to our best practices white paper, which you can find in our [Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/azure-server-management). For all of these services, we will auto-onboard, auto-configure, monitor for drift, and remediate if drift is detected. To learn more, go to [Azure Automanage for virtual machines](overview-about.md). |
automanage | Automanage Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/automanage-linux.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + These Azure services are automatically onboarded for you when you use Automanage Machine Best Practices Profiles on a Linux VM. They are essential to our best practices white paper, which you can find in our [Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/azure-server-management). For all of these services, we will auto-onboard, auto-configure, monitor for drift, and remediate if drift is detected. To learn more, go to [Azure Automanage for virtual machines](overview-about.md). |
automation | Automation Runbook Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-runbook-types.md | Title: Azure Automation runbook types description: This article describes the types of runbooks that you can use in Azure Automation and considerations for determining which type to use. Previously updated : 01/23/2024 Last updated : 02/12/2024 The Azure Automation Process Automation feature supports several types of runboo | [Graphical](#graphical-runbooks)|Graphical runbook based on Windows PowerShell and created and edited completely in the graphical editor in Azure portal. | | [Graphical PowerShell Workflow](#graphical-runbooks)|Graphical runbook based on Windows PowerShell Workflow and created and edited completely in the graphical editor in Azure portal. | +> [!NOTE] +> Azure Automation will follow the support lifecycle of PowerShell and Python language versions in accordance with the timelines published by parent products [PowerShell](https://learn.microsoft.com/powershell/scripting/install/powershell-support-lifecycle?view=powershell-7.3&preserve-view=true#powershell-end-of-support-dates) and [Python](https://devguide.python.org/versions/) respectively. We recommend you to use runbooks with supported language versions. + Take into account the following considerations when determining which type to use for a particular runbook. * You can't convert runbooks from graphical to text type, or the other way around. Take into account the following considerations when determining which type to us PowerShell runbooks are based on Windows PowerShell. You directly edit the code of the runbook using the text editor in the Azure portal. You can also use any offline text editor and [import the runbook](manage-runbooks.md) into Azure Automation. -The PowerShell version is determined by the **Runtime version** specified (that is version 7.2, 7.1 (preview) or 5.1). 
The Azure Automation service supports the latest PowerShell runtime. +The PowerShell version is determined by the **Runtime version** specified (that is version 7.2, 7.1 (preview) or 5.1). The same Azure sandbox and Hybrid Runbook Worker can execute multiple **PowerShell** runbooks targeting different runtime versions side by side. |
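Review bot: The added NOTE recommends using runbooks with supported language versions, but the "Runtime version" sentence in the last hunk still lists "7.1 (preview)" with no indication of whether that runtime falls inside the support lifecycle the note points to; give a status for each listed version or tie the list to the lifecycle page. The PowerShell link in the note is an absolute learn.microsoft.com URL pinned to `view=powershell-7.3`, while other links in these articles use site-relative paths; a relative, unpinned link would age better.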
azure-app-configuration | Monitor App Configuration Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/monitor-app-configuration-reference.md | Resource Provider and Type: [App Configuration Platform Metrics](../azure-monito | Daily Storage Usage | Percent | Represents the amount of storage in use as a percentage of the maximum allowance. This metric is updated at least once daily. | | Request Quota Usage | Percent | Represents the current total request usage in percentage. | | Replication Latency | Milliseconds | Represents the average time it takes for a replica to be consistent with current state. |+| Snapshot Storage Size | Count | Represents the total storage usage of configuration snapshot(s) in bytes. | For more information, see a list of [all platform metrics supported in Azure Monitor](../azure-monitor/essentials/metrics-supported.md). App Configuration has the following dimensions associated with its metr | Daily Storage Usage | This metric does not have any dimensions. | | Request Quota Usage | The supported dimensions are the **OperationType** ("Read"or "Write") and **Endpoint** of each request. | | Replication Latency | The **Endpoint** of the replica that data was replicated to is included as a dimension. |+| Snapshot Storage Size | This metric does not have any dimensions. | For more information on what metric dimensions are, see [Multi-dimensional metrics](../azure-monitor/essentials/data-platform-metrics.md#multi-dimensional-metrics). |
azure-app-configuration | Monitor App Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/monitor-app-configuration.md | You can analyze metrics for App Configuration with metrics from other Azure serv * Daily Storage Usage * Request Quota Usage * Replication Latency+* Snapshot Storage Size In the portal, navigate to the **Metrics** section and select the **Metric Namespaces** and **Metrics** you want to analyze. This screenshot shows you the metrics view when selecting **Http Incoming Request Count** for your configuration store. |
azure-arc | Cluster Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/cluster-connect.md | On the existing Arc-enabled cluster, create the ClusterRoleBinding with either M ```console $TOKEN = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((kubectl get secret demo-user-secret -o jsonpath='{$.data.token}')))) ```+ +1. Get the token to output to console. + + ```console + echo $TOKEN + ``` |
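Review bot: The added step "echo $TOKEN" prints the token read from `demo-user-secret` in clear text, where it can persist in terminal scrollback, session transcripts, or a shared screen; the step needs a sentence saying why the token has to be displayed and that it must be handled as a secret (copy it to where it is needed, then clear the terminal). The block is fenced as `console` but follows a PowerShell expression, so naming the shell in the step would also help.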
azure-functions | Deploy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/start-stop-vms/deploy.md | For each scenario, you can target the action against one or more subscriptions, ```json { "Action": "start",- "EnableClassic": true, + "EnableClassic": false, "RequestScopes": { "ExcludedVMLists": [], "VMLists": [ In an environment that includes two or more components on multiple Azure Resourc ```json { "Action": "start",- "EnableClassic": true, + "EnableClassic": false, "RequestScopes": { "ExcludedVMLists": [], "VMLists": [ To learn more about how Azure Monitor metric alerts work and how to configure th "AutoStop_Threshold": "5", "AutoStop_TimeAggregationOperator": "Average", "AutoStop_TimeWindow": "06:00:00",- "EnableClassic": true, + "EnableClassic": false, "RequestScopes": { "ExcludedVMLists": [], "ResourceGroups": [ To learn more about how Azure Monitor metric alerts work and how to configure th "AutoStop_Threshold": "5", "AutoStop_TimeAggregationOperator": "Average", "AutoStop_TimeWindow": "06:00:00",- "EnableClassic": true, + "EnableClassic": false, "RequestScopes": { "ExcludedVMLists": [], "VMLists": [ |
azure-monitor | Javascript Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-sdk.md | If you want to use the extra features provided by plugins for specific framework - [React plugin](javascript-framework-extensions.md?tabs=react) - [React native plugin](javascript-framework-extensions.md?tabs=reactnative)-- [Angular plugin](javascript-framework-extensions.md?tabs=reactnative)+- [Angular plugin](javascript-framework-extensions.md?tabs=angular) ### Confirm data is flowing |
azure-monitor | Azure Monitor Workspace Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/azure-monitor-workspace-overview.md | This section provides answers to common questions. An Azure Monitor workspace is a unique environment for data collected by Azure Monitor. Each workspace has its own data repository, configuration, and permissions. Azure Monitor workspaces will eventually contain all metrics collected by Azure Monitor, including native metrics. Currently, the only data hosted by an Azure Monitor workspace is Prometheus metrics. +You cannot use quota limits, similar to the Log Anlytics Workspace (Daily Cap or Data retention) in the Azure Monitor workspace. + ### Can I delete Prometheus metrics from an Azure Monitor workspace? Data is removed from the Azure Monitor workspace according to its data retention period, which is 18 months. |
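Review bot: The added sentence in the workspace FAQ misspells "Log Anlytics Workspace", and its comma placement leaves it unclear what is being ruled out. Suggest rewording along the lines of "Unlike a Log Analytics workspace, an Azure Monitor workspace doesn't support quota limits such as Daily Cap or Data retention." Since the next answer states a data retention period of 18 months, the sentence should also say whether it means that period cannot be changed.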
azure-monitor | Platform Logs Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/platform-logs-overview.md | The following table lists the platform logs that are available at different laye | Log | Layer | Description | |:|:|:|-| [Resource logs](./resource-logs.md) | Azure Resources | Resource logs provide an insight into operations that were performed within an Azure resource. This is know as the *data plane*. Examples include getting a secret from a key vault, or making a request to a database. The contents of resource logs varies according to the Azure service and resource type.<br><br>*Resource logs were previously referred to as diagnostic logs.* | +| [Resource logs](./resource-logs.md) | Azure Resources | Resource logs provide an insight into operations that were performed within an Azure resource. This is known as the *data plane*. Examples include getting a secret from a key vault, or making a request to a database. The contents of resource logs varies according to the Azure service and resource type.<br><br>*Resource logs were previously referred to as diagnostic logs.* | | [Activity logs](../essentials/activity-log.md) | Azure Subscription |Activity logs provide an insight into the operations performed *on* each Azure resource in the subscription from the outside, known as the *management plane*. in addition to updates on Service Health events. Use the Activity log to determine *what*, *who*, and *when* for any write operation (PUT, POST, DELETE) executed on the resources in your subscription. There's a single activity log for each Azure subscription. | | [Microsoft Entra logs](../../active-directory/reports-monitoring/overview-reports.md) | Azure Tenant | Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant. | |
azure-netapp-files | Azure Netapp Files Network Topologies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/azure-netapp-files-network-topologies.md | Configuring UDRs on the source VM subnets with the address prefix of delegated s > To access an Azure NetApp Files volume from an on-premises network via a VNet gateway (ExpressRoute or VPN) and firewall, configure the route table assigned to the VNet gateway to include the `/32` IPv4 address of the Azure NetApp Files volume listed and point to the firewall as the next hop. Using an aggregate address space that includes the Azure NetApp Files volume IP address will not forward the Azure NetApp Files traffic to the firewall. >[!NOTE]->If you want to configure a UDR route in the VM VNet, to control the routing of packets destined for a VNet-peered Azure NetApp Files standard volume, the UDR prefix must be more specific or equal to the delegated subnet size of the Azure NetApp Files volume. If the UDR prefix is of size greater than the delegated subnet size, it will not be effective. +>If you want to configure a UDR route in the VM VNet, to control the routing of packets destined for a regionally VNet-peered Azure NetApp Files standard volume, the UDR prefix must be more specific or equal to the delegated subnet size of the Azure NetApp Files volume. If the UDR prefix is of size greater than the delegated subnet size, it will not be effective. ## Azure native environments |
azure-netapp-files | Configure Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/configure-customer-managed-keys.md | -Customer-managed keys for Azure NetApp Files volume encryption enable you to use your own keys rather than a Microsoft-managed key when creating a new volume. With customer-managed keys, you can fully manage the relationship between a key's life cycle, key usage permissions, and auditing operations on keys. +Customer-managed keys for Azure NetApp Files volume encryption enable you to use your own keys rather than a platform-managed key when creating a new volume. With customer-managed keys, you can fully manage the relationship between a key's life cycle, key usage permissions, and auditing operations on keys. The following diagram demonstrates how customer-managed keys work with Azure NetApp Files: The following diagram demonstrates how customer-managed keys work with Azure Net 3. You use the managed identity to which the Azure Key Vault admin granted permissions in step 1 to authenticate access to Azure Key Vault via Microsoft Entra ID. 4. Azure NetApp Files wraps the account encryption key with the customer-managed key in Azure Key Vault. - Customer-managed keys have no performance impact on Azure NetApp Files. Its only difference from Microsoft-managed keys is how the key is managed. + Customer-managed keys have no performance impact on Azure NetApp Files. Its only difference from platform-managed keys is how the key is managed. 1. For read/write operations, Azure NetApp Files sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations. ## Considerations |
azure-netapp-files | Cool Access Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-netapp-files/cool-access-introduction.md | Standard storage with cool access is supported for the following regions: * Sweden Central * UAE North * UK South+* UK West * US Gov Arizona * US Gov Texas * US Gov Virginia * West US+* West US 3 ## Effects of cool access on data |
azure-resource-manager | Linter Rule No Deployments Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/linter-rule-no-deployments-resources.md | Title: Linter rule - no deployments resources description: Linter rule - no deployments resources Previously updated : 10/12/2023 Last updated : 02/12/2024 # Linter rule - no deployments resources Use the following value in the [Bicep configuration file](bicep-config-linter.md ## Solution -The following example fails this test because the template contains a `Microsoft.Resources/deployments` resource on the root level. +In ARM templates, you can reuse or modularize a template through nesting or linking templates using the `Microsoft.Resources/deployments` resource. For more information, see [Using linked and nested templates when deploying Azure resources](../templates/linked-templates.md) The following ARM template is a sample of a nested template: ++```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string", + "defaultValue": "[format('{0}{1}', 'store', uniqueString(resourceGroup().id))]" + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "nestedTemplate1", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS" + }, + "kind": "StorageV2" + } + ] + } + } + } + ] +} +``` ++In Bicep, you can still use the 
`Microsoft.Resources/deployments` resource for nesting ARM templates or linking external ARM templates. But, it's not a great idea because it can lead to unsafe and tricky behaviors due to how it's evaluated multiple times. Also, there's hardly any validation and self completion from Visual Studio Code when you author the Bicep file, making it tough to work with. The following Bicep file fails this test because the template contains `Microsoft.Resources/deployments` resource on the root level. ```bicep-param name string -param specId string -resource foo 'Microsoft.Resources/deployments@2023-07-01' = { - name: name - properties: { +param storageAccountName string = 'store${uniqueString(resourceGroup().id)}' +param location string = resourceGroup().location ++resource nestedTemplate1 'Microsoft.Resources/deployments@2023-07-01' = { + name: 'nestedTemplate1' + properties:{ mode: 'Incremental'- templateLink: { - uri: specId - } - parameters: {} + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '1.0.0.0' + resources: [ + { + type: 'Microsoft.Storage/storageAccounts' + apiVersion: '2023-01-01' + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + } + ] + } + } +} +``` ++To fix the issue, you can use the Bicep CLI [decompile](./bicep-cli.md#decompile) command. 
For example, the preceding ARM template can be decomplied into the following Bicep files: ++_main.bicep_: ++```bicep +param storageAccountName string = 'store${uniqueString(resourceGroup().id)}' +param location string = resourceGroup().location ++module nestedTemplate1 './nested_nestedTemplate1.bicep' = { + name: 'nestedTemplate1' + params: { + storageAccountName: storageAccountName + location: location + } +} +``` ++_nested_nestedTemplate1.bicep_: ++```bicep +param storageAccountName string +param location string ++resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} +``` ++Additionally, you can also refence ARM templates using the [module](./modules.md) statement. ++_main.bicep_: ++```bicep +param storageAccountName string = 'store${uniqueString(resourceGroup().id)}' +param location string = resourceGroup().location ++module nestedTemplate1 './createStorage.json' = { + name: 'nestedTemplate1' + params: { + storageAccountName: storageAccountName + location: location } } ``` -It should be declared as a [Bicep module](./modules.md). +_createStorage.json_: ++```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string", + "defaultValue": "[format('{0}{1}', 'store', uniqueString(resourceGroup().id))]" + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]" + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS" + }, + "kind": "StorageV2" + } + ] +} +``` ## Next steps |
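Review bot: The rationale in the new Bicep paragraph, "it can lead to unsafe and tricky behaviors due to how it's evaluated multiple times", never says what is unsafe; since this sentence is the justification for the linter rule, it should name the concrete behavior or link to a description of it. The failing Bicep sample declares `Microsoft.Resources/deployments@2023-07-01` while the ARM template it mirrors uses apiVersion `2022-09-01`, so one of the two should change for the "preceding ARM template" wording to hold. The added prose also has the typos "decomplied" and "refence", a missing period after the linked-templates link, and `properties:{` without a space in the Bicep sample.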
azure-resource-manager | Tutorial Create Managed App With Custom Provider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/tutorial-create-managed-app-with-custom-provider.md | az account set --subscription <subscriptionID> az group create --name $resourceGroup --location eastus # Get object ID of your identity-userid=$(az ad user show --upn-or-object-id example@contoso.org --query objectId --output tsv) +userid=$(az ad user list --upn example@contoso.org --query [0].id --output tsv) # Get role definition ID for the Owner role roleid=$(az role definition list --name Owner --query [].name --output tsv) |
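Review bot: In the replacement line, `--query [0].id` is unquoted, so the shell reads the brackets as a glob pattern (zsh stops with "no matches found", and bash substitutes a file named `0.id` if one exists in the working directory); quote it as `--query "[0].id"`, and quote `--query [].name` in the role definition line that follows for the same reason. `az ad user list --upn` also returns an empty list when no user matches, which leaves `userid` empty without any error, so the script should check that the variable is non-empty before using it.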
backup | Backup Azure Database Postgresql Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-database-postgresql-overview.md | Title: About Azure Database for PostgreSQL backup description: An overview on Azure Database for PostgreSQL backup Previously updated : 01/24/2022 Last updated : 02/09/2024 |
backup | Backup Azure Database Postgresql Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-database-postgresql-troubleshoot.md | Title: Troubleshoot Azure Database for PostgreSQL backup description: Troubleshooting information for backing up Azure Database for PostgreSQL. Previously updated : 06/07/2022 Last updated : 02/09/2024 |
backup | Backup Azure Policy Supported Skus | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-policy-supported-skus.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + Azure Backup provides a built-in policy (using Azure Policy) that can be assigned to **all Azure VMs in a specified location within a subscription or resource group**. When this policy is assigned to a given scope, all new VMs created in that scope are automatically configured for backup to an **existing vault in the same location and subscription**. The table below lists all the VM SKUs supported by this policy. ## Supported VMs* |
backup | Backup Azure Restore Files From Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/backup-azure-restore-files-from-vm.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + Azure Backup provides the capability to restore [Azure virtual machines (VMs) and disks](./backup-azure-arm-restore-vms.md) from Azure VM backups, also known as recovery points. This article explains how to recover files and folders from an Azure VM backup. Restoring files and folders is available only for Azure VMs deployed using the Resource Manager model and protected to a Recovery Services vault. |
container-apps | Service Discovery Resiliency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/service-discovery-resiliency.md | matches: { '5xx' 'reset' 'connect-failure'- 'retriabe-4xx' + 'retriable-4xx' ] } ``` |
cosmos-db | Choose Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/cassandra/choose-service.md | In this article, you will learn the differences between [Azure Managed Instance ## Key differences -Azure Managed Instance for Apache Cassandra provides automated deployment, scaling, and operations to maintain the node health for open-source Apache Cassandra instances in Azure. It also provides the capability to scale out the capacity of existing on-premises or cloud self-hosted Apache Cassandra clusters. It scales out by adding managed Cassandra datacenters to the existing cluster ring. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. It also provides the capability to scale out the capacity of existing on-premises or cloud self-hosted Apache Cassandra clusters. It scales out by adding managed Cassandra datacenters to the existing cluster ring. The RU-based [Azure Cosmos DB for Apache Cassandra](introduction.md) in Azure Cosmos DB is a compatibility layer over Microsoft's globally distributed cloud-native database service [Azure Cosmos DB](../index.yml). The following table shows the common scenarios, workload requirements, and aspir | |Self-hosted Apache Cassandra on-premises or in Azure | Azure Managed Instance for Apache Cassandra | Azure Cosmos DB for Apache Cassandra | ||||| |**Deployment type**| You have a highly customized Apache Cassandra deployment with custom patches or snitches. | You have a standard open-source Apache Cassandra deployment without any custom code. | You are content with a platform that is not Apache Cassandra underneath but is compliant with all open-source client drivers at a [wire protocol](../cassandra-support.md) level. 
|-|**Operational overhead**| You have existing Cassandra experts who can deploy, configure, and maintain your clusters. | You want to lower the operational overhead for your Apache Cassandra node health, but still maintain control over the platform level configurations such as replication and consistency. | You want to eliminate the operational overhead by using a fully managed Platform-as-as-service database in the cloud. | +|**Operational overhead**| You have existing Cassandra experts who can deploy, configure, and maintain your clusters. | You want to eliminate the operational overhead by using a fully managed Database-as-as-Service for open-source Apache Cassandra, but have the option of controling Cassandra-specific configurations such as replication and consistency when required. | You want to eliminate the operational overhead by using a fully managed Platform-as-as-service database in the cloud. | |**Production Support**| You handle live incidents and outages yourself, including contacting relevant infrastructure teams for compute, networking, storage, etc. | You want a first-party managed service experience that will act as a one-stop shop for supporting live incidents and outages. | You want a first-party managed service experience that will act as a one-stop shop for live incidents and outages. |-|**Software Support**| You handle all patches, and ensure that software is upgraded before end of life.| You want a first-party managed service experience that will offer Cassandra software level support beyond end of live| You want a first-party managed service experience where software level support is completely abstracted.| -|**Operating system requirements**| You have a requirement to maintain custom or golden Virtual Machine operating system images. | You can use vanilla images but want to have control over SKUs, memory, disks, and IOPS. 
| You want capacity provisioning to be simplified and expressed as a single normalized metric, with a one-to-one relationship to throughput, such as [request units](../request-units.md) in Azure Cosmos DB. | +|**Software Support**| You handle all patches, and ensure that software is upgraded before end of life.| You want a first-party managed service experience that will offer Cassandra software level support beyond end of live, automated patching, and turnkey upgrades for major versions | You want a first-party managed service experience where software level support is completely abstracted.| +|**Operating system requirements**| You have a requirement to maintain custom or golden Virtual Machine operating system images. | You can use vanilla images but want to have control over the selection of SKUs, memory, disks, and IOPS. | You want capacity provisioning to be simplified and expressed as a single normalized metric, with a one-to-one relationship to throughput, such as [request units](../request-units.md) in Azure Cosmos DB. | |**Pricing model**| You want to use management software such as Datastax tooling and are happy with licensing costs. | You prefer pure open-source licensing and VM instance-based pricing. | You want to use cloud-native pricing, which includes [autoscale](scale-account-throughput.md#use-autoscale) and [serverless](../serverless.md) offers. | |**Analytics**| You want full control over the provisioning of analytical pipelines regardless of the overhead to build and maintain them. | You want to use cloud-based analytical services like Azure Databricks. | You want near real-time hybrid transactional analytics built into the platform with [Azure Synapse Link for Azure Cosmos DB](../synapse-link.md). | |**Workload pattern**| Your workload is fairly steady-state and you don't require scaling nodes in the cluster frequently. 
| Your workload is volatile and you need to be able to scale up or scale down nodes in a data center or add/remove data centers easily. | Your workload is often volatile and you need to be able to scale up or scale down quickly and at a significant volume. | |
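Review bot: The rewritten table cells introduce typos: "Database-as-as-Service" and "controling" in the Operational overhead row, and "end of live" (for "end of life") carried into the new Software Support cell. In the Key differences paragraph, the new wording "allows configurations to be overridden" does not say which settings stay under the customer's control; the Operational overhead cell mentions replication and consistency, and the paragraph could use the same examples so that readers can tell where their own responsibility for the cluster begins.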
cosmos-db | Choose Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/choose-api.md | You can use your existing MongoDB apps with API for MongoDB by just changing the Azure Cosmos DB for PostgreSQL is a managed service for running PostgreSQL at any scale, with the [Citus open source](https://github.com/citusdata/citus) superpower of distributed tables. It stores data either on a single node, or distributed in a multi-node configuration. -Azure Cosmos DB for PostgreSQL is built on native PostgreSQL--rather than a PostgreSQL fork--and lets you choose any major database versions supported by the PostgreSQL community. It's ideal for starting on a single-node database with rich indexing, geospatial capabilities, and JSONB support. Later, if need more performance, you can add nodes to the cluster with zero downtime. +Azure Cosmos DB for PostgreSQL is built on native PostgreSQL--rather than a PostgreSQL fork--and lets you choose any major database versions supported by the PostgreSQL community. It's ideal for starting on a single-node database with rich indexing, geospatial capabilities, and JSONB support. Later, if you need more performance, you can add nodes to the cluster with zero downtime. If youΓÇÖre looking for a managed open source relational database with high performance and geo-replication, Azure Cosmos DB for PostgreSQL is the recommended choice. To learn more, see the [Azure Cosmos DB for PostgreSQL introduction](postgresql/introduction.md). |
defender-for-cloud | Apply Security Baseline | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/apply-security-baseline.md | Last updated 06/27/2023 # Review hardening recommendations +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + > [!NOTE] > As the Log Analytics agent (also known as MMA) is set to retire in [August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/), all Defender for Servers features that currently depend on it, including those described on this page, will be available through either [Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md) or [agentless scanning](concept-agentless-data-collection.md), before the retirement date. For more information about the roadmap for each of the features that are currently rely on Log Analytics Agent, see [this announcement](upcoming-changes.md#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation). |
defender-for-cloud | Common Questions Microsoft Defender Vulnerability Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/common-questions-microsoft-defender-vulnerability-management.md | Last updated 11/30/2023 # Common questions about the Microsoft Defender Vulnerability Management solution +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + Get answers to common questions on the new Container VA offering powered by Microsoft Defender Vulnerability Management solution. ## How do I transition to the container vulnerability assessment powered by Microsoft Defender Vulnerability Management? There's no difference for coverage of language specific packages between the Qua - Vulnerability reports for OS packages are enriched with evidence on commands that can be used to find the vulnerable package. ## Next steps- + - Learn about [Defender for Containers](defender-for-containers-introduction.md) - Learn more about [Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-azure.md) - Learn more about [Vulnerability assessments for AWS with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-aws.md) |
defender-for-cloud | Custom Security Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/custom-security-policies.md | zone_pivot_groups: manage-asc-initiatives # Create custom standards and recommendations (Azure) -Security recommendations in Microsoft Defender for Cloud help you to improve and harden your security posture. Recommendations are based on the security standards you define in subscriptions that have Defender for Cloud onboarded. +Security recommendations in Microsoft Defender for Cloud help you to improve and harden your security posture. Recommendations are based on the security standards you define in subscriptions that have Defender for Cloud onboarded. [Security standards](security-policy-concept.md) can be based on regulatory compliance standards, and on customized standards. This article describes how to create custom standards and recommendations. Security recommendations in Microsoft Defender for Cloud help you to improve and ::: zone pivot="azure-portal" - ## Create a custom standard in the portal 1. Sign in to the [Azure portal](https://portal.azure.com). Security recommendations in Microsoft Defender for Cloud help you to improve and 1. Select the relevant subscription or management group. - 1. Select **Security policies** > **+ Create** > **Custom standard**. :::image type="content" source="media/custom-security-policies/create-custom-standard.png" alt-text="Screenshot that shows how to create a custom security standard." lightbox="media/custom-security-policies/create-custom-standard.png"::: -1. Enter a name and description. +1. Enter a name and description. > [!IMPORTANT] > Make sure the name is unique. If you create a custom standard with the same name as an existing standard, it causes a conflict in the information displayed in the dashboard. 
If you want to create a custom recommendation for Azure resources, you currently ::: zone pivot="rest-api" - ## Create a custom recommendation/standard (legacy) You can create custom recommendations and standards in Defender for cloud by creating policy definitions and initiatives in Azure Policy, and onboarding them in Defender for Cloud. Here's how you do that: 1. Create one or more policy definitions in the [Azure Policy portal](../governance/policy/tutorials/create-custom-policy-definition.md), or [programatically](../governance/policy/how-to/programmatically-create.md). 1. [Create a policy initiative](../governance/policy/concepts/initiative-definition-structure.md) that contains the custom policy definitions. - ## Onboard the initiative as a custom standard (legacy) [Policy assignments](../governance/policy/concepts/assignment-structure.md) are used by Azure Policy to assign Azure resources to a policy or initiative. Here's how you do that: To onboard an initiative to a custom security standard in Defender for you, you need to include `"ASC":"true"` in the request body as shown here. The `ASC` field onboards the initiative to Microsoft Defender for Cloud. Here's an example of how to do that.- + ### Example to onboard a custom initiative -``` +```json PUT PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policySetDefinitions/{policySetDefinitionName}?api-version=2021-06-01 Here's an example of how to do that. This example shows you how to remove an assignment: -``` +```json DELETE https://management.azure.com/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}?api-version=2018-05-01 ``` ::: zone-end - ## Enhance custom recommendations (legacy) -The built-in recommendations supplied with Microsoft Defender for Cloud include details such as severity levels and remediation instructions. If you want to add this type of information to custom recommendations for Azure, use the REST API. 
+The built-in recommendations supplied with Microsoft Defender for Cloud include details such as severity levels and remediation instructions. If you want to add this type of information to custom recommendations for Azure, use the REST API. The two types of information you can add are: The metadata should be added to the policy definition for a policy that is part ```json "metadata": {- "securityCenter": { - "RemediationDescription": "Custom description goes here", - "Severity": "High" + "securityCenter": { + "RemediationDescription": "Custom description goes here", + "Severity": "High" }, ``` Here's another example of a custom policy including the metadata/securityCenter ```json { "properties": {- "displayName": "Security - ERvNet - AuditRGLock", - "policyType": "Custom", - "mode": "All", - "description": "Audit required resource groups lock", - "metadata": { - "securityCenter": { - "RemediationDescription": "Resource Group locks can be set via Azure Portal -> Resource Group -> Locks", - "Severity": "High" - } - }, - "parameters": { - "expressRouteLockLevel": { - "type": "String", - "metadata": { - "displayName": "Lock level", - "description": "Required lock level for ExpressRoute resource groups." 
- }, - "allowedValues": [ - "CanNotDelete", - "ReadOnly" - ] - } - }, - "policyRule": { - "if": { - "field": "type", - "equals": "Microsoft.Resources/subscriptions/resourceGroups" - }, - "then": { - "effect": "auditIfNotExists", - "details": { - "type": "Microsoft.Authorization/locks", - "existenceCondition": { - "field": "Microsoft.Authorization/locks/level", - "equals": "[parameters('expressRouteLockLevel')]" - } - } - } - } + "displayName": "Security - ERvNet - AuditRGLock", + "policyType": "Custom", + "mode": "All", + "description": "Audit required resource groups lock", + "metadata": { + "securityCenter": { + "RemediationDescription": "Resource Group locks can be set via Azure Portal -> Resource Group -> Locks", + "Severity": "High" + } + }, + "parameters": { + "expressRouteLockLevel": { + "type": "String", + "metadata": { + "displayName": "Lock level", + "description": "Required lock level for ExpressRoute resource groups." + }, + "allowedValues": [ + "CanNotDelete", + "ReadOnly" + ] + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Resources/subscriptions/resourceGroups" + }, + "then": { + "effect": "auditIfNotExists", + "details": { + "type": "Microsoft.Authorization/locks", + "existenceCondition": { + "field": "Microsoft.Authorization/locks/level", + "equals": "[parameters('expressRouteLockLevel')]" + } + } + } + } } } ``` For another example for using the securityCenter property, see [this section of the REST API documentation](/rest/api/defenderforcloud/assessments-metadata/create-in-subscription#examples). - ## Next steps - [Learn about](create-custom-recommendations.md) Defender for Cloud security standards and recommendations.-- [Learn about](create-custom-recommendations.md) creating custom standards for AWS accounts and GCP projects.+- [Learn about](create-custom-recommendations.md) creating custom standards for AWS accounts and GCP projects. |
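Review bot: The two fences retagged from plain to `json` wrap HTTP request lines (`PUT https://management.azure.com/subscriptions/...` and `DELETE https://management.azure.com/{scope}/...`), which are not JSON; tag them `http`, or put the request line outside the fence and keep only the request body under `json`. The onboarding example still reads "PUT PUT https://...", and the unchanged text around these hunks has "programatically" and "Defender for you", which could be fixed in the same pass. Both Next steps bullets link to create-custom-recommendations.md, so one of the two targets is probably wrong.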
defender-for-cloud | Data Aware Security Dashboard Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/data-aware-security-dashboard-overview.md | Title: The data-aware security dashboard -description: Learn about the capabilities and functions of the data-aware security view in Microsoft Defender for Cloud +description: Learn about the capabilities and functions of the data-aware security view in Microsoft Defender for Cloud. Previously updated : 12/18/2023 Last updated : 02/11/2024 -# Data security dashboard +# Data security dashboard (Preview) -The data security dashboard addresses the need for an interactive, data-centric security dashboard that illuminates significant risks to customers' sensitive data. This tool effectively prioritizes alerts and potential attack paths for data across multicloud data resources, making data protection management less overwhelming and more effective. +Microsoft Defender for Cloud's data security dashboard provides an interactive view of significant risks to sensitive data. It prioritizes alerts and potential attack paths across multicloud data resources, making data protection management more effective. -## Capabilities +With the data security dashboard you can: -- You can view a centralized summary of your cloud data estate that identifies the location of sensitive data, so that you can discover the most critical data resources affected.-- You can identify the data resources that are at risk and that require attention, so that you can prioritize actions that explore, prevent and respond to sensitive data breaches.-- Investigate active high severity threats that lead to sensitive data+- Easily locate and summarize sensitive data resources in your cloud data estate. +- Identify and prioritize data resources at risk to prevent and respond to sensitive data breaches. +- Investigate active high severity threats that lead to sensitive data. 
- Explore potential threats data by highlighting [attack paths](concept-attack-path.md) that lead to sensitive data. - Explore useful data insights by highlighting useful data queries in the [security explorer](how-to-manage-cloud-security-explorer.md). -You can select any element on the page to get more detailed information. +To access the data security dashboard in Defender for Cloud, select **Data Security**. -| Aspect | Details | -||| -|Release state: | Public Preview | -| Prerequisites: | Defender for CSPM fully enabled, including sensitive data discovery <br/> Workload protection for database and storage to explore active risks | -| Required roles and permissions: | No other roles needed on top of what is required for the security explorer. | -| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds <br/> :::image type="icon" source="./media/icons/no-icon.png"::: Azure Government <br/> :::image type="icon" source="./media/icons/no-icon.png"::: Azure China 21Vianet | ## Prerequisites -In order to view the dashboard, you must enable Defender CSPM and also enable the sensitive data discovery extensions button underneath. In addition, to receive the alerts for data sensitivity, you must also enable the Defender for Storage plan. +**To view the dashboard**: +- You must [enable Defender CSPM](tutorial-enable-cspm-plan.md). +- [Enable sensitive data discovery](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan) within the Defender CSPM plan. -The feature is turned on at the subscription level. +**To receive the alerts for data sensitivity**: -## Required permissions and roles --- To view the dashboard you must have either one of the following:-- - permissions: +- You must [enable Defender for Storage](tutorial-enable-storage-plan.md). 
- - Microsoft.Security/assessments/read - - Microsoft.Security/assessments/subassessments/read - - Microsoft.Security/alerts/read -- - the minimum required privileged RBAC role of **Security Reader**. +## Required permissions and roles -- Each Azure subscription must be registered for the **Microsoft.Security** resource provider:+**Permissions**: - 1. Sign-in to the Azure portal. - 1. Select the affected subscription. - 1. In the left-side menu, select the resource provider. +- Microsoft.Security/assessments/read +- Microsoft.Security/assessments/subassessments/read +- Microsoft.Security/alerts/read - :::image type="content" source="media/data-aware-security-dashboard/select-resource-provider.png" alt-text="Screenshot that shows where to select the resource provider." lightbox="media/data-aware-security-dashboard/select-resource-provider.png"::: +**Role** - the minimum required privileged role-based access control role of **Security explorer**. - 1. Search for and select the **Microsoft.Security** resource provider from the list. - 1. Select **Register**. +- Register each relevant Azure subscription to the [Microsoft.Security resource provider](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider). -Learn more about [how to register for Azure resource provider](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider). +> [!NOTE] +> The data security dashboard feature is turned on at the subscription level. ## Data security overview section The data security overview section provides a general overview of your cloud dat :::image type="content" source="media/data-aware-security-dashboard/data-security-overview.png" alt-text="Screenshot that shows the overview section of the data security view." 
lightbox="media/data-aware-security-dashboard/data-security-overview.png"::: -**By coverage status** - displays the limited data coverage for resources without Defender CSPM workload protection: +- **Coverage status** - displays the limited data coverage for resources without Defender CSPM workload protection: ++ - **Covered** ΓÇô resources that have the necessary Defender CSPM, or Defender for Storage, or Defender for Databases enabled. + - **Partially covered** ΓÇô missing either the Defender CSPM, Defender for Storage, or Defender for Storage plan. Select the tooltip to present a detailed view of what is missing. + - **Not covered** - resources that aren't covered by Defender CSPM, or Defender for Storage, or Defender for Databases. -- **Covered** ΓÇô resources that have the necessary Defender CSPM, or Defender for Storage, or Defender for Databases enabled.-- **Partially covered** ΓÇô missing either the Defender CSPM, Defender for Storage, or Defender for Storage plan. Select the tooltip to present a detailed view of what is missing. - **Sensitive resources** ΓÇô displays how many resources are sensitive.-- **Sensitive resources requiring attention** - displays the number of sensitive resources that have either high severity security alerts or attack paths.++ - **Sensitive resources requiring attention** - displays the number of sensitive resources that have either high severity security alerts or attack paths. ## Top issues The **Top issues** section provides a highlighted view of top active and potential risks to sensitive data. 
- **Sensitive data resources with high severity alerts** - summarizes the active threats to sensitive data resources and which data types are at risk.+ - **Sensitive data resources in attack paths** - summarizes the potential threats to sensitive data resources by presenting attack paths leading to sensitive data resources and which data types are at potential risk.+ - **Data queries in security explorer** - presents the top data-related queries in security explorer that helps focus on multicloud risks to sensitive data. :::image type="content" source="media/data-aware-security-dashboard/top-issues.png" alt-text="Screenshot that shows the top issues section of the data security view." lightbox="media/data-aware-security-dashboard/top-issues.png"::: The **Closer look** section provides a more detailed view into the sensitive dat :::image type="content" source="media/data-aware-security-dashboard/closer-look.png" alt-text="Screenshot that shows the closer look section of the data security dashboard." lightbox="media/data-aware-security-dashboard/closer-look.png"::: -You can select the **Manage data sensitivity settings** to get to the **Data sensitivity** page. The **Data sensitivity** page allows you to manage the data sensitivity settings of cloud resources at the tenant level, based on selective info types and labels originating from the Purview compliance portal, and [customize sensitivity settings](data-sensitivity-settings.md) such as creating your own customized info types and labels, and setting sensitivity label thresholds. +You can select the **Manage data sensitivity settings** to get to the **Data sensitivity** page. 
The **Data sensitivity** page allows you to manage the data sensitivity settings of cloud resources at the tenant level, based on selective info types and labels originating from the Purview compliance portal, and [customize sensitivity settings](data-sensitivity-settings.md) such as creating your own customized info types and labels, and setting sensitivity label thresholds. :::image type="content" source="media/data-aware-security-dashboard/manage-security-sensitivity-settings.png" alt-text="Screenshot that shows where to access managing data sensitivity settings." lightbox="media/data-aware-security-dashboard/manage-security-sensitivity-settings.png"::: ### Data resources security status -**Sensitive resources status over time** - displays how data security evolves over time with a graph that shows the number of sensitive resources affected by alerts, attack paths, and recommendations within a defined period (last 30, 14, or 7 days). +**Sensitive resources status over time** - displays how data security evolves over time with a graph that shows the number of sensitive resources affected by alerts, attack paths, and recommendations within a defined period (last 30, 14, or 7 days). :::image type="content" source="media/data-aware-security-dashboard/data-resources-security-status.png" alt-text="Screenshot that shows the data resources security status section of the data security view." lightbox="media/data-aware-security-dashboard/data-resources-security-status.png"::: |
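Review bot: the Required permissions and roles hunk changes the minimum role from **Security Reader** to **Security explorer**, but elsewhere on this page "security explorer" is the name of the query feature rather than a role, so confirm that it is an assignable role name or restore **Security Reader**. The same hunk drops the "either one of the following" wording, so the text no longer says whether the three `Microsoft.Security/*/read` permissions and the role are alternatives or are both required, and the resource provider registration step now sits as a bullet under the **Role** line. In the coverage list, the moved "Partially covered" line still names Defender for Storage twice ("Defender CSPM, Defender for Storage, or Defender for Storage plan") where the neighbouring items list Defender for Databases. The removed Aspect table was also where the page stated that Azure Government and Azure China 21Vianet are not supported, and none of the added lines carries that over.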
defender-for-cloud | Defender For Apis Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-apis-manage.md | You can learn more about how to [build queries with cloud security explorer](how ## Next steps [Learn about](defender-for-apis-introduction.md) Defender for APIs.-- |
defender-for-cloud | Defender For Apis Prepare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-apis-prepare.md | Review the requirements on this page before setting up [Microsoft Defender for A ## Cloud and region support Defender for APIs is available in the Azure commercial cloud, in these regions:+ - Asia (Southeast Asia, EastAsia) - Australia (Australia East, Australia Southeast, Australia Central, Australia Central 2) - Brazil (Brazil South, Brazil Southeast) Defender for APIs is available in the Azure commercial cloud, in these regions: Review the latest cloud support information for Defender for Cloud plans and features in the [cloud support matrix](support-matrix-cloud-environment.md). - ## API support **Feature** | **Supported**- | + | Availability | This feature is available in the Premium, Standard, Basic, and Developer tiers of Azure API Management.-API gateways | Azure API Management<br/><br/> Defender for APIs currently doesn't onboard APIs that are exposed using the API Management [self-hosted gateway](../api-management/self-hosted-gateway-overview.md), or managed using API Management [workspaces](../api-management/workspaces-overview.md). +API gateways | Azure API Management<br/><br/> Defender for APIs currently doesn't onboard APIs that are exposed using the API Management [self-hosted gateway](../api-management/self-hosted-gateway-overview.md), or managed using API Management [workspaces](../api-management/workspaces-overview.md). API types | Currently, Defender for APIs discovers and analyzes REST APIs. Multi-region support | There is currently limited support for API security insights for APIs published in Azure API Management multi-region deployments. Security insights, including data classifications, assessments of inactive APIs, unauthenticated APIs, and external APIs, is limited to supporting API traffic to the primary region (no support for security insights for secondary regions). 
All security detections and subsequently generated security alerts will work for API traffic sent to both primary and secondary regions. Multi-region support | There is currently limited support for API security insig To explore API security risks using Cloud Security Explorer, the Defender Cloud Security Posture Management (CSPM) plan must be enabled. [Learn more](concept-cloud-security-posture-management.md). - ## Onboarding requirements Onboarding requirements for Defender for APIs are as follows. Onboarding location | You can [enable Defender for APIs in the Defender for Clou ## Next steps [Enable and onboard](defender-for-apis-deploy.md) Defender for APIs.- |
defender-for-cloud | Defender For Apis Validation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-apis-validation.md | This page will walk you through the steps to trigger an alert for one of your AP 1. In the value field enter **javascript:**. - :::image type="content" source="media/defender-for-apis-validation/postman-keys.png" alt-text="Screenshot that shows where to enter the keys and their values in Postman."::: + :::image type="content" source="media/defender-for-apis-validation/postman-keys.png" alt-text="Screenshot that shows where to enter the keys and their values in Postman."::: 1. Select **Send** |
defender-for-cloud | Defender For Containers Vulnerability Assessment Azure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + > [!IMPORTANT] > > The Defender for Cloud Containers Vulnerability Assessment powered by Qualys is now on a retirement path completing on **March 1st, 2024**. If you are currently using container vulnerability assessment powered by Qualys, start planning your transition to [Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management](agentless-vulnerability-assessment-azure.md). |
defender-for-cloud | Defender For Containers Vulnerability Assessment Elastic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-containers-vulnerability-assessment-elastic.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + Defender for Containers lets you scan the container images stored in your Amazon AWS Elastic Container Registry (ECR) as part of the protections provided within Microsoft Defender for Cloud. To enable scanning of vulnerabilities in containers, you have to [connect your AWS account to Defender for Cloud](quickstart-onboard-aws.md) and [enable Defender for Containers](defender-for-containers-enable.md). The agentless scanner, powered by the open-source scanner Trivy, scans your ECR repositories and reports vulnerabilities. Vulnerability findings for an image are still shown in the recommendation for 48 1. When you're sure the updated image has been pushed, scanned, and is no longer appearing in the recommendation, delete the ΓÇ£oldΓÇ¥ vulnerable image from your registry. -<!-- +<!-- ## Disable specific findings > [!NOTE] |
defender-for-cloud | Defender For Databases Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-databases-introduction.md | Threat intelligence enriched security alerts are triggered when there are: > [!TIP] > View the full list of security alerts for database servers [in the alerts reference page](alerts-reference.md#alerts-osrdb). -- ## Next steps In this article, you learned about Microsoft Defender for open-source relational databases. |
defender-for-cloud | Defender For Dns Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-dns-introduction.md | In this article, you learned about Microsoft Defender for DNS. For related material, see the following article: Security alerts might be generated by Defender for Cloud or received from other security products. To export all of these alerts to Microsoft Sentinel, any third-party SIEM, or any other external tool, follow the instructions in [Exporting alerts to a SIEM](continuous-export.md).- |
defender-for-cloud | Defender For Key Vault Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-key-vault-introduction.md | -Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. +Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. -Enable **Microsoft Defender for Key Vault** for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. +Enable **Microsoft Defender for Key Vault** for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. ## Availability Enable **Microsoft Defender for Key Vault** for Azure-native, advanced threat pr |Pricing:|**Microsoft Defender for Key Vault** is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/)| |Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Microsoft Azure operated by 21Vianet)| - ## What are the benefits of Microsoft Defender for Key Vault? Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts. This layer of protection helps you address threats even if you're not a security expert, and without the need to manage third-party security monitoring systems. -When anomalous activities occur, Defender for Key Vault shows alerts and optionally sends them via email to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats. 
+When anomalous activities occur, Defender for Key Vault shows alerts and optionally sends them via email to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats. ## Microsoft Defender for Key Vault alerts+ When you get an alert from Microsoft Defender for Key Vault, we recommend you investigate and respond to the alert as described in [Respond to Microsoft Defender for Key Vault](defender-for-key-vault-usage.md). Microsoft Defender for Key Vault protects applications and credentials, so even if you're familiar with the application or user that triggered the alert, it's important to check the situation surrounding every alert. The alerts appear in Key Vault's **Security** page, the Workload protections, and Defender for Cloud's security alerts page. :::image type="content" source="./media/defender-for-key-vault-intro/key-vault-security-page.png" alt-text="Azure Key Vault's security page"::: - > [!TIP] > You can simulate Microsoft Defender for Key Vault alerts by following the instructions in [Validating Azure Key Vault threat detection in Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/azure-security-center/validating-azure-key-vault-threat-detection-in-azure-security/ba-p/1220336). - ## Respond to Microsoft Defender for Key Vault alerts+ When you receive an alert from [Microsoft Defender for Key Vault](defender-for-key-vault-introduction.md), we recommend you investigate and respond to the alert as described below. Microsoft Defender for Key Vault protects applications and credentials, so even if you're familiar with the application or user that triggered the alert, it's important to verify the situation surrounding every alert. 
Alerts from Microsoft Defender for Key Vault includes these elements: - Object ID-- User Principal Name or IP address of the suspicious resource +- User Principal Name or IP address of the suspicious resource Depending on the *type* of access that occurred, some fields might not be available. For example, if your key vault was accessed by an application, you won't see an associated User Principal Name. If the traffic originated from outside of Azure, you won't see an Object ID. Depending on the *type* of access that occurred, some fields might not be availa 1. Verify whether the traffic originated from within your Azure tenant. If the key vault firewall is enabled, it's likely that you've provided access to the user or application that triggered this alert. 1. If you can't verify the source of the traffic, continue to [Step 2. Respond accordingly](#step-2-respond-accordingly).-1. If you can identify the source of the traffic in your tenant, contact the user or owner of the application. +1. If you can identify the source of the traffic in your tenant, contact the user or owner of the application. > [!CAUTION] > Microsoft Defender for Key Vault is designed to help identify suspicious activity caused by stolen credentials. **Don't** dismiss the alert simply because you recognize the user or application. Contact the owner of the application or the user and verify the activity was legitimate. You can create a suppression rule to eliminate noise if necessary. Learn more in [Suppress security alerts](alerts-suppression-rules.md). +### Step 2: Respond accordingly -### Step 2: Respond accordingly If you don't recognize the user or application, or if you think the access shouldn't have been authorized: - If the traffic came from an unrecognized IP Address: If you don't recognize the user or application, or if you think the access shoul 1. Determine whether there's a need to reduce or revoke Microsoft Entra permissions. 
### Step 3: Measure the impact+ When the event has been mitigated, investigate the secrets in your key vault that were affected:+ 1. Open the **Security** page on your Azure key vault and view the triggered alert. 1. Select the specific alert that was triggered and review the list of the secrets that were accessed and the timestamp. 1. Optionally, if you have key vault diagnostic logs enabled, review the previous operations for the corresponding caller IP, user principal, or object ID. -### Step 4: Take action +### Step 4: Take action + When you've compiled your list of the secrets, keys, and certificates that were accessed by the suspicious user or application, you should rotate those objects immediately. 1. Affected secrets should be disabled or deleted from your key vault. When you've compiled your list of the secrets, keys, and certificates that were In this article, you learned about Microsoft Defender for Key Vault. -For related material, see the following articles: +For related material, see the following articles: - [Key Vault security alerts](alerts-reference.md#alerts-azurekv)--The Key Vault section of the reference table for all Microsoft Defender for Cloud alerts - [Continuously export Defender for Cloud data](continuous-export.md) |
defender-for-cloud | Defender For Resource Manager Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-resource-manager-introduction.md | -The cloud management layer is a crucial service connected to all your cloud resources. Because of this, it is also a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely. +The cloud management layer is a crucial service connected to all your cloud resources. Because of this, it is also a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely. Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender for Cloud runs advanced security analytics to detect threats and alerts you about suspicious activity. Microsoft Defender for Resource Manager automatically monitors the resource mana |Pricing:|**Microsoft Defender for Resource Manager** is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/)| |Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Microsoft Azure operated by 21Vianet| - ## What are the benefits of Microsoft Defender for Resource Manager? Microsoft Defender for Resource Manager protects against issues including: |
defender-for-cloud | Defender For Resource Manager Usage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-resource-manager-usage.md | Security alerts from Defender for Resource Manager are based on threats detected Defender for Resource Manager provides visibility into activity that comes from third party service providers that have delegated access as part of the resource manager alerts. For example, `Azure Resource Manager operation from suspicious proxy IP address - delegated access`. -`Delegated access` refers to access with [Azure Lighthouse](/azure/lighthouse/overview) or with [Delegated administration privileges](/partner-center/dap-faq). +`Delegated access` refers to access with [Azure Lighthouse](/azure/lighthouse/overview) or with [Delegated administration privileges](/partner-center/dap-faq). Alerts that show `Delegated access` also include a customized description and remediation steps. To investigate security alerts from Defender for Resource > [!TIP] > For a better, richer investigation experience, stream your Azure activity logs to Microsoft Sentinel as described in [Connect data from Azure Activity log](../sentinel/data-connectors/azure-activity.md). -## Step 3: Immediate mitigation +## Step 3: Immediate mitigation 1. Remediate compromised user accounts: - If theyΓÇÖre unfamiliar, delete them as they might have been created by a threat actor This page explained the process of responding to an alert from Defender for Reso - [Overview of Microsoft Defender for Resource Manager](defender-for-resource-manager-introduction.md) - [Suppress security alerts](alerts-suppression-rules.md) - [Continuously export Defender for Cloud data](continuous-export.md)- |
defender-for-cloud | Overview Page | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/overview-page.md | The center of the page displays the **feature tiles**, each linking to a high pr - **Security posture** - Defender for Cloud continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can understand, at a glance, your current security situation: the higher the score, the lower the identified risk level. [Learn more](secure-score-security-controls.md). - **Workload protections** - This is the cloud workload protection platform (CWPP) integrated within Defender for Cloud for advanced, intelligent protection of your workloads running on Azure, on-premises machines, or other cloud providers. For each resource type, there's a corresponding Microsoft Defender plan. The tile shows the coverage of your connected resources (for the currently selected subscriptions) and the recent alerts, color-coded by severity. Learn more about [the Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads).-- **Regulatory compliance** - Defender for Cloud provides insights into your compliance posture based on continuous assessments of your Azure environment. Defender for Cloud analyzes risk factors in your environment according to security best practices. These assessments are mapped to compliance controls from a supported set of standards. [Learn more](regulatory-compliance-dashboard.md).+- **Regulatory compliance** - Based on continuous assessments of your hybrid and multi-cloud resources, Defender for Cloud provides insights into your compliance with the standards that matter to your organization. Defender for Cloud analyzes risk factors in your environment according to security best practices. These assessments are mapped to compliance controls from a supported set of standards. [Learn more](regulatory-compliance-dashboard.md). 
- **Inventory** - The asset inventory page of Microsoft Defender for Cloud provides a single page for viewing the security posture of the resources you've connected to Microsoft Defender for Cloud. All resources with unresolved security recommendations are shown in the inventory. If you've enabled the integration with Microsoft Defender for Endpoint and enabled Microsoft Defender for Servers, you'll also have access to a software inventory. The tile on the overview page shows you at a glance the total healthy and unhealthy resources (for the currently selected subscriptions). [Learn more](asset-inventory.md). ## Insights |
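Review bot: the rewritten **Regulatory compliance** bullet spells "multi-cloud" with a hyphen, while the other articles in this update write "multicloud" ("multicloud data resources", "multicloud support in Microsoft Purview Compliance Manager"), so pick one spelling. The new opening sentence also replaces the concrete "your compliance posture" with "the standards that matter to your organization" while the next two sentences are unchanged, so check that the tile description still reads as one statement about continuous assessment mapped to supported standards.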
defender-for-cloud | Regulatory Compliance Dashboard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/regulatory-compliance-dashboard.md | Title: Improve regulatory compliance in Microsoft Defender for Cloud description: Learn how to improve regulatory compliance in Microsoft Defender for Cloud. Previously updated : 06/18/2023 Last updated : 02/11/2024 # Improve regulatory compliance When you add any standard to your compliance dashboard (including compliance sta Compliance Manager thus provides improvement actions and status across your cloud infrastructure and all other digital assets in this central tool. For more information, see [multicloud support in Microsoft Purview Compliance Manager](/microsoft-365/compliance/compliance-manager-multicloud). --- ## Before you start - By default, when you enable Defender for Cloud on an Azure subscription, AWS account, or GCP plan, the MCSB plan is enabled-- You can add additional non-default compliance standards when at least one paid plan is enabled in Defender for Cloud.+- You can add more non-default compliance standards when at least one paid plan is enabled in Defender for Cloud. - You must be signed in with an account that has reader access to the policy compliance data. The **Reader** role for the subscription has access to the policy compliance data, but the **Security Reader** role doesn't. At a minimum, you need to have **Resource Policy Contributor** and **Security Admin** roles assigned. - ## Assess regulatory compliance The **Regulatory compliance** dashboard shows which compliance standards are enabled. It shows the controls within each standard, and security assessments for those controls. The status of these assessments reflects your compliance with the standard. The dashboard helps you to focus on gaps in standards, and to monitor compliance over time. --1. In the Defender for Cloud portal open the **Regulatory compliance** page. +1. 
In the Defender for Cloud portal, open the **Regulatory compliance** page. :::image type="content" source="./media/regulatory-compliance-dashboard/compliance-drilldown.png" alt-text="Screenshot that shows the exploration of the details of compliance with a specific standard." lightbox="media/regulatory-compliance-dashboard/compliance-drilldown.png"::: You can use information in the dashboard to investigate issues that might affect 1. Select **Control details**. - :::image type="content" source="media/regulatory-compliance-dashboard/control-detail.png" alt-text="Screenshot that shows you where to navigate to select control details on the screen."::: + :::image type="content" source="media/regulatory-compliance-dashboard/control-detail.png" alt-text="Screenshot that shows you where to navigate to select control details on the screen." lightbox="media/regulatory-compliance-dashboard/control-detail.png"::: - Select **Overview** to see the specific information about the Control you selected. - Select **Your Actions** to see a detailed view of automated and manual actions you need to take to improve your compliance posture. You can use information in the dashboard to investigate issues that might affect 1. Under **Your Actions**, you can select a down arrow to view more details and resolve the recommendation for that resource. - :::image type="content" source="media/regulatory-compliance-dashboard/down-arrow.png" alt-text="Screenshot that shows you where the down arrow is on the screen."::: + :::image type="content" source="media/regulatory-compliance-dashboard/down-arrow.png" alt-text="Screenshot that shows you where the down arrow is on the screen." lightbox="media/regulatory-compliance-dashboard/down-arrow.png"::: For more information about how to apply recommendations, see [Implementing security recommendations in Microsoft Defender for Cloud](review-security-recommendations.md). 
You can use information in the dashboard to investigate issues that might affect The regulatory compliance has both automated and manual assessments that might need to be remediated. Using the information in the regulatory compliance dashboard, improve your compliance posture by resolving recommendations directly within the dashboard. - 1. In the Defender for Cloud portal, open **Regulatory compliance**. 1. Select a regulatory compliance standard, and select a compliance control to expand it. The regulatory compliance has both automated and manual assessments that might n 1. Select a particular resource to view more details and resolve the recommendation for that resource. <br>For example, in the **Azure CIS 1.1.0** standard, select the recommendation **Disk encryption should be applied on virtual machines**. - :::image type="content" source="./media/regulatory-compliance-dashboard/sample-recommendation.png" alt-text="Screenshot that shows that selecting a recommendation from a standard leads directly to the recommendation details page."::: + :::image type="content" source="./media/regulatory-compliance-dashboard/sample-recommendation.png" alt-text="Screenshot that shows that selecting a recommendation from a standard leads directly to the recommendation details page." lightbox="media/regulatory-compliance-dashboard/sample-recommendation.png"::: 1. 
In this example, when you select **Take action** from the recommendation details page, you arrive in the Azure Virtual Machine pages of the Azure portal, where you can enable encryption from the **Security** tab: - :::image type="content" source="./media/regulatory-compliance-dashboard/encrypting-vm-disks.png" alt-text="Screenshot that shows the take action button on the recommendation details page leads to the remediation options."::: + :::image type="content" source="./media/regulatory-compliance-dashboard/encrypting-vm-disks.png" alt-text="Screenshot that shows the take action button on the recommendation details page leads to the remediation options." lightbox="media/regulatory-compliance-dashboard/encrypting-vm-disks.png"::: For more information about how to apply recommendations, see [Implementing security recommendations in Microsoft Defender for Cloud](review-security-recommendations.md). 1. After you take action to resolve recommendations, you'll see the result in the compliance dashboard report because your compliance score improves. --Assessments run approximately every 12 hours, so you will see the impact on your compliance data only after the next run of the relevant assessment. +Assessments run approximately every 12 hours, so you'll see the impact on your compliance data only after the next run of the relevant assessment. ## Remediate a manual assessment The regulatory compliance has automated and manual assessments that might need to be remediated. Manual assessments are assessments that require input from the customer to remediate them. - 1. In the Defender for Cloud portal, open **Regulatory compliance**. 1. Select a regulatory compliance standard, and select a compliance control to expand it. The regulatory compliance has automated and manual assessments that might need t The report provides a high-level summary of your compliance status for the selected standard based on Defender for Cloud assessments data. 
The report's organized according to the controls of that particular standard. The report can be shared with relevant stakeholders, and might provide evidence to internal and external auditors. - :::image type="content" source="./media/regulatory-compliance-dashboard/download-report.png" alt-text="Screenshot that shows using the toolbar in Defender for Cloud's regulatory compliance dashboard to download compliance reports."::: + :::image type="content" source="./media/regulatory-compliance-dashboard/download-report.png" alt-text="Screenshot that shows using the toolbar in Defender for Cloud's regulatory compliance dashboard to download compliance reports." lightbox="media/regulatory-compliance-dashboard/download-report.png"::: 1. To download Azure and Dynamics **certification reports** for the standards applied to your subscriptions, use the **Audit reports** option. - :::image type="content" source="media/release-notes/audit-reports-regulatory-compliance-dashboard.png" alt-text="Screenshot that shows using the toolbar in Defender for Cloud's regulatory compliance dashboard to download Azure and Dynamics certification reports."::: + :::image type="content" source="media/release-notes/audit-reports-regulatory-compliance-dashboard.png" alt-text="Screenshot that shows using the toolbar in Defender for Cloud's regulatory compliance dashboard to download Azure and Dynamics certification reports." lightbox="media/release-notes/audit-reports-regulatory-compliance-dashboard.png"::: 1. 
Select the tab for the relevant reports types (PCI, SOC, ISO, and others) and use filters to find the specific reports you need: - :::image type="content" source="media/release-notes/audit-reports-list-regulatory-compliance-dashboard-ga.png" alt-text="Screenshot that shows filtering the list of available Azure Audit reports using tabs and filters."::: + :::image type="content" source="media/release-notes/audit-reports-list-regulatory-compliance-dashboard-ga.png" alt-text="Screenshot that shows filtering the list of available Azure Audit reports using tabs and filters." lightbox="media/release-notes/audit-reports-list-regulatory-compliance-dashboard-ga.png"::: For example, from the PCI tab you can download a ZIP file containing a digitally signed certificate demonstrating Microsoft Azure, Dynamics 365, and Other Online Services' compliance with ISO22301 framework, together with the necessary collateral to interpret and present the certificate. - When you download one of these certification reports, you'll be shown the following privacy notice:- + _By downloading this file, you are giving consent to Microsoft to store the current user and the selected subscriptions at the time of download. This data is used in order to notify you in case of changes or updates to the downloaded audit report. This data is used by Microsoft and the audit firms that produce the certification/reports only when notification is required._ ### Check compliance offerings status Use continuous export data to an Azure Event Hubs or a Log Analytics workspace: :::image type="content" source="media/regulatory-compliance-dashboard/export-compliance-data-snapshot.png" alt-text="Screenshot that shows how to continuously export a weekly snapshot of regulatory compliance data." lightbox="media/regulatory-compliance-dashboard/export-compliance-data-snapshot.png"::: > [!TIP]-> You can also manually export reports about a single point in time directly from the regulatory compliance dashboard. 
Generate these **PDF/CSV reports** or **Azure and Dynamics certification reports** using the **Download report** or **Audit reports** toolbar options. +> You can also manually export reports about a single point in time directly from the regulatory compliance dashboard. Generate these **PDF/CSV reports** or **Azure and Dynamics certification reports** using the **Download report** or **Audit reports** toolbar options. ## Trigger a workflow when assessments change For example, you might want Defender for Cloud to email a specific user when a c To learn more, see these related pages: - [Customize the set of standards in your regulatory compliance dashboard](update-regulatory-compliance-packages.md) - Learn how to select which standards appear in your regulatory compliance dashboard.-- [Managing security recommendations in Defender for Cloud](review-security-recommendations.md) - Learn how to use recommendations in Defender for Cloud to help protect your Azure resources.+- [Managing security recommendations in Defender for Cloud](review-security-recommendations.md) - Learn how to use recommendations in Defender for Cloud to help protect your multicloud resources. - Check out [common questions](faq-regulatory-compliance.yml) about regulatory compliance. |
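Review bot: in the audit-reports step, the unchanged example says "from the PCI tab you can download a ZIP file" and then describes compliance "with ISO22301 framework", so the tab and the standard named in one sentence do not agree; check which one is meant and make them match. The added `lightbox` attributes also use `media/...` where the `source` on the same line uses `./media/...` (sample-recommendation, encrypting-vm-disks, download-report); pick one form for both attributes. In "Before you start", "the MCSB plan is enabled" still has no closing period.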
defender-for-cloud | Remediate Vulnerability Findings Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/remediate-vulnerability-findings-vm.md | Last updated 11/09/2021 # View and remediate findings from vulnerability assessment solutions on your VMs +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + When your vulnerability assessment tool reports vulnerabilities to Defender for Cloud, Defender for Cloud presents the findings and related information as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific VM. ## View findings from the scans of your virtual machines |
defender-for-cloud | Review Security Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/review-security-recommendations.md | It's important to review all of the details related to a recommendation before t - **Last change date** - The date this recommendation last had a change - **Owner** - The person assigned to this recommendation. - **Due date** - The assigned date the recommendation must be resolved by.- - **Findings by severity** - The total findings by severity. + - **Severity** - The severity of the recommendation (High, Medium, or Low). More details below. - **Tactics & techniques** - The tactics and techniques mapped to MITRE ATT&CK. :::image type="content" source="./media/review-security-recommendations/recommendation-details-page.png" alt-text="Screenshot of the recommendation details page with labels for each element." lightbox="./media/security-policy-concept/recommendation-details-page.png"::: You can perform many actions to interact with recommendations. If an option isn' :::image type="content" source="media/review-security-recommendations/recommendation-graph.png" alt-text="Screenshot of the graph tab in a recommendation that shows all of the attack paths for that recommendation." lightbox="media/review-security-recommendations/recommendation-graph.png"::: +## How are recommendations classified? ++Every security recommendation from Defender for Cloud is assigned one of three severity ratings: + +- **High severity**: These recommendations should be addressed immediately, as they indicate a critical security vulnerability that could be exploited by an attacker to gain unauthorized access to your systems or data. Examples of high severity recommendations are when weΓÇÖve discovered unprotected secrets on a machine, overly-permissive inbound NSG rules, clusters allowing images to be deployed from untrusted registries, and unrestricted public access to storage accounts or databases. 
++- **Medium severity**: These recommendations indicate a potential security risk that should be addressed in a timely manner, but may not require immediate attention. Examples of medium severity recommendations might include containers sharing sensitive host namespaces, web apps not using managed identities, Linux machines not requiring SSH keys during authentication, and unused credentials being left in the system after 90 days of inactivity. ++- **Low severity**: These recommendations indicate a relatively minor security issue that can be addressed at your convenience. Examples of low severity recommendations might include the need to disable local authentication in favor of Microsoft Entra ID, health issues with your endpoint protection solution, best practices not being followed with network security groups, or misconfigured logging settings that could make it harder to detect and respond to security incidents. + +Of course, the internal views of an organization might differ with MicrosoftΓÇÖs classification of a specific recommendation. So, it's always a good idea to review each recommendation carefully and consider its potential impact on your security posture before deciding how to address it. + ## Manage recommendations assigned to you Defender for Cloud supports governance rules for recommendations, to specify a recommendation owner or due date for action. Governance rules help ensure accountability and an SLA for recommendations. |
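Review bot: the new **Severity** bullet ends with "More details below.", which gives the reader nothing to follow; link it to the section this change adds, for example `[How are recommendations classified?](#how-are-recommendations-classified)`. In the added section, the apostrophes in "weΓÇÖve" and "MicrosoftΓÇÖs" are not plain ASCII and show up as garbled bytes here, so use straight apostrophes, and "differ with" should read "differ from". The unchanged image line above points `source` at `review-security-recommendations/` but `lightbox` at `security-policy-concept/`, which is worth correcting in the same pass.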
defender-for-cloud | Secret Scanning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/secret-scanning.md | Title: Manage secrets with agentless secrets scanning description: Learn how to scan your servers for secrets with Defender for Server's agentless secrets scanning. Previously updated : 12/20/2023 Last updated : 01/22/2024 # Manage secrets with agentless secrets scanning Attackers can move laterally across networks, find sensitive data, and exploit v Defender for Cloud's agentless secrets scanning for Virtual Machines (VM) locates plaintext secrets that exist in your environment. If secrets are detected, Defender for Cloud can assist your security team to prioritize and take actionable remediation steps to minimize the risk of lateral movement, all without affecting your machine's performance. -By using agentless secrets scanning, you can proactively discover the following types of secrets across your environments (in Azure, AWS and GCP cloud providers): +By using agentless secrets scanning, you can proactively discover the following types of secrets across your environments (in Azure, AWS, and GCP cloud providers): - Insecure SSH private keys: By using agentless secrets scanning, you can proactively discover the following - Plaintext OpenAI API Key. - Plaintext Azure Batch Shared Access Key. - Plaintext NPM Author Token.-- Plaintext Azure Subscription Management Certificate. +- Plaintext Azure Subscription Management Certificate. Secrets findings can be found using the [Cloud Security Explorer](#remediate-secrets-with-cloud-security-explorer) and the [Secrets tab](#remediate-secrets-from-your-asset-inventory) with their metadata like secrets type, file name, file path, last access time, and more. 
-The following secrets can also be accessed from the `Security Recommendations` and `Attack Path`, across Azure, AWS and GCP cloud providers: +The following secrets can also be accessed from the `Security Recommendations` and `Attack Path`, across Azure, AWS, and GCP cloud providers: - Insecure SSH private keys: - Supporting RSA algorithm for PuTTy files. - PKCS#8 and PKCS#1 standards. - OpenSSH standard.+ - Plaintext Azure database connection string: - Plaintext Azure SQL connection strings, supports SQL PAAS. The following secrets can also be accessed from the `Security Recommendations` a - Plaintext Azure database for MySQL. - Plaintext Azure database for MariaDB. - Plaintext Azure Cosmos DB, including PostgreSQL, MySQL and MariaDB.+ - Plaintext AWS RDS connection string, supports SQL PAAS: - Plaintext Amazon Aurora with Postgres and MySQL flavors. The agentless scanner verifies whether SSH private keys can be used to move late - An Azure account. If you don't already have an Azure account, you can [create your Azure free account today](https://azure.microsoft.com/free/). -- Access to [Defender for Cloud](get-started.md)+- Access to [Defender for Cloud](get-started.md). - [Enable](enable-enhanced-security.md#enable-defender-plans-to-get-the-enhanced-security-features) either or both of the following two plans: - [Defender for Servers Plan 2](plan-defender-for-servers-select-plan.md) For requirements for agentless scanning, see [Learn about agentless scanning](co ## Remediate secrets with attack path -Attack path analysis is a graph-based algorithm that scans your [cloud security graph](concept-attack-path.md#what-is-cloud-security-graph). These scans expose exploitable paths that attackers might use to breach your environment to reach your high-impact assets. Attack path analysis exposes attack paths and suggests recommendations as to how best remediate issues that break the attack path and prevent successful breach. 
+Attack path analysis is a graph-based algorithm that scans your [cloud security graph](concept-attack-path.md#what-is-cloud-security-graph). These scans expose exploitable paths that attackers might use to breach your environment to reach your high-impact assets. Attack path analysis exposes attack paths and suggests recommendations for how to best remediate issues that break the attack path and prevent successful breach. Attack path analysis takes into account the contextual information of your environment to identify issues that might compromise it. This analysis helps prioritize the riskiest issues for faster remediation. -The attack path page shows an overview of your attack paths, affected resources and a list of active attack paths. +The attack path page shows an overview of your attack paths, affected resources, and a list of active attack paths. ### Azure VM supported attack path scenarios Agentless secrets scanning for GCP VM instances supports the following attack pa ## Remediate secrets with recommendations -If a secret is found on your resource, that resource triggers an affiliated recommendation that is located under the Remediate vulnerabilities security control on the Recommendations page. Depending on your resources, either or both of the following recommendations appear: +If a secret is found on your resource, that resource triggers an affiliated recommendation that is located under the Remediate vulnerabilities security control on the Recommendations page. 
Depending on your resources, one or more of the following recommendations appears: - **Azure resources**: `Machines should have secrets findings resolved` -- **AWS resources**: `EC2 instances should have secret findings resolved`+- **AWS resources**: `EC2 instances should have secrets findings resolved` -- **GCP resources**: `VM instances should have secret findings resolved`+- **GCP resources**: `VM instances should have secrets findings resolved` **To remediate secrets from the recommendations page**: If a secret is found on your resource, that resource triggers an affiliated reco 1. Expand the **Remediate vulnerabilities** security control. -1. Select either: +1. Select one of the following: - - **Azure resources**: `Machines should have secret findings resolved` - - **AWS resources**: `EC2 instances should have secret findings resolved` - - **GCP resources**: `VM instances should have secret findings resolved` + - **Azure resources**: `Machines should have secrets findings resolved` + - **AWS resources**: `EC2 instances should have secrets findings resolved` + - **GCP resources**: `VM instances should have secrets findings resolved` :::image type="content" source="media/secret-scanning/recommendation-findings.png" alt-text="Screenshot that shows either of the two results under the Remediate vulnerabilities security control." lightbox="media/secret-scanning/recommendation-findings.png"::: If a secret is found on your resource, that resource triggers an affiliated reco 1. Expand **Affected resources** to review the resources affected by this secret. -1. (Optional) You can select an affected resource to see that resources information. +1. (Optional) You can select an affected resource to see that resource's information. -Secrets that don't have a known attack path, are referred to as `secrets without an identified target resource`. +Secrets that don't have a known attack path are referred to as `secrets without an identified target resource`. 
## Remediate secrets with cloud security explorer The [cloud security explorer](concept-attack-path.md#what-is-cloud-security-expl - **VM with plaintext secret that can authenticate to another VM** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access other VMs or EC2s. - **VM with plaintext secret that can authenticate to a storage account** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access storage accounts.- - **VM with plaintext secret that can authenticate to a SQL database** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access SQL databases. + - **VM with plaintext secret that can authenticate to an SQL database** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access SQL databases. -If you don't want to use any of the available templates, you can also [build your own query](how-to-manage-cloud-security-explorer.md) on the cloud security explorer. +If you don't want to use any of the available templates, you can also [build your own query](how-to-manage-cloud-security-explorer.md) in the cloud security explorer. ## Remediate secrets from your asset inventory Different types of secrets have different sets of additional information. For ex ## Next steps -- [Use asset inventory to manage your resources' security posture](asset-inventory.md)+- [Use asset inventory to manage your resources' security posture](asset-inventory.md). |
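Review bot: the recommendations sentence now says "one or more of the following recommendations appears" and lists three names, but the unchanged alt-text under "Select one of the following" still reads "either of the two results under the Remediate vulnerabilities security control"; update the alt-text to match the three options. "appears" should be "appear" to agree with "one or more". The context line "Supporting RSA algorithm for PuTTy files" also misspells PuTTY.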
defender-for-cloud | Support Matrix Cloud Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/support-matrix-cloud-environment.md | In the support table, **NA** indicates that the feature isn't available. |[Recommendation exemptions](exempt-resource.md) | Preview | NA | NA| |[Secure score](secure-score-security-controls.md) | GA | GA | GA| |[DevOps security posture](concept-devops-environment-posture-management-overview.md) | Preview | NA | NA|+| **DEFENDER CSPM FEATURES** | | | | +| [Data security dashboard](data-aware-security-dashboard-overview.md) | Preview | NA | NA | |**DEFENDER FOR CLOUD PLANS** | | || |[Defender CSPM](concept-cloud-security-posture-management.md)| GA | NA | NA| |[Defender for APIs](defender-for-apis-introduction.md). | GA | NA | NA| |
defender-for-cloud | Support Matrix Defender For Containers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/support-matrix-defender-for-containers.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + This article summarizes support information for Container capabilities in Microsoft Defender for Cloud. > [!NOTE] |
defender-for-cloud | Upcoming Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/upcoming-changes.md | Title: Important upcoming changes -description: Upcoming changes to Microsoft Defender for Cloud that you might need to be aware of and for which you might need to plan +description: Upcoming changes to Microsoft Defender for Cloud that you might need to be aware of and for which you might need to plan. Previously updated : 02/01/2024 Last updated : 02/11/2024 # Important upcoming changes to Microsoft Defender for Cloud If you're looking for the latest release notes, you can find them in the [What's | Planned change | Announcement date | Estimated date for change | |--|--|--|+| [Deprecation of recommendation related to Defender for AI](#deprecation-of-recommendation-related-to-defender-for-ai) | February 12, 2024 | March 14, 2024 | | [Decommissioning of Microsoft.SecurityDevOps resource provider](#decommissioning-of-microsoftsecuritydevops-resource-provider) | February 5, 2024 | March 6, 2024 | | [Changes in endpoint protection recommendations](#changes-in-endpoint-protection-recommendations) | February 1, 2024 | February 28, 2024 | | [Change in pricing for multicloud container threat detection](#change-in-pricing-for-multicloud-container-threat-detection) | January 30, 2024 | April 2024 | If you're looking for the latest release notes, you can find them in the [What's | [Deprecating two security incidents](#deprecating-two-security-incidents) | | November 2023 | | [Defender for Cloud plan and strategy for the Log Analytics agent deprecation](#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation) | | August 2024 | +## Deprecation of recommendation related to Defender for AI ++**Announcement date: February 12, 2024** ++**Estimated date of change: March 14, 2024** ++The recommendation [`Public network access should be disabled for Cognitive Services 
accounts`](https://ms.portal.azure.com/?feature.msaljs=true#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/684a5b6d-a270-61ce-306e-5cea400dc3a7) is set to be deprecated. The related policy definition [`Cognitive Services accounts should disable public network access`](https://ms.portal.azure.com/?feature.msaljs=true#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) is also being removed from the regulatory compliance dashboard. ++This recommendation is already being covered by another networking recommendation for Azure AI Services, [`Cognitive Services accounts should restrict network access`](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/f738efb8-005f-680d-3d43-b3db762d6243/showSecurityCenterCommandBar~/false). ++See the [list of security recommendations](recommendations-reference.md). + ## Decommissioning of Microsoft.SecurityDevOps resource provider **Announcement date: February 5, 2024** Microsoft Defender for Cloud is decommissioning the resource provider `Microsoft Customers that are still using the API version **2022-09-01-preview** under `Microsoft.SecurityDevOps` to query Defender for Cloud DevOps security data will be impacted. To avoid disruption to their service, customer will need to update to the new API version **2023-09-01-preview** under the `Microsoft.Security` provider. -Customers currently using Defender for Cloud DevOps security from Azure portal will not be impacted. +Customers currently using Defender for Cloud DevOps security from Azure portal won't be impacted. For details on the new API version, see [Microsoft Defender for Cloud REST APIs](/rest/api/defenderforcloud/). 
For details on the new API version, see [Microsoft Defender for Cloud REST APIs] **Estimated date of change: February 2024** -As use of the Azure Monitor Agent (AMA) and the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)) is [phased out in Defender for Servers](https://techcommunity.microsoft.com/t5/user/ssoregistrationpage?dest_url=https:%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fblogs%2Fblogworkflowpage%2Fblog-id%2FMicrosoftDefenderCloudBlog%2Farticle-id%2F1269), existing endpoint recommendations which rely on those agents, will be replaced with new recommendations. The new recommendations rely on [agentless machine scanning](concept-agentless-data-collection.md) which allows the recommendations to discover and assesses the configuration of supported endpoint detection and response solutions and offers remediation steps, if issues are found. +As use of the Azure Monitor Agent (AMA) and the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)) is [phased out in Defender for Servers](https://techcommunity.microsoft.com/t5/user/ssoregistrationpage?dest_url=https:%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fblogs%2Fblogworkflowpage%2Fblog-id%2FMicrosoftDefenderCloudBlog%2Farticle-id%2F1269), existing endpoint recommendations, which rely on those agents, will be replaced with new recommendations. The new recommendations rely on [agentless machine scanning](concept-agentless-data-collection.md) which allows the recommendations to discover and assesses the configuration of supported endpoint detection and response solutions and offers remediation steps, if issues are found. These public preview recommendations will be deprecated. These public preview recommendations will be deprecated. The current generally available recommendations will remain supported until August 2024. -As part of that deprecation, weΓÇÖll be introducing new agentless endpoint protection recommendations. 
These recommendations will be available in Defender for Servers Plan 2 and the Defender CSPM plan. They will support Azure and multicloud machines. On-premises machines are not supported. +As part of that deprecation, weΓÇÖll be introducing new agentless endpoint protection recommendations. These recommendations will be available in Defender for Servers Plan 2 and the Defender CSPM plan. They'll support Azure and multicloud machines. On-premises machines aren't supported. | Preliminary recommendation name | Estimated release date | |--|--|--| When [multicloud container threat detection](support-matrix-defender-for-contain **Estimated date for change: March 7, 2024** -Defender for Cloud will begin enforcing the Defender CSPM plan check for premium DevOps security value beginning **March 7th, 2024**. If you have the Defender CSPM plan enabled on a cloud environment (Azure, AWS, GCP) within the same tenant your DevOps connectors are created in, you'll continue to receive premium DevOps capabilities at no additional cost. If you aren't a Defender CSPM customer, you have until **March 7th, 2024** to enable Defender CSPM before losing access to these security features. To enable Defender CSPM on a connected cloud environment before March 7, 2024, follow the enablement documentation outlined [here](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan). +Defender for Cloud will begin enforcing the Defender CSPM plan check for premium DevOps security value beginning **March 7th, 2024**. If you have the Defender CSPM plan enabled on a cloud environment (Azure, AWS, GCP) within the same tenant your DevOps connectors are created in, you'll continue to receive premium DevOps capabilities at no extra cost. If you aren't a Defender CSPM customer, you have until **March 7th, 2024** to enable Defender CSPM before losing access to these security features. 
To enable Defender CSPM on a connected cloud environment before March 7, 2024, follow the enablement documentation outlined [here](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan). For more information about which DevOps security features are available across both the Foundational CSPM and Defender CSPM plans, see [our documentation outlining feature availability](devops-support.md#feature-availability). For more information on the code to cloud security capabilities in Defender CSPM **Estimated date of change: February 2024** -In Azure, agentless scanning for VMs uses a built-in role (called [VM scanner operator](/azure/defender-for-cloud/faq-permissions)) with the minimum necessary permissions required to scan and assess your VMs for security issues. To continuously provide relevant scan health and configuration recommendations for VMs with encrypted volumes, an update to this role's permissions is planned. The update includes the addition of the ```Microsoft.Compute/DiskEncryptionSets/read``` permission. This permission solely enables improved identification of encrypted disk usage in VMs. It doesn't provide Defender for Cloud any additional capabilities to decrypt or access the content of these encrypted volumes beyond the encryption methods [already supported](/azure/defender-for-cloud/concept-agentless-data-collection#availability) prior to this change. This change is expected to take place during February 2024 and no action is required on your end. +In Azure, agentless scanning for VMs uses a built-in role (called [VM scanner operator](/azure/defender-for-cloud/faq-permissions)) with the minimum necessary permissions required to scan and assess your VMs for security issues. To continuously provide relevant scan health and configuration recommendations for VMs with encrypted volumes, an update to this role's permissions is planned. The update includes the addition of the ```Microsoft.Compute/DiskEncryptionSets/read``` permission. 
This permission solely enables improved identification of encrypted disk usage in VMs. It doesn't provide Defender for Cloud any more capabilities to decrypt or access the content of these encrypted volumes beyond the encryption methods [already supported](/azure/defender-for-cloud/concept-agentless-data-collection#availability) prior to this change. This change is expected to take place during February 2024 and no action is required on your end. ## Deprecation of two recommendations related to PCI The `Key Vaults should have purge protection enabled` recommendation is deprecat |--|--|--|--| | [Key vaults should have deletion protection enabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53)| A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. | audit, deny, disabled | [2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) | -See the [full index of Azure Policy built-in policy definitions for Key Vault](../key-vault/policy-reference.md) +See the [full index of Azure Policy built-in policy definitions for Key Vault](../key-vault/policy-reference.md). ## Preview alerts for DNS servers to be deprecated |
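Review bot: In the VM scanner operator paragraph, changing "any additional capabilities" to "any more capabilities" blurs the one sentence that scopes what `Microsoft.Compute/DiskEncryptionSets/read` grants. "Any additional" reads unambiguously as "nothing beyond what the role already had", so suggest keeping the original wording. The period added after the Key Vault policy index link is fine.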
defender-for-iot | Configure Mirror Span | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/traffic-mirroring/configure-mirror-span.md | Cisco2960# configure terminal Cisco2960(config)# monitor session 1 source interface fastehernet 0/2 - 23 rx Cisco2960(config)# monitor session 1 destination interface fastethernet 0/24 Cisco2960(config)# end-Cisco2960# show monitor 1 +Cisco2960# show monitor session 1 Cisco2960# running-copy startup-config ``` |
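Review bot: The correction to `show monitor session 1` is right, but the context lines of the same Cisco 2960 block still carry two errors. `fastehernet` in the `monitor session 1 source interface` line is misspelled (the destination line spells it `fastethernet`), and `running-copy startup-config` is not an IOS command. Suggest `copy running-config startup-config`, since without a working save step the mirror session is lost on reload.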
expressroute | Traffic Collector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/traffic-collector.md | ExpressRoute Traffic Collector is supported in the following regions: | | -- | | North American | <ul><li>Canada East</li><li>Canada Central</li><li>Central US</li><li>Central US EUAP</li><li>North Central US</li><li>South Central US</li><li>West Central US</li><li>East US</li><li>East US 2</li><li>West US</li><li>West US 2</li><li>West US 3</li></ul> | | South America | <ul><li>Brazil South</li><li>Brazil Southeast</li></ul> |-| Europe | <ul><li>West Europe</li><li>North Europe</li><li>UK South</li><li>UK West</li><li>France Central</li><li>France South</li><li>Germany North</li><li>Sweden Central</li><li>Sweden South</li><li>Switzerland North</li><li>Switzerland West</li><li>Norway East</li><li>Norway West</li></ul> | -| Asia | <ul><li>East Asia</li><li>Central India</li><li>South India</li><li>Japan West</li><li>Korea South</li><li>UAE North</li></ul> | +| Europe | <ul><li>West Europe</li><li>North Europe</li><li>UK South</li><li>UK West</li><li>France Central</li><li>France South</li><li>Germany North</li><li>Germany West Central</li><li>Sweden Central</li><li>Sweden South</li><li>Switzerland North</li><li>Switzerland West</li><li>Norway East</li><li>Norway West</li></ul> | +| Asia | <ul><li>East Asia</li><li>Southeast Asia</li><li>Central India</li><li>South India</li><li>Japan West</li><li>Korea South</li><li>UAE North</li></ul> | | Africa | <ul><li>South Africa North</li><li>South Africa West</li></ul> | | Pacific | <ul><li>Australia Central</li><li>Australia Central 2</li><li>Australia East</li><li>Australia Southeast</li></ul> | |
governance | Built In Packages | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-packages.md | Title: List of built-in packages for guest configuration description: List of all built-in packages for guest configuration mapped to each policy definition and the PowerShell modules that are used by each package. Last updated 08/04/2021++ |
governance | Guest Configuration Baseline Docker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/guest-configuration-baseline-docker.md | Title: Reference - Azure Policy guest configuration baseline for Docker description: Details of the Docker baseline on Azure implemented through Azure Policy guest configuration. Last updated 05/17/2022++ |
governance | Guest Configuration Baseline Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/guest-configuration-baseline-linux.md | Title: Reference - Azure Policy guest configuration baseline for Linux description: Details of the Linux baseline on Azure implemented through Azure Policy guest configuration. Last updated 09/21/2022++ |
governance | Guest Configuration Baseline Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/guest-configuration-baseline-windows.md | Title: Reference - Azure Policy guest configuration baseline for Windows description: Details of the Windows baseline on Azure implemented through Azure Policy guest configuration. Last updated 02/14/2023++ |
hdinsight | Apache Hbase Phoenix Zeppelin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hbase/apache-hbase-phoenix-zeppelin.md | description: Learn how to use Apache Zeppelin to run Apache Base queries with Ph Previously updated : 01/31/2023 Last updated : 02/12/2024 # Use Apache Zeppelin to run Apache Phoenix queries over Apache HBase in Azure HDInsight -Apache Phoenix is an open source, massively parallel relational database layer built on HBase. Phoenix allows you to use SQL like queries over HBase. Phoenix uses JDBC drivers underneath to enable you to create, delete, alter SQL tables, indexes, views and sequences. You can also use Phoenix to update rows individually and in bulk. Phoenix uses a NOSQL native compilation rather than using MapReduce to compile queries, enabling the creation of low-latency applications on top of HBase. +Apache Phoenix is an open source, massively parallel relational database layer built on HBase. Phoenix allows you to use SQL like queries over HBase. Phoenix uses JDBC drivers underneath to enable you to create, delete, alter SQL tables, indexes, views, and sequences. You can also use Phoenix to update rows individually and in bulk. Phoenix uses a NOSQL native compilation rather than using MapReduce to compile queries, enabling the creation of low-latency applications on top of HBase. Apache Zeppelin is an open source web-based notebook that enables you to create data-driven, collaborative documents using interactive data analytics and languages such as SQL and Scala. It helps data developers & data scientists develop, organize, execute, and share code for data manipulation. It allows you to visualize results without referring to the command line or needing the cluster details. -HDInsight users can use Apache Zeppelin to query Phoenix tables. Apache Zeppelin is integrated with HDInsight cluster and there are no additional steps to use it. 
Simply create a Zeppelin Notebook with JDBC interpreter and start writing your Phoenix SQL queries +HDInsight users can use Apache Zeppelin to query Phoenix tables. Apache Zeppelin is integrated with HDInsight cluster and there are no additional steps to use it. Create a Zeppelin Notebook with JDBC interpreter and start writing your Phoenix SQL queries ## Prerequisites An Apache HBase cluster on HDInsight. See [Get started with Apache HBase](./apac ); ``` - The **%jdbc(phoenix)** statement in the first line tells the notebook to use the Phoenix JDBC interpreter. + The **%jdbc(phoenix)** statement in the frontline tells the notebook to use the Phoenix JDBC interpreter. 1. View created tables. |
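Review bot: The last changed line replaces "in the first line" with "in the frontline", which changes the meaning. The sentence is telling the reader where `%jdbc(phoenix)` sits in the paragraph, and "frontline" does not say that, so suggest reverting to "first line". The rewritten sentence "Create a Zeppelin Notebook with JDBC interpreter and start writing your Phoenix SQL queries" is also still missing its closing period.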
hdinsight | Apache Hbase Using Phoenix Query Server Rest Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hbase/apache-hbase-using-phoenix-query-server-rest-sdk.md | description: Install and use the REST SDK for the Phoenix Query Server in Azure Previously updated : 01/31/2023 Last updated : 02/12/2024 # Apache Phoenix Query Server REST SDK |
hdinsight | Hdinsight Apps Publish Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-apps-publish-applications.md | description: Learn how to create an HDInsight application, and then publish it i Previously updated : 01/04/2023 Last updated : 02/12/2024 # Publish an HDInsight application in the Azure Marketplace |
hdinsight | Hdinsight Retired Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-retired-versions.md | Title: Azure HDInsight retired versions description: Learn about retired versions in Azure HDInsight. Previously updated : 01/30/2023 Last updated : 02/12/2024 # Retired HDInsight versions |
hdinsight | Optimize Pig Ambari | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/optimize-pig-ambari.md | Title: Optimize Apache Pig with Apache Ambari in Azure HDInsight description: Use the Apache Ambari web UI to configure and optimize Apache Pig. Previously updated : 01/31/2023 Last updated : 02/12/2024 # Optimize Apache Pig with Apache Ambari in Azure HDInsight |
hdinsight | Apache Spark Python Package Installation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/spark/apache-spark-python-package-installation.md | description: Step-by-step instructions on how to use script action to configure Previously updated : 01/31/2023 Last updated : 02/12/2024 # Safely manage Python environment on Azure HDInsight using Script Action There are two types of open-source components that are available in the HDInsigh ## Understand default Python installation -HDInsight Spark clusters have Anaconda installed. There are two Python installations in the cluster, Anaconda Python 2.7 and Python 3.5. The table below shows the default Python settings for Spark, Livy, and Jupyter. +HDInsight Spark clusters have Anaconda installed. There are two Python installations in the cluster, Anaconda Python 2.7 and Python 3.5. The following table shows the default Python settings for Spark, Livy, and Jupyter. |Setting |Python 2.7|Python 3.5| |-|-|-| HDInsight Spark clusters have Anaconda installed. There are two Python installat |Livy version|Default set to 2.7|Can change config to 3.5| |Jupyter|PySpark kernel|PySpark3 kernel| -For the Spark 3.1.2 version, the Apache PySpark kernel is removed and a new Python 3.8 environment is installed under `/usr/bin/miniforge/envs/py38/bin` which is used by the PySpark3 kernel. The `PYSPARK_PYTHON` and `PYSPARK3_PYTHON` environment variables are updated with the following: +For the Spark 3.1.2 version, the Apache PySpark kernel is removed and a new Python 3.8 environment is installed under `/usr/bin/miniforge/envs/py38/bin`, which is used by the PySpark3 kernel. 
The `PYSPARK_PYTHON` and `PYSPARK3_PYTHON` environment variables are updated with the following: ```bash export PYSPARK_PYTHON=${PYSPARK_PYTHON:-/usr/bin/miniforge/envs/py38/bin/python} export PYSPARK3_PYTHON=${PYSPARK_PYTHON:-/usr/bin/miniforge/envs/py38/bin/python ## Safely install external Python packages -HDInsight cluster depends on the built-in Python environment, both Python 2.7 and Python 3.5. Directly installing custom packages in those default built-in environments may cause unexpected library version changes. And break the cluster further. To safely install custom external Python packages for your Spark applications, follow below steps. +HDInsight cluster depends on the built-in Python environment, both Python 2.7 and Python 3.5. Directly installing custom packages in those default built-in environments may cause unexpected library version changes. And break the cluster further. To safely install custom external Python packages for your Spark applications, follow the steps. -1. Create Python virtual environment using conda. A virtual environment provides an isolated space for your projects without breaking others. When creating the Python virtual environment, you can specify Python version that you want to use. You still need to create virtual environment even though you would like to use Python 2.7 and 3.5. This requirement is to make sure the cluster's default environment not getting broke. Run script actions on your cluster for all nodes with below script to create a Python virtual environment. +1. Create Python virtual environment using conda. A virtual environment provides an isolated space for your projects without breaking others. When creating the Python virtual environment, you can specify Python version that you want to use. You still need to create virtual environment even though you would like to use Python 2.7 and 3.5. This requirement is to make sure the cluster's default environment not getting broke. 
Run script actions on your cluster for all nodes with following script to create a Python virtual environment. - `--prefix` specifies a path where a conda virtual environment lives. There are several configs that need to be changed further based on the path specified here. In this example, we use the py35new, as the cluster has an existing virtual environment called py35 already. - `python=` specifies the Python version for the virtual environment. In this example, we use version 3.5, the same version as the cluster built in one. You can also use other Python versions to create the virtual environment. HDInsight cluster depends on the built-in Python environment, both Python 2.7 an sudo /usr/bin/anaconda/bin/conda create --prefix /usr/bin/anaconda/envs/py35new python=3.5 anaconda=4.3 --yes ``` -2. Install external Python packages in the created virtual environment if needed. Run script actions on your cluster for all nodes with below script to install external Python packages. You need to have sudo privilege here to write files to the virtual environment folder. +2. Install external Python packages in the created virtual environment if needed. Run script actions on your cluster for all nodes with following script to install external Python packages. You need to have sudo privilege here to write files to the virtual environment folder. Search the [package index](https://pypi.python.org/pypi) for the complete list of packages that are available. You can also get a list of available packages from other sources. For example, you can install packages made available through [conda-forge](https://conda-forge.org/feedstocks/). - Use below command if you would like to install a library with its latest version: + Use following command if you would like to install a library with its latest version: - Use conda channel: HDInsight cluster depends on the built-in Python environment, both Python 2.7 an 3. Change Spark and Livy configs and point to the created virtual environment. 
- 1. Open Ambari UI, go to Spark2 page, Configs tab. + 1. Open Ambari UI, go to Spark 2 page, Configs tab. :::image type="content" source="./media/apache-spark-python-package-installation/ambari-spark-and-livy-config.png" alt-text="Change Spark and Livy config through Ambari" border="true"::: - 2. Expand Advanced livy2-env, add below statements at bottom. If you installed the virtual environment with a different prefix, change the path correspondingly. + 2. Expand Advanced livy2-env, add following statements at bottom. If you installed the virtual environment with a different prefix, change the path correspondingly. ```bash export PYSPARK_PYTHON=/usr/bin/anaconda/envs/py35new/bin/python HDInsight cluster depends on the built-in Python environment, both Python 2.7 an :::image type="content" source="./media/apache-spark-python-package-installation/ambari-spark-config.png" alt-text="Change Spark config through Ambari" border="true"::: - 4. Save the changes and restart affected services. These changes need a restart of Spark2 service. Ambari UI will prompt a required restart reminder, click Restart to restart all affected services. + 4. Save the changes and restart affected services. These changes need a restart of Spark 2 service. Ambari UI will prompt a required restart reminder, click Restart to restart all affected services. :::image type="content" source="./media/apache-spark-python-package-installation/ambari-restart-services.png" alt-text="Restart services" border="true"::: HDInsight cluster depends on the built-in Python environment, both Python 2.7 an spark.conf.set("spark.yarn.appMasterEnv.PYSPARK_DRIVER_PYTHON", "/usr/bin/anaconda/envs/py35/bin/python") ``` - If you are using livy, add the following properties to the request body: + If you are using `livy`, add the following properties to the request body: ``` "conf" : { HDInsight cluster depends on the built-in Python environment, both Python 2.7 an } ``` -4. 
If you would like to use the new created virtual environment on Jupyter. Change Jupyter configs and restart Jupyter. Run script actions on all header nodes with below statement to point Jupyter to the new created virtual environment. Make sure to modify the path to the prefix you specified for your virtual environment. After running this script action, restart Jupyter service through Ambari UI to make this change available. +4. If you would like to use the new created virtual environment on Jupyter. Change Jupyter configs and restart Jupyter. Run script actions on all header nodes with following statement to point Jupyter to the new created virtual environment. Make sure to modify the path to the prefix you specified for your virtual environment. After running this script action, restart Jupyter service through Ambari UI to make this change available. ```bash sudo sed -i '/python3_executable_path/c\ \"python3_executable_path\" : \"/usr/bin/anaconda/envs/py35new/bin/python3\"' /home/spark/.sparkmagic/config.json ``` - You could double confirm the Python environment in Jupyter Notebook by running below code: + You could double confirm the Python environment in Jupyter Notebook by running the code: :::image type="content" source="./media/apache-spark-python-package-installation/check-python-version-in-jupyter.png" alt-text="Check Python version in Jupyter Notebook" border="true"::: |
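Review bot: Several of the "below" replacements in the "Safely install external Python packages" steps leave broken references. "follow the steps." no longer says which steps, "with following script" and "Use following command" are missing "the", and "by running the code:" is followed by a screenshot rather than code. Suggest "follow these steps", "with the following script", "Use the following command", and "by running the code shown in the following screenshot". The fragments "And break the cluster further." and "not getting broke" sit in the same changed lines and could be fixed in this pass.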
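Review bot: The rename from "Spark2" to "Spark 2" in the Ambari steps ("go to Spark 2 page", "restart of Spark 2 service") changes what reads as a UI label, while the neighbouring `livy2-env` keeps its name. Please confirm the Ambari page and service are actually labelled "Spark 2", otherwise readers will look for a name that is not there. Likewise `livy` is now code-formatted in "If you are using `livy`" although the rest of the article writes the product name as Livy. In the context line for Spark 3.1.2, `PYSPARK3_PYTHON` takes its default from `${PYSPARK_PYTHON:-...}` rather than from its own variable; worth confirming that is intended.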
healthcare-apis | Fhir Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/fhir/fhir-faq.md | Azure API for FHIR was our initial generally available product and is being reti By default each Azure Health Data Services, FHIR instance is limited to storage capacity of 4TB. To provision a FHIR instance with storage capacity beyond 4TB, create support request with Issue type 'Service and Subscription limit (quotas)'.-> [!NOTE] -> Due to issue in billing metrics for storage. Customers opting for more than 4TB storage capacity will not be billed for storage till the issue is addressed. ### What's the difference between the FHIR service in Azure Health Data Services and the open-source FHIR server? |
healthcare-apis | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/release-notes.md | By adding more storage, organizations can handle large data sets to enable analy To request storage greater than 4 TB, [create a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) on the Azure portal and use the issue type **Service and Subscription limit (quotas)**. -> [!NOTE] -> Due to an issue with billing metrics for storage, customers who opt for more than 4 TB of storage capacity won't be billed for storage until the issue is resolved. - ## December 2023 ### Azure Health Data Services |
internet-peering | How To Exchange Route Server Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/internet-peering/how-to-exchange-route-server-portal.md | Title: Create or modify an Exchange peering with Route Server - Azure portal+ description: Create or modify an Exchange peering with Route Server using the Azure portal.-+ Previously updated : 01/23/2023-- Last updated : 02/12/2024+ +#CustomerIntent: As an administrator, I want to learn how to create or modify an an Exchange peering with Route Server using the Azure portal so I can manage my Exchange peerings. # Create or modify an Exchange peering with Route Server using the Azure portal -This article describes how to create a Microsoft Exchange peering with a route server using the Azure portal. This article also shows how to check the status of the resource, update it, or delete and deprovision it. +In this article, you learn how to create a Microsoft Exchange peering with a route server using the Azure portal. This article also shows you how to check the status of the resource, update it, or delete and deprovision it. +## Prerequisites -## Before you begin -* Review the [prerequisites](prerequisites.md) and the [Exchange peering walkthrough](walkthrough-exchange-all.md) before you begin configuration. -* If you already have Exchange peerings with Microsoft that aren't converted to Azure resources, see [Convert a legacy Exchange peering to an Azure resource by using the portal](howto-legacy-exchange-portal.md). +- Review the [Prerequisites to set up peering with Microsoft](prerequisites.md) and the [Exchange peering walkthrough](walkthrough-exchange-all.md) before you begin configuration. +- If you already have an Exchange peering with Microsoft that isn't converted to Azure resources, see [Convert a legacy Exchange peering to an Azure resource by using the portal](howto-legacy-exchange-portal.md). +- Associate your public ASN with your Azure subscription. 
For more information, see [Associate peer ASN to Azure subscription using the Azure portal](howto-subscription-association-portal.md). ## Create and provision an Exchange peering -### Sign in to the portal and select your subscription +In this section, you learn how to create an Exchange peering with a route server using the Azure portal. -### <a name=create></a>Create an Exchange peering with route server +1. Sign in to the [Azure portal](https://portal.azure.com). +1. In the search box at the top of the portal, enter ***peering***. Select **Peerings** in the search results. -As an Internet Exchange Provider, you can create an exchange peering request by [Creating a Peering]( https://go.microsoft.com/fwlink/?linkid=2129593). + :::image type="content" source="./media/how-to-exchange-route-server-portal/internet-peering-portal-search.png" alt-text="Screenshot of searching for internet peerings in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/internet-peering-portal-search.png"::: -1. On the **Create a Peering** page, on the **Basics** tab, fill in the boxes as shown here: +1. In the **Peerings** page, select **+ Create** to create a new peering. - > [!div class="mx-imgBorder"] - > ![Register Peering Service](./media/setup-basics-tab.png) + :::image type="content" source="./media/how-to-exchange-route-server-portal/peerings-portal.png" alt-text="Screenshot of internet peerings page in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/peerings-portal.png"::: -* Select your Azure Subscription. +1. In the **Basics** tab of **Create a peering**, enter or select your Azure subscription, resource group, name, and ASN of the peering: -* For Resource group, you can either choose an existing resource group from the drop-down list or create a new group by selecting Create new. We'll create a new resource group for this example. 
+ :::image type="content" source="./media/how-to-exchange-route-server-portal/create-peering-basics.png" alt-text="Screenshot of the Basics tab of creating a peering in the Azure portal."::: -* Name corresponds to the resource name and can be anything you choose. + > [!IMPORTANT] + > You can only choose an ASN with ValidationState as Approved before you submit a peering request. After submitting a PeerAsn request, wait for about 12 hours for the ASN association to be approved. If the ASN you select is pending validation, you'll see an error message. If you don't see the ASN you needed to choose, check that you selected the correct subscription. If so, check if you have already created PeerAsn. For more information, see [Associate peer ASN to Azure subscription using the Azure portal](howto-subscription-association-portal.md). -* Region is auto-selected if you chose an existing resource group. If you chose to create a new resource group, you also need to choose the Azure region where you want the resource to reside. +1. Select **Next: Configuration** to continue. In the **Configuration** tab, you MUST choose the following required configurations to create a peering for Peering Service Exchange with Route Server: - >[!NOTE] - >The region where a resource group resides is independent of the location where you want to create peering with Microsoft. But it's a best practice to organize your peering resources within resource groups that reside in the closest Azure regions. For example, for peerings in Ashburn, you can create a resource group in East US or East US2. + - Peering type: **Direct**. + - Microsoft network: **AS8075 (with exchange route server)**. + - SKU: **Premium Free**. -* Select your ASN in the **PeerASN** box. +1. Select your **Metro**, then select **Create new** to add a connection to your peering. - >[!IMPORTANT] - >You can only choose an ASN with ValidationState as Approved before you submit a peering request. 
If you just submitted your PeerAsn request, wait for 12 hours or so for ASN association to be approved. If the ASN you select is pending validation, you'll see an error message. If you don't see the ASN you need to choose, check that you selected the correct subscription. If so, check if you have already created PeerAsn by using **[Associate Peer ASN to Azure subscription](https://go.microsoft.com/fwlink/?linkid=2129592)**. + :::image type="content" source="./media/how-to-exchange-route-server-portal/create-peering-configuration.png" alt-text="Screenshot of the Configuration tab of creating a peering in the Azure portal."::: -* Select **Next: Configuration** to continue. +1. In **Direct Peering Connection**, enter or select your peering facility details then select **Save**. -#### Configure connections and submit + :::image type="content" source="./media/how-to-exchange-route-server-portal/direct-peering-connection.png" alt-text="Screenshot of creating a direct peering connection."::: -1. On the Create a Peering page, on the Configuration tab, fill in the boxes as shown here: + > [!NOTE] + > - Peering connections for Peering Service Exchange with Route Server must have **Peer** as the Session Address Provider. + > - *Use for Peering Service* is disabled by default. It can be enabled after the exchange provider signs a Peering Service agreement with Microsoft. + +1. Select **Review + create**. Review the summary and select **Create** after the validation passes. - > [!div class="mx-imgBorder"] - > ![Configure route server](./media/setup-exchange-conf-tab-routeserver.png) - - * For Peering type, select **Direct** - * For Microsoft network, select **AS8075 with exchange route server**. - * For SKU, select **Premium Free**. - * Select the **Metro** location where you want to set up peering. + Allow time for the resource to finish deploying. When deployment is successful, your peering is created and provisioning begins. -1. 
Under **Peering Connections**, select **Create new** + > [!NOTE] + > For normal Internet Service Providers (ISP) who are a Microsoft Peering Service partner, customer IP prefixes registration is required. However, in the case of exchange partners with a route server, it is required to register customer ASNs and not prefixes. Same ASN key would be valid for the customer's prefix registration. -1. Under **Direct Peering Connection**, fill in the following BGP session details: +1. Open the peering in the Azure portal, and select **Registered ASNs**. - > [!div class="mx-imgBorder"] - > ![Screenshot shows the Direct Peering Connection pane with details added.](./media/setup-exchange-conf-tab-direct-route.png) + :::image type="content" source="./media/how-to-exchange-route-server-portal/registered-asn.png" alt-text="Screenshot shows how to go to Registered ASNs from the Peering Overview page in the Azure portal."::: +1. Select **Add registered ASN** to create a new customer Autonomous System Number (ASN) under your exchange subscription. - * Peering Facility, select the appropriate physical location for the peering - * Session Address Provider, select Peer - * Session IPv4 prefix will be provided by the exchange provider peer - * Peer session IPv4 address, will be selected by the exchange peer for the route server from their IP prefix range. - * Microsoft session IPv4 address, will be the router IP allocated from the IP prefix range. - * Session IPv6 is optional at this time. - * Maximum advertised IPv4 prefix can be up to 20000. - * Use for Peering Service is disabled by default. It can be enabled once the exchange provider has signed a Peering Service Agreement with Microsoft. + :::image type="content" source="./media/how-to-exchange-route-server-portal/register-new-asn.png" alt-text="Screenshot shows how to register an ASN in the Azure portal."::: -1. Upon completion, select **Save**. +1. Select **Save**. -1. Under Create a peering, you'll see validation passed. 
Once validation passed, select **Create** +1. In **Registered ASNs**, each ASN has an associated Prefix Key assigned to it. As an exchange provider, you need to provide this Prefix Key to your customer so they can register Peering Service under their subscription. - > [!div class="mx-imgBorder"] - > ![Validation of settings](./media/setup-exchange-conf-tab-validation.png) - >[!NOTE] - >For normal Internet Service Providers (ISP) who are a Microsoft Peering Service partner, customer IP prefixes registration is required. However, in the case of exchange partners with a route server, it is required to register customer ASNs and not prefixes. Same ASN key would be valid for the customer's prefix registration. +### <a name=get></a>Verify an Exchange peering -1. Select **Registered ASNs** under the Settings section. +In this section, you learn how to view a peering to verify its configuration and state. - > [!div class="mx-imgBorder"] - > ![Screenshot shows the Peering pane with the Registered A S Ns menu item called out.](./media/setup-exchange-registered-asn.png) +1. In the search box at the top of the portal, enter ***peering***. Select **Peerings** in the search results. -1. Select **Add registered ASN** to create a new customer ASN under your exchange subscription. +1. Select the peering resource that you want to view. - > [!div class="mx-imgBorder"] - > ![Screenshot shows the Register an A S N pane with Name and A S N text boxes.](./media/setup-exchange-register-new-asn.png) +1. Select **Connections** to view the PeerAsn information. -1. Under Register an ASN, select a Name, populate the customer ASN, and select Save. + :::image type="content" source="./media/how-to-exchange-route-server-portal/peering-connections.png" alt-text="Screenshot shows the connections of a peering in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/peering-connections.png"::: -1. Under Registered ASNs, there will be an associated Prefix Key assigned to each ASN. 
As an exchange provider, you'll need to provide this Prefix Key to your customer so they can register Peering Service under their subscription. + At the top of the screen, you see a summary of peering connections between your ASN and Microsoft, across different facilities within the metro. - > [!div class="mx-imgBorder"] - > ![Screenshot shows the Registered A S Ns pane with prefix keys.](./media/setup-exchange-register-asn-prefixkey.png) + > [!NOTE] + > - **Connection State** corresponds to the state of the peering connection setup. The states displayed in this field follow the state diagram shown in the [Exchange peering walkthrough](walkthrough-exchange-all.md). + > - **IPv4 Session State** and **IPv6 Session State** correspond to the IPv4 and IPv6 BGP session states respectively. + > - When you select a row at the top of the screen, the **Connection** section at the bottom shows details for each connection. Select the arrows to expand **Configuration**, **IPv4 address**, and **IPv6 address**. +## <a name="modify"></a>Modify an Exchange peering +In this section, you learn how to modify an Exchange peering. +1. In the search box at the top of the portal, enter ***peering***. Select **Peerings** in the search results. -### <a name=get></a>Verify an Exchange peering +1. Select the peering resource that you want to modify. -## <a name="modify"></a>Modify an Exchange peering +1. Select **Connections**. ++### Add Exchange peering connections ++1. Select the **+ Add connections** button to add and configure a new peering connection. ++ :::image type="content" source="./media/how-to-exchange-route-server-portal/add-connection.png" alt-text="Screenshot shows how to add a new peering connection in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/add-connection.png"::: ++1. In **Exchange Peering Connection**, enter or select the required information and then select **Save**. 
For more information, see [Create and provision an Exchange peering](#create-and-provision-an-exchange-peering). ++ :::image type="content" source="./media/how-to-exchange-route-server-portal/exchange-peering-connection.png" alt-text="Screenshot shows the exchange peering connection page in the Azure portal."::: ++### Remove Exchange peering connections ++1. Right-click the peering connection you want to delete, and then select **Delete connection**. ++ :::image type="content" source="./media/how-to-exchange-route-server-portal/delete-connection.png" alt-text="Screenshot shows how to delete a peering connection in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/delete-connection.png"::: ++1. Confirm the delete by entering **yes** and then select **Delete**. ++ :::image type="content" source="./media/how-to-exchange-route-server-portal/delete-confirmation.png" alt-text="Screenshot shows the confirmation page to delete a peering connection in the Azure portal."::: ++### Add an IPv4 or IPv6 session on Active connections ++1. Right-click the peering connection you want to delete, and then select **Edit connection**. ++ :::image type="content" source="./media/how-to-exchange-route-server-portal/edit-connection.png" alt-text="Screenshot shows how to edit a peering connection in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/edit-connection.png"::: ++1. Modify the **IPv4 address** or **IPv6 address** information, and select **Save**. ++ :::image type="content" source="./media/how-to-exchange-route-server-portal/edit-exchange-peering-connection.png" alt-text="Screenshot shows the edit peering connection page in the Azure portal."::: ++### Remove an IPv4 or IPv6 session on Active connections ++To remove an IPv4 or IPv6 session from an existing connection, contact [Microsoft peering](mailto:peeringexperience@microsoft.com). This operation isn't currently supported using the Azure portal. 
## <a name="delete"></a>Deprovision an Exchange peering -## Next steps +To deprovision an Exchange peering, contact [Microsoft peering](mailto:peeringexperience@microsoft.com). This operation isn't currently supported using the Azure portal or PowerShell. ++## Related content -- [Create or modify a Direct peering by using the portal](howto-direct-portal.md).-- [Convert a legacy Direct peering to an Azure resource by using the portal](howto-legacy-direct-portal.md).+- [Internet peering for Peering Service Exchange with Route Server partner walkthrough](walkthrough-exchange-route-server-partner.md). +- [Convert a legacy Exchange peering to an Azure resource using the Azure portal](howto-legacy-exchange-portal.md). - [Internet peering frequently asked questions (FAQ)](faqs.md). |
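Review bot: under "Add an IPv4 or IPv6 session on Active connections", step 1 says "Right-click the peering connection you want to delete, and then select **Edit connection**", which looks carried over from the Remove section above it; it should name the connection you want to edit. The heading promises adding a session, but step 2 only says to modify the **IPv4 address** or **IPv6 address** information, so say explicitly that filling in the missing address family is what adds the session. The removal and deprovision paths both end in a mail to Microsoft peering, and they are consistent with each other as written.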
internet-peering | Howto Peering Service Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/internet-peering/howto-peering-service-portal.md | Title: Enable Azure Peering Service on a Direct peering - Azure portal -description: Enable Azure Peering Service on a Direct peering using the Azure portal. -++description: Learn how to enable Azure Peering Service on a Direct peering using the Azure portal. + Previously updated : 01/23/2023-- Last updated : 02/12/2024++#CustomerIntent: As an administrator, I want to learn how to enable Azure Peering Service on a Direct peering using the Azure portal so I can manage my Direct peerings. # Enable Azure Peering Service on a Direct peering using the Azure portal -> [!div class="op_single_selector"] -> - [Azure portal](howto-peering-service-portal.md) -> - [PowerShell](howto-peering-service-powershell.md) +In this article, you learn how to enable [Azure Peering Service](../peering-service/about.md) on a Direct peering using the Azure portal. To learn how to enable Peering Service on a Direct peering using Azure PowerShell, see [Enable Azure Peering Service on a Direct peering using PowerShell](howto-peering-service-powershell.md). -This article describes how to enable [Azure Peering Service](../peering-service/about.md) on a Direct peering by using the Azure portal. +## Prerequisites -If you prefer, you can complete this guide by using [PowerShell](howto-peering-service-powershell.md). +- Complete the [Prerequisites to set up peering with Microsoft](prerequisites.md) before you begin configuration. -## Before you begin -* Review the [prerequisites](prerequisites.md) before you begin configuration. -* Choose a Direct peering in your subscription for which you want to enable Peering Service. 
If you don't have one, either convert a legacy Direct peering or create a new Direct peering: - * To convert a legacy Direct peering, follow the instructions in [Convert a legacy Direct peering to an Azure resource by using the portal](howto-legacy-direct-portal.md). - * To create a new Direct peering, follow the instructions in [Create or modify a Direct peering by using the portal](howto-direct-portal.md). +- A Direct peering in your subscription for which you want to enable Peering Service. If you don't have one, either convert a legacy Direct peering or create a new Direct peering. For more information, see [Convert a legacy Direct peering to an Azure resource](howto-legacy-direct-portal.md) or [Create or modify a Direct peering](howto-direct-portal.md). ## Enable Peering Service on a Direct peering -### <a name= get></a>View Direct peering +In this section, you learn how to enable Peering Service on a Direct peering using the Azure portal. -### <a name= get></a>Enable the Direct peering for Peering Service +1. Sign in to the [Azure portal](https://portal.azure.com). -After you open a Direct peering in the previous step, enable it for Peering Service. +1. In the search box at the top of the portal, enter ***peering***. Select **Peerings** in the search results. -## Modify a Direct peering connection + :::image type="content" source="./media/howto-peering-service-portal/internet-peering-portal-search.png" alt-text="Screenshot of searching for internet peerings in the Azure portal." lightbox="./media/howto-peering-service-portal/internet-peering-portal-search.png"::: ++1. Select the peering resource that you want to enable Peering Service for its connection. ++1. Select **Connections**. ++ :::image type="content" source="./media/howto-peering-service-portal/peering-connections.png" alt-text="Screenshot shows the connections of a peering in the Azure portal." lightbox="./media/howto-peering-service-portal/peering-connections.png"::: ++1. 
Right-click the peering connection you want to enable Peering Service for, and then select **Edit connection**. ++ :::image type="content" source="./media/howto-peering-service-portal/edit-connection.png" alt-text="Screenshot shows how to edit a peering connection in the Azure portal." lightbox="./media/howto-peering-service-portal/edit-connection.png"::: -To modify connection settings, see the "Modify a Direct peering" section in [Create or modify a Direct peering by using the portal](howto-direct-portal.md). +1. Select **Enabled** for **Use for Peering Service**. -## Next steps + :::image type="content" source="./media/howto-peering-service-portal/edit-direct-peering-connection.png" alt-text="Screenshot shows how to enable Azure Peering Service on a Direct peering connection in the Azure portal."::: ++1. Select **Save**. ++1. Once the deployment is complete, select **Registered prefixes** to register a prefix to the peering. ++ :::image type="content" source="./media/howto-peering-service-portal/add-registered-prefix.png" alt-text="Screenshot shows how to add registered prefixes in the Azure portal." lightbox="./media/howto-peering-service-portal/add-registered-prefix.png"::: ++1. Enter a name and prefix, then select **Save**. ++ :::image type="content" source="./media/howto-peering-service-portal/register-prefix-configure.png" alt-text="Screenshot shows how to register a prefix in the Azure portal."::: + + After a prefix is created, you can see it in the list of prefixes in **Registered prefixes** page. ++1. Select the prefix you created to see the details, which include the **Prefix key**. This key must be provided to the customer so they can use it to register their prefix in their subscription. 
++ :::image type="content" source="./media/howto-peering-service-portal/prefix-details.png" alt-text="Screenshot shows the prefix details including the prefix key in the Azure portal."::: ++## Modify a Direct peering connection -- For frequently asked questions, see the [Peering Service FAQ](faqs.md#peering-service).-- To learn how to manage an Exchange peering, see [Create or modify Exchange peering using the Azure portal](howto-exchange-portal.md).-- To learn how to convert an Exchange peering to an Azure resource, see [Convert a legacy Exchange peering to an Azure resource using the Azure portal](howto-legacy-exchange-portal.md).+To modify connection settings, see the **Modify a Direct peering** section in [Create or modify a Direct peering by using the portal](howto-direct-portal.md). +## Related content +- [Internet peering for Azure Peering Service partner walkthrough](walkthrough-peering-service-all.md). +- [Enable Azure Peering Service Voice on a Direct peering by using the Azure portal](howto-peering-service-voice-portal.md). +- [Internet peering frequently asked questions (FAQ)](faqs.md). |
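Review bot: the new step "Select the peering resource that you want to enable Peering Service for its connection" is ungrammatical and hard to follow; something like "Select the peering resource whose connection you want to enable for Peering Service" reads correctly. In the prefix step, "in the list of prefixes in **Registered prefixes** page" is missing "the" before the page name. The **Prefix key** step says the key must be provided to the customer but the old selector to the PowerShell article is replaced only by an inline link in the intro, so check that the PowerShell article still links back to this one.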
internet-peering | Howto Subscription Association Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/internet-peering/howto-subscription-association-portal.md | Title: Associate peer ASN to Azure subscription - Azure portal -description: Associate peer ASN to Azure subscription using the Azure portal. -+ Title: Associate your ASN to Azure subscription - Azure portal ++description: Learn how to associate peer ASN to Azure subscription using the Azure portal. + Previously updated : 01/23/2023-- Last updated : 02/12/2024++#CustomerIntent: As an administrator, I want to learn how to create a PeerASN resource so I can associate my peer ASN to Azure subscription and submit peering requests. -# Associate peer ASN to Azure subscription using the Azure portal +# Associate your ASN with an Azure subscription using the Azure portal -> [!div class="op_single_selector"] -> - [Azure portal](howto-subscription-association-portal.md) -> - [PowerShell](howto-subscription-association-powershell.md) +In this article, you learn how to associate your Autonomous System Number (ASN) with an Azure subscription using the Azure portal. To learn how to associate your ASN with an Azure subscription using Azure PowerShell, see [Associate peer ASN to Azure subscription using PowerShell](howto-subscription-association-powershell.md). -As an Internet Service Provider or Internet Exchange Provider, before you submit a peering request, you should first associate your ASN with an Azure subscription by following the steps in this article. +As an Internet Service Provider or Internet Exchange Provider, you must associate your peer ASN with an Azure subscription before you submit a peering request. -If you prefer, you can complete this guide using the [PowerShell](howto-subscription-association-powershell.md). +## Prerequisites -## Create PeerAsn to associate your ASN with Azure Subscription +- An Azure account with an active subscription. 
[Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -### Sign in to the portal +- Peering provider. For more information, see [Register Peering provider](#register-peering-provider). -### Register for peering resource provider -Register for peering resource provider in your subscription by following these steps. If you don't register for peering resource provider, then Azure resources required to set up peering aren't accessible. +## Register Peering provider -1. Select **Subscriptions** on the top left corner of the portal. If you don't see it, select **More services** and search for it. +In this section, you learn how to check if the peering provider is registered in your subscription and how to register it if not registered. Peering resource provider is required to set up peering. If you previously registered the peering resource provider, you can skip this section. - > [!div class="mx-imgBorder"] - > ![Open subscriptions](./media/rp-subscriptions-open.png) +1. Sign in to the [Azure portal](https://portal.azure.com). -1. Select the subscription you want to use for peering. +1. In the search box at the top of the portal, enter ***Subscriptions***. Select **Subscriptions** in the search results. - > [!div class="mx-imgBorder"] - > ![Launch subscription](./media/rp-subscriptions-launch.png) + :::image type="content" source="./media/howto-subscription-association-portal/subscriptions-portal-search.png" alt-text="Screenshot of searching for subscriptions in the Azure portal." lightbox="./media/howto-subscription-association-portal/subscriptions-portal-search.png"::: -1. Once the subscription opens, select **Resource providers**. Then, in the right pane, search for *peering* in the search window, or use the scroll bar to find **Microsoft.Peering** and look at the **Status**. If the status is ***Registered***, skip the following steps and proceed to **Create PeerAsn**. 
If the status is ***NotRegistered***, select **Microsoft.Peering** and select **Register**. +1. Select the Azure subscription that you want to enable the provider for. - > [!div class="mx-imgBorder"] - > ![Registration start](./media/rp-register-start.png) +1. Under **Settings**, select **Resource providers**. -1. Observe that the status changes to ***Registering***. +1. Enter ***peering*** in the filter box. - > [!div class="mx-imgBorder"] - > ![Registration in-progress](./media/rp-register-progress.png) +1. Confirm the status of the provider is **Registered**. If the status is **NotRegistered**, select the **Microsoft.Peering** provider then select **Register**. -1. Wait for a min or so for it to complete registration. Then, select **Refresh** and verify that the status is ***Registered***. + :::image type="content" source="./media/howto-subscription-association-portal/register-microsoft-peering-provider.png" alt-text="Screenshot shows how to register Peering provider in the Azure portal." lightbox="./media/howto-subscription-association-portal/register-microsoft-peering-provider.png"::: - > [!div class="mx-imgBorder"] - > ![Registration completed](./media/rp-register-completed.png) +## Create PeerAsn to associate your ASN with Azure Subscription -### Create PeerAsn -As an Internet Service Provider or Internet Exchange Provider, you can create a new PeerAsn resource for associating an Autonomous System Number (ASN) with Azure subscription on the [Associate a Peer ASN page](https://go.microsoft.com/fwlink/?linkid=2129592) . You can associate multiple ASNs to a subscription by creating a **PeerAsn** for each ASN you need to associate. +As an Internet Service Provider or Internet Exchange Provider, you can create a new PeerAsn resource to associate an Autonomous System Number (ASN) with an Azure subscription. You can associate multiple ASNs to a subscription by creating a **PeerAsn** for each ASN you need to associate. -1. 
On the **Associate a Peer ASN** page, under **Basics** tab, fill out the fields as following: +1. Sign in to the [Azure portal](https://portal.azure.com). - > [!div class="mx-imgBorder"] - > ![PeerAsn Basics Tab](./media/peerasn-basics-tab.png) +1. Go to the [Associate a Peer ASN](https://go.microsoft.com/fwlink/?linkid=2129592) page. - * **Name** corresponds to resource name and can be anything you choose. - * Select the **Subscription** that you need to associate the ASN with. - * **Peer name** corresponds to your company's name and needs to be as close as possible to your PeeringDB profile. - * Enter your ASN in the **Peer ASN** field. - * Select **Create new** and enter **EMAIL ADDRESS** and **PHONE NUMBER** for your Network Operations Center (NOC) -1. Then, select **Review + create** and observe that portal runs basic validation of the information you entered. +1. On the **Associate a Peer ASN**, enter or select the following values in the **Basics** tab: - > [!div class="mx-imgBorder"] - > ![Screenshot shows the Associate a Peer A S N Basics tab.](./media/peerasn-review-tab-validation.png) + | Setting | Value | + | | | + | **Project details** | | + | Name | Enter a name for the PeerASN resource that you're creating. | + | Subscription | Select your Azure subscription that you want to associate the ASN with. | + | **Instance details** | | + | Peer name | Enter your company name. This name must be as close as possible to your PeeringDB profile. | + | Peer ASN | Enter your ASN. | -1. Once the message in the ribbon turns to *Validation Passed*, verify your information and submit the request by clicking **Create**. If the validation doesn't pass, then select **Previous** and repeat the previous steps to modify your request and ensure the values you enter have no errors. + :::image type="content" source="./media/howto-subscription-association-portal/associate-peer-asn.png" alt-text="Screenshot shows how to associate a peer ASN in the Azure portal." 
lightbox="./media/howto-subscription-association-portal/associate-peer-asn.png"::: - > [!div class="mx-imgBorder"] - > ![Screenshot shows the Associate a Peer A S N Basics tab with Validation passed.](./media/peerasn-review-tab.png) +1. Select **Create new** and enter **Email address** and **Phone number** of your Network Operations Center (NOC). -1. After you submit the request, wait for it to complete deployment. If deployment fails, contact [Microsoft peering](mailto:peering@microsoft.com). A successful deployment will appear as follows: +1. Select **Review + create**. - > [!div class="mx-imgBorder"] - > ![PeerAsn Success](./media/peerasn-success.png) +1. Review the settings, and then select **Create**. If deployment fails, contact [Microsoft peering](mailto:peering@microsoft.com). -### View status of a PeerAsn -Once PeerAsn resource is deployed successfully, you'll need to wait for Microsoft to approve the association request. It may take up to 12 hours for approval. Once approved, you'll receive a notification to the email address entered in the above section. +## View status of a PeerAsn ++Once PeerAsn resource is deployed successfully, you must wait for Microsoft to approve the association request. It might take up to 12 hours for approval. Once approved, you receive a notification to the email address you entered during the creation of PeerASN resource. > [!IMPORTANT]-> Wait for the ValidationState to turn "Approved" before submitting a peering request. It may take up to 12 hours for this approval. +> Wait for the **ValidationState** to turn **Approved** before submitting a peering request. It may take up to 12 hours for this approval. ## Modify PeerAsn-Modifying PeerAsn isn't currently supported. If you need to modify, contact [Microsoft peering](mailto:peering@microsoft.com). ++Modifying a PeerAsn isn't currently supported. If you need to modify a PeerASN, contact [Microsoft peering](mailto:peering@microsoft.com). 
## Delete PeerAsn-Deleting a PeerAsn isn't currently supported. If you need to delete PeerAsn, contact [Microsoft peering](mailto:peering@microsoft.com). -## Next steps +Deleting a PeerAsn isn't currently supported. If you need to delete a PeerAsn, contact [Microsoft peering](mailto:peering@microsoft.com). ++## Related content - [Create or modify a Direct peering using the Azure portal](howto-direct-portal.md).-- [Convert a legacy Direct peering to Azure resource using the Azure portal](howto-legacy-direct-portal.md). - [Create or modify Exchange peering using the Azure portal](howto-exchange-portal.md).-- [Convert a legacy Exchange peering to Azure resource using the Azure portal](howto-legacy-exchange-portal.md).-- [Internet peering frequently asked questions (FAQ)](faqs.md).-+- [Internet peering frequently asked questions (FAQ)](faqs.md). |
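Review bot: the resource name is spelled two ways in the added text, "PeerAsn" and "PeerASN" ("Modifying a PeerAsn isn't currently supported. If you need to modify a PeerASN", "Enter a name for the PeerASN resource"); pick one spelling, preferably the one the headings use. The new title says "Associate your ASN to Azure subscription" while the H1 says "Associate your ASN with an Azure subscription", and the description still says "peer ASN to Azure subscription". "On the **Associate a Peer ASN**, enter or select" is missing the word "page", and the IMPORTANT note keeps "It may take up to 12 hours" while the paragraph above it was changed to "might".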
iot-dps | Iot Dps Customer Data Requests | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/iot-dps-customer-data-requests.md | - Title: Customer data request featuresΓÇï for Azure DPS devices -description: For devices managed in Azure Device Provisioning Service (DPS) that are personal, this article shows admins how to export or delete personal data. -- Previously updated : 05/16/2018------# Summary of customer data request featuresΓÇï --The Azure IoT Hub Device Provisioning Service is a REST API-based cloud service targeted at enterprise customers that enables seamless, automated zero-touch provisioning of devices to Azure IoT Hub with security that begins at the device and ends with the cloud. ---Individual devices are assigned a registration ID and device ID by a tenant administrator. Data from and about these devices is based on these IDs. Microsoft maintains no information and has no access to data that would allow correlation of these devices to an individual. --Many of the devices managed in Device Provisioning Service are not personal devices, for example an office thermostat or factory robot. Customers may, however, consider some devices to be personally identifiable and at their discretion may maintain their own asset or inventory tracking methods that tie devices to individuals. Device Provisioning Service manages and stores all data associated with devices as if it were personal data. --Tenant administrators can use either the Azure portal or the service's REST APIs to fulfill information requests by exporting or deleting data associated with a device ID or registration ID. --> [!NOTE] -> Devices that have been provisioned in Azure IoT Hub through Device Provisioning Service have additional data stored in the Azure IoT Hub service. See the [Azure IoT Hub reference documentation](../iot-hub/iot-hub-customer-data-requests.md) in order to complete a full request for a given device. 
--## Deleting customer data --Device Provisioning Service stores enrollments and registration records. Enrollments contain information about devices that are allowed to be provisioned, and registration records show which devices have already gone through the provisioning process. --Tenant administrators may remove enrollments from the Azure portal, and this removes any associated registration records as well. --For more information, see [How to manage device enrollments](how-to-manage-enrollments.md). --It is also possible to perform delete operations for enrollments and registration records using REST APIs: --* To delete enrollment information for a single device, you can use [Device Enrollment - Delete](/rest/api/iot-dps/service/individual-enrollment/delete). -* To delete enrollment information for a group of devices, you can use [Device Enrollment Group - Delete](/rest/api/iot-dps/service/enrollment-group/delete). -* To delete information about devices that have been provisioned, you can use [Registration State - Delete Registration State](/rest/api/iot-dps/service/device-registration-state/delete). --## Exporting customer data --Device Provisioning Service stores enrollments and registration records. Enrollments contain information about devices that are allowed to be provisioned, and registration records show which devices have already gone through the provisioning process. --Tenant administrators can view enrollments and registration records through the Azure portal and export them using copy and paste. --For more information on how to manage enrollments, see [How to manage device enrollments](how-to-manage-enrollments.md). --It is also possible to perform export operations for enrollments and registration records using REST APIs: --* To export enrollment information for a single device, you can use [Device Enrollment - Get](/rest/api/iot-dps/service/individual-enrollment/get). 
-* To export enrollment information for a group of devices, you can use [Device Enrollment Group - Get](/rest/api/iot-dps/service/enrollment-group/get). -* To export information about devices that have already been provisioned, you can use [Registration State - Get Registration State](/rest/api/iot-dps/service/device-registration-state/get). --> [!NOTE] -> When you use Microsoft's enterprise services, Microsoft generates some information, known as system-generated logs. Some Device Provisioning Service system-generated logs are not accessible or exportable by tenant administrators. These logs constitute factual actions conducted within the service and diagnostic data related to individual devices. --## Links to additional documentation --For full documentation of Device Provisioning Service APIs, see [Azure IoT Hub Device Provisioning Service REST API](/rest/api/iot-dps). --Azure IoT Hub [customer data request features](../iot-hub/iot-hub-customer-data-requests.md). |
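Review bot: this change deletes the whole article, including the lists of REST operations for deleting and exporting enrollments and registration records (Device Enrollment - Delete/Get, Device Enrollment Group - Delete/Get, Registration State - Delete/Get), and shows no replacement text. If that guidance now lives elsewhere, the change should say where and add a redirect, since the removed page is the one that tells tenant administrators how to fulfil export and delete requests for device data.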
iot-dps | Iot Dps Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/iot-dps-customer-managed-keys.md | - Title: Azure Device Provisioning Service data encryption at rest via customer-managed keys| Microsoft Docs -description: Encryption of data at rest with customer-managed keys for Device Provisioning Service ---- Previously updated : 02/24/2020-----# Encryption of data at rest with customer-managed keys for Device Provisioning Service --## Overview --Device Provisioning Service (DPS) supports encryption of data at rest with customer-managed keys (CMK), also known as bring your own key (BYOK). DPS provides encryption of data at rest and in transit as it's written in our datacenters and decrypts it for you, as you access it. By default, DPS uses Microsoft-managed keys to encrypt the data at rest. With CMK, you can get an additional layer of encryption on top of default platform encryption by choosing to encrypt data at rest with a key-encryption-key, managed through your [Azure Key Vault](https://azure.microsoft.com/services/key-vault/). This gives you the flexibility to create, rotate, disable and revoke keys. If CMK is configured for your DPS, it implies that double encryption is enabled with two layers of protection actively protecting your data. --This capability requires the creation of a new DPS. To try this capability, contact us through [Microsoft support](https://azure.microsoft.com/support/create-ticket/). Share your company name and subscription ID when contacting Microsoft support. ---## Next steps --* [Learn more about Device Provisioning Service](./index.yml) --* [Learn more about Azure Key Vault](../key-vault/general/overview.md) |
iot-dps | Tutorial Group Enrollments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/tutorial-group-enrollments.md | - Title: Tutorial - Provision simulated X.509 device to Azure IoT Hub using Java and enrollment groups -description: In this tutorial, create and provision a simulated X.509 device using Java device and service SDK and enrollment groups for IoT Hub Device Provisioning Service (DPS) -- Previously updated : 11/12/2019--------# Tutorial: Create and provision a simulated X.509 device using Java device and service SDK and group enrollments for IoT Hub Device Provisioning Service --These steps show how to simulate an X.509 device on your development machine running Windows OS, and use a code sample to connect this simulated device with the Device Provisioning Service and your IoT hub using enrollment groups. --Make sure to complete the steps in the [Setup IoT Hub Device Provisioning Service with the Azure portal](./quick-setup-auto-provision.md) before you proceed. ---## Prerequisites --1. Make sure you have [Java SE Development Kit 8](/azure/developer/java/fundamentals/java-support-on-azure) installed on your machine. --1. Download and install [Maven](https://maven.apache.org/install.html). --1. Make sure `git` is installed on your machine and is added to the environment variables accessible to the command window. See [Software Freedom Conservancy's Git client tools](https://git-scm.com/download/) for the latest version of `git` tools to install, which includes the **Git Bash**, the command-line app that you can use to interact with your local Git repository. --1. Use the following [Certificate Overview](https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md) to create your test certificates. 
-- > [!NOTE] - > This step requires [OpenSSL](https://www.openssl.org/), which can either be built and installed from source or downloaded and installed from a [3rd-party](https://wiki.openssl.org/index.php/Binaries) such as [this](https://sourceforge.net/projects/openssl/). If you have already created your _root_, _intermediate_ and _device_ certificates you may skip this step. - > -- 1. Run through the first two steps to create your _root_ and _intermediate_ certificates. -- 1. Sign in to the Azure portal, click on the **All resources** button on the left-hand menu and open your provisioning service. -- 1. On the Device Provisioning Service summary blade, select **Certificates** and click the **Add** button at the top. -- 1. Under the **Add Certificate**, enter the following information: - - Enter a unique certificate name. - - Select the **_RootCA.pem_** file you created. - - Once complete, click the **Save** button. -- ![Add certificate](./media/tutorial-group-enrollments/add-certificate.png) -- 1. Select the newly created certificate: - - Click **Generate Verification Code**. Copy the code generated. - - Run the verification step. Enter the _verification code_ or right-click to paste in your running PowerShell window. Press **Enter**. - - Select the newly created **_verifyCert4.pem_** file in the Azure portal. Click **Verify**. -- ![Validate certificate](./media/tutorial-group-enrollments/validate-certificate.png) -- 1. Finish by running the steps to create your device certificates and clean-up resources. -- > [!NOTE] - > When creating device certificates be sure to use only lower-case alphanumerics and hyphens in your device name. - > ---## Create a device enrollment entry --1. Open a command prompt. Clone the GitHub repo for Java SDK code samples: -- ```cmd/sh - git clone https://github.com/Azure/azure-iot-sdk-java.git --recursive - ``` --1. 
In the downloaded source code, navigate to the sample folder **_azure-iot-sdk-java/provisioning/provisioning-samples/service-enrollment-group-sample_**. Open the file **_/src/main/java/samples/com/microsoft/azure/sdk/iot/ServiceEnrollmentGroupSample.java_** in an editor of your choice, and add the following details: -- 1. Add the `[Provisioning Connection String]` for your provisioning service, from the portal as following: -- 1. Navigate to your provisioning service in the [Azure portal](https://portal.azure.com). -- 1. Open the **Shared access policies**, and select a policy that has the *EnrollmentWrite* permission. -- 1. Copy the **Primary key connection string**. -- ![Get the provisioning connection string from portal](./media/tutorial-group-enrollments/provisioning-string.png) -- 1. In the sample code file **_ServiceEnrollmentGroupSample.java_**, replace the `[Provisioning Connection String]` with the **Primary key connection string**. -- ```java - private static final String PROVISIONING_CONNECTION_STRING = "[Provisioning Connection String]"; - ``` -- 1. Open your intermediate signing certificate file in a text editor. Update the `PUBLIC_KEY_CERTIFICATE_STRING` value with the value of your intermediate signing certificate. -- If you generated your device certificates with Bash shell, *./certs/azure-iot-test-only.intermediate.cert.pem* contains the intermediate certificate key. If your certs were generated with PowerShell, *./Intermediate1.pem* will be your intermediate certificate file. 
-- ```java - private static final String PUBLIC_KEY_CERTIFICATE_STRING = - "--BEGIN CERTIFICATE--\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "--END CERTIFICATE--\n"; - ``` -- 1. Navigate to the IoT hub linked to your provisioning service in the [Azure portal](https://portal.azure.com). Open the **Overview** tab for the hub, and copy the **Hostname**. Assign this **Hostname** to the *IOTHUB_HOST_NAME* parameter. -- ```java - private static final String IOTHUB_HOST_NAME = "[Host name].azure-devices.net"; - ``` -- 1. Study the sample code. It creates, updates, queries, and deletes a group enrollment for X.509 devices. To verify successful enrollment in portal, temporarily comment out the following lines of code at the end of the _ServiceEnrollmentGroupSample.java_ file: -- ```java - // ************************************** Delete info of enrollmentGroup *************************************** - System.out.println("\nDelete the enrollmentGroup..."); - provisioningServiceClient.deleteEnrollmentGroup(enrollmentGroupId); - ``` -- 1. Save the file _ServiceEnrollmentGroupSample.java_. --1. Open a command window, and navigate to the folder **_azure-iot-sdk-java/provisioning/provisioning-samples/service-enrollment-group-sample_**. --1. 
Build the sample code by using this command: -- ```cmd\sh - mvn install -DskipTests - ``` --1. Run the sample by using these commands at the command window: -- ```cmd\sh - cd target - java -jar ./service-enrollment-group-sample-{version}-with-deps.jar - ``` --1. Observe the output window for successful enrollment. -- ![Successful enrollment](./media/tutorial-group-enrollments/enrollment.png) --1. Navigate to your provisioning service in the Azure portal. Click **Manage enrollments**. Notice that your group of X.509 devices appears under the **Enrollment Groups** tab, with an auto-generated *GROUP NAME*. --## Simulate the device --1. On the Device Provisioning Service summary blade, select **Overview** and note your _ID Scope_ and _Provisioning Service Global Endpoint_. -- ![Service information](./media/tutorial-group-enrollments/extract-dps-endpoints.png) --1. Open a command prompt. Navigate to the sample project folder. -- ```cmd/sh - cd azure-iot-sdk-java/provisioning/provisioning-samples/provisioning-X509-sample - ``` --1. Edit `/src/main/java/samples/com/microsoft/azure/sdk/iot/ProvisioningX509Sample.java` to include your _ID Scope_ and _Provisioning Service Global Endpoint_ that you noted previously. -- ```java - private static final String idScope = "[Your ID scope here]"; - private static final String globalEndpoint = "[Your Provisioning Service Global Endpoint here]"; - private static final ProvisioningDeviceClientTransportProtocol PROVISIONING_DEVICE_CLIENT_TRANSPORT_PROTOCOL = ProvisioningDeviceClientTransportProtocol.HTTPS; - private static final int MAX_TIME_TO_WAIT_FOR_REGISTRATION = 10000; // in milli seconds - private static final String leafPublicPem = "<Your Public PEM Certificate here>"; - private static final String leafPrivateKey = "<Your Private PEM Key here>"; - ``` --1. Update the `leafPublicPem` and `leafPrivateKey` variables with your public and private device certificates. 
-- If you generated your device certificates with PowerShell, the files mydevice* contain the public key, private key, and PFX for the device. -- If you generated your device certificates with Bash shell, ./certs/new-device.cert.pem contains the public key. The device's private key will be in the ./private/new-device.key.pem file. -- Open your public key file and update the `leafPublicPem` variable with that value. Copy the text from _--BEGIN PRIVATE KEY--_ to _--END PRIVATE KEY--_. -- ```java - private static final String leafPublicPem = "--BEGIN CERTIFICATE--\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "--END CERTIFICATE--\n"; - ``` -- Open your private key file and update the `leafPrivatePem` variable with that value. Copy the text from _--BEGIN RSA PRIVATE KEY--_ to _--END RSA PRIVATE KEY--_. -- ```java - private static final String leafPrivateKey = "--BEGIN RSA PRIVATE KEY--\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "--END RSA PRIVATE KEY--\n"; - ``` --1. Add a new variable just below `leafPrivateKey` for your intermediate certificate. Name this new variable `intermediateKey`. Give it the value of your intermediate signing certificate. -- If you generated your device certificates with Bash shell, *./certs/azure-iot-test-only.intermediate.cert.pem* contains the intermediate certificate key. 
If your certs were generated with PowerShell, *./Intermediate1.pem* will be your intermediate certificate file. -- ```java - private static final String intermediateKey = "--BEGIN CERTIFICATE--\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n" + - "--END CERTIFICATE--\n"; - ``` --1. In the `main` function, add the `intermediateKey` to the `signerCertificates` collection before the initialization of `securityProviderX509`. -- ```java - public static void main(String[] args) throws Exception - { - ... -- try - { - ProvisioningStatus provisioningStatus = new ProvisioningStatus(); -- // Add intermediate certificate as part of the certificate key chain. - signerCertificates.add(intermediateKey); -- SecurityProvider securityProviderX509 = new SecurityProviderX509Cert(leafPublicPem, leafPrivateKey, signerCertificates); - ``` --1. Save your changes and build the sample. Navigate to the target folder and execute the created jar file. -- ```cmd/sh - mvn clean install - cd target - java -jar ./provisioning-x509-sample-{version}-with-deps.jar - ``` -- ![Successful registration](./media/tutorial-group-enrollments/registration.png) --1. In the portal, navigate to the IoT hub linked to your provisioning service and open the **Device Explorer** blade. On successful provisioning of the simulated X.509 device to the hub, its device ID appears on the **Device Explorer** blade, with *STATUS* as **enabled**. Note that you might need to click the **Refresh** button at the top if you already opened the blade prior to running the sample device application. 
-- ![Device is registered with the IoT hub](./media/tutorial-group-enrollments/hub-registration.png) ---## Clean up resources --If you plan to continue working on and exploring the device client sample, do not clean up the resources created in this Quickstart. If you do not plan to continue, use the following steps to delete all resources created by this Quickstart. --1. Close the device client sample output window on your machine. -1. From the left-hand menu in the Azure portal, click **All resources** and then select your Device Provisioning Service. Open the **Manage Enrollments** blade for your service, and then click the **Individual Enrollments** tab. Select the *REGISTRATION ID* of the device you enrolled in this Quickstart, and click the **Delete** button at the top. -1. From the left-hand menu in the Azure portal, click **All resources** and then select your IoT hub. Open the **IoT Devices** blade for your hub, select the *DEVICE ID* of the device you registered in this Quickstart, and then click **Delete** button at the top. ---## Next steps --In this tutorial, youΓÇÖve created a simulated X.509 device on your Windows machine and provisioned it to your IoT hub using the Azure IoT Hub Device Provisioning Service and enrollment groups. To learn more about your X.509 device, continue to device concepts. --> [!div class="nextstepaction"] -> [IoT Hub Device Provisioning Service concepts](concepts-service.md) |
iot-operations | Howto Configure Tls Manual | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-operations/manage-mqtt-connectivity/howto-configure-tls-manual.md | Here, `mqtts-endpoint` and `localhost` are the Subject Alternative Names (SANs) Both EC and RSA keys are supported, but all certificates in the chain must use the same key algorithm. If you import your own CA certificates, ensure that the server certificate uses the same key algorithm as the CAs. -## Import server certificate as a Kubernetes secret +## Import server certificate chain as a Kubernetes secret -Create a Kubernetes secret with the certificate and key using kubectl. +1. Create a full server certificate chain, where the order of the certificates matters: the server certificate is the first one in the file, the intermediate is the second. -```bash -kubectl create secret tls server-cert-secret -n azure-iot-operations \ cert mqtts-endpoint.crt \key mqtts-endpoint.key-``` + ```bash + cat mqtts-endpoint.crt intermediate_ca.crt > server_chain.pem + ``` ++1. Create a Kubernetes secret with the server certificate chain and server key using kubectl. ++ ```bash + kubectl create secret tls server-cert-secret -n azure-iot-operations \ + --cert server_chain.crt \ + --key mqtts-endpoint.key + ``` ## Enable TLS for a listener Once the BrokerListener resource is created, the operator automatically creates ## Connect to the broker with TLS -1. To test the TLS connection with mosquitto, first create a full certificate chain file with Step CLI. +To test the TLS connection with mosquitto client, publish a message and pass the root CA certificate in the parameter `--cafile`. - ```bash - cat root_ca.crt intermediate_ca.crt > chain.pem - ``` --1. Use mosquitto to publish a message. 
-- ```console - $ mosquitto_pub -d -h localhost -p 8885 -i "my-client" -t "test-topic" -m "Hello" --cafile chain.pem - Client my-client sending CONNECT - Client my-client received CONNACK (0) - Client my-client sending PUBLISH (d0, q0, r0, m1, 'test-topic', ... (5 bytes)) - Client my-client sending DISCONNECT - ``` +```console +$ mosquitto_pub -d -h localhost -p 8885 -i "my-client" -t "test-topic" -m "Hello" --cafile root_ca.crt +Client my-client sending CONNECT +Client my-client received CONNACK (0) +Client my-client sending PUBLISH (d0, q0, r0, m1, 'test-topic', ... (5 bytes)) +Client my-client sending DISCONNECT +``` > [!TIP] > To use localhost, the port must be available on the host machine. For example, `kubectl port-forward svc/mqtts-endpoint 8885:8885 -n azure-iot-operations`. With some Kubernetes distributions like K3d, you can add a forwarded port with `k3d cluster edit $CLUSTER_NAME --port-add 8885:8885@loadbalancer`. -Remember to specify username, password, etc. if authentication is enabled. +> [!NOTE] +> To connect to the broker you need to distribute root of trust to the clients, also known as trust bundle. In this case the root of trust is the self-signed root CA created Step CLI. Distribution of root of trust is required for the client to verify the server certificate chain. If your MQTT clients are workloads on the Kubernetes cluster you also need to create a ConfigMap with the root CA and mount it in your Pod. ++Remember to specify username, password, etc. if MQ authentication is enabled. ### Use external IP for the server certificate |
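Review bot: The chain file name does not match between the two new steps in "Import server certificate chain as a Kubernetes secret": step 1 writes `server_chain.pem`, but step 2 passes `--cert server_chain.crt` to `kubectl create secret tls`, so the command as written fails on a missing file. Use one name in both places. In the new NOTE, "the self-signed root CA created Step CLI" is missing "with", and the ConfigMap sentence would be easier to follow if it named the file to mount, which is the `root_ca.crt` that the `mosquitto_pub` example passes to `--cafile`.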
key-vault | About Keys Details | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/about-keys-details.md | In addition to the key material, the following attributes may be specified. In a There are more read-only attributes that are included in any response that includes key attributes: - *created*: IntDate, optional. The *created* attribute indicates when this version of the key was created. The value is null for keys created prior to the addition of this attribute. Its value MUST be a number containing an IntDate value. -- *updated*: IntDate, optional. The *updated* attribute indicates when this version of the key was updated. The value is null for keys that were last updated prior to the addition of this attribute. Its value MUST be a number containing an IntDate value. +- *updated*: IntDate, optional. The *updated* attribute indicates when this version of the key was updated. The value is null for keys that were last updated prior to the addition of this attribute. Its value MUST be a number containing an IntDate value. +- *hsmPlatform*: string, optional. The underlying HSM Platform that is protecting a key. + - A hsmPlatform value of 2 means the key is protected by our latest FIPS 140 Level 3 validated HSM platform. + - A hsmPlatform value of 1 means the key is protected by our previous FIPS 140 Level 2 HSM platform using nCipher HSMs. + - A hsmPlatform value of 0 means the key is protected by a FIPS 140 Level 1 HSM software cryptographic module. + - if this is not set by a Managed HSM pool, it is protected by our latest FIPS 140 Level 3 validated HSM platform. + +ItΓÇÖs important to note that keys are bound to the HSM in which they were created. New keys are seamlessly created and stored in the new HSMs. While there is no way to migrate or transfer keys, new key versions are automatically in the new HSMs. For more information on how to migrate to a new key, see [How to migrate key workloads](../general/migrate-key-workloads.md). 
For more information on IntDate and other data types, see [About keys, secrets, and certificates: [Data types](../general/about-keys-secrets-certificates.md#data-types). |
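Review bot: The new *hsmPlatform* attribute is declared as "string, optional", but every bullet under it describes a bare number (2, 1, 0); state whether the value comes back as a string or an integer so that callers compare against the right type. The bullets also say "FIPS 140 Level 3/2/1" where the rest of the Key Vault text says "FIPS 140-2", and the last bullet starts in lower case and reads ambiguously ("if this is not set by a Managed HSM pool"); something like "Managed HSM pools do not set this attribute; their keys are always protected by ..." would be clearer. In the paragraph that follows, "new key versions are automatically in the new HSMs" is missing a verb such as "created".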
key-vault | About Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/about-keys.md | tags: azure-resource-manager Previously updated : 01/24/2023 Last updated : 02/09/2024 Cryptographic keys in Key Vault are represented as JSON Web Key [JWK] objects. T The base JWK/JWA specifications are also extended to enable key types unique to the Azure Key Vault and Managed HSM implementations. -HSM-protected keys (also referred to as HSM-keys) are processed in an HSM (Hardware Security Module) and always remain HSM protection boundary. +HSM Keys in vaults are protected". The Software keys are not protected by HSMs. -- Vaults use **FIPS 140-2 Level 2** validated HSMs to protect HSM-keys in shared HSM backend infrastructure. +- Keys stored in vaults benefit from robust protection using **FIPS 140-2 HSMs**. There are two distinct HSM platforms available: 1, which protects key versions with **FIPS 140-2 Level 2** and 2, which protects keys with **FIPS 140-2 Level 3** HSMs depending on when the key was created. All new keys and key versions are now created using platform 2 (except UK geo). To determine which HSM Platform is protecting a key version, get it's [hsmPlatform](about-keys-details.md#key-attributes). - Managed HSM uses **FIPS 140-2 Level 3** validated HSM modules to protect your keys. Each HSM pool is an isolated single-tenant instance with its own [security domain](../managed-hsm/security-domain.md) providing complete cryptographic isolation from all other HSMs sharing the same hardware infrastructure. These keys are protected in single-tenant HSM-pools. You can import an RSA, EC, and symmetric key, in soft form or by exporting from a supported HSM device. You can also generate keys in HSM pools. When you import HSM keys using the method described in the [BYOK (bring your own key) specification](../keys/byok-specification.md), it enables secure transportation key material into Managed HSM pools. Key Vault supports RSA and EC keys. 
Managed HSM supports RSA, EC, and symmetric |Key type and destination|Compliance| |||-|Software-protected keys in vaults (Premium & Standard SKUs) | FIPS 140-2 Level 1| -|HSM-protected keys in vaults (Premium SKU)| FIPS 140-2 Level 2| -|HSM-protected keys in Managed HSM|FIPS 140-2 Level 3| +|Software-protected (hsmPlatform 0) keys in vaults | FIPS 140-2 Level 1| +|hsmPlatform 1 protected keys in vaults (Premium SKU)| FIPS 140-2 Level 2| +|hsmPlatform 2 protected keys in vaults (Premium SKU)| FIPS 140-2 Level 3| +|Keys in Managed HSM are always HSM protected|FIPS 140-2 Level 3| ||| See [Key types, algorithms, and operations](about-keys-details.md) for details about each key type, algorithms, operations, attributes, and tags. |
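Review bot: The replacement for the HSM-protected keys sentence is broken: `HSM Keys in vaults are protected". The Software keys are not protected by HSMs.` has a stray closing quote and never says what the keys are protected by, while the removed sentence at least stated that HSM keys are processed in an HSM. Restore a complete statement of the protection boundary before merging. In the first bullet, "get it's [hsmPlatform]" should be "its", and "All new keys and key versions are now created using platform 2 (except UK geo)" should say what UK geo keys get instead. In the compliance table, the Managed HSM row now holds a sentence ("Keys in Managed HSM are always HSM protected") in a column that otherwise lists key types.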
lab-services | How To Prepare Windows Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/how-to-prepare-windows-template.md | Title: Prepare Windows lab template description: Prepare a Windows-based lab template in Azure Lab Services. Configure commonly used software and OS settings, such as Windows Update, OneDrive, and Microsoft 365. -+ Folders like Documents, Downloads, and Pictures are often used to store lab user Learn how to [find your Microsoft 365 organization ID](/onedrive/find-your-office-365-tenant-id). Alternately, you can also get the organization ID by using the following PowerShell script: ```powershell- Install-Module MSOnline -Confirm - Connect-MsolService - $officeTenantID = Get-MSOLCompanyInformation | - Select-Object -expand objectID | - Select-Object -expand Guid + Install-Module Microsoft.Graph -Scope CurrentUser + Connect-MgGraph -Scopes "User.Read" + $officeTenantID = Get-MgOrganization | Select-Object -expand Id ``` 1. Configure OneDrive to prompt to move known folders to OneDrive by using the following PowerShell script: |
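Review bot: The replacement script installs the full `Microsoft.Graph` module to make a single `Get-MgOrganization` call; installing only `Microsoft.Graph.Identity.DirectoryManagement`, the submodule that provides that cmdlet, keeps the lab template image smaller and the install faster. Keeping the sign-in to the `User.Read` scope is a good least-privilege choice. Also consider a short sentence above the script saying that `Connect-MgGraph` opens an interactive sign-in, since the old `Connect-MsolService` line is gone and the surrounding text does not mention it.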
machine-learning | Ubuntu Upgrade | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/data-science-virtual-machine/ubuntu-upgrade.md | Last updated 04/19/2023 # Upgrade your Data Science Virtual Machine to Ubuntu 20.04 +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + If you have a Data Science Virtual Machine running an older release such as Ubuntu 18.04 or CentOS, you should migrate your DSVM to Ubuntu 20.04. Migrating will ensure that you get the latest operating system patches, drivers, preinstalled software, and library versions. This document tells you how to migrate from either older versions of Ubuntu or from CentOS. ## Prerequisites |
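Review bot: The added CAUTION block gives the reader nothing to act on: it says CentOS is "nearing End Of Life" without a date or a link, and "Please consider your use and planning accordingly" is vague. The paragraph directly below already tells CentOS users to migrate their DSVM to Ubuntu 20.04, so the caution could simply point there, or carry the EOL date and a link to the migration guidance.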
machine-learning | How To Setup Customer Managed Keys | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-setup-customer-managed-keys.md | In the [customer-managed keys concepts article](concept-customer-managed-keys.md | Resource provider | Why it's needed | | -- | -- | | Microsoft.MachineLearningServices | Creating the Azure Machine Learning workspace.- | Microsoft.Storage Azure | Storage Account is used as the default storage for the workspace. + | Microsoft.Storage | Storage Account is used as the default storage for the workspace. | Microsoft.KeyVault |Azure Key Vault is used by the workspace to store secrets. | Microsoft.DocumentDB/databaseAccounts | Azure Cosmos DB instance that logs metadata for the workspace. | Microsoft.Search/searchServices | Azure Search provides indexing capabilities for the workspace. |
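Review bot: Moving the pipe in the `Microsoft.Storage` row fixes the provider name but drops "Azure" from the description, which now reads "Storage Account is used as the default storage for the workspace" while the neighbouring rows say "Azure Key Vault" and "Azure Cosmos DB". Suggest `| Microsoft.Storage | Azure Storage Account is used as the default storage for the workspace.` and, while touching the table, add the space after the pipe in the `Microsoft.KeyVault |Azure Key Vault` row.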
machine-learning | How To Train With Datasets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/how-to-train-with-datasets.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. [!INCLUDE [sdk v1](../includes/machine-learning-sdk-v1.md)] |
managed-instance-apache-cassandra | Best Practice Performance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/best-practice-performance.md | keywords: azure performance cassandra # Best practices for optimal performance -Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra datacenters. This article provides tips on how to optimize performance. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This article provides tips on how to optimize performance. ## Optimal setup and configuration |
managed-instance-apache-cassandra | Configure Hybrid Cluster Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/configure-hybrid-cluster-cli.md | ms.devlang: azurecli # Quickstart: Configure a hybrid cluster with Azure Managed Instance for Apache Cassandra -Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra datacenters. This service helps you accelerate hybrid scenarios and reduce ongoing maintenance. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This quickstart demonstrates how to use the Azure CLI commands to configure a hybrid cluster. If you have existing datacenters in an on-premises or self-hosted environment, you can use Azure Managed Instance for Apache Cassandra to add other datacenters to that cluster and maintain them. |
managed-instance-apache-cassandra | Create Cluster Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/create-cluster-cli.md | ms.devlang: azurecli # Quickstart: Create an Azure Managed Instance for Apache Cassandra cluster using Azure CLI -Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra datacenters. This service helps you accelerate hybrid scenarios and reduce ongoing maintenance. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This quickstart demonstrates how to use the Azure CLI commands to create a cluster with Azure Managed Instance for Apache Cassandra. It also shows to create a datacenter, and scale nodes up or down within the datacenter. |
managed-instance-apache-cassandra | Create Cluster Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/create-cluster-portal.md | -Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra datacenters, accelerating hybrid scenarios and reducing ongoing maintenance. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed This quickstart demonstrates how to use the Azure portal to create an Azure Managed Instance for Apache Cassandra cluster. |
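Review bot: The new introductory sentence is missing its closing period: it ends "maximum flexibility and control where needed" and runs straight into "This quickstart demonstrates ...". The same replacement sentence in the CLI, hybrid and multi-region quickstarts ends with a period, so this looks like a copy slip in this file only.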
managed-instance-apache-cassandra | Create Multi Region Cluster | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/create-multi-region-cluster.md | ms.devlang: azurecli # Quickstart: Create a multi-region cluster with Azure Managed Instance for Apache Cassandra -Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra datacenters. This service helps you accelerate hybrid scenarios and reduce ongoing maintenance. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This quickstart demonstrates how to use the Azure CLI commands to configure a multi-region cluster in Azure. |
managed-instance-apache-cassandra | Dba Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/dba-commands.md | -Azure Managed Instance for Apache Cassandra provides automated deployment, scaling, and [management operations](management-operations.md) for open-source Apache Cassandra data centers. The automation in the service should be sufficient for many use cases. However, this article describes how to run DBA commands manually when the need arises. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This article describes how to run DBA commands manually when the need arises. > [!IMPORTANT] > Nodetool and sstable commands are in public preview. |
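Review bot: Replacing the introduction drops two things the reader of this article needs: the link to [management operations](management-operations.md), and the statement that the service's automation should be sufficient for many use cases. Without them, "This article describes how to run DBA commands manually when the need arises" no longer says when the need arises or what the service already handles. Keep the link and the sentence after the new boilerplate.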
managed-instance-apache-cassandra | Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/introduction.md | Last updated 11/02/2021 # What is Azure Managed Instance for Apache Cassandra? -The Azure Managed Instance for Apache Cassandra service provides automated deployment and scaling operations for managed open-source Apache Cassandra datacenters. This service helps you accelerate hybrid scenarios and reduce ongoing maintenance. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. :::image type="content" source="./media/introduction/icon.gif" alt-text="Azure Managed Instance for Apache Cassandra is a managed service for Apache Cassandra." border="false"::: |
managed-instance-apache-cassandra | Management Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/management-operations.md | Last updated 11/02/2021 # Management operations in Azure Managed Instance for Apache Cassandra -Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra data centers. This article defines the management operations and features provided by the service. It also explains the separation of responsibilities between the Azure support team and customers when maintaining standalone and [hybrid](configure-hybrid-cluster.md) clusters. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This article defines the management operations and features provided by the service. It also explains the separation of responsibilities between the Azure support team and customers when maintaining [hybrid](configure-hybrid-cluster.md) clusters. ## Compaction Snapshot backups are enabled by default and taken every 24 hours. Backups are st To restore from an existing backup, file a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) in the Azure portal. When filing the support case, you need to: -1. Provide the backup id from portal for the backup you want to restore. This can be found in the portal: +1. Provide the backup ID from portal for the backup you want to restore. This can be found in the portal: - :::image type="content" source="./media/management-operations/backup.png" alt-text="Screenshot of backup schedule configuration page highlighting backup id." 
lightbox="./media/management-operations/backup.png" border="true"::: + :::image type="content" source="./media/management-operations/backup.png" alt-text="Screenshot of backup schedule configuration page highlighting backup ID." lightbox="./media/management-operations/backup.png" border="true"::: 1. If restore of the whole cluster is not required, provide the keyspace and table (if applicable) that needs to be restored. 1. Advise whether you want the backup to be restored in the existing cluster, or in a new cluster. |
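Review bot: The rewritten introduction narrows the stated scope from "standalone and [hybrid](configure-hybrid-cluster.md) clusters" to "[hybrid] clusters" only. If the separation of responsibilities described in the article still applies to standalone clusters, keep "standalone and"; if it does not, the article body should say so. The "backup id" to "backup ID" change is fine; the same line still reads "from portal", which should be "from the portal".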
managed-instance-apache-cassandra | Materialized Views | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/materialized-views.md | Last updated 02/15/2022 # Materialized views in Azure Managed Instance for Apache Cassandra -Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra data centers. This article discusses how to enable materialized views. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This article discusses how to enable materialized views. ## Materialized view support Materialized views are disabled by default, but users can enable them on their cluster. However, we discourage users of Azure Managed Instance for Apache Cassandra from using materialized views. They are experimental (see |
managed-instance-apache-cassandra | Network Rules | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/network-rules.md | -The Azure SQL Managed Instance for Apache Casandra service requires certain network rules to properly manage the service. By ensuring you have the proper rules exposed, you can keep your service secure and prevent operational issues. +The Azure Managed Instance for Apache Cassandra service requires certain network rules to properly manage the service. By ensuring you have the proper rules exposed, you can keep your service secure and prevent operational issues. > [!WARNING] > We recommend exercising caution when applying changes to firewall rules for an existing cluster. For example, if rules are not applied correctly, they might not be applied to existing connections, so it may appear that firewall changes have not caused any problems. However, automatic updates of the Cassandra Managed Instance nodes may subsequently fail. We recommend monitoring connectivity after any major firewall updates for some time to ensure there are no issues. |
managed-instance-apache-cassandra | Resilient Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/resilient-applications.md | keywords: azure high availability disaster recovery cassandra resiliency # Best practices for high availability and disaster recovery -Azure Managed Instance for Apache Cassandra provides automated deployment and scaling operations for managed open-source Apache Cassandra datacenters. Apache Cassandra is a great choice for building highly resilient applications due to it's distributed nature and masterless architecture ΓÇô any node in the database can provide the exact same functionality as any other node ΓÇô contributing to CassandraΓÇÖs robustness and resilience. This article provides tips on how to optimize high availability and how to approach disaster recover. +Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. ++Apache Cassandra is a great choice for building highly resilient applications due to it's distributed nature and masterless architecture ΓÇô any node in the database can provide the exact same functionality as any other node ΓÇô contributing to CassandraΓÇÖs robustness and resilience. This article provides tips on how to optimize high availability and how to approach disaster recover. 
## RPO and RTO -RPO (recovery point objective) and RTO (recovery time objective), will both typically be very low (close to zero) for Apache Cassandra as long as you have: +RPO (recovery point objective) and RTO (recovery time objective), will both typically be low (close to zero) for Apache Cassandra as long as you have: - A [multi-region deployment](create-multi-region-cluster.md) with cross region replication, and a [replication factor](https://cassandra.apache.org/doc/latest/cassandra/architecture/dynamo.html#replication-strategy) of 3. - Enabled availability zones (select option when creating a cluster in the [portal](create-cluster-portal.md) or via [Azure CLI](create-cluster-cli.md)). - Configured application-level failover using load balancing policy in the [client driver](https://cassandra.apache.org/doc/latest/cassandra/getting_started/drivers.html) and/or load balancing-level failover using traffic manager/Azure front door. -RTO ("how long you are down in an outage") will be low because the cluster will be resilient across both zones and regions, and because Apache Cassandra itself is a highly fault tolerant, masterless system (all nodes can write) by default. RPO ("how much data can you lose in an outage") will be low because data will be sychronised between all nodes and data centers, so data loss in an outage would be minimal. +RTO ("how long you're down in an outage") will be low because the cluster will be resilient across both zones and regions, and because Apache Cassandra itself is a highly fault tolerant, masterless system (all nodes can write) by default. RPO ("how much data can you lose in an outage") will be low because data will be synchronised between all nodes and data centers, so data loss in an outage would be minimal. > [!NOTE]- > It is not theoretically possible to achieve both RTO=0 *and* RPO=0 per [Cap Theorem](https://en.wikipedia.org/wiki/CAP_theorem). 
You will need to evaluate the trade off between consistency and availability/optimal performance - this will look different for each application. For example, if your application is read heavy, it might be better to cope with increased latency of cross-region writes to avoid data loss (favoring consistency). If the appplication is write heavy, and on a tight latency budget, the risk of losing some of the most recent writes in a major regional outage might be acceptable (favoring availability). + > It's not theoretically possible to achieve both RTO=0 *and* RPO=0 per [Cap Theorem](https://en.wikipedia.org/wiki/CAP_theorem). You will need to evaluate the trade off between consistency and availability/optimal performance - this will look different for each application. For example, if your application is read heavy, it might be better to cope with increased latency of cross-region writes to avoid data loss (favoring consistency). If the appplication is write heavy, and on a tight latency budget, the risk of losing some of the most recent writes in a major regional outage might be acceptable (favoring availability). ## Availability zones Cassandra's masterless architecture brings fault tolerance from the ground up, a ## Multi-region redundancy -Cassandra's architecture, coupled with Azure availability zones support, gives you some level of fault tolerance and resiliency. However, it's important to consider the impact of regional outages for your applications. We highly recommend deploying [multi region clusters](create-multi-region-cluster.md) to safeguard against region level outages. Although they are rare, the potential impact is severe. +Cassandra's architecture, coupled with Azure availability zones support, gives you some level of fault tolerance and resiliency. However, it's important to consider the impact of regional outages for your applications. 
We highly recommend deploying [multi region clusters](create-multi-region-cluster.md) to safeguard against region level outages. Although they're rare, the potential impact is severe. -For business continuity, it is not sufficient to only make the database multi-region. Other parts of your application also need to be deployed in the same manner either by being distributed, or with adequate mechanisms to fail over. If your users are spread across many geo locations, a multi-region data center deployment for your database has the added benefit of reducing latency, since all nodes in all data centers across the cluster can then serve both reads and writes from the region that is closest to them. However, if the application is configured to be "active-active", it's important to consider how [CAP theorem](https://cassandra.apache.org/doc/latest/cassandra/architecture/guarantees.html#what-is-cap) applies to the consistency of your data between replicas (nodes), and the trade-offs required to delivery high availability. +For business continuity, it isn't sufficient to only make the database multi-region. Other parts of your application also need to be deployed in the same manner either by being distributed, or with adequate mechanisms to fail over. If your users are spread across many geo locations, a multi-region data center deployment for your database has the added benefit of reducing latency, since all nodes in all data centers across the cluster can then serve both reads and writes from the region that is closest to them. However, if the application is configured to be "active-active", it's important to consider how [CAP theorem](https://cassandra.apache.org/doc/latest/cassandra/architecture/guarantees.html#what-is-cap) applies to the consistency of your data between replicas (nodes), and the trade-offs required to delivery high availability. 
In CAP theorem terms, Cassandra is by default an AP (Available Partition-tolerant) database system, with highly [tunable consistency](https://cassandra.apache.org/doc/4.1/cassandra/architecture/dynamo.html#tunable-consistency). For most use cases, we recommend using local_quorum for reads. - In active-passive for writes there's a trade-off between reliability and performance: for reliability we recommend QUORUM_EACH but for most users LOCAL_QUORUM or QUORUM is a good compromise. Note however that in the case of a regional outage, some writes might be lost in LOCAL_QUORUM. - In the case of an application being run in parallel QUORUM_EACH writes are preferred for most cases to ensure consistency between the two data centers.-- If your goal is to favor consistency (lower RPO) rather than latency or availability (lower RTO), this should be reflected in your consistency settings and replication factor. As a rule of thumb, the number of quorum nodes required for a read plus the number of quorum nodes required for a write should be greater than the replication factor. For example, if you have a replication factor of 3, and quorum_one on reads (1 node), you should do quorum_all on writes (3 nodes), so that the total of 4 is greater than the replication factor of 3.+- If your goal is to favor consistency (lower RPO) rather than latency or availability (lower RTO), this should be reflected in your consistency settings and replication factor. As a rule of thumb, the number of quorum nodes required for a read plus the number of quorum nodes required for a write should be greater than the replication factor. For example, if you have a replication factor of 3, and quorum_one on reads (one node), you should do quorum_all on writes (three nodes), so that the total of 4 is greater than the replication factor of 3. ## Replication |
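Review bot: The consistency-level names in the tunable-consistency bullets are not Cassandra's: the touched line still says `quorum_one` and `quorum_all`, and the unchanged bullets above it say `QUORUM_EACH`. Cassandra names these levels `ONE`, `ALL` and `EACH_QUORUM`, so a reader who copies the article's spellings into a driver setting or a cqlsh `CONSISTENCY` command will not find them. Since this change already edits the example sentence, rename the levels there and in the two bullets above, and keep the arithmetic as it is (1 + 3 = 4, greater than the replication factor of 3). The new intro paragraph also carries over "it's distributed nature" and "disaster recover", and the rewritten note still has "appplication"; fix those in the same pass.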
migrate | Concepts Assessment Calculation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/concepts-assessment-calculation.md | Here's what's included in an Azure VM assessment: **Currency** | The billing currency for your account. **Discount (%)** | Any subscription-specific discounts you receive on top of the Azure offer. The default setting is 0%. **VM uptime** | The duration in days per month and hours per day for Azure VMs that won't run continuously. Cost estimates are based on that duration.<br><br> The default values are 31 days per month and 24 hours per day.-**Azure Hybrid Benefit** | Specifies whether you have software assurance and are eligible for [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/). If the setting has the default value "Yes," Azure prices for operating systems other than Windows are considered for Windows VMs. +**Azure Hybrid Benefit** | Specifies whether you have software assurance and are eligible for [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) to use your existing OS licenses. If the setting is enabled, Azure prices for selected operating systems are not considered for VM costing. **EA subscription** | Specifies that an Enterprise Agreement (EA) subscription is used for cost estimation. Takes into account the discount applicable to the subscription. <br><br> Leave the settings for reserved instances, discount (%) and VM uptime properties with their default settings. **Security** | Specifies whether you want to assess readiness and cost for security tooling on Azure. If the setting has the default value **Yes, with Microsoft Defender for Cloud**, it will assess security readiness and costs for your Azure VM with Microsoft Defender for Cloud. |
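Review bot: The rewritten Azure Hybrid Benefit row no longer states the default. The old text said the default value is "Yes"; the new sentence only says "If the setting is enabled", and "selected operating systems" does not say which operating systems or where they are selected. State the default explicitly, as the Discount, VM uptime and Security rows around it do, and name the operating systems the setting covers.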
migrate | Concepts Azure Sql Assessment Calculation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/concepts-azure-sql-assessment-calculation.md | Target and pricing settings | **Savings options - SQL Server on Azure VM (IaaS)* Target and pricing settings | **Currency** | The billing currency for your account. Target and pricing settings | **Discount (%)** | Any subscription-specific discounts you receive on top of the Azure offer. The default setting is 0%. Target and pricing settings | **VM uptime** | Specify the duration (days per month/hour per day) that servers/VMs run. This is useful for computing cost estimates for SQL Server on Azure VM where you're aware that Azure VMs might not run continuously. <br/> Cost estimates for servers where recommended target is *SQL Server on Azure VM* are based on the duration specified. Default is 31 days per month/24 hours per day.-Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure. -Assessment criteria | **Sizing criteria** | Set to *Performance-based* by default, which means Azure Migrate collects performance metrics pertaining to SQL instances and the databases managed by it to recommend an optimal-sized SQL Server on Azure VM and/or Azure SQL Database and/or Azure SQL Managed Instance configuration. 
<br/><br/> You can change this to *As on-premises* to get recommendations based on just the on-premises SQL Sever configuration without the performance metric based optimizations. +Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure. +Assessment criteria | **Sizing criteria** | Set to *Performance-based* by default, which means Azure Migrate collects performance metrics pertaining to SQL instances and the databases managed by it to recommend an optimal-sized SQL Server on Azure VM and/or Azure SQL Database and/or Azure SQL Managed Instance configuration. <br/><br/> You can change this to *As on-premises* to get recommendations based on just the on-premises SQL Server configuration without the performance metric based optimizations. Assessment criteria | **Performance history** | Indicate the data duration on which you want to base the assessment. (Default is one day) Assessment criteria | **Percentile utilization** | Indicate the percentile value you want to use for the performance sample. (Default is 95th percentile) Assessment criteria | **Comfort factor** | Indicate the buffer you want to use during assessment. This accounts for issues like seasonal usage, short performance history, and likely increases in future usage. 
After sizing recommendations are complete, Azure SQL assessment calculates the c ### Compute cost - To calculate the compute cost for an Azure SQL configuration, the assessment considers the following properties:- - Azure Hybrid Benefit for SQL and Windows licenses + - Azure Hybrid Benefit for SQL and Windows licenses or Enterprise Linux subscription - Environment type - Reserved capacity - Azure target location |
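Review bot: The Azure Hybrid Benefit row now mentions an "Enterprise Linux subscription" in its first sentence only; the explanation that follows ("It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure") and the example still cover only Windows Server and SQL Server. Either add a sentence on how the benefit applies to Enterprise Linux subscriptions or leave the addition out of this row. In the Compute cost list, "Azure Hybrid Benefit for SQL and Windows licenses or Enterprise Linux subscription" reads ambiguously; "for SQL Server licenses, Windows Server licenses, and Enterprise Linux subscriptions" would be clearer.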
migrate | Deploy Appliance Script Government | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/deploy-appliance-script-government.md | Check that the zipped file is secure, before you deploy it. **Download** | **Hash value** | - [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 ### Run the script Check that the zipped file is secure, before you deploy it. **Download** | **Hash value** | - [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 ### Run the script Check that the zipped file is secure, before you deploy it. **Download** | **Hash value** | - [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 > [!NOTE] > The same script can be used to set up Physical appliance for Azure Government cloud with either public or private endpoint connectivity. |
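Review bot: The same hash is replaced by hand in three tables of this one article, and the column is headed only "Hash value" without naming the algorithm. A reader verifying the installer has to guess which algorithm to pass to the hashing tool, and three hand-edited copies can drift apart on the next installer update. Name the algorithm in the header (the VMware appliance article in this batch labels the same value SHA256) and move the download/hash row into a single shared include that all three sections reference.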
migrate | Deploy Appliance Script | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/deploy-appliance-script.md | Check that the zipped file is secure, before you deploy it. **Download** | **Hash value** | - [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 > [!NOTE] > The same script can be used to set up VMware appliance for either Azure public or Azure Government cloud. Check that the zipped file is secure, before you deploy it. **Download** | **Hash value** | - [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 > [!NOTE] > The same script can be used to set up Hyper-V appliance for either Azure public or Azure Government cloud. |
migrate | Discover And Assess Using Private Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/discover-and-assess-using-private-endpoints.md | Check that the zipped file is secure, before you deploy it. **Download** | **Hash value** | - [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 > [!NOTE] > The same script can be used to set up an appliance with private endpoint connectivity for any of the chosen scenarios, such as VMware, Hyper-V, physical or other to deploy an appliance with the desired configuration. |
migrate | How To Create Assessment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/how-to-create-assessment.md | Run an assessment as follows: - Cost estimates are based on the duration specified. - Default is 31 days per month/24 hours per day. - In **EA Subscription**, specify whether to take an Enterprise Agreement (EA) subscription discount into account for cost estimation. - - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license. If you do and they're covered with active Software Assurance of Windows Server Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. + - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. 1. Select **Save** if you make changes. |
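Review bot: In the Azure Hybrid Benefit bullet, "active Software Assurance of Windows Server or Enterprise Linux Subscriptions" attaches Software Assurance to Enterprise Linux subscriptions. Software Assurance is a Microsoft licensing program, so please confirm what the eligibility condition for Enterprise Linux subscriptions is and state it separately, for example one sentence for Windows Server licenses with Software Assurance and one for Enterprise Linux subscriptions. The same sentence is pasted into the AWS, GCP, Hyper-V, physical and VMware assessment tutorials in this batch, so fix it once at the source rather than per article.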
migrate | How To Create Azure Sql Assessment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/how-to-create-azure-sql-assessment.md | Run an assessment as follows: Target and pricing settings | **Currency** | The billing currency for your account. Target and pricing settings | **Discount (%)** | Any subscription-specific discounts you receive on top of the Azure offer. The default setting is 0%. Target and pricing settings | **VM uptime** | Specify the duration (days per month/hour per day) that servers/VMs run. This is useful for computing cost estimates for SQL Server on Azure VM where you're aware that Azure VMs might not run continuously. <br/> Cost estimates for servers where recommended target is *SQL Server on Azure VM* are based on the duration specified. Default is 31 days per month/24 hours per day.- Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure. + Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. 
For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure. Assessment criteria | **Sizing criteria** | Set to *Performance-based* by default, which means Azure Migrate collects performance metrics pertaining to SQL instances and the databases managed by it to recommend an optimal-sized SQL Server on Azure VM and/or Azure SQL Database and/or Azure SQL Managed Instance configuration.<br/><br/> You can change this to *As on-premises* to get recommendations based on just the on-premises SQL Server configuration without the performance metric based optimizations. Assessment criteria | **Performance history** | Indicate the data duration on which you want to base the assessment. (Default is one day) Assessment criteria | **Percentile utilization** | Indicate the percentile value you want to use for the performance sample. (Default is 95th percentile) |
migrate | How To Modify Assessment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/how-to-modify-assessment.md | An assessment done in Azure Migrate Discovery and assessment has three stages. A | **Target location** | The Azure location to which you want to migrate.<br/> Azure VM assessment currently supports these target regions: Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central India, Central US, China East, China North, East Asia, East US, East US2, Germany Central, Germany Northeast, Japan East, Japan West, Korea Central, Korea South, North Central US, North Europe, South Central US, Southeast Asia, South India, UK South, UK West, US Gov Arizona, US Gov Texas, US Gov Virginia, West Central US, West Europe, West India, West US, and West US2. **Storage type** | You can use this property to specify the type of disks you want to move to, in Azure.<br/><br/> For as-on-premises sizing, you can specify the target storage type either as Premium-managed disks, Standard SSD-managed disks or Standard HDD-managed disks. For performance-based sizing, you can specify the target disk type either as Automatic, Premium-managed disks, Standard HDD-managed disks, or Standard SSD-managed disks.<br/><br/> When you specify the storage type as automatic, the disk recommendation is done based on the performance data of the disks (IOPS and throughput). If you specify the storage type as premium/standard, the assessment will recommend a disk SKU within the storage type selected. If you want to achieve a single instance VM SLA of 99.9%, you may want to specify the storage type as Premium-managed disks. This ensures that all disks in the assessment are recommended as Premium-managed disks. 
Azure-**Reserved Instances (RI)** | This property helps you specify if you have [Reserved Instances](https://azure.microsoft.com/pricing/reserved-vm-instances/) in Azure, cost estimations in the assessment are then done taking into RI discounts. Reserved instances are currently only supported for Pay-As-You-Go offer in Azure Migrate. +**Reserved Instances (RI)** | This property helps you specify if you have [Reserved Instances](https://azure.microsoft.com/pricing/reserved-vm-instances/) in Azure, cost estimations in the assessment are then done taking into RI discounts. Reserved instances are currently only supported for pay-as-you-go offer in Azure Migrate. **Sizing criterion** | The criterion to be used to right-size VMs for Azure. You can either do *performance-based* sizing or size the VMs *as on-premises*, without considering the performance history. **Performance history** | The duration to consider for evaluating the performance data of machines. This property is only applicable when sizing criterion is *performance-based*. **Percentile utilization** | The percentile value of the performance sample set to be considered for right-sizing. This property is only applicable when sizing is *performance-based*. An assessment done in Azure Migrate Discovery and assessment has three stages. A **Currency** | Billing currency. **Discount (%)** | Any subscription-specific discount you receive on top of the Azure offer.<br/> The default setting is 0%. **VM uptime** | If your VMs are not going to be running 24x7 in Azure, you can specify the duration (number of days per month and number of hours per day) for which they would be running and the cost estimations would be done accordingly.<br/> The default value is 31 days per month and 24 hours per day.-**Azure Hybrid Benefit** | Specify whether you have software assurance and are eligible for [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/). 
If set to Yes, non-Windows Azure prices are considered for Windows VMs. By default, Azure Hybrid Benefit is set to Yes. +**Azure Hybrid Benefit** | Specify whether you have software assurance and are eligible for [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/). If the setting is enabled, Azure prices for selected operating systems are not considered for VM costing. ## What's in an Azure VMware Solution (AVS) assessment? You can also edit the assessment properties when you're creating an assessment. - [Learn more](concepts-assessment-calculation.md) about how Azure VM assessments are calculated. - [Learn more](concepts-azure-sql-assessment-calculation.md) about how Azure SQL assessments are calculated.-- [Learn more](concepts-azure-vmware-solution-assessment-calculation.md) about how AVS assessments are calculated.+- [Learn more](concepts-azure-vmware-solution-assessment-calculation.md) about how AVS assessments are calculated. |
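Review bot: The Reserved Instances row is touched only to lowercase "pay-as-you-go", but the sentence it sits in is still broken: "cost estimations in the assessment are then done taking into RI discounts" is missing "account" and is joined to the previous clause with a comma. Suggest ending the first sentence at "in Azure." and continuing "Cost estimates in the assessment then take RI discounts into account." In the Azure Hybrid Benefit row of the same patch, the removed sentence "By default, Azure Hybrid Benefit is set to Yes" has no replacement, so this article no longer documents the default either.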
migrate | How To Scale Out For Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/how-to-scale-out-for-migration.md | In **Download Azure Migrate appliance**, click **Download**. You need to downlo - ```C:\>CertUtil -HashFile <file_location> [Hashing Algorithm]``` - Example usage: ```C:\>CertUtil -HashFile C:\Users\administrator\Desktop\AzureMigrateInstaller.zip SHA256 ``` > 3. Download the [latest version](https://go.microsoft.com/fwlink/?linkid=2191847) of the scale-out appliance installer from the portal if the computed hash value doesn't match this string:-7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 +a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 ### 3. Run the Azure Migrate installer script |
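Review bot: Step 3 asks the reader to compare the computed hash against "this string", and the expected value changes here from uppercase to lowercase hex. Say that the comparison is not case-sensitive, so that an exact-match check by eye or by script does not reject a good download, and name SHA256 next to the value, since the step itself does not say which algorithm the string was produced with (only the CertUtil example above it does). The step also only tells the reader to download the installer again on a mismatch; add that a file whose hash still does not match must not be run.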
migrate | How To Set Up Appliance Physical | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/how-to-set-up-appliance-physical.md | Check that the zipped file is secure, before you deploy it. **Download** | **Hash value** | - [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 > [!NOTE] > The same script can be used to set up Physical appliance for either Azure public or Azure Government cloud. |
migrate | How To Set Up Appliance Vmware | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/how-to-set-up-appliance-vmware.md | Before you deploy the OVA file, verify that the file is secure: **Algorithm** | **Download** | **SHA256** | | - VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 #### Create the appliance server |
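Review bot: The SHA256 value changes but the size in the same row stays "VMware (85.8 MB)". A new hash means a different file, so confirm the size is still 85.8 MB or update it, since readers use it as a quick sanity check before hashing. The first column is headed "Algorithm" while its cell holds the scenario and file size, so rename the header (for example "Scenario") while editing this row.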
migrate | Tutorial Assess Aws | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-assess-aws.md | Run an assessment as follows: - Cost estimates are based on the duration specified. - Default is 31 days per month/24 hours per day. - In **EA Subscription**, specify whether to take an Enterprise Agreement (EA) subscription discount into account for cost estimation. - - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license. If you do and they're covered with active Software Assurance of Windows Server Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. + - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. 1. Select **Save** if you make changes. |
migrate | Tutorial Assess Gcp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-assess-gcp.md | Run an assessment as follows: - Cost estimates are based on the duration specified. - Default is 31 days per month/24 hours per day. - In **EA Subscription**, specify whether to take an Enterprise Agreement (EA) subscription discount into account for cost estimation. - - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license. If you do and they're covered with active Software Assurance of Windows Server Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. + - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. 1. Select **Save** if you make changes. |
migrate | Tutorial Assess Hyper V | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-assess-hyper-v.md | Run an assessment as follows: - Cost estimates are based on the duration specified. - Default is 31 days per month/24 hours per day. - In **EA Subscription**, specify whether to take an Enterprise Agreement (EA) subscription discount into account for cost estimation. - - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license. If you do and they're covered with active Software Assurance of Windows Server Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. + - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. 1. Select **Save** if you make changes. 1. In **Assess Servers**, select **Next**. |
migrate | Tutorial Assess Physical | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-assess-physical.md | Run an assessment as follows: - Cost estimates are based on the duration specified. - Default is 31 days per month/24 hours per day. - In **EA Subscription**, specify whether to take an Enterprise Agreement (EA) subscription discount into account for cost estimation. - - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license. If you do and they're covered with active Software Assurance of Windows Server Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. + - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. 1. Select **Save** if you make changes. |
migrate | Tutorial Assess Sql | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-assess-sql.md | Run an assessment as follows: Target and pricing settings | **Currency** | The billing currency for your account. Target and pricing settings | **Discount (%)** | Any subscription-specific discounts you receive on top of the Azure offer. The default setting is 0%. Target and pricing settings | **VM uptime** | Specify the duration (days per month/hour per day) that servers/VMs run. This is useful for computing cost estimates for SQL Server on Azure VM where you're aware that Azure VMs might not run continuously. <br/> Cost estimates for servers where recommended target is *SQL Server on Azure VM* are based on the duration specified. Default is 31 days per month/24 hours per day.- Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure. + Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. 
For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure. Assessment criteria | **Sizing criteria** | Set to *Performance-based* by default, which means Azure Migrate collects performance metrics pertaining to SQL instances and the databases managed by it to recommend an optimal-sized SQL Server on Azure VM and/or Azure SQL Database and/or Azure SQL Managed Instance configuration.<br/><br/> You can change this to *As on-premises* to get recommendations based on just the on-premises SQL Server configuration without the performance metric based optimizations. Assessment criteria | **Performance history** | Indicate the data duration on which you want to base the assessment. (Default is one day) Assessment criteria | **Percentile utilization** | Indicate the percentile value you want to use for the performance sample. (Default is 95th percentile) |
migrate | Tutorial Assess Vmware Azure Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-assess-vmware-azure-vm.md | Run an assessment as follows: - Cost estimates are based on the duration specified. - Default is 31 days per month/24 hours per day. - In **EA Subscription**, specify whether to take an Enterprise Agreement (EA) subscription discount into account for cost estimation. - - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license. If you do and they're covered with active Software Assurance of Windows Server Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. + - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure. 1. Select **Save** if you make changes. 1. In **Assess Servers**, select **Next**. |
migrate | Tutorial Assess Vmware Azure Vmware Solution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-assess-vmware-azure-vmware-solution.md | Run an assessment as follows: Target and pricing settings | **Currency** | The billing currency for your account. Target and pricing settings | **Discount (%)** | Any subscription-specific discounts you receive on top of the Azure offer. The default setting is 0%. Target and pricing settings | **VM uptime** | Specify the duration (days per month/hour per day) that servers/VMs run. This is useful for computing cost estimates for SQL Server on Azure VM where you're aware that Azure VMs might not run continuously. <br/> Cost estimates for servers where recommended target is *SQL Server on Azure VM* are based on the duration specified. Default is 31 days per month/24 hours per day.- Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure. + Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. 
For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure. Assessment criteria | **Sizing criteria** | Set to be *Performance-based* by default, which means Azure Migrate collects performance metrics pertaining to SQL instances and the databases managed by it to recommend an optimal-sized SQL Server on Azure VM and/or Azure SQL Database and/or Azure SQL Managed Instance configuration. Assessment criteria | **Performance history** | Indicate the data duration on which you want to base the assessment. (Default is one day) Assessment criteria | **Percentile utilization** | Indicate the percentile value you want to use for the performance sample. (Default is 95th percentile) |
migrate | Tutorial Discover Aws | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-aws.md | Check that the zipped file is secure, before you deploy it. **Scenario** | **Download*** | **Hash value** | | - Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 - For Azure Government: **Scenario** | **Download*** | **Hash value** | | - Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 ### 3. Run the Azure Migrate installer script |
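Review bot: the column that holds the new digest is still headed "Hash value" in both the public and the Azure Government table, so this page never tells the reader which algorithm to compute before comparing; the Hyper-V and VMware tutorials head the same column "SHA256". Rename the header to **SHA256** here as well. The replacement value is lowercase where the old one was uppercase, so the verification step should state that the comparison is case-insensitive. The stray asterisk in `**Download***` can be removed in the same pass.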
migrate | Tutorial Discover Gcp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-gcp.md | Check that the zipped file is secure before you deploy it. **Scenario** | **Download** | **Hash value** | | - Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 - For Azure Government: **Scenario** | **Download** | **Hash value** | | - Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 ### 3. Run the Azure Migrate installer script |
migrate | Tutorial Discover Hyper V | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-hyper-v.md | Check that the zipped file is secure, before you deploy it. **Scenario** | **Download** | **SHA256** | | - Hyper-V (8.91 GB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191848) | AE53454E448064839AEBFDE1EE6DBF63222686CFB37B7E2E125D44A8B24EB504 + Hyper-V (8.91 GB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191848) | 952e493a63a45f97ecdc0945807d504f4bd2f0f4f8248472b784c3e6bd25eb13 - For Azure Government: **Scenario*** | **Download** | **SHA256** | | - Hyper-V (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + Hyper-V (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 ### 3. Create an appliance |
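Review bot: in the Azure Government table the row is labelled "Hyper-V (85.8 MB)" but points at fwlink 2191847 and now carries the same digest that the Physical and VMware tables list, while the public Hyper-V row is an 8.91 GB download behind fwlink 2191848 with a different digest. If the Government download really is the shared installer script, say so in the row label or in a note above the table, so a reader who checks the digest knows which artifact it is expected to match. The header `**Scenario***` in that table also has a stray asterisk.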
migrate | Tutorial Discover Physical | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-physical.md | Check that the zipped file is secure, before you deploy it. **Download** | **Hash value** | - [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141 + [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 > [!NOTE] > The same script can be used to set up Physical appliance for either Azure public or Azure Government cloud with public or private endpoint connectivity. |
migrate | Tutorial Discover Vmware | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-vmware.md | Before you deploy the OVA file, verify that the file is secure: **Algorithm** | **Download** | **SHA256** | | - VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7ef01ae30f7bb8f4486edc1688481db656fb8eca7b9ef6363b4dab1cfcfda141 + VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857 #### Create the appliance server |
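Review bot: the first column header is "Algorithm", but the cell beneath it holds the scenario and size ("VMware (85.8 MB)"), and the algorithm is already named by the "SHA256" header on the last column; rename the first header to **Scenario**. The lead-in tells the reader to verify an OVA file, yet the row is an 85.8 MB download behind the same fwlink 2191847 and digest that the Physical tutorial lists for its zipped installer, so confirm which artifact this digest covers and word the lead-in to match.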
migrate | Tutorial Migrate Aws Virtual Machines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-migrate-aws-virtual-machines.md | Title: Discover, assess, and migrate Amazon Web Services (AWS) EC2 VMs to Azure -description: This article describes how to migrate AWS VMs to Azure with Azure Migrate. +description: This article describes how to migrate AWS VMs to Azure with Azure Migrate and Modernize. -> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. --This tutorial shows you how to discover, assess, and migrate Amazon Web Services (AWS) virtual machines (VMs) to Azure VMs, using Azure Migrate: Server Assessment and Migration and modernization tools. +> This article references CentOS, a Linux distribution that's nearing end-of-life status. Please consider your use and plan accordingly. +This tutorial shows you how to discover, assess, and migrate Amazon Web Services (AWS) virtual machines (VMs) to Azure VMs by using Azure Migrate: Server Assessment and the Migration and modernization tool. > [!NOTE] > You migrate AWS VMs to Azure by treating them as physical servers. -In this tutorial, you'll learn how to: +In this tutorial, you learn how to: > [!div class="checklist"] > > * Verify prerequisites for migration.-> * Prepare Azure resources with the Migration and modernization tool. Set up permissions for your Azure account and resources to work with Azure Migrate. -> * Prepare AWS EC2 instances for migration. -> * Add the Migration and modernization tool in the Azure Migrate hub. +> * Prepare Azure resources with the Migration and modernization tool. Set up permissions for your Azure account and resources to work with Azure Migrate and Modernize. +> * Prepare AWS Elastic Compute Cloud (EC2) instances for migration. +> * Add the Migration and modernization tool in the Azure Migrate and Modernize hub. 
> * Set up the replication appliance and deploy the configuration server.-> * Install the Mobility service on AWS VMs you want to migrate. +> * Install the Mobility service on the AWS VMs you want to migrate. > * Enable replication for VMs. > * Track and monitor the replication status. > * Run a test migration to make sure everything's working as expected. If you don't have an Azure subscription, create a [free account](https://azure.m ## Discover and assess -Before you migrate to Azure, we recommend that you perform a VM discovery and migration assessment. This assessment helps right-size your AWS VMs for migration to Azure, and estimate potential Azure run costs. +Before you migrate to Azure, we recommend that you perform a VM discovery and migration assessment. This assessment helps right-size your AWS VMs for migration to Azure and estimate potential Azure run costs. -Set up an assessment as follows: +To set up an assessment: 1. Follow the [tutorial](./tutorial-discover-physical.md) to set up Azure and prepare your AWS VMs for an assessment. Note that: - - Azure Migrate uses password authentication when discovering AWS instances. AWS instances don't support password authentication by default. Before you can discover instance, you need to enable password authentication. - - For Windows machines, allow WinRM port 5985 (HTTP). This allows remote WMI calls. + - Azure Migrate and Modernize uses password authentication to discover AWS instances. AWS instances don't support password authentication by default. Before you can discover an instance, you need to enable password authentication. + - For Windows machines, allow WinRM port 5985 (HTTP). This port allows remote WMI calls. - For Linux machines:- 1. Sign into each Linux machine. - 2. Open the sshd_config file : vi /etc/ssh/sshd_config - 3. In the file, locate the **PasswordAuthentication** line, and change the value to **yes**. - 4. Save the file and close it. Restart the ssh service. 
- - If you're using a root user to discover your Linux VMs, ensure root login is allowed on the VMs. - 1. Sign into each Linux machine - 2. Open the sshd_config file : vi /etc/ssh/sshd_config - 3. In the file, locate the **PermitRootLogin** line, and change the value to **yes**. - 4. Save the file and close it. Restart the ssh service. --2. Then, follow this [tutorial](./tutorial-assess-physical.md) to set up an Azure Migrate project and appliance to discover and assess your AWS VMs. --Although we recommend that you try out an assessment, performing an assessment isn’t a mandatory step to be able to migrate VMs. + 1. Sign in to each Linux machine. + 1. Open the *sshd_config* file: `vi /etc/ssh/sshd_config`. + 1. In the file, locate the `PasswordAuthentication` line and change the value to `yes`. + 1. Save the file and close it. Restart the ssh service. + - If you're using a root user to discover your Linux VMs, ensure that root login is allowed on the VMs. + 1. Sign in to each Linux machine. + 1. Open the *sshd_config* file: `vi /etc/ssh/sshd_config`. + 1. In the file, locate the `PermitRootLogin` line and change the value to `yes`. + 1. Save the file and close it. Restart the ssh service. +1. Then, follow this [tutorial](./tutorial-assess-physical.md) to set up an Azure Migrate project and appliance to discover and assess your AWS VMs. +Although we recommend that you try out an assessment, performing an assessment isn't a mandatory step to be able to migrate VMs. ## Prerequisites -- Ensure that the AWS VMs you want to migrate are running a supported OS version. AWS VMs are treated like physical machines for the purpose of the migration. Review the [supported operating systems and kernel versions](../site-recovery/vmware-physical-azure-support-matrix.md#replicated-machines) for the physical server migration workflow. You can use standard commands like *hostnamectl* or *uname -a* to check the OS and kernel versions for your Linux VMs. 
We recommend you perform a test migration (test failover) to validate if the VM works as expected before proceeding with the actual migration.+- Ensure that the AWS VMs you want to migrate are running a supported operating system (OS) version. AWS VMs are treated like physical machines for the migration. Review the [supported operating systems and kernel versions](../site-recovery/vmware-physical-azure-support-matrix.md#replicated-machines) for the physical server migration workflow. You can use standard commands like `hostnamectl` or `uname -a` to check the OS and kernel versions for your Linux VMs. We recommend that you perform a test migration (test failover) to validate if the VM works as expected before you proceed with the migration. - Make sure your AWS VMs comply with the [supported configurations](./migrate-support-matrix-physical-migration.md#physical-server-requirements) for migration to Azure.-- Verify that the AWS VMs that you replicate to Azure comply with [Azure VM requirements.](./migrate-support-matrix-physical-migration.md#azure-vm-requirements)-- There are some changes needed on the VMs before you migrate them to Azure.- - For some operating systems, Azure Migrate makes these changes automatically. +- Verify that the AWS VMs that you replicate to Azure comply with [Azure VM requirements](./migrate-support-matrix-physical-migration.md#azure-vm-requirements). +- Some changes are needed on the VMs before you migrate them to Azure: + - For some operating systems, Azure Migrate and Modernize makes these changes automatically. - It's important to make these changes before you begin migration. If you migrate the VM before you make the change, the VM might not boot up in Azure.-Review [Windows](prepare-for-migration.md#windows-machines) and [Linux](prepare-for-migration.md#linux-machines) changes you need to make. 
+Review the [Windows](prepare-for-migration.md#windows-machines) and [Linux](prepare-for-migration.md#linux-machines) changes you need to make. ### Prepare Azure resources for migration Prepare Azure for migration with the Migration and modernization tool. -**Task** | **Details** +Task | Details | -**Create an Azure Migrate project** | Your Azure account needs Contributor or Owner permissions to [create a new project](./create-manage-projects.md). -**Verify permissions for your Azure account** | Your Azure account needs permissions to create a VM, and write to an Azure managed disk. +Create an Azure Migrate project | Your Azure account needs Contributor or Owner permissions to [create a new project](./create-manage-projects.md). +Verify permissions for your Azure account | Your Azure account needs permissions to create a VM and write to an Azure managed disk. -### Assign permissions to create project +### Assign permissions to create a project -1. In the Azure portal, open the subscription, and select **Access control (IAM)**. -2. In **Check access**, find the relevant account, and click it to view permissions. -3. You should have **Contributor** or **Owner** permissions. +1. In the Azure portal, open the subscription and select **Access control (IAM)**. +1. In **Check access**, find the relevant account and select it to view permissions. +1. You should have **Contributor** or **Owner** permissions. - If you just created a free Azure account, you're the owner of your subscription. - If you're not the subscription owner, work with the owner to assign the role. ### Assign Azure account permissions -Assign the Virtual Machine Contributor role to the Azure account. This provides permissions to: +Assign the VM Contributor role to the Azure account. This role provides permissions to: - Create a VM in the selected resource group. - Create a VM in the selected virtual network. Assign the Virtual Machine Contributor role to the Azure account. 
This provides ### Create an Azure network -[Set up](../virtual-network/manage-virtual-network.md#create-a-virtual-network) an Azure virtual network (VNet). When you replicate to Azure, the Azure VMs that are created are joined to the Azure VNet that you specify when you set up migration. +[Set up](../virtual-network/manage-virtual-network.md#create-a-virtual-network) an Azure virtual network. When you replicate to Azure, the Azure VMs that are created are joined to the Azure virtual network that you specified when you set up migration. ## Prepare AWS instances for migration To prepare for AWS to Azure migration, you need to prepare and deploy a replicat ### Prepare a machine for the replication appliance -The Migration and modernization tool uses a replication appliance to replicate machines to Azure. The replication appliance runs the following components. +The Migration and modernization tool uses a replication appliance to replicate machines to Azure. The replication appliance runs the following components: -- **Configuration server**: The configuration server coordinates communications between the AWS environment and Azure, and manages data replication.-- **Process server**: The process server acts as a replication gateway. It receives replication data, optimizes it with caching, compression, and encryption, and sends it to a cache storage account in Azure.+- **Configuration server**: The configuration server coordinates communications between the AWS environment and Azure and manages data replication. +- **Process server**: The process server acts as a replication gateway. It receives replication data and optimizes that data with caching, compression, and encryption. Then it sends the data to a cache storage account in Azure. -Prepare for appliance deployment as follows: +To prepare for appliance deployment: - Set up a separate EC2 VM to host the replication appliance. This instance must be running Windows Server 2012 R2 or Windows Server 2016. 
[Review](./migrate-replication-appliance.md#appliance-requirements) the hardware, software, and networking requirements for the appliance.-- The appliance shouldn't be installed on a source VM that you want to replicate or on the Azure Migrate discovery and assessment appliance you may have installed before. It should be deployed on a different VM.-- The source AWS VMs to be migrated should have a network line of sight to the replication appliance. Configure necessary security group rules to enable this. It's recommended that the replication appliance is deployed in the same VPC as the source VMs to be migrated. If the replication appliance needs to be in a different VPC, the VPCs need to be connected through VPC peering.+- The appliance shouldn't be installed on a source VM that you want to replicate or on the Azure Migrate: Discovery and assessment appliance you might have installed before. It should be deployed on a different VM. +- The source AWS VMs to be migrated should have a network line of sight to the replication appliance. Configure necessary security group rules to enable this capability. We recommend that you deploy the replication appliance in the same virtual private cloud (VPC) as the source VMs to be migrated. If the replication appliance needs to be in a different VPC, the VPCs must be connected through VPC peering. - The source AWS VMs communicate with the replication appliance on ports HTTPS 443 (control channel orchestration) and TCP 9443 (data transport) inbound for replication management and replication data transfer. The replication appliance in turn orchestrates and sends replication data to Azure over port HTTPS 443 outbound. To configure these rules, edit the security group inbound/outbound rules with the appropriate ports and source IP information. 
- ![AWS security groups ](./media/tutorial-migrate-aws-virtual-machines/aws-security-groups.png) -+ ![Screenshot that shows AWS security groups.](./media/tutorial-migrate-aws-virtual-machines/aws-security-groups.png) - ![Edit security settings ](./media/tutorial-migrate-aws-virtual-machines/edit-security-settings.png) + ![Screenshot that shows editing security settings.](./media/tutorial-migrate-aws-virtual-machines/edit-security-settings.png) - The replication appliance uses MySQL. Review the [options](migrate-replication-appliance.md#mysql-installation) for installing MySQL on the appliance. - Review the Azure URLs required for the replication appliance to access [public](migrate-replication-appliance.md#url-access) and [government](migrate-replication-appliance.md#azure-government-url-access) clouds. ## Set up the replication appliance -The first step of migration is to set up the replication appliance. To set up the appliance for AWS VMs migration, you must download the installer file for the appliance, and then run it on the [VM you prepared](#prepare-a-machine-for-the-replication-appliance). +The first step of migration is to set up the replication appliance. To set up the appliance for AWS VMs migration, you must download the installer file for the appliance and then run it on the [VM you prepared](#prepare-a-machine-for-the-replication-appliance). ### Download the replication appliance installer -1. In the Azure Migrate project > **Servers, databases and web apps**, in **Migration and modernization**, select **Discover**. +1. In the Azure Migrate project, select **Servers, databases, and web apps** > **Migration and modernization** > **Discover**. - ![Discover VMs](./media/tutorial-migrate-physical-virtual-machines/migrate-discover.png) + ![Screenshot that shows the Discover button.](./media/tutorial-migrate-physical-virtual-machines/migrate-discover.png) ++1. In **Discover machines** > **Are your machines virtualized?**, select **Not virtualized/Other**. 
+1. In **Target region**, select the Azure region to which you want to migrate the machines. +1. Select **Confirm that the target region for migration is \<region-name\>**. +1. Select **Create resources**. This step creates an Azure Site Recovery vault in the background. + - If you already set up migration with the Migration and modernization tool, the target option can't be configured because resources were set up previously. + - You can't change the target region for this project after you select this button. + - To migrate your VMs to a different region, you need to create a new or different Azure Migrate project. -2. In **Discover machines** > **Are your machines virtualized?**, click **Not virtualized/Other**. -3. In **Target region**, select the Azure region to which you want to migrate the machines. -4. Select **Confirm that the target region for migration is \<region-name\>**. -5. Click **Create resources**. This creates an Azure Site Recovery vault in the background. - - If you've already set up migration with the Migration and modernization tool, the target option can't be configured, since resources were set up previously. - - You can't change the target region for this project after clicking this button. - - To migrate your VMs to a different region, you'll need to create a new/different Azure Migrate project. > [!NOTE]- > If you selected private endpoint as the connectivity method for the Azure Migrate project when it was created, the Recovery Services vault will also be configured for private endpoint connectivity. Ensure that the private endpoints are reachable from the replication appliance. [**Learn more**](troubleshoot-network-connectivity.md) + > If you selected private endpoint as the connectivity method for the Azure Migrate project when it was created, the Recovery Services vault is also configured for private endpoint connectivity. Ensure that the private endpoints are reachable from the replication appliance. 
[Learn more](troubleshoot-network-connectivity.md). -6. In **Do you want to install a new replication appliance?**, select **Install a replication appliance**. -7. In **Download and install the replication appliance software**, download the appliance installer, and the registration key. You need to the key in order to register the appliance. The key is valid for five days after it's downloaded. +1. In **Do you want to install a new replication appliance?**, select **Install a replication appliance**. +1. In **Download and install the replication appliance software**, download the appliance installer and the registration key. You need the key to register the appliance. The key is valid for five days after download. - ![Download provider](media/tutorial-migrate-physical-virtual-machines/download-provider.png) + ![Screenshot that shows the Download button.](media/tutorial-migrate-physical-virtual-machines/download-provider.png) -8. Copy the appliance setup file and key file to the Windows Server 2016 or Windows Server 2012 AWS VM you created for the replication appliance. -9. Run the replication appliance setup file, as described in the next procedure. - 1. Under **Before You Begin**, select **Install the configuration server and process server**, and then select **Next**. - 2. In **Third-Party Software License**, select **I accept the third-party license agreement**, and then select **Next**. - 3. In **Registration**, select **Browse**, and then go to where you put the vault registration key file. Select **Next**. - 4. In **Internet Settings**, select **Connect to Azure Site Recovery without a proxy server**, and then select **Next**. - 5. The **Prerequisites Check** page runs checks for several items. When it's finished, select **Next**. - 6. In **MySQL Configuration**, provide a password for the MySQL DB, and then select **Next**. - 7. In **Environment Details**, select **No**. You don't need to protect your VMs. Then, select **Next**. - 8. 
In **Install Location**, select **Next** to accept the default. - 9. In **Network Selection**, select **Next** to accept the default. - 10. In **Summary**, select **Install**. - 11. **Installation Progress** shows you information about the installation process. When it's finished, select **Finish**. A window displays a message about a reboot. Select **OK**. - 12. Next, a window displays a message about the configuration server connection passphrase. Copy the passphrase to your clipboard and save the passphrase in a temporary text file on the source VMs. You’ll need this passphrase later, during the mobility service installation process. +1. Copy the appliance setup file and key file to the Windows Server 2016 or Windows Server 2012 AWS VM you created for the replication appliance. +1. Run the replication appliance setup file, as described in the next procedure. + 1. Under **Before You Begin**, select **Install the configuration server and process server**. Then select **Next**. + 1. In **Third-Party Software License**, select **I accept the third-party license agreement**. Then select **Next**. + 1. In **Registration**, select **Browse**, and then go to where you put the vault registration key file. Select **Next**. + 1. In **Internet Settings**, select **Connect to Azure Site Recovery without a proxy server**. Then select **Next**. + 1. The **Prerequisites Check** page runs checks for several items. When it's finished, select **Next**. + 1. In **MySQL Configuration**, provide a password for the MySQL database. Then select **Next**. + 1. In **Environment Details**, select **No**. You don't need to protect your VMs. Then select **Next**. + 1. In **Install Location**, select **Next** to accept the default. + 1. In **Network Selection**, select **Next** to accept the default. + 1. In **Summary**, select **Install**. + 1. **Installation Progress** shows you information about the installation process. When it's finished, select **Finish**. 
A window displays a message about a reboot. Select **OK**. + 1. Next, a window displays a message about the configuration server connection passphrase. Copy the passphrase to your clipboard and save the passphrase in a temporary text file on the source VMs. You need this passphrase later during the Mobility service installation process. -10. After the installation completes, the Appliance configuration wizard will be launched automatically (You can also launch the wizard manually by using the cspsconfigtool shortcut that is created on the desktop of the appliance). In this tutorial, we'll be manually installing the Mobility Service on source VMs to be replicated, so create a dummy account in this step and proceed. You can provide the following details for creating the dummy account - "guest" as the friendly name, "username" as the username, and "password" as the password for the account. You'll be using this dummy account in the Enable Replication stage. +1. After the installation finishes, the Appliance configuration wizard launches automatically. (You can also launch the wizard manually by using the `cspsconfigtool` shortcut that was created on the appliance desktop.) In this tutorial, we manually install the Mobility service on source VMs to be replicated. You need to create a dummy account in this step to proceed. For your dummy account, use "guest" as the friendly name, "username" as the username, and "password" as the password for the account. You use this dummy account in the Enable Replication stage. -11. After the appliance has restarted after setup, in **Discover machines**, select the new appliance in **Select Configuration Server**, and click **Finalize registration**. Finalize registration performs a couple of final tasks to prepare the replication appliance. +1. After the appliance restarts after setup, in **Discover machines**, select the new appliance in **Select Configuration Server** and select **Finalize registration**. 
The **Finalize registration** step performs a couple of final tasks to prepare the replication appliance. - ![Finalize registration](./media/tutorial-migrate-physical-virtual-machines/finalize-registration.png) + ![Screenshot that shows Finalize registration.](./media/tutorial-migrate-physical-virtual-machines/finalize-registration.png) ## Install the Mobility service agent -A Mobility service agent must be pre-installed on the source AWS VMs to be migrated before you can initiate replication. The approach you choose to install the Mobility service agent may depend on your organization's preferences and existing tools, but be aware that the "push" installation method built into Azure Site Recovery is not currently supported. Approaches you may want to consider: +A Mobility service agent must be preinstalled on the source AWS VMs to be migrated before you can initiate replication. The approach you choose to install the Mobility service agent might depend on your organization's preferences and existing tools. The "push" installation method built into Site Recovery isn't currently supported. Approaches you might want to consider: - [AWS System Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) - [System Center Configuration Manager](../site-recovery/vmware-azure-mobility-install-configuration-mgr.md)-- [Arc for Servers and Custom Script Extensions](../azure-arc/servers/overview.md)+- [Azure Arc for servers and custom script extensions](../azure-arc/servers/overview.md) - [Manual installation](../site-recovery/vmware-physical-mobility-service-overview.md) ## Enable replication for AWS VMs A Mobility service agent must be pre-installed on the source AWS VMs to be migra > [!NOTE] > Through the portal, you can add up to 10 VMs for replication at once. To replicate more VMs simultaneously, you can add them in batches of 10. -1. 
In the Azure Migrate project > **Servers, databases and web apps** > **Migration and modernization**, select **Replicate**. +1. In the Azure Migrate project, select **Servers, databases, and web apps** > **Migration and modernization** > **Replicate**. ++ ![Screenshot that shows selecting Replicate.](./media/tutorial-migrate-physical-virtual-machines/select-replicate.png) - ![Replicate VMs](./media/tutorial-migrate-physical-virtual-machines/select-replicate.png) +1. In **Replicate**, > **Source settings** > **Are your machines virtualized?**, select **Not virtualized/Other**. +1. In **On-premises appliance**, select the name of the Azure Migrate appliance that you set up. +1. In **Process Server**, select the name of the replication appliance. +1. In **Guest credentials**, select the dummy account you created previously during the [replication installer setup](#download-the-replication-appliance-installer) to install the Mobility service manually. (Push installation isn't supported.) Then select **Next: Virtual machines**. -2. In **Replicate**, > **Source settings** > **Are your machines virtualized?**, select **Not virtualized/Other**. -3. In **On-premises appliance**, select the name of the Azure Migrate appliance that you set up. -4. In **Process Server**, select the name of the replication appliance. -5. In **Guest credentials**, please select the dummy account created previously during the [replication installer setup](#download-the-replication-appliance-installer) to install the Mobility service manually (push install is not supported). Then click **Next: Virtual machines**. + ![Screenshot that shows replicating settings.](./media/tutorial-migrate-physical-virtual-machines/source-settings.png) +1. In **Virtual Machines**, in **Import migration settings from an assessment?**, leave the default setting **No, I'll specify the migration settings manually**. +1. Check each VM you want to migrate. Then select **Next: Target settings**. 
- ![Replicate Settings](./media/tutorial-migrate-physical-virtual-machines/source-settings.png) -6. In **Virtual Machines**, in **Import migration settings from an assessment?**, leave the default setting **No, I'll specify the migration settings manually**. -7. Check each VM you want to migrate. Then click **Next: Target settings**. + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/select-vms-inline.png" alt-text="Screenshot that shows selecting VMs." lightbox="./media/tutorial-migrate-physical-virtual-machines/select-vms-expanded.png"::: - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/select-vms-inline.png" alt-text="Screenshot on selecting VMs." lightbox="./media/tutorial-migrate-physical-virtual-machines/select-vms-expanded.png"::: +1. In **Target settings**, select the subscription and target region to which you'll migrate. Specify the resource group in which the Azure VMs will reside after migration. +1. In **Virtual Network**, select the Azure virtual network/subnet to which the Azure VMs will be joined after migration. +1. In **Cache storage account**, keep the default option to use the cache storage account that was automatically created for the project. Use the dropdown list if you want to specify a different storage account to use as the cache storage account for replication. <br/> -8. In **Target settings**, select the subscription, and target region to which you'll migrate, and specify the resource group in which the Azure VMs will reside after migration. -9. In **Virtual Network**, select the Azure VNet/subnet to which the Azure VMs will be joined after migration. -10. In **Cache storage account**, keep the default option to use the cache storage account that is automatically created for the project. Use the dropdown if you'd like to specify a different storage account to use as the cache storage account for replication. 
<br/> > [!NOTE] >- > - If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. [**Learn more**](migrate-servers-to-azure-using-private-link.md#grant-access-permissions-to-the-recovery-services-vault) - > - To replicate using ExpressRoute with private peering, create a private endpoint for the cache storage account. [**Learn more**](migrate-servers-to-azure-using-private-link.md#create-a-private-endpoint-for-the-storage-account-1) -11. In **Availability options**, select: - - Availability Zone to pin the migrated machine to a specific Availability Zone in the region. Use this option to distribute servers that form a multi-node application tier across Availability Zones. If you select this option, you'll need to specify the Availability Zone to use for each of the selected machine in the Compute tab. This option is only available if the target region selected for the migration supports Availability Zones - - Availability Set to place the migrated machine in an Availability Set. The target Resource Group that was selected must have one or more availability sets in order to use this option. - - No infrastructure redundancy required option if you don't need either of these availability configurations for the migrated machines. --12. In **Disk encryption type**, select: - - Encryption-at-rest with platform-managed key - - Encryption-at-rest with customer-managed key - - Double encryption with platform-managed and customer-managed keys + > - If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. [Learn more](migrate-servers-to-azure-using-private-link.md#grant-access-permissions-to-the-recovery-services-vault). + > - To replicate by using Azure ExpressRoute with private peering, create a private endpoint for the cache storage account. 
[Learn more](migrate-servers-to-azure-using-private-link.md#create-a-private-endpoint-for-the-storage-account-1). +1. In **Availability options**, select: + - **Availability Zone**: Pins the migrated machine to a specific availability zone in the region. Use this option to distribute servers that form a multinode application tier across availability zones. If you select this option, you need to specify the availability zone to use for each of the selected machines on the **Compute** tab. This option is only available if the target region selected for the migration supports availability zones. + - **Availability Set**: Places the migrated machine in an availability set. The target resource group that was selected must have one or more availability sets in order to use this option. + - **No infrastructure redundancy required**: Select this option if you don't need either of these availability configurations for the migrated machines. ++1. In **Disk encryption type**, select: + - Encryption-at-rest with a platform-managed key. + - Encryption-at-rest with a customer-managed key. + - Double encryption with platform-managed and customer-managed keys. > [!NOTE]- > To replicate VMs with CMK, you'll need to [create a disk encryption set](../virtual-machines/disks-enable-customer-managed-keys-portal.md#set-up-your-disk-encryption-set) under the target Resource Group. A disk encryption set object maps Managed Disks to a Key Vault that contains the CMK to use for SSE. --13. In **Azure Hybrid Benefit**: + > To replicate VMs with customer-managed keys, you need to [create a disk encryption set](../virtual-machines/disks-enable-customer-managed-keys-portal.md#set-up-your-disk-encryption-set) under the target resource group. A disk encryption set object maps managed disks to an Azure Key Vault instance that contains the customer-managed key to use for server-side encryption. - - Select **No** if you don't want to apply Azure Hybrid Benefit. Then click **Next**. 
- - Select **Yes** if you have Windows Server machines that are covered with active Software Assurance or Windows Server subscriptions, and you want to apply the benefit to the machines you're migrating. Then click **Next**. +1. In **Azure Hybrid Benefit**: + - Select **No** if you don't want to apply Azure Hybrid Benefit. Then select **Next**. + - Select **Yes** if you have Windows Server machines that are covered with active Software Assurance or Windows Server subscriptions, and you want to apply the benefit to the machines you're migrating. Then select **Next**. - ![Target settings](./media/tutorial-migrate-vmware/target-settings.png) + ![Screenshot that shows Target settings.](./media/tutorial-migrate-vmware/target-settings.png) -14. In **Compute**, review the VM name, size, OS disk type, and availability configuration (if selected in the previous step). VMs must conform with [Azure requirements](migrate-support-matrix-physical-migration.md#azure-vm-requirements). -- - **VM size**: If you're using assessment recommendations, the VM size dropdown shows the recommended size. Otherwise Azure Migrate picks a size based on the closest match in the Azure subscription. Alternatively, pick a manual size in **Azure VM size**. +1. In **Compute**, review the VM name, size, OS disk type, and availability configuration (if selected in the previous step). VMs must conform with [Azure requirements](migrate-support-matrix-physical-migration.md#azure-vm-requirements). + - **VM size**: If you're using assessment recommendations, the VM size dropdown list shows the recommended size. Otherwise, Azure Migrate and Modernize picks a size based on the closest match in the Azure subscription. Alternatively, pick a manual size in **Azure VM size**. - **OS disk**: Specify the OS (boot) disk for the VM. The OS disk is the disk that has the operating system bootloader and installer.- - **Availability Zone**: Specify the Availability Zone to use. 
- - **Availability Set**: Specify the Availability Set to use. + - **Availability Zone**: Specify the availability zone to use. + - **Availability Set**: Specify the availability set to use. -15. In **Disks**, specify whether the VM disks should be replicated to Azure, and select the disk type (standard SSD/HDD or premium managed disks) in Azure. Then click **Next**. +1. In **Disks**, specify whether the VM disks should be replicated to Azure and select the disk type (standard SSD/HDD or premium managed disks) in Azure. Then select **Next**. - You can exclude disks from replication.- - If you exclude disks, won't be present on the Azure VM after migration. + - If you exclude disks, they won't be present on the Azure VM after migration. - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/disks-inline.png" alt-text="Screenshot shows the Disks tab of the Replicate dialog box." lightbox="./media/tutorial-migrate-physical-virtual-machines/disks-expanded.png"::: + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/disks-inline.png" alt-text="Screenshot that shows the Disks tab in the Replicate dialog." lightbox="./media/tutorial-migrate-physical-virtual-machines/disks-expanded.png"::: -1. In **Tags**, choose to add tags to your Virtual machines, Disks, and NICs. +1. In **Tags**, choose to add tags to your virtual machines, disks, and NICs. - :::image type="content" source="./media/tutorial-migrate-vmware/tags-inline.png" alt-text="Screenshot shows the tags tab of the Replicate dialog box." lightbox="./media/tutorial-migrate-vmware/tags-expanded.png"::: + :::image type="content" source="./media/tutorial-migrate-vmware/tags-inline.png" alt-text="Screenshot that shows the Tags tab in the Replicate dialog." lightbox="./media/tutorial-migrate-vmware/tags-expanded.png"::: -16. In **Review and start replication**, review the settings, and click **Replicate** to start the initial replication for the servers. +1. 
In **Review and start replication**, review the settings and select **Replicate** to start the initial replication for the servers. > [!NOTE]-> You can update replication settings any time before replication starts, **Manage** > **Replicating machines**. Settings can't be changed after replication starts. +> To update replication settings any time before replication starts, select **Manage** > **Replicating machines**. Settings can't be changed after replication starts. ## Track and monitor replication status -- When you click **Replicate** a Start Replication job begins.+- When you select **Replicate**, a Start Replication job begins. - When the Start Replication job finishes successfully, the VMs begin their initial replication to Azure.-- After initial replication finishes, delta replication begins. Incremental changes to AWS VM disks are periodically replicated to the replica disks in Azure.+- After that initial replication finishes, delta replication begins. Incremental changes to AWS VM disks are periodically replicated to the replica disks in Azure. You can track job status in the portal notifications. -You can monitor replication status by clicking on **Replicating servers** in **Migration and modernization**. +You can monitor replication status by selecting **Replicating servers** in **Azure Migrate: Server Migration**. -![Monitor replication](./media/tutorial-migrate-physical-virtual-machines/replicating-servers.png) +![Screenshot that shows the Replicating servers option.](./media/tutorial-migrate-physical-virtual-machines/replicating-servers.png) ## Run a test migration -When delta replication begins, you can run a test migration for the VMs, before running a full migration to Azure. The test migration is highly recommended and provides an opportunity to discover any potential issues and fix them before you proceed with the actual migration. It's advised that you do this at least once for each VM before you migrate it. 
+When delta replication begins, you can run a test migration for the VMs before you run a full migration to Azure. We highly recommend the test migration. It provides an opportunity to discover any potential issues and fix them before you proceed with the actual migration. We recommend that you do this step at least once for each VM before you migrate it. -- Running a test migration checks that migration will work as expected, without impacting the AWS VMs, which remain operational, and continue replicating.-- Test migration simulates the migration by creating an Azure VM using replicated data (usually migrating to a non-production VNet in your Azure subscription).+- Running a test migration checks that migration works as expected without affecting the AWS VMs, which remain operational and continue replicating. +- Test migration simulates the migration by creating an Azure VM by using replicated data. (The test usually migrates to a nonproduction virtual network in your Azure subscription.) - You can use the replicated test Azure VM to validate the migration, perform app testing, and address any issues before full migration. -Do a test migration as follows: +To do a test migration: -1. In **Migration goals** > **Servers, databases and web apps** > **Migration and modernization**, select **Test migrated servers**. +1. In **Migration goals**, select **Servers, databases, and web apps** > **Migration and modernization** > **Test migrated servers**. - ![Test migrated servers](./media/tutorial-migrate-physical-virtual-machines/test-migrated-servers.png) + ![Screenshot that shows Test migrated servers.](./media/tutorial-migrate-physical-virtual-machines/test-migrated-servers.png) -2. Right-click the VM to test, and click **Test migrate**. +1. Right-click the VM you want to test and select **Test migrate**. 
- ![Test migration](./media/tutorial-migrate-physical-virtual-machines/test-migrate.png) + ![Screenshot that shows Test migrate.](./media/tutorial-migrate-physical-virtual-machines/test-migrate.png) -3. In **Test Migration**, select the Azure VNet in which the Azure VM will be located after the migration. We recommend you use a non-production VNet. -4. The **Test migration** job starts. Monitor the job in the portal notifications. -5. After the migration finishes, view the migrated Azure VM in **Virtual Machines** in the Azure portal. The machine name has a suffix **-Test**. -6. After the test is done, right-click the Azure VM in **Replicating machines**, and click **Clean up test migration**. +1. In **Test Migration**, select the Azure virtual network in which the Azure VM will be located after the migration. We recommend that you use a nonproduction virtual network. +1. The Test Migration job starts. Monitor the job in the portal notifications. +1. After the migration finishes, view the migrated Azure VM in **Virtual Machines** in the Azure portal. The machine name has the suffix **-Test**. +1. After the test is finished, right-click the Azure VM in **Replicating machines** and select **Clean up test migration**. - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/clean-up-inline.png" alt-text="Screenshot showing the result after the cleanup of test migration." lightbox="./media/tutorial-migrate-physical-virtual-machines/clean-up-expanded.png"::: + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/clean-up-inline.png" alt-text="Screenshot that shows the result after the cleanup of test migration." lightbox="./media/tutorial-migrate-physical-virtual-machines/clean-up-expanded.png"::: > [!NOTE]- > You can now register your servers running SQL server with SQL VM RP to take advantage of automated patching, automated backup and simplified license management using SQL IaaS Agent Extension. 
+ > You can now register your servers running SQL Server with SQL VM RP to take advantage of automated patching, automated backup, and simplified license management by using the SQL IaaS Agent Extension. >- Select **Manage** > **Replicating servers** > **Machine containing SQL server** > **Compute and Network** and select **yes** to register with SQL VM RP.- >- Select Azure Hybrid benefit for SQL Server if you have SQL Server instances that are covered with active Software Assurance or SQL Server subscriptions and you want to apply the benefit to the machines you're migrating.hs. + >- Select **Azure Hybrid Benefit for SQL Server** if you have SQL Server instances that are covered with active Software Assurance or SQL Server subscriptions and you want to apply the benefit to the machines you're migrating to. ## Migrate AWS VMs -After you've verified that the test migration works as expected, you can migrate the AWS VMs. +After you verify that the test migration works as expected, you can migrate the AWS VMs. -1. In the Azure Migrate project > **Servers, databases and web apps** > **Migration and modernization**, select **Replicating servers**. +1. In the Azure Migrate project, select **Servers, databases, and web apps** > **Migration and modernization** > **Replicating servers**. - ![Replicating servers](./media/tutorial-migrate-physical-virtual-machines/replicate-servers.png) + ![Screenshot that shows Replicating servers.](./media/tutorial-migrate-physical-virtual-machines/replicate-servers.png) -2. In **Replicating machines**, right-click the VM > **Migrate**. -3. In **Migrate** > **Shut down virtual machines and perform a planned migration with no data loss**, select **Yes** > **OK**. +1. In **Replicating machines**, right-click the VM and select **Migrate**. +1. In **Migrate** > **Shut down virtual machines and perform a planned migration with no data loss**, select **Yes** > **OK**. 
> [!NOTE]- > Automatic shutdown isn't supported while migrating AWS virtual machines. - -4. A migration job starts for the VM. You can view the job status by clicking the notification bell icon on the top right of the portal page or by going to the jobs page of the Migration and modernization tool (Click Overview on the tool tile > Select Jobs from the left menu). -5. After the job finishes, you can view and manage the VM from the Virtual Machines page. + > Automatic shutdown isn't supported while migrating AWS VMs. ++1. A migration job starts for the VM. You can view the job status by selecting the notification bell icon on the top right of the portal page. You can also go to the **Jobs** page of the Migration and modernization tool. (Select **Overview** on the tool tile and select **Jobs** from the left menu.) +1. After the job finishes, you can view and manage the VM from the **Virtual Machines** page. ### Complete the migration -1. After the migration is done, right-click the VM > **Stop migration**. This does the following: +1. After the migration is finished, right-click the VM and select **Stop migration**. This action: - Stops replication for the AWS VM. - Removes the AWS VM from the **Replicating servers** count in the Migration and modernization tool. - Cleans up replication state information for the VM.-1. Verify and [troubleshoot any Windows activation issues on the Azure VM.](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems) +1. Verify and [troubleshoot any Windows activation issues on the Azure VM](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). 1. Perform any post-migration app tweaks, such as updating host names, database connection strings, and web server configurations. 1. Perform final application and migration acceptance testing on the migrated application now running in Azure. 1. Cut over traffic to the migrated Azure VM instance. 1. 
Update any internal documentation to show the new location and IP address of the Azure VMs. - ## Post-migration best practices - For increased resilience:- - Keep data secure by backing up Azure VMs using the Azure Backup service. [Learn more](../backup/quick-backup-vm-portal.md). + - Keep data secure by backing up Azure VMs by using Azure Backup. [Learn more](../backup/quick-backup-vm-portal.md). - Keep workloads running and continuously available by replicating Azure VMs to a secondary region with Site Recovery. [Learn more](../site-recovery/azure-to-azure-tutorial-enable-replication.md). - For increased security:- - Lock down and limit inbound traffic access with [Microsoft Defender for Cloud - Just in time administration](../security-center/security-center-just-in-time.md). + - Lock down and limit inbound traffic access with [Microsoft Defender for Cloud - Just-in-time administration](../security-center/security-center-just-in-time.md). - Manage and govern updates on Windows and Linux machines with [Azure Update Manager](../update-manager/overview.md).- - Restrict network traffic to management endpoints with [Network Security Groups](../virtual-network/network-security-groups-overview.md). - - Deploy [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md) to help secure disks, and keep data safe from theft and unauthorized access. - - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/). + - Restrict network traffic to management endpoints with [network security groups](../virtual-network/network-security-groups-overview.md). + - Deploy [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md) to help secure disks and keep data safe from theft and unauthorized access. 
+ - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/) and [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/). - For monitoring and management:- - Consider deploying [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending. + - Consider deploying [Microsoft Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending. +## Troubleshooting and tips +**Question:** I can't see my AWS VM in the discovered list of servers for migration.<br> +**Answer:** Check if your replication appliance meets the requirements. Make sure Mobility Agent is installed on the source VM to be migrated and is registered to the Configuration Server. Check the network setting and firewall rules to enable a network path between the replication appliance and source AWS VMs. -## Troubleshooting / Tips +**Question:** How do I know if my VM was successfully migrated?<br> +**Answer:** Post migration, you can view and manage the VM from the **Virtual Machines** page. Connect to the migrated VM to validate. -**Question:** I cannot see my AWS VM in the discovered list of servers for migration -**Answer:** Check if your replication appliance meets the requirements. Make sure Mobility Agent is installed on the source VM to be migrated and is registered the Configuration Server. Check the network setting and firewall rules to enable a network path between the replication appliance and source AWS VMs. --**Question:** How do I know if my VM was successfully migrated -**Answer:** Post-migration, you can view and manage the VM from the Virtual Machines page. Connect to the migrated VM to validate. 
--**Question:** I am unable to import VMs for migration from my previously created Server Assessment results +**Question:** I'm unable to import VMs for migration from my previously created Server Assessment results.<br> **Answer:** Currently, we don't support the import of assessment for this workflow. As a workaround, you can export the assessment and then manually select the VM recommendation during the Enable Replication step. -**Question:** I am getting the error “Failed to fetch BIOS GUID” while trying to discover my AWS VMs -**Answer:** Always use root login for authentication and not any pseudo user. Also review supported operating systems for AWS VMs. --**Question:** My replication status is not progressing. -**Answer:** Check if your replication appliance meets the requirements. Make sure you’ve enabled the required ports on your replication appliance TCP port 9443 and HTTPS 443 for data transport. Ensure that there are no stale duplicate versions of the replication appliance connected to the same project. +**Question:** I'm getting the error "Failed to fetch BIOS GUID" while trying to discover my AWS VMs.<br> +**Answer:** Always use root login for authentication and not any pseudo user. Also, review supported operating systems for AWS VMs. -**Question:** I am unable to Discover AWS Instances using Azure Migrate due to HTTP status code of 504 from the remote Windows management service -**Answer:** Make sure to review the Azure migrate appliance requirements and URL access needs. Make sure no proxy settings are blocking the appliance registration. +**Question:** My replication status isn't progressing.<br> +**Answer:** Check if your replication appliance meets the requirements. Make sure that you enabled the required ports on your replication appliance TCP port 9443 and HTTPS 443 for data transport. Ensure that no stale duplicate versions of the replication appliance are connected to the same project. 
-**Question:** Do I have to make any changes before I migrate my AWS VMs to Azure -**Answer:** You may have to make these changes before migrating your EC2 VMs to Azure: +**Question:** I'm unable to discover AWS instances by using Azure Migrate and Modernize because of the HTTP status code of 504 from the remote Windows management service.<br> +**Answer:** Make sure to review the Azure Migrate appliance requirements and URL access needs. Make sure no proxy settings are blocking the appliance registration. -- If you're using cloud-init for your VM provisioning, you may want to disable cloud-init on the VM before replicating it to Azure. The provisioning steps performed by cloud-init on the VM maybe AWS specific and won't be valid after the migration to Azure. ​-- If the VM is a PV VM (para-virtualized) and not HVM VM, you may not be able to run it as-is on Azure because para-virtualized VMs use a custom boot sequence in AWS. You may be able to get over this challenge by uninstalling PV drivers before you perform a migration to Azure. -- We always recommend you run a test migration before the final migration. +**Question:** Do I have to make any changes before I migrate my AWS VMs to Azure?<br> +**Answer:** You might have to make the following changes before you migrate your EC2 VMs to Azure: +- If you're using cloud-init for your VM provisioning, you might want to disable cloud-init on the VM before you replicate it to Azure. The provisioning steps performed by cloud-init on the VM might be specific to AWS and won't be valid after the migration to Azure. ​ +- If the VM is a paravirtualized (PV) VM and not a hardware VM, you might not be able to run it as is on Azure. PV VMs use a custom boot sequence in AWS. You might be able to overcome this challenge by uninstalling PV drivers before you perform a migration to Azure. +- We always recommend that you run a test migration before the final migration. 
-**Question:** Can I migrate AWS VMs running Amazon Linux Operating system -**Answer:** VMs running Amazon Linux can't be migrated as-is as Amazon Linux OS is only supported on AWS. -To migrate workloads running on Amazon Linux, you can spin up a CentOS/RHEL VM in Azure and migrate the workload running on the AWS Linux machine using a relevant workload migration approach. For example, depending on the workload, there may be workload-specific tools to aid the migration – such as for databases or deployment tools in case of web servers. +**Question:** Can I migrate AWS VMs running the Amazon Linux operating system?<br> +**Answer:** VMs running Amazon Linux can't be migrated as is because the Amazon Linux OS is only supported on AWS. +To migrate workloads running on Amazon Linux, you can spin up a CentOS/RHEL VM in Azure. Then you can migrate the workload running on the AWS Linux machine by using a relevant workload migration approach. For example, depending on the workload, there might be workload-specific tools to aid the migration. These tools might be for databases or deployment tools for web servers. ## Next steps -Investigate the [cloud migration journey](/azure/architecture/cloud-adoption/getting-started/migrate) in the Azure Cloud Adoption Framework. +Investigate the [cloud migration journey](/azure/architecture/cloud-adoption/getting-started/migrate) in the Cloud Adoption Framework for Azure. |
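Review bot: The added appliance-setup step that says "save the passphrase in a temporary text file on the source VMs" leaves the configuration server connection passphrase in clear text on every source machine, with no step that removes it. Since the same text says the passphrase is needed "later during the Mobility service installation process", add a follow-up instruction to delete the temporary file once the Mobility service is installed, and advise restricting read access to the file while it exists.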
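Review bot: The reworded dummy-account step still prescribes the literal values "guest", "username", and "password", and the later **Guest credentials** step selects that entry, but neither line says whether the entry is ever used to authenticate against a source VM. Because the patch states that push installation isn't supported, say explicitly that this is a placeholder entry only, and that it should not correspond to a real account on the appliance or on the source VMs.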
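Review bot: In "Track and monitor replication status", the added line replaces **Migration and modernization** with **Azure Migrate: Server Migration**, while every other added line in this patch uses "Migration and modernization" for the same tool. This looks like a regression to the old tool name. Keep "selecting **Replicating servers** in **Migration and modernization**" so the portal path matches the rest of the article.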
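Review bot: In the troubleshooting answer for "My replication status isn't progressing", the added sentence "enabled the required ports on your replication appliance TCP port 9443 and HTTPS 443 for data transport" carries over the missing punctuation from the removed line, so the port list runs into the noun it modifies. Set the ports off, for example "the required ports on your replication appliance (TCP port 9443 and HTTPS 443) for data transport", and consider stating the direction and the expected peers, so readers scope the firewall rule to the replication path instead of opening the ports broadly.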
migrate | Tutorial Migrate Physical Virtual Machines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-migrate-physical-virtual-machines.md | Title: Migrate machines as physical server to Azure with Azure Migrate. -description: This article describes how to migrate physical machines to Azure with Azure Migrate. + Title: Migrate machines as physical servers to Azure with Azure Migrate and Modernize +description: This article describes how to migrate physical machines to Azure with Azure Migrate and Modernize. ms. Last updated 01/12/2023 -# Migrate machines as physical servers to Azure +# Migrate machines as physical servers to Azure -This article shows you how to migrate machines as physical servers to Azure, using the Migration and modernization tool. Migrating machines by treating them as physical servers is useful in a number of scenarios: +This article shows you how to migrate machines as physical servers to Azure by using the Migration and modernization tool. Migrating machines by treating them as physical servers is useful in many scenarios: - Migrate on-premises physical servers.-- Migrate VMs virtualized by platforms such as Xen, KVM.-- Migrate Hyper-V or VMware VMs, if for some reason you're unable to use the standard migration process for [Hyper-V](tutorial-migrate-hyper-v.md), or [VMware](server-migrate-overview.md) migration.+- Migrate virtual machines (VMs) virtualized by platforms such as Xen and KVM. +- Migrate Hyper-V or VMware VMs, if you're unable to use the standard migration process for [Hyper-V](tutorial-migrate-hyper-v.md) or [VMware](server-migrate-overview.md) migration. - Migrate VMs running in private clouds.-- Migrate VMs running in public clouds such as Amazon Web Services (AWS) or Google Cloud Platform (GCP).+- Migrate VMs running in public clouds, such as Amazon Web Services (AWS) or Google Cloud Platform (GCP). 
This tutorial is the third in a series that demonstrates how to assess and migrate physical servers to Azure. In this tutorial, you learn how to: > [!div class="checklist"]-> * Prepare to use Azure with Migration and modernization. -> * Check requirements for machines you want to migrate, and prepare a machine for the Azure Migrate replication appliance that's used to discover and migrate machines to Azure. -> * Add the Migration and modernization tool in the Azure Migrate hub. +> * Prepare to use Azure with the Migration and modernization tool. +> * Check requirements for machines you want to migrate. Prepare a machine for the Azure Migrate and Modernize replication appliance that's used to discover and migrate machines to Azure. +> * Add the Migration and modernization tool in the Azure Migrate and Modernize hub. > * Set up the replication appliance. > * Install the Mobility service on machines you want to migrate. > * Enable replication. This tutorial is the third in a series that demonstrates how to assess and migra > * Run a full migration to Azure. > [!NOTE]-> Tutorials show you the simplest deployment path for a scenario so that you can quickly set up a proof-of-concept. Tutorials use default options where possible, and don't show all possible settings and paths. For detailed instructions, review the How-tos for Azure Migrate. +> Tutorials show you the simplest deployment path for a scenario so that you can quickly set up a proof of concept. Tutorials use default options where possible and don't show all possible settings and paths. For detailed instructions, review the how-to articles for Azure Migrate and Modernize. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/free-trial/) before you begin. 
- ## Prerequisites Before you begin this tutorial, you should: Before you begin this tutorial, you should: - [Review](../site-recovery/migrate-tutorial-windows-server-2008.md#limitations-and-known-issues) the limitations related to migrating Windows Server 2008 servers to Azure. > [!NOTE]-> If you're planning to upgrade your Windows operating system, Azure Migrate may download the Windows SetupDiag for error details in case upgrade fails. Ensure the VM created in Azure post the migration has access to [SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142). In case there is no access to SetupDiag, you may not be able to get detailed OS upgrade failure error codes but the upgrade can still proceed. +> If you're planning to upgrade your Windows operating system, Azure Migrate and Modernize might download the Windows SetupDiag utility for error details in case upgrade fails. Ensure that the VM created in Azure after the migration has access to [SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142). If there's no access to SetupDiag, you might not be able to get detailed OS upgrade failure error codes but the upgrade can still proceed. ## Prepare Azure Prepare Azure for migration with the Migration and modernization tool. -**Task** | **Details** +Task | Details | -**Create an Azure Migrate project** | Your Azure account needs Contributor or Owner permissions to [create a new project](./create-manage-projects.md). -**Verify permissions for your Azure account** | Your Azure account needs permissions to create a VM, and write to an Azure managed disk. -+Create an Azure Migrate project | Your Azure account needs Contributor or Owner permissions to [create a new project](./create-manage-projects.md). +Verify permissions for your Azure account | Your Azure account needs permissions to create a VM and write to an Azure managed disk. -### Assign permissions to create project +### Assign permissions to create a project -1. 
In the Azure portal, open the subscription, and select **Access control (IAM)**. -2. In **Check access**, find the relevant account, and click it to view permissions. -3. You should have **Contributor** or **Owner** permissions. +1. In the Azure portal, open the subscription and select **Access control (IAM)**. +1. In **Check access**, find the relevant account and select it to view permissions. +1. You should have **Contributor** or **Owner** permissions. - If you just created a free Azure account, you're the owner of your subscription. - If you're not the subscription owner, work with the owner to assign the role. - ### Assign Azure account permissions -Assign the Virtual Machine Contributor role to the Azure account. This provides permissions to: +Assign the VM Contributor role to the Azure account. This role provides permissions to: - Create a VM in the selected resource group. - Create a VM in the selected virtual network. - Write to an Azure managed disk. ### Create an Azure network+ > [!IMPORTANT]-> Virtual Networks (VNets) are a regional service, so make sure you create your VNet in the desired target Azure Region. For example: if you are planning on replicating and migrating Virtual Machines from your on-premises environment to the East US Azure Region, then your target VNet **must be created** in the East US Region. To connect VNets in different regions refer to the [Virtual network peering](../virtual-network/virtual-network-peering-overview.md) guide. +> Virtual networks are a regional service, so make sure you create your virtual network in the desired target Azure region. For example, if you're planning on replicating and migrating VMs from your on-premises environment to the East US Azure Region, your target virtual network *must be created* in the East US Region. To connect virtual networks in different regions, see [Virtual network peering](../virtual-network/virtual-network-peering-overview.md). 
-[Set up](../virtual-network/manage-virtual-network.md#create-a-virtual-network) an Azure virtual network (VNet). When you replicate to Azure, Azure VMs are created and joined to the Azure VNet that you specify when you set up migration. +[Set up](../virtual-network/manage-virtual-network.md#create-a-virtual-network) an Azure virtual network. When you replicate to Azure, Azure VMs are created and joined to the Azure virtual network that you specified when you set up migration. ## Prepare for migration -To prepare for physical server migration, you need to verify the physical server settings, and prepare to deploy a replication appliance. +To prepare for physical server migration, you need to verify the physical server settings and prepare to deploy a replication appliance. ### Check machine requirements for migration Make sure machines comply with requirements for migration to Azure. > [!NOTE]-> When migrating physical machines, the Migration and modernization tool uses the same replication architecture as agent-based disaster recovery in the Azure Site Recovery service, and some components share the same code base. Some content might link to Site Recovery documentation. +> When you migrate physical machines, the Migration and modernization tool uses the same replication architecture as agent-based disaster recovery in Azure Site Recovery. Some components share the same code base. Some content might link to Site Recovery documentation. 1. [Verify](migrate-support-matrix-physical-migration.md#physical-server-requirements) physical server requirements.-2. Verify that on-premises machines that you replicate to Azure comply with [Azure VM requirements](migrate-support-matrix-physical-migration.md#azure-vm-requirements). -3. There are some changes needed on VMs before you migrate them to Azure. - - For some operating systems, Azure Migrate makes these changes automatically. - - It's important to make these changes before you begin migration. 
If you migrate the VM before you make the change, the VM might not boot up in Azure. +1. Verify that on-premises machines that you replicate to Azure comply with [Azure VM requirements](migrate-support-matrix-physical-migration.md#azure-vm-requirements). +1. Some changes are needed on VMs before you migrate them to Azure: ++ - For some operating systems, Azure Migrate and Modernize makes these changes automatically. + - Make these changes before you begin migration. If you migrate the VM before you make the change, the VM might not boot up in Azure. Review [Windows](prepare-for-migration.md#windows-machines) and [Linux](prepare-for-migration.md#linux-machines) changes you need to make. ### Prepare a machine for the replication appliance -The Migration and modernization tool uses a replication appliance to replicate machines to Azure. The replication appliance runs the following components. +The Migration and modernization tool uses a replication appliance to replicate machines to Azure. The replication appliance runs the following components: -- **Configuration server**: The configuration server coordinates communications between on-premises and Azure, and manages data replication.-- **Process server**: The process server acts as a replication gateway. It receives replication data; optimizes it with caching, compression, and encryption, and sends it to a cache storage account in Azure.+- **Configuration server**: The configuration server coordinates communications between on-premises and Azure and manages data replication. +- **Process server**: The process server acts as a replication gateway. It receives replication data and optimizes that data with caching, compression, and encryption. Then it sends the data to a cache storage account in Azure. -Prepare for appliance deployment as follows: +To prepare for appliance deployment: - You prepare a machine to host the replication appliance. 
[Review](migrate-replication-appliance.md#appliance-requirements) the machine requirements. - The replication appliance uses MySQL. Review the [options](migrate-replication-appliance.md#mysql-installation) for installing MySQL on the appliance. Prepare for appliance deployment as follows: - Review [port](migrate-replication-appliance.md#port-access) access requirements for the replication appliance. > [!NOTE]-> The replication appliance shouldn't be installed on a source machine that you want to replicate or on the Azure Migrate discovery and assessment appliance you may have installed before. +> The replication appliance shouldn't be installed on a source machine that you want to replicate or on the Azure Migrate: Discovery and assessment appliance you might have installed before. ## Set up the replication appliance -The first step of migration is to set up the replication appliance. To set up the appliance for physical server migration, you download the installer file for the appliance, and then run it on the [machine you prepared](#prepare-a-machine-for-the-replication-appliance). After installing the appliance, you register it with the Migration and modernization tool. -+The first step of migration is to set up the replication appliance. To set up the appliance for physical server migration, download the installer file for the appliance. Then run it on the [machine you prepared](#prepare-a-machine-for-the-replication-appliance). After you install the appliance, register it with the Migration and modernization tool. ### Download the replication appliance installer -1. In the Azure Migrate project > **Servers**, in **Migration and modernization**, select **Discover**. +1. In the Azure Migrate project, select **Servers** > **Migration and modernization** > **Discover**. 
- ![Discover VMs](./media/tutorial-migrate-physical-virtual-machines/migrate-discover.png) + ![Screenshot that shows discovering VMs.](./media/tutorial-migrate-physical-virtual-machines/migrate-discover.png) -2. In **Discover machines** > **Are your machines virtualized?**, select **Not virtualized/Other**. -3. In **Target region**, select the Azure region to which you want to migrate the machines. -4. Select **Confirm that the target region for migration is region-name**. -5. Click **Create resources**. This creates an Azure Site Recovery vault in the background. - - If you've already set up migration with Migration and modernization, the target option can't be configured, since resources were set up previously. - - You can't change the target region for this project after clicking this button. +1. In **Discover machines** > **Are your machines virtualized?**, select **Not virtualized/Other**. +1. In **Target region**, select the Azure region to which you want to migrate the machines. +1. Select **Confirm that the target region for migration is region-name**. +1. Select **Create resources** to create a Site Recovery vault in the background. + - If you already set up migration with the Migration and modernization tool, the target option can't be configured because resources were set up previously. + - You can't change the target region for this project after selecting this button. - All subsequent migrations are to this region.- > [!NOTE] - > If you selected private endpoint as the connectivity method for the Azure Migrate project when it was created, the Recovery Services vault will also be configured for private endpoint connectivity. Ensure that the private endpoints are reachable from the replication appliance. 
[**Learn more**](troubleshoot-network-connectivity.md) + + > [!NOTE] + > If you selected private endpoint as the connectivity method for the Azure Migrate project when it was created, the Recovery Services vault is also configured for private endpoint connectivity. Ensure that the private endpoints are reachable from the replication appliance. [Learn more](troubleshoot-network-connectivity.md). -6. In **Do you want to install a new replication appliance?**, select **Install a replication appliance**. -7. In **Download and install the replication appliance software**, download the appliance installer, and the registration key. You need to the key in order to register the appliance. The key is valid for five days after it's downloaded. +1. In **Do you want to install a new replication appliance?**, select **Install a replication appliance**. +1. In **Download and install the replication appliance software**, download the appliance installer and the registration key. You need the key to register the appliance. The key is valid for five days after it was downloaded. - ![Download provider](media/tutorial-migrate-physical-virtual-machines/download-provider.png) + ![Screenshot that shows downloading the provider.](media/tutorial-migrate-physical-virtual-machines/download-provider.png) -8. Copy the appliance setup file and key file to the Windows Server 2016 machine you created for the appliance. +1. Copy the appliance setup file and key file to the Windows Server 2016 machine you created for the appliance. -9. After the installation completes, the Appliance configuration wizard will be launched automatically (You can also launch the wizard manually by using the cspsconfigtool shortcut that is created on the desktop of the appliance). In this tutorial, we'll be manually installing the Mobility Service on source VMs to be replicated, so create a dummy account in this step and proceed. 
You can provide the following details for creating the dummy account - "guest" as the friendly name, "username" as the username, and "password" as the password for the account. You will be using this dummy account in the Enable Replication stage. +1. After the installation finishes, the Appliance configuration wizard launches automatically. (You can also launch the wizard manually by using the `cspsconfigtool` shortcut that was created on the appliance desktop.) In this tutorial, we manually install the Mobility service on the source VMs to be replicated. You need to create a dummy account in this step to proceed. For your dummy account, use "guest" as the friendly name, "username" as the username, and "password" as the password for the account. You use this dummy account in the Enable Replication stage. -10. After the appliance has restarted after setup, in **Discover machines**, select the new appliance in **Select Configuration Server**, and click **Finalize registration**. Finalize registration performs a couple of final tasks to prepare the replication appliance. +1. After the appliance restarts after setup, in **Discover machines**, select the new appliance in **Select Configuration Server**. Then select **Finalize registration**. The **Finalize registration** step performs a couple of final tasks to prepare the replication appliance. - ![Finalize registration](./media/tutorial-migrate-physical-virtual-machines/finalize-registration.png) + ![Screenshot that shows Finalize registration.](./media/tutorial-migrate-physical-virtual-machines/finalize-registration.png) -Mobility service agent needs to be installed on the servers to get them discovered using replication appliance. Discovered machines appear in Azure Migrate: Server Migration. As VMs are discovered, the **Discovered servers** count rises. +The mobility service agent must be installed on the servers to get them discovered by using the replication appliance. 
Discovered machines appear in **Azure Migrate: Server Migration**. As VMs are discovered, the **Discovered servers** count rises. -![Discovered servers](./media/tutorial-migrate-physical-virtual-machines/discovered-servers.png) +![Screenshot that shows Discovered servers.](./media/tutorial-migrate-physical-virtual-machines/discovered-servers.png) > [!NOTE]-> It is recommended to perform discovery and asessment prior to the migration using the Azure Migrate: Discovery and assessment tool, a separate lightweight Azure Migrate appliance. You can deploy the appliance as a physical server to continuously discover servers and performance metadata. For detailed steps, see [Discover physical servers](tutorial-discover-physical.md). -+> We recommend that you perform discovery and assessment prior to the migration by using the Azure Migrate: Discovery and assessment tool, a separate lightweight Azure Migrate appliance. You can deploy the appliance as a physical server to continuously discover servers and performance metadata. For detailed steps, see [Discover physical servers](tutorial-discover-physical.md). ## Install the Mobility service agent -A Mobility service agent must be pre-installed on the source physical machines to be migrated before you can initiate replication. The approach you choose to install the Mobility service agent may depend on your organization's preferences and existing tools, but be aware that the "push" installation method built into Azure Site Recovery is not currently supported. Approaches you may want to consider: +A Mobility service agent must be preinstalled on the source physical machines to be migrated before you can start replication. The approach you choose to install the Mobility service agent might depend on your organization's preferences and existing tools. The "push" installation method built into Site Recovery isn't currently supported. 
Approaches you might want to consider: - [System Center Configuration Manager](../site-recovery/vmware-azure-mobility-install-configuration-mgr.md)-- [Arc for Servers and Custom Script Extensions](../azure-arc/servers/overview.md)+- [Azure Arc for servers and custom script extensions](../azure-arc/servers/overview.md) - [Manual installation](../site-recovery/vmware-physical-mobility-service-overview.md) -1. Extract the contents of the installer tarball to a local folder (for example /tmp/MobSvcInstaller) on the machine, as follows: +1. Extract the contents of the installer tarball to a local folder (for example, */tmp/MobSvcInstaller*) on the machine: + ``` mkdir /tmp/MobSvcInstaller tar -C /tmp/MobSvcInstaller -xvf <Installer tarball> cd /tmp/MobSvcInstaller ```-2. Run the installer script: +1. Run the installer script: + ``` sudo ./install -r MS -v VmWare -q -c CSLegacy ```-3. Register the agent with the replication appliance: +1. Register the agent with the replication appliance: + ``` /usr/local/ASR/Vx/bin/UnifiedAgentConfigurator.sh -i <replication appliance IP address> -P <Passphrase File Path> -c CSLegacy ``` A Mobility service agent must be pre-installed on the source physical machines t Now, select machines for migration. > [!NOTE]-> You can replicate up to 10 machines together. If you need to replicate more, then replicate them simultaneously in batches of 10. +> You can replicate up to 10 machines together. If you need to replicate more, replicate them simultaneously in batches of 10. -1. In the Azure Migrate project > **Servers**, **Migration and modernization**, click **Replicate**. +1. In the Azure Migrate project, select **Servers** > **Migration and modernization** > **Replicate**. 
- :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/select-replicate.png" alt-text="Screenshot on selecting Replicate option."::: + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/select-replicate.png" alt-text="Screenshot that shows selecting Replicate."::: -2. In **Replicate**, > **Source settings** > **Are your machines virtualized?**, select **Physical or other (AWS, GCP, Xen, etc.)**. -3. In **On-premises appliance**, select the name of the Azure Migrate appliance that you set up. -4. In **Process Server**, select the name of the replication appliance. -5. In **Guest credentials**, select the dummy account created previously during the [replication installer setup](#download-the-replication-appliance-installer) to install the Mobility service manually (push install is not supported). Then click **Next: Virtual machines**. +1. In **Replicate**, > **Source settings** > **Are your machines virtualized?**, select **Physical or other (AWS, GCP, Xen, etc.)**. +1. In **On-premises appliance**, select the name of the Azure Migrate appliance that you set up. +1. In **Process Server**, select the name of the replication appliance. +1. In **Guest credentials**, select the dummy account created previously during the [replication installer setup](#download-the-replication-appliance-installer) to install the Mobility service manually. (Push installation isn't supported.) Then select **Next: Virtual machines**. - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/source-settings.png" alt-text="Screenshot on source settings."::: + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/source-settings.png" alt-text="Screenshot that shows source settings."::: -6. In **Virtual Machines**, in **Import migration settings from an assessment?**, leave the default setting **No, I'll specify the migration settings manually**. -7. 
Check each VM you want to migrate. Then click **Next: Target settings**. +1. In **Virtual machines**, in **Import migration settings from an assessment?**, leave the default setting **No, I'll specify the migration settings manually**. +1. Check each VM you want to migrate. Then select **Next: Target settings**. - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/select-vms-inline.png" alt-text="Screenshot on selecting VMs." lightbox="./media/tutorial-migrate-physical-virtual-machines/select-vms-expanded.png"::: + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/select-vms-inline.png" alt-text="Screenshot that shows selecting VMs." lightbox="./media/tutorial-migrate-physical-virtual-machines/select-vms-expanded.png"::: +1. In **Target settings**, select the subscription and target region to which you'll migrate. Specify the resource group in which the Azure VMs will reside after migration. +1. In **Virtual Network**, select the Azure virtual network/subnet to which the Azure VMs will be joined after migration. +1. In **Cache storage account**, keep the default option to use the cache storage account that's automatically created for the project. Use the dropdown list if you want to specify a different storage account to use as the cache storage account for replication. <br/> -8. In **Target settings**, select the subscription, and target region to which you'll migrate, and specify the resource group in which the Azure VMs will reside after migration. -9. In **Virtual Network**, select the Azure VNet/subnet to which the Azure VMs will be joined after migration. -10. In **Cache storage account**, keep the default option to use the cache storage account that is automatically created for the project. Use the dropdown if you'd like to specify a different storage account to use as the cache storage account for replication. 
<br/> >[!NOTE]- > - If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. [**Learn more**](migrate-servers-to-azure-using-private-link.md#grant-access-permissions-to-the-recovery-services-vault) - > - To replicate using ExpressRoute with private peering, create a private endpoint for the cache storage account. [**Learn more**](migrate-servers-to-azure-using-private-link.md#create-a-private-endpoint-for-the-storage-account-1) + > - If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. [Learn more](migrate-servers-to-azure-using-private-link.md#grant-access-permissions-to-the-recovery-services-vault). + > - To replicate by using Azure ExpressRoute with private peering, create a private endpoint for the cache storage account. [Learn more](migrate-servers-to-azure-using-private-link.md#create-a-private-endpoint-for-the-storage-account-1). -11. In **Availability options**, select: - - Availability Zone to pin the migrated machine to a specific Availability Zone in the region. Use this option to distribute servers that form a multi-node application tier across Availability Zones. If you select this option, you'll need to specify the Availability Zone to use for each of the selected machine in the Compute tab. This option is only available if the target region selected for the migration supports Availability Zones - - Availability Set to place the migrated machine in an Availability Set. The target Resource Group that was selected must have one or more availability sets in order to use this option. - - No infrastructure redundancy required option if you don't need either of these availability configurations for the migrated machines. +1. 
In **Availability options**, select: + - **Availability Zone**: Pins the migrated machine to a specific availability zone in the region. Use this option to distribute servers that form a multinode application tier across availability zones. If you select this option, you need to specify the availability zone to use for each of the selected machines on the **Compute** tab. This option is only available if the target region selected for the migration supports availability zones. + - **Availability Set**: Places the migrated machine in an availability set. The target resource group that was selected must have one or more availability sets in order to use this option. + - **No infrastructure redundancy required**: Select this option if you don't need either of the availability configurations for the migrated machines. -12. In **Disk encryption type**, select: - - Encryption-at-rest with platform-managed key - - Encryption-at-rest with customer-managed key - - Double encryption with platform-managed and customer-managed keys +1. In **Disk encryption type**, select: + - Encryption-at-rest with platform-managed key. + - Encryption-at-rest with customer-managed key. + - Double encryption with platform-managed and customer-managed keys. > [!NOTE]- > To replicate VMs with CMK, you'll need to [create a disk encryption set](../virtual-machines/disks-enable-customer-managed-keys-portal.md#set-up-your-disk-encryption-set) under the target Resource Group. A disk encryption set object maps Managed Disks to a Key Vault that contains the CMK to use for SSE. --13. In **Azure Hybrid Benefit**: + > To replicate VMs with customer-managed keys, you need to [create a disk encryption set](../virtual-machines/disks-enable-customer-managed-keys-portal.md#set-up-your-disk-encryption-set) under the target resource group. A disk encryption set object maps managed disks to an Azure Key Vault instance that contains the customer-managed key to use for server-side encryption. 
- - Select **No** if you don't want to apply Azure Hybrid Benefit. Then click **Next**. - - Select **Yes** if you have Windows Server machines that are covered with active Software Assurance or Windows Server subscriptions, and you want to apply the benefit to the machines you're migrating. Then click **Next**. +1. In **Azure Hybrid Benefit**: - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/target-settings.png" alt-text="Screenshot on target settings."::: + - Select **No** if you don't want to apply Azure Hybrid Benefit. Then select **Next**. + - Select **Yes** if you have Windows Server machines that are covered with active Software Assurance or Windows Server subscriptions, and you want to apply the benefit to the machines you're migrating. Then select **Next**. -14. In **Compute**, review the VM name, size, OS disk type, and availability configuration (if selected in the previous step). VMs must conform with [Azure requirements](migrate-support-matrix-physical-migration.md#azure-vm-requirements). + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/target-settings.png" alt-text="Screenshot that shows Target settings."::: - - **VM size**: If you're using assessment recommendations, the VM size dropdown shows the recommended size. Otherwise Azure Migrate picks a size based on the closest match in the Azure subscription. Alternatively, pick a manual size in **Azure VM size**. +1. In **Compute**, review the VM name, size, OS disk type, and availability configuration (if selected in the previous step). VMs must conform with [Azure requirements](migrate-support-matrix-physical-migration.md#azure-vm-requirements). + - **VM size**: If you're using assessment recommendations, the VM size dropdown list shows the recommended size. Otherwise, Azure Migrate and Modernize picks a size based on the closest match in the Azure subscription. Alternatively, pick a manual size in **Azure VM size**. 
- **OS disk**: Specify the OS (boot) disk for the VM. The OS disk is the disk that has the operating system bootloader and installer.- - **Availability Zone**: Specify the Availability Zone to use. - - **Availability Set**: Specify the Availability Set to use. + - **Availability Zone**: Specify the availability zone to use. + - **Availability Set**: Specify the availability set to use. -15. In **Disks**, specify whether the VM disks should be replicated to Azure, and select the disk type (standard SSD/HDD or premium managed disks) in Azure. Then click **Next**. +1. In **Disks**, specify whether the VM disks should be replicated to Azure. Select the disk type (standard SSD/HDD or premium managed disks) in Azure. Then select **Next**. - You can exclude disks from replication.- - If you exclude disks, won't be present on the Azure VM after migration. + - If you exclude disks, they won't be present on the Azure VM after migration. - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/disks-inline.png" alt-text="Screenshot shows the Disks tab of the Replicate dialog box." lightbox="./media/tutorial-migrate-physical-virtual-machines/disks-expanded.png"::: + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/disks-inline.png" alt-text="Screenshot that shows the Disks tab in the Replicate dialog." lightbox="./media/tutorial-migrate-physical-virtual-machines/disks-expanded.png"::: -16. In **Tags**, choose to add tags to your Virtual machines, Disks, and NICs. +1. In **Tags**, choose to add tags to your VMs, disks, and NICs. - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/tags-inline.png" alt-text="Screenshot shows the tags tab of the Replicate dialog box." 
lightbox="./media/tutorial-migrate-physical-virtual-machines/tags-expanded.png"::: + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/tags-inline.png" alt-text="Screenshot that shows the tags tab in the Replicate dialog." lightbox="./media/tutorial-migrate-physical-virtual-machines/tags-expanded.png"::: --17. In **Review and start replication**, review the settings, and click **Replicate** to start the initial replication for the servers. +1. In **Review and start replication**, review the settings and select **Replicate** to start the initial replication for the servers. > [!NOTE]-> You can update replication settings any time before replication starts, **Manage** > **Replicating machines**. Settings can't be changed after replication starts. +> You can update replication settings any time before replication starts. Select **Manage** > **Replicating machines**. Settings can't be changed after replication starts. ## Track and monitor -- When you click **Replicate** a Start Replication job begins.-- When the Start Replication job finishes successfully, the machines begin their initial replication to Azure.+- When you select **Replicate**, a Start Replication job begins. +- After the Start Replication job finishes successfully, the machines begin their initial replication to Azure. - After initial replication finishes, delta replication begins. Incremental changes to on-premises disks are periodically replicated to the replica disks in Azure. - You can track job status in the portal notifications. -You can monitor replication status by clicking on **Replicating servers** in **Migration and modernization**. -![Monitor replication](./media/tutorial-migrate-physical-virtual-machines/replicating-servers.png) +You can monitor replication status by selecting **Replicating servers** in **Azure Migrate: Server Migration**. 
+![Screenshot that shows the Replicating servers option.](./media/tutorial-migrate-physical-virtual-machines/replicating-servers.png) ## Run a test migration +When delta replication begins, you can run a test migration for the VMs before you run a full migration to Azure. We highly recommend that you do this step at least once for each machine before you migrate it. -When delta replication begins, you can run a test migration for the VMs, before running a full migration to Azure. We highly recommend that you do this at least once for each machine, before you migrate it. --- Running a test migration checks that migration will work as expected, without impacting the on-premises machines, which remain operational, and continue replicating.-- Test migration simulates the migration by creating an Azure VM using replicated data (usually migrating to a non-production VNet in your Azure subscription).+- Running a test migration checks that migration works as expected, without affecting the on-premises machines, which remain operational and continue replicating. +- Test migration simulates the migration by creating an Azure VM using replicated data. (The test usually migrates to a nonproduction virtual network in your Azure subscription.) - You can use the replicated test Azure VM to validate the migration, perform app testing, and address any issues before full migration. -Do a test migration as follows: +To do a test migration: +1. In **Migration goals**, select **Servers** > **Migration and modernization** > **Test migrated servers**. -1. In **Migration goals** > **Servers** > **Migration and modernization**, click **Test migrated servers**. 
+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/test-migrated-servers.png" alt-text="Screenshot that shows Test migrated servers."::: - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/test-migrated-servers.png" alt-text="Screenshot of Test migrated servers."::: +1. Right-click the VM you want to test and select **Test migrate**. -2. Right-click the VM to test, and click **Test migrate**. + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/test-migrate-inline.png" alt-text="Screenshot that shows the result after selecting Test migrate." lightbox="./media/tutorial-migrate-physical-virtual-machines/test-migrate-expanded.png"::: - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/test-migrate-inline.png" alt-text="Screenshot showing the result after clicking test migration." lightbox="./media/tutorial-migrate-physical-virtual-machines/test-migrate-expanded.png"::: - -3. In **Test Migration**, select the Azure VNet in which the Azure VM will be located after the migration. We recommend you use a non-production VNet. -1. You have an option to upgrade the Windows Server OS during test migration. To upgrade, select the **Upgrade available** option. In the pane that appears, select the target OS version that you want to upgrade to and select **Apply**. [Learn more](how-to-upgrade-windows.md). -4. The **Test migration** job starts. Monitor the job in the portal notifications. -5. After the migration finishes, view the migrated Azure VM in **Virtual Machines** in the Azure portal. The machine name has a suffix **-Test**. -6. After the test is done, right-click the Azure VM in **Replicating machines**, and click **Clean up test migration**. +1. In **Test Migration**, select the Azure virtual network in which the Azure VM will be located after the migration. We recommend that you use a nonproduction virtual network. +1. 
You can upgrade the Windows Server OS during test migration. To upgrade, select the **Upgrade available** option. In the pane that appears, select the target OS version that you want to upgrade to and select **Apply**. [Learn more](how-to-upgrade-windows.md). +1. The Test Migration job starts. Monitor the job in the portal notifications. +1. After the migration finishes, view the migrated Azure VM in **Virtual Machines** in the Azure portal. The machine name has the suffix **-Test**. +1. After the test is finished, right-click the Azure VM in **Replicating machines** and select **Clean up test migration**. - :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/clean-up-inline.png" alt-text="Screenshot of Clean up migration." lightbox="./media/tutorial-migrate-physical-virtual-machines/clean-up-expanded.png"::: + :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/clean-up-inline.png" alt-text="Screenshot that shows Clean up test migration." lightbox="./media/tutorial-migrate-physical-virtual-machines/clean-up-expanded.png"::: > [!NOTE]- > You can now register your servers running SQL server with SQL VM RP to take advantage of automated patching, automated backup and simplified license management using SQL IaaS Agent Extension. + > You can now register your servers running SQL Server with SQL VM RP to take advantage of automated patching, automated backup, and simplified license management by using the SQL IaaS Agent Extension. >- Select **Manage** > **Replicating servers** > **Machine containing SQL server** > **Compute and Network** and select **yes** to register with SQL VM RP.- >- Select Azure Hybrid benefit for SQL Server if you have SQL Server instances that are covered with active Software Assurance or SQL Server subscriptions and you want to apply the benefit to the machines you're migrating.hs. 
+ >- Select **Azure Hybrid Benefit for SQL Server** if you have SQL Server instances that are covered with active Software Assurance or SQL Server subscriptions and you want to apply the benefit to the machines you're migrating. ## Migrate VMs -After you've verified that the test migration works as expected, you can migrate the on-premises machines. +After you verify that the test migration works as expected, you can migrate the on-premises machines. -1. In the Azure Migrate project > **Servers, databases and web apps** > **Migration and modernization**, click **Replicating servers**. +1. In the Azure Migrate project, select **Servers, databases, and web apps** > **Migration and modernization** > **Replicating servers**. - ![Replicating servers](./media/tutorial-migrate-physical-virtual-machines/replicate-servers.png) + ![Screenshot that shows Replicating servers.](./media/tutorial-migrate-physical-virtual-machines/replicate-servers.png) -2. In **Replicating machines**, right-click the VM > **Migrate**. -3. In **Migrate** > **Shut down virtual machines and perform a planned migration with no data loss**, select **No** > **OK**. +1. In **Replicating machines**, right-click the VM and select **Migrate**. +1. In **Migrate** > **Shut down virtual machines and perform a planned migration with no data loss**, select **No** > **OK**. > [!NOTE]- > For minimal data loss, the recommendation is to bring the application down manually as part of the migration window (don't let the applications accept any connections) and then initiate the migration. The server needs to be kept running, so remaining changes can be synchronized before the migration is completed. + > For minimal data loss, we recommend that you bring the application down manually as part of the migration window. (Don't let the applications accept any connections.) Then initiate the migration. The server needs to be kept running so that remaining changes can be synchronized before the migration is finished. -1. 
You have an option to upgrade the Windows Server OS during migration. To upgrade, select the **Upgrade available** option. In the pane that appears, select the target OS version that you want to upgrade to and select **Apply**. [Learn more](how-to-upgrade-windows.md). -4. A migration job starts for the VM. Track the job in Azure notifications. -5. After the job finishes, you can view and manage the VM from the **Virtual Machines** page. +1. You can upgrade the Windows Server OS during migration. To upgrade, select the **Upgrade available** option. In the pane that appears, select the target OS version that you want to upgrade to and select **Apply**. [Learn more](how-to-upgrade-windows.md). +1. A migration job starts for the VM. Track the job in Azure notifications. +1. After the job finishes, you can view and manage the VM from the **Virtual Machines** page. ## Complete the migration -1. After the migration is done, right-click the VM > **Stop replication**. This does the following: +1. After the migration is finished, right-click the VM and select **Stop replication**. This action: - Stops replication for the on-premises machine. - Removes the machine from the **Replicating servers** count in the Migration and modernization tool. - Cleans up replication state information for the machine.-1. Verify and [troubleshoot any Windows activation issues on the Azure VM.](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems) +1. Verify and [troubleshoot any Windows activation issues on the Azure VM](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). 1. Perform any post-migration app tweaks, such as updating host names, database connection strings, and web server configurations. 1. Perform final application and migration acceptance testing on the migrated application now running in Azure. 1. Cut over traffic to the migrated Azure VM instance. 
After you've verified that the test migration works as expected, you can migrate ## Post-migration best practices - For increased resilience:- - Keep data secure by backing up Azure VMs using the Azure Backup service. [Learn more](../backup/quick-backup-vm-portal.md). + - Keep data secure by backing up Azure VMs by using the Azure Backup service. [Learn more](../backup/quick-backup-vm-portal.md). - Keep workloads running and continuously available by replicating Azure VMs to a secondary region with Site Recovery. [Learn more](../site-recovery/azure-to-azure-tutorial-enable-replication.md). - For increased security:- - Lock down and limit inbound traffic access with [Microsoft Defender for Cloud - Just in time administration](../security-center/security-center-just-in-time.md). + - Lock down and limit inbound traffic access with [Microsoft Defender for Cloud - Just-in-time administration](../security-center/security-center-just-in-time.md). - Manage and govern updates on Windows and Linux machines with [Azure Update Manager](../update-manager/overview.md).- - Restrict network traffic to management endpoints with [Network Security Groups](../virtual-network/network-security-groups-overview.md). - - Deploy [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md) to help secure disks, and keep data safe from theft and unauthorized access. - - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/), and visit the [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/). + - Restrict network traffic to management endpoints with [network security groups](../virtual-network/network-security-groups-overview.md). + - Deploy [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md) to help secure disks and keep data safe from theft and unauthorized access. 
+ - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/)and [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/). - For monitoring and management:- - Consider deploying [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending. -+ - Consider deploying [Microsoft Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending. ## Next steps -Investigate the [cloud migration journey](/azure/architecture/cloud-adoption/getting-started/migrate) in the Azure Cloud Adoption Framework. +Investigate the [cloud migration journey](/azure/architecture/cloud-adoption/getting-started/migrate) in the Cloud Adoption Framework for Azure. |
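
Review bot: In "Track and monitor", the added sentence sends the reader to `**Replicating servers** in **Azure Migrate: Server Migration**`, while every other added step in this patch uses the name "Migration and modernization". Examples are `**Servers** > **Migration and modernization** > **Test migrated servers**` and "the Migration and modernization tool". Use one tool name throughout so the portal path can be followed. The parent blade also differs between sections: "Servers" in the test migration steps, "Servers, databases, and web apps" in "Migrate VMs".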
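
Review bot: In the "For increased security" list, the rewritten last bullet is missing a space between the first link and "and": `.../secure-well-managed-iaas/)and [Microsoft Defender for Cloud]`. Add the space so the rendered text does not run the link into the next word.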
migrate | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/whats-new.md | +## Update (February 2024) ++- Public preview: Envision savings with Azure Hybrid Benefits by bringing your existing Enterprise Linux subscriptions to Azure using Azure VM assessments and business case. + ## Update (January 2024) - Public preview: Using the RVTools XLSX, you can import on-premises servers' configuration into a VMware environment and create quick business case by assessing the cost of Azure and Azure VMware Solution (AVS) environments. [Learn more](migrate-support-matrix-vmware.md#import-servers-using-rvtools-xlsx-preview). |
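
Review bot: The new February 2024 entry names the feature "Azure Hybrid Benefits", while the migration tutorial changed alongside it uses "Azure Hybrid Benefit" (singular) throughout. Pick one form. Unlike the January 2024 entry below it, this entry has no "Learn more" link, so a reader cannot find out how to use the preview. The phrase "and business case" is also missing an article.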
mysql | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/overview.md | Azure Database for MySQL flexible server is a fully managed production-ready dat The flexible server deployment option offers three compute tiers: Burstable, General Purpose, and Business Critical. Each tier offers different compute and memory capacity to support your database workloads. You can build your first app on a burstable tier for a few dollars a month, and then adjust the scale to meet the needs of your solution. Dynamic scalability enables your database to transparently respond to rapidly changing resource requirements. You only pay for the resources you need, and only when you need them. See [Compute and Storage](concepts-compute-storage.md) for details. Flexible servers are best suited for-- Ease of deployments, simplified scaling, and low database management overhead for functions like backups, high availability, security, and monitoring-- Application developments requiring community version of MySQL with better control and customizations-- Production workloads with same-zone, zone-redundant high availability and managed maintenance windows-- Simplified development experience -- Enterprise grade security, compliance, and privacy+- Ease of deployment, simplified scaling, and low database management overhead for functions such as backups, high availability, security, and monitoring. +- Application developments requiring community version of MySQL with better control and customizations. +- Production workloads with same-zone, zone-redundant high availability, and managed maintenance windows. +- Simplified development experience. +- Enterprise grade security, compliance, and privacy. For latest updates on Azure Database for MySQL flexible server, refer to [What's new in Azure Database for MySQL flexible server](whats-new.md). For more information, see [Scheduled Maintenance](concepts-maintenance.md). 
The Azure Database for MySQL flexible server service automatically creates server backups and stores them in user configured locally redundant or geo-redundant storage. Backups can be used to restore your server to any point-in-time within the backup retention period. The default backup retention period is seven days. The retention can be optionally configured between 1-35 days. All backups are encrypted using AES 256-bit encryption. -See [Backup concepts](concepts-backup-restore.md) to learn more. +For more information, see [Backup concepts](concepts-backup-restore.md). ## Network Isolation You have two networking options to connect to Azure Database for MySQL flexible - **Public access (allowed IP addresses)** ΓÇô You can deploy your Azure Database for MySQL flexible server instance with a public endpoint. The public endpoint is a publicly resolvable DNS address. The phrase "allowed IP addresses" refers to a range of IPs you choose to give permission to access your server. These permissions are called **firewall rules**. -See [Networking concepts](concepts-networking.md) to learn more. +For more information, see [Networking concepts](concepts-networking.md). ## Adjust performance and scale within seconds Azure Database for MySQL flexible server is available in three service tiers: Burstable, General Purpose, and Business Critical. The Burstable tier is best suited for low-cost development and low concurrency workloads that don't need full-compute capacity continuously. General Purpose and Business Critical are better suited for production workloads requiring high concurrency, scale, and predictable performance. You can build your first app on a small database for a few dollars a month, and then seamlessly adjust the scale to meet the needs of your solution. The storage scaling is online and supports storage autogrowth. 
Azure Database for MySQL flexible server enables you to provision additional IOPS up to 80 K IOPs above the complimentary IOPS limit independent of storage. Using this feature, you can increase or decrease the number of IOPS provisioned based on your workload requirements at any time. Dynamic scalability enables your database to transparently respond to rapidly changing resource requirements. You only pay for the resources you consume. -See [Compute and Storage concepts](concepts-compute-storage.md) to learn more. +For more information, see [Compute and Storage concepts](concepts-compute-storage.md). ## Scale out your read workload with up to 10 read replicas For more information, see [Data-in replication concepts](concepts-data-in-replic ## Stop/Start server to optimize cost -Azure Database for MySQL flexible server allows you to stop and start servers on-demand to optimize cost. The compute tier billing is stopped immediately when the server is stopped. This can allow you to have significant cost savings during development, testing and for time-bound predictable production workloads. The server remains in stopped state for 30 days unless restarted sooner. +Azure Database for MySQL flexible server allows you to stop and start servers on-demand to optimize cost. The compute tier billing is stopped immediately when the server is stopped. This functionality can allow you to have significant cost savings during development, testing and for time-bound predictable production workloads. The server remains in stopped state for 30 days unless restarted sooner. For more information, see [Server concepts](concept-servers.md). For more information, see [Server concepts](concept-servers.md). Azure Database for MySQL flexible server uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, and temporary files created while running queries are encrypted. 
The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys can be system managed (default). -Azure Database for MySQL flexible server encrypts data in-motion with transport layer security enforced by default. Azure Database for MySQL flexible server by default supports encrypted connections using Transport Layer Security (TLS 1.2) and all incoming connections with TLS 1.0 and TLS 1.1 are denied. You can disable TSL/SSL enforcement by setting the require_secure_transport server parameter and then can setting the minimum tls_version for your server. +Azure Database for MySQL flexible server encrypts data in-motion with transport layer security enforced by default. Azure Database for MySQL flexible server by default supports encrypted connections using Transport Layer Security (TLS 1.2) and all incoming connections with TLS 1.0 and TLS 1.1 are denied. You can disable TSL/SSL enforcement by setting the require_secure_transport server parameter and then setting the minimum tls_version for your server. For more information, see [how to use encrypted connections to Azure Database for MySQL flexible server instances](how-to-connect-tls-ssl.md). One advantage of running your workload in Azure is its global reach. 
Azure Datab | Australia East | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Australia Southeast | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | | Brazil South | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |-| Canada Central | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | +| Canada Central | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Canada East | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | | Central India | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | | Central US | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | | China East 2 | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | | China East 3 | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | | China North 2 | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: |-| China North 3 | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | +| China North 3 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | East Asia (Hong Kong SAR) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | East US | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | East US 2 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | One advantage of running your workload in Azure is its global reach. 
Azure Datab | Korea South | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | | North Central US | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | | North Europe | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |-| Norway East | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | +| Norway East | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | | Norway West | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | | Qatar Central | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | | South Africa North | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | | South Central US | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | South India | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | | Southeast Asia | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |-| Sweden Central | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | -| Switzerland North | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | -| Switzerland West | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: -| UAE North | :heavy_check_mark: | :heavy_check_mark: | :x: | :x: | +| Sweden Central | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | +| Switzerland North | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: :heavy_check_mark: | +| Switzerland West | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | +| UAE Central | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | +| UAE North | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: | | UK South | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | UK West | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | | USGov Virginia | :heavy_check_mark: | 
:heavy_check_mark: | :x: | :heavy_check_mark: | |
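
Review bot: In the encryption paragraph, the changed sentence fixes "can setting" but still reads "TSL/SSL enforcement", which should be "TLS/SSL". The sentence also says enforcement is disabled "by setting the require_secure_transport server parameter" without giving the value to set. The parameter names `require_secure_transport` and `tls_version` should be in code formatting. Because the preceding sentence says TLS 1.2 is enforced and TLS 1.0 and 1.1 are denied by default, state plainly that this step relaxes that default.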
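
Review bot: In the region availability table, the added Switzerland North row is missing a column separator: `| :heavy_check_mark: :heavy_check_mark: |`. The row therefore has four cells where every other row has five, and the last column's value is lost when rendered. Insert the `|` between the two check marks.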
postgresql | Concepts Compute Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/concepts-compute-storage.md | We recommend that you actively monitor the disk space that's in use and increase Storage autogrow can help ensure that your server always has enough storage capacity and doesn't become read-only. When you turn on storage autogrow, the storage will automatically expand without affecting the workload. -For servers with more than 1 TiB of provisioned storage, the storage autogrow mechanism activates when the available space falls to less than 10% of the total capacity or 64 GiB of free space, whichever of the two values are smaller. Conversely, for servers with storage under 1 TiB, this threshold is adjusted to 20% of the available free space or 64 GiB, depending on which of these values is smaller. +For servers with more than 1 TiB of provisioned storage, the storage autogrow mechanism activates when the available space falls to less than 10% of the total capacity or 64 GiB of free space, whichever of the two values is smaller. Conversely, for servers with storage under 1 TiB, this threshold is adjusted to 20% of the available free space or 64 GiB, depending on which of these values is smaller. As an illustration, take a server with a storage capacity of 2 TiB (greater than 1 TiB). In this case, the autogrow limit is set at 64 GiB. This choice is made because 64 GiB is the smaller value when compared to 10% of 2 TiB, which is roughly 204.8 GiB. In contrast, for a server with a storage size of 128 GiB (less than 1 TiB), the autogrow feature activates when there's only 25.8 GiB of space left. This activation is based on the 20% threshold of the total allocated storage (128 GiB), which is smaller than 64 GiB. Azure Database for PostgreSQL flexible server uses [Azure managed disks](/azure/virtual-machines/disks-types). The default behavior is to increase the disk size to the next premium tier. 
This increase is always double in both size and cost, regardless of whether you start the storage scaling operation manually or through storage autogrow. Enabling storage autogrow is valuable when you're managing unpredictable workloads, because it automatically detects low-storage conditions and scales up the storage accordingly. -The process of scaling storage is performed online without causing any downtime, except when the disk is provisioned at 4,096 GiB. This exception is a limitation of Azure Managed disks. If a disk is already 4,096 GiB, the storage scaling activity will not be triggered, even if storage auto-grow is turned on. In such cases, you need to manually scale your storage. Manual scaling is an offline operation that you should plan according to your business requirements. +The process of scaling storage is performed online without causing any downtime, except when the disk is provisioned at 4,096 GiB. This exception is a limitation of Azure Managed disks. If a disk is already 4,096 GiB, the storage scaling activity will not be triggered, even if storage auto-grow is turned on. In such cases, you need to scale your storage manually. Manual scaling is an offline operation that you should plan according to your business requirements. Remember that storage can only be scaled up, not down. Remember that storage can only be scaled up, not down. ## Premium SSD v2 (preview) -Premium SSD v2 offers higher performance than Premium SSDs while also generally being less costly. You can individually tweak the performance (capacity, throughput, and IOPS) of Premium SSD v2 disks at any time, allowing workloads to be cost efficient while meeting shifting performance needs. For example, a transaction-intensive database might need a large amount of IOPS at a small size, or a gaming application might need a large amount of IOPS but only during peak hours. Because of this, for most general purpose workloads, Premium SSD v2 can provide the best price performance. 
You can now deploy Azure Database for PostgreSQL flexible server instances with Premium SSD v2 disk in limited regions. +Premium SSD v2 offers higher performance than Premium SSDs while also generally being less costly. You can individually tweak the performance (capacity, throughput, and IOPS) of Premium SSD v2 disks at any time, allowing workloads to be cost-efficient while meeting shifting performance needs. For example, a transaction-intensive database might need a large amount of IOPS at a small size, or a gaming application might need a large amount of IOPS but only during peak hours. Because of this, for most general-purpose workloads, Premium SSD v2 can provide the best price performance. You can now deploy Azure Database for PostgreSQL flexible server instances with Premium SSD v2 disk in limited regions. ### Differences between Premium SSD and Premium SSD v2 -Unlike Premium SSDs, Premium SSD v2 doesn't have dedicated sizes. You can set a Premium SSD v2 to any supported size you prefer, and make granular adjustments (1-GiB increments) as per your workload requirements. Premium SSD v2 doesn't support host caching but still provides significantly lower latency that Premium SSD. Premium SSD v2 capacities range from 1 GiB to 64 TiBs. +Unlike Premium SSDs, Premium SSD v2 doesn't have dedicated sizes. You can set a Premium SSD v2 to any supported size you prefer, and make granular adjustments (1-GiB increments) as per your workload requirements. Premium SSD v2 doesn't support host caching but still provides significantly lower latency than Premium SSD. Premium SSD v2 capacities range from 1 GiB to 64 TiBs. The following table provides a comparison of the five disk types to help you decide which one to use. 
| | Premium SSD v2 | Premium SSD | | - | -| -- | | **Disk type** | SSD | SSD |-| **Scenario** | Production and performance-sensitive workloads that consistently require low latency and high IOPS and throughput | Production and performance sensitive workloads | +| **Scenario** | Production and performance-sensitive workloads that consistently require low latency and high IOPS and throughput | Production and performance-sensitive workloads | | **Max disk size** | 65,536 GiB |32,767 GiB | | **Max throughput** | 1,200 MB/s | 900 MB/s | | **Max IOPS** | 80,000 | 20,000 | All Premium SSD v2 disks have a baseline of 3000 IOPS that is free of charge. Af #### Premium SSD v2 throughput -All Premium SSD v2 disks have a baseline throughput of 125 MB/s that is free of charge. After 6 GiB, the maximum throughput that can be set increases by 0.25 MB/s per set IOPS. If a disk has 3,000 IOPS, the max throughput it can set is 750 MB/s. To raise the throughput for this disk beyond 750 MB/s, its IOPS must be increased. For example, if you increased the IOPS to 4,000, then the max throughput that can be set is 1,000. 1,200 MB/s is the maximum throughput supported for disks that have 5,000 IOPS or more. Increasing your throughput beyond 125 increases the price of your disk. +All Premium SSD v2 disks have a baseline throughput of 125 MB/s that is free of charge. After 6 GiB, the maximum throughput that can be set increases by 0.25 MB/s per set IOPS. If a disk has 3,000 IOPS, the maximum throughput it can set is 750 MB/s. To raise the throughput for this disk beyond 750 MB/s, its IOPS must be increased. For example, if you increase the IOPS to 4,000, then the maximum throughput that can be set is 1,000. 1,200 MB/s is the maximum throughput supported for disks that have 5,000 IOPS or more. Increasing your throughput beyond 125 increases the price of your disk. > [!NOTE] > Premium SSD v2 is currently in preview for Azure Database for PostgreSQL flexible server. 
All Premium SSD v2 disks have a baseline throughput of 125 MB/s that is free of #### Premium SSD v2 early preview limitations -- Azure Database for PostgreSQL flexible server with Premium SSD V2 disk can be deployed only in West Europe, East US, Switzerland North regions during early preview, and provided there is still capacity in the selected region. Support for more regions is coming soon.+- Azure Database for PostgreSQL flexible server with Premium SSD V2 disk can be deployed only in East US2, West Europe, East US, Switzerland North regions during early preview. Support for more regions is coming soon. -- During early preview, SSD V2 disk won't have support for High Availability, Read Replicas, Geo Redundant Backups, Customer Managed Keys, Storage Auto-grow features. These features will be supported soon on Premium SSD V2.+- During early preview, SSD V2 disk won't have support for High Availability, Read Replicas, Geo Redundant Backups, Customer Managed Keys, or Storage Auto-grow features. These features will be supported soon on Premium SSD V2. - During early preview, it is not possible to switch between Premium SSD V2 and Premium SSD storage types. |
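Review bot: In the Premium SSD v2 throughput paragraph, the reworded sentences still drop their units: "the maximum throughput that can be set is 1,000" and "Increasing your throughput beyond 125" should both read MB/s, as the sentences around them do. The sentence "The following table provides a comparison of the five disk types" also does not match the table under it, which has only the Premium SSD v2 and Premium SSD columns.

Review bot: In the early preview limitations list, the region edit removes the caveat "and provided there is still capacity in the selected region" without explanation, and adds "East US2", where the Azure region name is written "East US 2". The list is also the only place that says Customer Managed Keys, Geo Redundant Backups and High Availability are unsupported on this disk type; a pointer from the introductory paragraph would help readers whose workloads require customer-controlled encryption keys. Casing is inconsistent as well: "Premium SSD V2" and "SSD V2 disk" here, "Premium SSD v2" everywhere else.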
search | Vector Store | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/vector-store.md | -Vectors are stored in a search index. Use the [Create Index REST API](/rest/api/searchservice/indexes/create-or-update) or an equivalent Azure SDK method to create the vector store. +Vectors are stored in a search index. Use the [Create Index REST API](/rest/api/searchservice/indexes/create-or-update) or an equivalent Azure SDK method to [create the vector store](vector-search-how-to-create-index.md). -## Retrieval patterns +Considerations for vector storage include the following points: -In Azure AI Search, there are two patterns for working with the search engine's response. Your index schema should reflect your primary use case. ++ Schema design to fit your use case.++ Index sizing and search service capacity.++ Vector data ingestion: loading, chunking, and embedding.++ Vector data retrieval from an index is always through the query APIs. Your intended user experience determines whether query results are passed directly to a client app for rendering, or goes through an orchestration layer for generative AI. -+ Send the search results directly to the client app. In a direct response from the search engine, results are returned in a flattened row set, and you can choose which fields are included. It's expected that you would populate the vector store (search index) with nonvector content that's human readable so that you don't have to decode vectors for your response. The search engine matches on vectors, but returns nonvector values from the same search document. +## Vector retrieval patterns -+ Send the search results to a chat model and an orchestration layer that coordinates prompts and maintains chat history for a conversational approach. +In Azure AI Search, there are two patterns for working with search results. 
-In a chat solution, results are fed into prompt flows and chat models like GPT and Text-Davinci use the search results, with or without their own training data, as grounding data for formulating the response. This is approach is based on [**Retrieval augmented generation (RAG)**](retrieval-augmented-generation-overview.md) architecture. ++ Generative search. Language models formulate a response to the user's query using data from Azure AI Search. This pattern usually includes an orchestration layer to coordinate prompts and maintain context. In this pattern, results are fed into prompt flows and chat models like GPT and Text-Davinci. This approach is based on [**Retrieval augmented generation (RAG)**](retrieval-augmented-generation-overview.md) architecture, where the search index provides the grounding data. -## Basic schema for vectors ++ Classic search. The search engine formulates a response based on content in your index, and you render those results in a client app. In a direct response from the search engine, results are returned in a flattened row set, and you can choose which fields are passed to the client app. It's expected that you would populate the vector store (search index) with nonvector content that's human readable so that you don't have to decode vectors for your response. The search engine matches on vectors, but returns nonvector values from the same search document. -An index schema for a vector store requires a name, a key field, one or more vector fields, and a vector configuration. Content fields are recommended for hybrid queries, or for returning human readable content that doesn't have to be decoded first. For more information about configuring a vector index, see [Create a vector store](vector-search-how-to-create-index.md). +Your index schema should reflect your primary use case. 
++## Schema designs for each retrieval pattern ++The following examples highlight the differences in field composition for solutions build for generative AI versus classic search. ++An index schema for a vector store requires a name, a key field, one or more vector fields, and a vector configuration. Nonvector fields are recommended for hybrid queries, or for returning human readable content that doesn't have to be decoded first. For step by step instructions, see [Create a vector store](vector-search-how-to-create-index.md). ++### Basic vector field configuration ++A vector field, such as "content_vector" in the following example, is of type `Collection(Edm.Single)`. It must be searchable and retrievable. It can't be filterable, facetable, or sortable, and it can't have analyzers, normalizers, or synonym map assignments. It must have dimensions set to a value supported by the embedding model. Text-embedding-ada-002 is the mostly commonly used embedding model and it generates embeddings using 1,536 dimensions. A vector search profile is specified in a vector search configuration and assigned to a vector field using the profile name. ++Content (nonvector) fields are useful for human readable text returned directly from the search engine. If you're using language models exclusively for response formulation, you can skip nonvector content fields. This example assumes that "content" is the human readable equivalent of the "content_vector" field. ++Metadata fields are useful for filters, especially if metadata includes origin information about the source document. 
```json-{ - "name": "example-index", - "fields": [ - { "name": "id", "type": "Edm.String", "searchable": false, "filterable": true, "retrievable": true, "key": true }, - { "name": "content", "type": "Edm.String", "searchable": true, "retrievable": true, "analyzer": null }, - { "name": "content_vector", "type": "Collection(Edm.Single)", "searchable": true, "filterable": false, "retrievable": true, - "dimensions": 1536, "vectorSearchProfile": null }, - { "name": "metadata", "type": "Edm.String", "searchable": true, "filterable": false, "retrievable": true, "sortable": false, "facetable": false } - ], - "vectorSearch": { - "algorithms": [ - { - "name": "default", - "kind": "hnsw", - "hnswParameters": { - "metric": "cosine", - "m": 4, - "efConstruction": 400, - "efSearch": 500 - }, - "exhaustiveKnnParameters": null - } - ], - "profiles": [], - "vectorizers": [] - } -} +"name": "example-index-basic-vector-field", +"fields": [ + { "name": "id", "type": "Edm.String", "searchable": false, "filterable": true, "retrievable": true, "key": true }, + { "name": "content_vector", "type": "Collection(Edm.Single)", "searchable": true, "filterable": false, "retrievable": true, + "dimensions": 1536, "vectorSearchProfile": null }, + { "name": "content", "type": "Edm.String", "searchable": true, "retrievable": true, "analyzer": null }, + { "name": "metadata", "type": "Edm.String", "searchable": true, "filterable": true, "retrievable": true, "sortable": true, "facetable": true } +] ``` +### Schema generated by the Import and vectorize data wizard ++We recommend the [Import and vectorize data wizard](search-get-started-portal-import-vectors.md) for evaluation and proof-of-concept testing. The wizard generates the example schema in this section. ++The bias of this schema is that search documents are built around data chunks. If a language model formulates the response, you want a schema designed around data chunks. 
++Data chunking is necessary for staying within the input limits of language models, but it also improves precision in similarity search when queries can be matched against smaller chunks of content pulled from multiple parent documents. Finally, if you're using semantic ranking, the semantic ranker also has token limits, which are more easily met if data chunking is part of your approach. ++In the following example, for each search document, there's one chunk ID, chunk, title, and vector field. The chunkID and parent ID are populated by the wizard, using base 64 encoding of blob metadata (path). Chunk and title are derived from blob content and blob name. Only the vector field is fully generated. It calls an Azure OpenAI resource that you provide. ++```json +"name": "example-index-from-import-wizard", +"fields": [ + {"name": "chunk_id", "type": "Edm.String", "key": true, "searchable": true, "filterable": true, "retrievable": true, "sortable": true, "facetable": true, "analyzer": "keyword"}, + { "name": "parent_id", "type": "Edm.String", "searchable": true, "filterable": true, "retrievable": true, "sortable": true}, + { "name": "chunk", "type": "Edm.String", "searchable": true, "filterable": false, "retrievable": true, "sortable": false}, + { "name": "title", "type": "Edm.String", "searchable": true, "filterable": true, "retrievable": true, "sortable": false}, + { "name": "vector", "type": "Collection(Edm.Single)", "searchable": true, "retrievable": true, "dimensions": 1536, "vectorSearchProfile": "vector-1707768500058-profile"} +] +``` ++## Vector data retrieval + The vector search algorithms specify the navigation structures used at query time. The structures are created during indexing, but used during queries. The content of your vector fields is determined by the [embedding step](vector-search-how-to-generate-embeddings.md) that vectorizes or encodes your content. 
If you use the same embedding model for all of your fields, you can [build vector queries](vector-search-how-to-query.md) that cover all of them. -If you use search results as grounding data, where a chat model generates the answer to a query, design a schema that stores chunks of text. Data chunking is a requirement if source files are too large for the embedding model, but it's also efficient for chat if the original source files contain a varied information. -+If you use search results as grounding data, where a chat model generates the answer to a query, design a schema that stores chunks of text. Data chunking is a requirement if source files are too large for the embedding model. It's also efficient for chat if the original source files contain a varied information. -## Next steps +## See also -+ [Try the quickstart](search-get-started-vector.md) -+ [Learn more about vector stores](vector-search-how-to-create-index.md) -+ [Learn more about vector queries](vector-search-how-to-query.md) ++ [Quickstart: Vector search using REST APIs](search-get-started-vector.md)++ [Vector store creation](vector-search-how-to-create-index.md)++ [Vector query creation](vector-search-how-to-query.md) + [Azure Cognitive Search and LangChain: A Seamless Integration for Enhanced Vector Search Capabilities](https://techcommunity.microsoft.com/t5/azure-ai-services-blog/azure-cognitive-search-and-langchain-a-seamless-integration-for/ba-p/3901448) |
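Review bot: Both new json examples are fragments without the enclosing braces, so they are not valid JSON and cannot be pasted into a Create Index request; wrap each in { }. The first one sets "vectorSearchProfile": null and the change deletes the "vectorSearch" section, although the text above it says a schema requires a vector configuration and that the profile is assigned by name. The wizard example names "vector-1707768500058-profile" without showing where that profile is defined.

Review bot: In the wizard schema section, chunk_id and parent_id are described as base 64 encodings of the blob path and both are marked "retrievable": true. In the classic search pattern, where results go directly to a client app, that hands the caller a reversible encoding of the storage path; the text should say that base 64 is an encoding rather than protection, and point back to the earlier statement that you can choose which fields are passed to the client. Wording to fix in the added lines: "solutions build for", "the mostly commonly used", "query results are passed ... or goes through", "contain a varied information", and "chunkID" where the field is chunk_id.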
security | Azure CA Details | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/azure-CA-details.md | Any entity trying to access Microsoft Entra identity services via the TLS/SSL pr | [DigiCert TLS Hybrid ECC SHA384 2020 CA1](https://crt.sh/?d=3422153452) | 0x0a275fe704d6eecb23d5cd5b4b1a4e04<br>51E39A8BDB08878C52D6186588A0FA266A69CF28 | | [DigiCert TLS RSA SHA256 2020 CA1](https://crt.sh/?d=4385364571) | 0x06d8d904d5584346f68a2fa754227ec4<br>1C58A3A8518E8759BF075B76B750D4F2DF264FCD | | [GeoTrust Global TLS RSA4096 SHA256 2022 CA1](https://crt.sh/?d=6670931375) | 0x0f622f6f21c2ff5d521f723a1d47d62d<br>7E6DB7B7584D8CF2003E0931E6CFC41A3A62D3DF |-| [GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1](https://crt.sh/?d=3112858728) | 0x0c08966535b942a9735265e4f97540bc<br>2F7AA2D86056A8775796F798C481A079E538E004 | | [Microsoft Azure ECC TLS Issuing CA 01](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2001.cer) | 0x09dc42a5f574ff3a389ee06d5d4de440<br>92503D0D74A7D3708197B6EE13082D52117A6AB0 | | [Microsoft Azure ECC TLS Issuing CA 01](https://crt.sh/?d=2616305805) | 0x330000001aa9564f44321c54b900000000001a<br>CDA57423EC5E7192901CA1BF6169DBE48E8D1268 | | [Microsoft Azure ECC TLS Issuing CA 02](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2002.cer) | 0x0e8dbe5ea610e6cbb569c736f6d7004b<br>1E981CCDDC69102A45C6693EE84389C3CF2329F1 | | [Microsoft Azure ECC TLS Issuing CA 02](https://crt.sh/?d=2616326233) | 0x330000001b498d6736ed5612c200000000001b<br>489FF5765030EB28342477693EB183A4DED4D2A6 |-| [*Microsoft Azure ECC TLS Issuing CA 03*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x01529ee8368f0b5d72ba433e2d8ea62d<br>56D955C849887874AA1767810366D90ADF6C8536 | -| [*Microsoft Azure ECC TLS Issuing CA 03*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003.crt) | 
0x330000003322a2579b5e698bcc000000000033<br>91503BE7BF74E2A10AA078B48B71C3477175FEC3 | -| [*Microsoft Azure ECC TLS Issuing CA 04*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x02393d48d702425a7cb41c000b0ed7ca<br>FB73FDC24F06998E070A06B6AFC78FDF2A155B25 | -| [*Microsoft Azure ECC TLS Issuing CA 04*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004.crt) | 0x33000000322164aedab61f509d000000000032<br>406E3B38EFF35A727F276FE993590B70F8224AED | +| [Microsoft Azure ECC TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x01529ee8368f0b5d72ba433e2d8ea62d<br>56D955C849887874AA1767810366D90ADF6C8536 | +| [Microsoft Azure ECC TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003.crt) | 0x330000003322a2579b5e698bcc000000000033<br>91503BE7BF74E2A10AA078B48B71C3477175FEC3 | +| [Microsoft Azure ECC TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x02393d48d702425a7cb41c000b0ed7ca<br>FB73FDC24F06998E070A06B6AFC78FDF2A155B25 | +| [Microsoft Azure ECC TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004.crt) | 0x33000000322164aedab61f509d000000000032<br>406E3B38EFF35A727F276FE993590B70F8224AED | | [Microsoft Azure ECC TLS Issuing CA 05](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2005.cer) | 0x0ce59c30fd7a83532e2d0146b332f965<br>C6363570AF8303CDF31C1D5AD81E19DBFE172531 | | [Microsoft Azure ECC TLS Issuing CA 05](https://crt.sh/?d=2616326161) | 0x330000001cc0d2a3cd78cf2c1000000000001c<br>4C15BC8D7AA5089A84F2AC4750F040D064040CD4 | | [Microsoft Azure ECC TLS Issuing CA 06](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2006.cer) | 
0x066e79cd7624c63130c77abeb6a8bb94<br>7365ADAEDFEA4909C1BAADBAB68719AD0C381163 | | [Microsoft Azure ECC TLS Issuing CA 06](https://crt.sh/?d=2616326228) | 0x330000001d0913c309da3f05a600000000001d<br>DFEB65E575D03D0CC59FD60066C6D39421E65483 |-| [*Microsoft Azure ECC TLS Issuing CA 07*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0f1f157582cdcd33734bdc5fcd941a33<br>3BE6CA5856E3B9709056DA51F32CBC8970A83E28 | -| [*Microsoft Azure ECC TLS Issuing CA 07*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007.crt) | 0x3300000034c732435db22a0a2b000000000034<br>AB3490B7E37B3A8A1E715036522AB42652C3CFFE | -| [*Microsoft Azure ECC TLS Issuing CA 08*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0ef2e5d83681520255e92c608fbc2ff4<br>716DF84638AC8E6EEBE64416C8DD38C2A25F6630 | -| [*Microsoft Azure ECC TLS Issuing CA 08*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008.crt) | 0x3300000031526979844798bbb8000000000031<br>CF33D5A1C2F0355B207FCE940026E6C1580067FD | -| [*Microsoft Azure RSA TLS Issuing CA 03*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x05196526449a5e3d1a38748f5dcfebcc<br>F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6 | -| [*Microsoft Azure RSA TLS Issuing CA 03*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003.crt) | 0x330000003968ea517d8a7e30ce000000000039<br>37461AACFA5970F7F2D2BAC5A659B53B72541C68 | -| [*Microsoft Azure RSA TLS Issuing CA 04*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x09f96ec295555f24749eaf1e5dced49d<br>BE68D0ADAA2345B48E507320B695D386080E5B25 | -| [*Microsoft Azure RSA TLS Issuing CA 04*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crt) 
| 0x330000003cd7cb44ee579961d000000000003c<br>7304022CA8A9FF7E3E0C1242E0110E643822C45E | -| [*Microsoft Azure RSA TLS Issuing CA 07*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0a43a9509b01352f899579ec7208ba50<br>3382517058A0C20228D598EE7501B61256A76442 | -| [*Microsoft Azure RSA TLS Issuing CA 07*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007.crt) | 0x330000003bf980b0c83783431700000000003b<br>0E5F41B697DAADD808BF55AD080350A2A5DFCA93 | -| [*Microsoft Azure RSA TLS Issuing CA 08*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0efb7e547edf0ff1069aee57696d7ba0<br>31600991ED5FEC63D355A5484A6DCC787EAD89BC | -| [*Microsoft Azure RSA TLS Issuing CA 08*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008.crt) | 0x330000003a5dc2ffc321c16d9b00000000003a<br>512C8F3FB71EDACF7ADA490402E710B10C73026E | +| [Microsoft Azure ECC TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0f1f157582cdcd33734bdc5fcd941a33<br>3BE6CA5856E3B9709056DA51F32CBC8970A83E28 | +| [Microsoft Azure ECC TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007.crt) | 0x3300000034c732435db22a0a2b000000000034<br>AB3490B7E37B3A8A1E715036522AB42652C3CFFE | +| [Microsoft Azure ECC TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0ef2e5d83681520255e92c608fbc2ff4<br>716DF84638AC8E6EEBE64416C8DD38C2A25F6630 | +| [Microsoft Azure ECC TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008.crt) | 0x3300000031526979844798bbb8000000000031<br>CF33D5A1C2F0355B207FCE940026E6C1580067FD | +| [Microsoft Azure RSA TLS Issuing CA 
03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x05196526449a5e3d1a38748f5dcfebcc<br>F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6 | +| [Microsoft Azure RSA TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003.crt) | 0x330000003968ea517d8a7e30ce000000000039<br>37461AACFA5970F7F2D2BAC5A659B53B72541C68 | +| [Microsoft Azure RSA TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x09f96ec295555f24749eaf1e5dced49d<br>BE68D0ADAA2345B48E507320B695D386080E5B25 | +| [Microsoft Azure RSA TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crt) | 0x330000003cd7cb44ee579961d000000000003c<br>7304022CA8A9FF7E3E0C1242E0110E643822C45E | +| [Microsoft Azure RSA TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0a43a9509b01352f899579ec7208ba50<br>3382517058A0C20228D598EE7501B61256A76442 | +| [Microsoft Azure RSA TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007.crt) | 0x330000003bf980b0c83783431700000000003b<br>0E5F41B697DAADD808BF55AD080350A2A5DFCA93 | +| [Microsoft Azure RSA TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0efb7e547edf0ff1069aee57696d7ba0<br>31600991ED5FEC63D355A5484A6DCC787EAD89BC | +| [Microsoft Azure RSA TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008.crt) | 0x330000003a5dc2ffc321c16d9b00000000003a<br>512C8F3FB71EDACF7ADA490402E710B10C73026E | | [Microsoft Azure TLS Issuing CA 01](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2001.cer) | 0x0aafa6c5ca63c45141ea3be1f7c75317<br>2F2877C5D778C31E0F29C7E371DF5471BD673173 | 
| [Microsoft Azure TLS Issuing CA 01](https://crt.sh/?d=2616326024) | 0x1dbe9496f3db8b8de700000000001d<br>B9ED88EB05C15C79639493016200FDAB08137AF3 | | [Microsoft Azure TLS Issuing CA 02](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2002.cer) | 0x0c6ae97cced599838690a00a9ea53214<br>E7EEA674CA718E3BEFD90858E09F8372AD0AE2AA | Any entity trying to access Microsoft Entra identity services via the TLS/SSL pr | [**DigiCert Global Root G2**](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt) | 0x033af1e6a711a9a0bb2864b11d09fae5<br>DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | | Γöö [Microsoft Azure TLS Issuing CA 01](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2001.cer) | 0x0aafa6c5ca63c45141ea3be1f7c75317<br>2F2877C5D778C31E0F29C7E371DF5471BD673173 | | Γöö [Microsoft Azure TLS Issuing CA 02](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2002.cer) | 0x0c6ae97cced599838690a00a9ea53214<br>E7EEA674CA718E3BEFD90858E09F8372AD0AE2AA |-| Γöö [*Microsoft Azure RSA TLS Issuing CA 03*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x05196526449a5e3d1a38748f5dcfebcc<br>F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6 | -| Γöö [*Microsoft Azure RSA TLS Issuing CA 04*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x09f96ec295555f24749eaf1e5dced49d<br>BE68D0ADAA2345B48E507320B695D386080E5B25 | -| Γöö [*Microsoft Azure RSA TLS Issuing CA 07*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0a43a9509b01352f899579ec7208ba50<br>3382517058A0C20228D598EE7501B61256A76442 | -| Γöö [*Microsoft Azure RSA TLS Issuing CA 08*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0efb7e547edf0ff1069aee57696d7ba0<br>31600991ED5FEC63D355A5484A6DCC787EAD89BC | +| Γöö [Microsoft 
Azure RSA TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x05196526449a5e3d1a38748f5dcfebcc<br>F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6 | +| Γöö [Microsoft Azure RSA TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x09f96ec295555f24749eaf1e5dced49d<br>BE68D0ADAA2345B48E507320B695D386080E5B25 | +| Γöö [Microsoft Azure RSA TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0a43a9509b01352f899579ec7208ba50<br>3382517058A0C20228D598EE7501B61256A76442 | +| Γöö [Microsoft Azure RSA TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0efb7e547edf0ff1069aee57696d7ba0<br>31600991ED5FEC63D355A5484A6DCC787EAD89BC | | Γöö [Microsoft Azure TLS Issuing CA 05](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2005.cer) | 0x0d7bede97d8209967a52631b8bdd18bd<br>6C3AF02E7F269AA73AFD0EFF2A88A4A1F04ED1E5 | | Γöö [Microsoft Azure TLS Issuing CA 06](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20TLS%20Issuing%20CA%2006.cer) | 0x02e79171fb8021e93fe2d983834c50c0<br>30E01761AB97E59A06B41EF20AF6F2DE7EF4F7B0 | | [**DigiCert Global Root G3**](https://cacerts.digicert.com/DigiCertGlobalRootG3.crt) | 0x055556bcf25ea43535c3a40fd5ab4572<br>7E04DE896A3E666D00E687D33FFAD93BE83D349E | | Γöö [Microsoft Azure ECC TLS Issuing CA 01](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2001.cer) | 0x09dc42a5f574ff3a389ee06d5d4de440<br>92503D0D74A7D3708197B6EE13082D52117A6AB0 | | Γöö [Microsoft Azure ECC TLS Issuing CA 02](https://www.microsoft.com/pki/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2002.cer) | 0x0e8dbe5ea610e6cbb569c736f6d7004b<br>1E981CCDDC69102A45C6693EE84389C3CF2329F1 |-| Γöö [*Microsoft Azure ECC TLS 
Issuing CA 03*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x01529ee8368f0b5d72ba433e2d8ea62d<br>56D955C849887874AA1767810366D90ADF6C8536 | -| Γöö [*Microsoft Azure ECC TLS Issuing CA 04*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x02393d48d702425a7cb41c000b0ed7ca<br>FB73FDC24F06998E070A06B6AFC78FDF2A155B25 | -| Γöö [*Microsoft Azure ECC TLS Issuing CA 07*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0f1f157582cdcd33734bdc5fcd941a33<br>3BE6CA5856E3B9709056DA51F32CBC8970A83E28 | -| Γöö [*Microsoft Azure ECC TLS Issuing CA 08*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0ef2e5d83681520255e92c608fbc2ff4<br>716DF84638AC8E6EEBE64416C8DD38C2A25F6630 | +| Γöö [Microsoft Azure ECC TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x01529ee8368f0b5d72ba433e2d8ea62d<br>56D955C849887874AA1767810366D90ADF6C8536 | +| Γöö [Microsoft Azure ECC TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x02393d48d702425a7cb41c000b0ed7ca<br>FB73FDC24F06998E070A06B6AFC78FDF2A155B25 | | Γöö [Microsoft Azure ECC TLS Issuing CA 05](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2005.cer) | 0x0ce59c30fd7a83532e2d0146b332f965<br>C6363570AF8303CDF31C1D5AD81E19DBFE172531 | | Γöö [Microsoft Azure ECC TLS Issuing CA 06](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2006.cer) | 0x066e79cd7624c63130c77abeb6a8bb94<br>7365ADAEDFEA4909C1BAADBAB68719AD0C381163 |+| Γöö [Microsoft Azure ECC TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 
0x0f1f157582cdcd33734bdc5fcd941a33<br>3BE6CA5856E3B9709056DA51F32CBC8970A83E28 | +| Γöö [Microsoft Azure ECC TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0ef2e5d83681520255e92c608fbc2ff4<br>716DF84638AC8E6EEBE64416C8DD38C2A25F6630 | | [**Microsoft ECC Root Certificate Authority 2017**](https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt) | 0x66f23daf87de8bb14aea0c573101c2ec<br>999A64C37FF47D9FAB95F14769891460EEC4C3C5 | | Γöö [Microsoft Azure ECC TLS Issuing CA 01](https://crt.sh/?d=2616305805) | 0x330000001aa9564f44321c54b900000000001a<br>CDA57423EC5E7192901CA1BF6169DBE48E8D1268 | | Γöö [Microsoft Azure ECC TLS Issuing CA 02](https://crt.sh/?d=2616326233) | 0x330000001b498d6736ed5612c200000000001b<br>489FF5765030EB28342477693EB183A4DED4D2A6 |-| Γöö [*Microsoft Azure ECC TLS Issuing CA 03*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003.crt) | 0x330000003322a2579b5e698bcc000000000033<br>91503BE7BF74E2A10AA078B48B71C3477175FEC3 | -| Γöö [*Microsoft Azure ECC TLS Issuing CA 04*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004.crt) | 0x33000000322164aedab61f509d000000000032<br>406E3B38EFF35A727F276FE993590B70F8224AED | +| Γöö [Microsoft Azure ECC TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003.crt) | 0x330000003322a2579b5e698bcc000000000033<br>91503BE7BF74E2A10AA078B48B71C3477175FEC3 | +| Γöö [Microsoft Azure ECC TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004.crt) | 0x33000000322164aedab61f509d000000000032<br>406E3B38EFF35A727F276FE993590B70F8224AED | | Γöö [Microsoft Azure ECC TLS Issuing CA 05](https://crt.sh/?d=2616326161) | 0x330000001cc0d2a3cd78cf2c1000000000001c<br>4C15BC8D7AA5089A84F2AC4750F040D064040CD4 | | Γöö [Microsoft Azure ECC 
TLS Issuing CA 06](https://crt.sh/?d=2616326228) | 0x330000001d0913c309da3f05a600000000001d<br>DFEB65E575D03D0CC59FD60066C6D39421E65483 |-| Γöö [*Microsoft Azure ECC TLS Issuing CA 07*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007.crt) | 0x3300000034c732435db22a0a2b000000000034<br>AB3490B7E37B3A8A1E715036522AB42652C3CFFE | -| Γöö [*Microsoft Azure ECC TLS Issuing CA 08*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008.crt) | 0x3300000031526979844798bbb8000000000031<br>CF33D5A1C2F0355B207FCE940026E6C1580067FD | +| Γöö [Microsoft Azure ECC TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007.crt) | 0x3300000034c732435db22a0a2b000000000034<br>AB3490B7E37B3A8A1E715036522AB42652C3CFFE | +| Γöö [Microsoft Azure ECC TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008.crt) | 0x3300000031526979844798bbb8000000000031<br>CF33D5A1C2F0355B207FCE940026E6C1580067FD | | Γöö [Microsoft ECC TLS Issuing AOC CA 01](https://crt.sh/?d=4789656467) |33000000282bfd23e7d1add707000000000028<br>30ab5c33eb4b77d4cbff00a11ee0a7507d9dd316 | | Γöö [Microsoft ECC TLS Issuing AOC CA 02](https://crt.sh/?d=4814787086) |33000000290f8a6222ef6a5695000000000029<br>3709cd92105d074349d00ea8327f7d5303d729c8 | | Γöö [Microsoft ECC TLS Issuing EOC CA 01](https://crt.sh/?d=4814787088) |330000002a2d006485fdacbfeb00000000002a<br>5fa13b879b2ad1b12e69d476e6cad90d01013b46 | | Γöö [Microsoft ECC TLS Issuing EOC CA 02](https://crt.sh/?d=4814787085) |330000002be6902838672b667900000000002b<br>58a1d8b1056571d32be6a7c77ed27f73081d6e7a | | [**Microsoft RSA Root Certificate Authority 2017**](https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt) | 0x1ed397095fd8b4b347701eaabe7f45b3<br>73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74 |-| Γöö [*Microsoft Azure RSA TLS Issuing CA 
03*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003.crt) | 0x330000003968ea517d8a7e30ce000000000039<br>37461AACFA5970F7F2D2BAC5A659B53B72541C68 | -| Γöö [*Microsoft Azure RSA TLS Issuing CA 04*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crt) | 0x330000003cd7cb44ee579961d000000000003c<br>7304022CA8A9FF7E3E0C1242E0110E643822C45E | -| Γöö [*Microsoft Azure RSA TLS Issuing CA 07*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007.crt) | 0x330000003bf980b0c83783431700000000003b<br>0E5F41B697DAADD808BF55AD080350A2A5DFCA93 | -| Γöö [*Microsoft Azure RSA TLS Issuing CA 08*](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008.crt) | 0x330000003a5dc2ffc321c16d9b00000000003a<br>512C8F3FB71EDACF7ADA490402E710B10C73026E | +| Γöö [Microsoft Azure RSA TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003.crt) | 0x330000003968ea517d8a7e30ce000000000039<br>37461AACFA5970F7F2D2BAC5A659B53B72541C68 | +| Γöö [Microsoft Azure RSA TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crt) | 0x330000003cd7cb44ee579961d000000000003c<br>7304022CA8A9FF7E3E0C1242E0110E643822C45E | +| Γöö [Microsoft Azure RSA TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007.crt) | 0x330000003bf980b0c83783431700000000003b<br>0E5F41B697DAADD808BF55AD080350A2A5DFCA93 | +| Γöö [Microsoft Azure RSA TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008.crt) | 0x330000003a5dc2ffc321c16d9b00000000003a<br>512C8F3FB71EDACF7ADA490402E710B10C73026E | | Γöö [Microsoft Azure TLS Issuing CA 01](https://crt.sh/?d=2616326024) | 0x1dbe9496f3db8b8de700000000001d<br>B9ED88EB05C15C79639493016200FDAB08137AF3 | | Γöö [Microsoft Azure TLS Issuing CA 
02](https://crt.sh/?d=2616326032) | 0x330000001ec6749f058517b4d000000000001e<br>C5FB956A0E7672E9857B402008E7CCAD031F9B08 | | Γöö [Microsoft Azure TLS Issuing CA 05](https://crt.sh/?d=2616326057) | 0x330000001f9f1fa2043bc28db900000000001f<br>56F1CA470BB94E274B516A330494C792C419CF87 | |
security | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/overview.md | Azure networking supports various secure remote access scenarios. Some of these - [Connect Azure Virtual Networks to each other](../../vpn-gateway/vpn-gateway-vnet-vnet-rm-ps.md) +### Azure Virtual Network Manager ++[Azure Virtual Network Manager](../../virtual-network-manager/overview.md) provides a centralized solution for protecting your virtual networks at scale. It uses [security admin rules](../../virtual-network-manager/concept-security-admins.md) to centrally define and enforce security policies for your virtual networks across your entire organization. Security admin rules takes precedence over network security group(NSGs) rules and are applied on the virtual network. This allows organizations to enforce core policies with security admin rules, while still enabling downstream teams to tailor NSGs according to their specific needs at the subnet and NIC levels. Depending on the needs of your organization, you can use **Allow**, **Deny**, or **Always Allow** rule actions to enforce security policies. ++| Rule Action | Description | +|-|-| +| **Allow** | Allows the specified traffic by default. Downstream NSGs still receive this traffic and may deny it.| +| **Always Allow** | Always allow the specified traffic, regardless of other rules with lower priority or NSGs. This can be used to ensure that monitoring agent, domain controller, or management traffic is not blocked. | +| **Deny** | Block the specified traffic. Downstream NSGs will not evaluate this traffic after being denied by a security admin rule, ensuring your high-risk ports for existing and new virtual networks are protected by default. | ++In Azure Virtual Network Manager, [network groups](../../virtual-network-manager/concept-network-groups.md) allow you to group virtual networks together for centralized management and enforcement of security policies. 
Network groups are a logical grouping of virtual networks based on your needs from a topology and security perspective. You can manually update the virtual network membership of your network groups or you can [define conditional statements with Azure Policy](../../virtual-network-manager/concept-azure-policy-integration.md) to dynamically update network groups to automatically update your network group membership. + ### Azure Private Link [Azure Private Link](https://azure.microsoft.com/services/private-link/) enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services privately in your virtual network over a [private endpoint](../../private-link/private-endpoint-overview.md). Setup and consumption using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services. Traffic from your virtual network to the Azure service always remains on the Microsoft Azure backbone network. |
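Review bot: In the added Azure Virtual Network Manager paragraph, "Security admin rules takes precedence over network security group(NSGs) rules" has a subject-verb mismatch and a missing space; suggest "Security admin rules take precedence over network security group (NSG) rules". The last added sentence on network groups states the same thing twice ("to dynamically update network groups to automatically update your network group membership") and can end at "to dynamically update network group membership". In the rule action table, the **Always Allow** row says the traffic is allowed regardless of NSGs, so it is worth stating in that row, in the same terms the **Allow** row uses, that downstream NSGs cannot deny it; readers choosing between the two actions need that contrast spelled out.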
sentinel | Create Codeless Connector Legacy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/create-codeless-connector-legacy.md | After creating your [JSON configuration file](#create-a-connector-json-configura # [Connect via API](#tab/connect-via-api) - Use the CONNECT endpoint to send a PUT method and pass the JSON configuration directly in the body of the message. For more information, see [auth configuration](#auth-configuration). + Use the [CONNECT](/rest/api/securityinsights/data-connectors/connect) endpoint to send a PUT method and pass the JSON configuration directly in the body of the message. For more information, see [auth configuration](#auth-configuration). Use the following API attributes, depending on the [authType](#authtype) defined. For each `authType` parameter, all listed attributes are mandatory and are string values. |
sentinel | Create Codeless Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/create-codeless-connector.md | To understand how to create a complex DCR with multiple data flows, see the [DCR This component renders the UI for the data connector in the Microsoft Sentinel data connector gallery. Each data connector may have only one UI definition. -Build the data connector user interface with the **Data Connector Definition** API. Use the [Data connector definitions reference](data-connector-ui-definitions-reference.md) as a supplement to explain the API elements in greater detail. +Build the data connector user interface with the [**Data Connector Definition** API](/rest/api/securityinsights/data-connector-definitions). Use the [Data connector definitions reference](data-connector-ui-definitions-reference.md) as a supplement to explain the API elements in greater detail. Notes: 1) The `kind` property for API polling connector should always be `Customizable`. |
sentinel | Data Connector Ui Definitions Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connector-ui-definitions-reference.md | -To create a data connector with the Codeless Connector Platform (CCP), use this document as a supplement to the Microsoft Sentinel REST API for Data Connector Definitions reference docs. Specifically this reference document expands on the following section: +To create a data connector with the Codeless Connector Platform (CCP), use this document as a supplement to the [Microsoft Sentinel REST API for Data Connector Definitions](/rest/api/securityinsights/data-connector-definitions) reference docs. Specifically this reference document expands on the following section: - `connectorUiConfig` - defines the visual elements and text displayed on the data connector page in Microsoft Sentinel. For more information, see [Create a codeless connector](create-codeless-connecto ## Data connector definitions - Create or update -Reference the Create Or Update operation in the REST API docs to find the latest stable or preview API version. The difference between the `create` and the `update` operation is the update requires the `etag` value. +Reference the Create Or Update operation in the REST API docs to find the latest stable or preview API version. Only the `update` operation requires the `etag` value. **PUT** method ```http https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{r ## URI parameters -For more information, see [Data Connector Definitions - Create or Update URI Parameters](/rest/api/securityinsights/data-connectors/create-or-update#uri-parameters) - |Name | Description | ||| | **dataConnectorDefinition** | The data connector definition must be a unique name and is the same as the `name` parameter in the [request body](#request-body).| Some **InstallAgent** types appear as a button, others appear as a link. 
Here ar ## Example data connector definition -The following example brings together some of the components defined in this article as a JSON body format to use with the Create Or Update data connector API. +The following example brings together some of the components defined in this article as a JSON body format to use with the Create Or Update data connector definition API. For more examples of the `connectorUiConfig` review [other CCP data connectors](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors#codeless-connector-platform-ccp-preview--native-microsoft-sentinel-polling). Even connectors using the legacy CCP have valid examples of the UI creation. |
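Review bot: The URI parameters hunk deletes the "For more information, see [Data Connector Definitions - Create or Update URI Parameters]" line outright. Its target was `/rest/api/securityinsights/data-connectors/create-or-update#uri-parameters`, which is the data connectors operation rather than data connector definitions, so the link was wrong, but replacing it with the matching data connector definitions reference would keep the pointer for readers instead of dropping it. In the same file, "Reference the Create Or Update operation in the REST API docs" is still unlinked even though the introduction now links to `/rest/api/securityinsights/data-connector-definitions`; linking the operation name there would be consistent with the rest of this change.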
sentinel | Threat Intelligence Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/threat-intelligence-integration.md | For more information about how to find and manage the solutions, see [Discover a ### Recorded Future Security Intelligence Platform - Find and enable incident enrichment playbooks for [Recorded Future](https://www.recordedfuture.com/integrations/microsoft-azure/) in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks). Search for subfolders beginning with "RecordedFuture_".-- See the Recorded Future Logic App [connector documentation](/connectors/recordedfuture/).+- See the Recorded Future Logic App [connector documentation](/connectors/recordedfuturev2/). ### ReversingLabs TitaniumCloud - Find and enable incident enrichment playbooks for [ReversingLabs](https://www.reversinglabs.com/products/file-reputation-service) in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ReversingLabs/Playbooks/ReversingLabs-EnrichFileHash).-- See the ReversingLabs Intelligence Logic App connector documentation.+- See the ReversingLabs TitaniumCloud Logic App [connector documentation](/connectors/reversinglabstitaniu/). ### RiskIQ Passive Total |
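Review bot: The new ReversingLabs target `/connectors/reversinglabstitaniu/` ends mid-word, so please confirm that slug resolves before merging, since this change exists to replace a bullet that had no link at all. The Recorded Future bullet now points to `/connectors/recordedfuturev2/` while its text still reads "Recorded Future Logic App connector documentation"; if the v2 connector is distinct from the one the playbooks in the "RecordedFuture_" subfolders expect, say so in the bullet.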
sentinel | Workspace Manager | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/workspace-manager.md | Common reasons for failure include: - Currently, deleting content residing in member workspace(s) centrally via workspace manager isn't supported. ### API references-- Workspace Manager Assignment Jobs-- Workspace Manager Assignments-- *Workspace Manager Configurations*-- Workspace Manager Groups-- Workspace Manager Members+- [Workspace Manager Assignment Jobs](/rest/api/securityinsights/workspace-manager-assignment-jobs) +- [Workspace Manager Assignments](/rest/api/securityinsights/workspace-manager-assignments) +- [Workspace Manager Configurations](/rest/api/securityinsights/workspace-manager-configurations) +- [Workspace Manager Groups](/rest/api/securityinsights/workspace-manager-groups) +- [Workspace Manager Members](/rest/api/securityinsights/workspace-manager-members) ## Next steps - [Manage multiple tenants in Microsoft Sentinel as an MSSP](multiple-tenants-service-providers.md) |
site-recovery | Azure To Azure Support Matrix | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-support-matrix.md | Title: Support matrix for Azure VM disaster recovery with Azure Site Recovery description: Summarizes support for Azure VMs disaster recovery to a secondary region with Azure Site Recovery. Previously updated : 12/19/2023 Last updated : 02/08/2024 Windows 7 (x64) with SP1 onwards | From version [9.30](https://support.microsoft #### Linux +> [!NOTE] +> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery. + **Operating system** | **Details** | -Red Hat Enterprise Linux | 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6,[7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9](https://support.microsoft.com/help/4578241/), [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609/), [8.3](https://support.microsoft.com/help/4597409/), [8.4](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-305.30.1.el8_4.x86_64 or higher), [8.5](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-348.5.1.el8_5.x86_64 or higher), [8.6](https://support.microsoft.com/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), 8.7, 8.8, 8.9, 9.0. <br> **Note**: Support for Red Hat Enterprise Linux 9.1 is removed from support matrix as issues were observed while using Azure Site Recovery with Red Hat Enterprise Linux 9.1. 
+Red Hat Enterprise Linux | 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6,[7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9](https://support.microsoft.com/help/4578241/), [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609/), [8.3](https://support.microsoft.com/help/4597409/), [8.4](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-305.30.1.el8_4.x86_64 or higher), [8.5](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-348.5.1.el8_5.x86_64 or higher), [8.6](https://support.microsoft.com/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), 8.7, 8.8, 8.9, 9.0, 9.1, 9.2, 9.3 <br> RHEL `9.x` is supported for the [following kernel versions](#supported-kernel-versions-for-red-hat-enterprise-linux-for-azure-virtual-machines). CentOS | 6.5, 6.6, 6.7, 6.8, 6.9, 6.10 </br> 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, [7.8](https://support.microsoft.com/help/4564347/), [7.9 pre-GA version](https://support.microsoft.com/help/4578241/), 7.9 GA version is supported from 9.37 hot fix patch** </br> 8.0, 8.1, [8.2](https://support.microsoft.com/help/4570609), [8.3](https://support.microsoft.com/help/4597409/), 8.4 (4.18.0-305.30.1.el8_4.x86_64 or later), 8.5 (4.18.0-348.5.1.el8_5.x86_64 or later), 8.6, 8.7. 
Ubuntu 14.04 LTS Server | Includes support for all 14.04.*x* versions; [Supported kernel versions](#supported-ubuntu-kernel-versions-for-azure-virtual-machines); Ubuntu 16.04 LTS Server | Includes support for all 16.04.*x* versions; [Supported kernel version](#supported-ubuntu-kernel-versions-for-azure-virtual-machines)<br/><br/> Ubuntu servers using password-based authentication and sign-in, and the cloud-init package to configure cloud VMs, might have password-based sign-in disabled on failover (depending on the cloudinit configuration). Password-based sign in can be re-enabled on the virtual machine by resetting the password from the Support > Troubleshooting > Settings menu (of the failed over VM in the Azure portal. SUSE Linux Enterprise Server 12 | SP1, SP2, SP3, SP4, SP5 [(Supported kernel ve SUSE Linux Enterprise Server 15 | 15, SP1, SP2, SP3, SP4, SP5 [(Supported kernel versions)](#supported-suse-linux-enterprise-server-15-kernel-versions-for-azure-virtual-machines) SUSE Linux Enterprise Server 11 | SP3<br/><br/> Upgrade of replicating machines from SP3 to SP4 isn't supported. If a replicated machine has been upgraded, you need to disable replication and re-enable replication after the upgrade. 
SUSE Linux Enterprise Server 11 | SP4-Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4573888/), [7.9](https://support.microsoft.com/help/4597409), [8.0](https://support.microsoft.com/help/4573888/), [8.1](https://support.microsoft.com/help/4573888/), [8.2](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.3](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8) (running the Red Hat compatible kernel or Unbreakable Enterprise Kernel Release 3, 4, 5, and 6 (UEK3, UEK4, UEK5, UEK6), [8.4](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), 8.5, 8.6, 8.7, 8.8 , 8.9, 9.0 <br> **Notes:** Support for Oracle Linux `9.1` is removed from support matrix as issues were observed while using Azure Site Recovery with Oracle Linux 9.1. <br/><br/>8.1 (running on all UEK kernels and RedHat kernel <= 3.10.0-1062.* are supported in [9.35](https://support.microsoft.com/help/4573888/) Support for rest of the RedHat kernels is available in [9.36](https://support.microsoft.com/help/4578241/)). 
+Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4573888/), [7.9](https://support.microsoft.com/help/4597409), [8.0](https://support.microsoft.com/help/4573888/), [8.1](https://support.microsoft.com/help/4573888/), [8.2](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.3](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8) (running the Red Hat compatible kernel or Unbreakable Enterprise Kernel Release 3, 4, 5, and 6 (UEK3, UEK4, UEK5, UEK6), [8.4](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), 8.5, 8.6, 8.7, 8.8 , 8.9, 9.0, 9.1, 9.2, 9.3. <br/><br/>8.1 (running on all UEK kernels and RedHat kernel <= 3.10.0-1062.* are supported in [9.35](https://support.microsoft.com/help/4573888/) Support for rest of the RedHat kernels is available in [9.36](https://support.microsoft.com/help/4578241/)). <br> Oracle Linux 9.x is supported for the [following kernel versions](#supported-red-hat-linux-kernel-versions-for-oracle-linux-on-azure-virtual-machines). Rocky Linux | [See supported versions](#supported-rocky-linux-kernel-versions-for-azure-virtual-machines). > [!NOTE] Rocky Linux | [See supported versions](#supported-rocky-linux-kernel-versions-fo > [!NOTE] > To support latest Linux kernels within 15 days of release, Azure Site Recovery rolls out hot fix patch on top of latest mobility agent version. This fix is rolled out in between two major version releases. To update to latest version of mobility agent (including hot fix patch), follow steps mentioned in [this article](service-updates-how-to.md#azure-vm-disaster-recovery-to-azure). 
This patch is currently rolled out for mobility agents used in Azure to Azure DR scenario. +#### Supported kernel versions for Red Hat Enterprise Linux for Azure virtual machines ++**Release** | **Mobility service version** | **Red Hat kernel version** | + | | | +RHEL 9.0 <br> RHEL 9.1 <br> RHEL 9.2 <br> RHEL 9.3 | 9.60 | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 <br> 5.14.0-284.11.1.el9_2.x86_64 <br> 5.14.0-284.13.1.el9_2.x86_64 <br> 5.14.0-284.16.1.el9_2.x86_64 <br> 5.14.0-284.18.1.el9_2.x86_64 <br> 5.14.0-284.23.1.el9_2.x86_64 <br> 5.14.0-284.25.1.el9_2.x86_64 <br> 5.14.0-284.28.1.el9_2.x86_64 <br> 5.14.0-284.30.1.el9_2.x86_64 <br> 5.14.0-284.32.1.el9_2.x86_64 <br> 5.14.0-284.34.1.el9_2.x86_64 <br> 5.14.0-284.36.1.el9_2.x86_64 <br> 5.14.0-284.40.1.el9_2.x86_64 <br> 5.14.0-284.41.1.el9_2.x86_64 <br>5.14.0-284.43.1.el9_2.x86_64 <br>5.14.0-284.44.1.el9_2.x86_64 <br> 5.14.0-284.45.1.el9_2.x86_64 <br>5.14.0-284.48.1.el9_2.x86_64 <br>5.14.0-284.50.1.el9_2.x86_64 <br> 5.14.0-284.52.1.el9_2.x86_64 <br>5.14.0-362.8.1.el9_3.x86_64 <br>5.14.0-362.13.1.el9_3.x86_64 | + #### Supported Ubuntu kernel versions for Azure virtual machines +> [!NOTE] +> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery. ++ **Release** | **Mobility service version** | **Kernel version** | | | |+14.04 LTS | [9.60]()| No new 14.04 LTS kernels supported in this release. 
| 14.04 LTS | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | No new 14.04 LTS kernels supported in this release. 14.04 LTS | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | No new 14.04 LTS kernels supported in this release. | 14.04 LTS | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | No new 14.04 LTS kernels supported in this release. | 14.04 LTS | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| No new 14.04 LTS kernels supported in this release. |-14.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| No new 14.04 LTS kernels supported in this release. | |||+16.04 LTS | [9.60]() | No new 16.04 LTS kernels supported in this release. | 16.04 LTS | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | No new 16.04 LTS kernels supported in this release. | 16.04 LTS | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | No new 16.04 LTS kernels supported in this release. | 16.04 LTS | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | No new 16.04 LTS kernels supported in this release. | 16.04 LTS | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| No new 16.04 LTS kernels supported in this release. |-16.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| No new 16.04 LTS kernels supported in this release. 
| |||+18.04 LTS | [9.60]() | No new 18.04 LTS kernels supported in this release. | 18.04 LTS | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | No new 18.04 LTS kernels supported in this release. | 18.04 LTS | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | No new 18.04 LTS kernels supported in this release. | 18.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 4.15.0-1166-azure <br> 4.15.0-1167-azure <br> 4.15.0-212-generic <br> 4.15.0-213-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic | 18.04 LTS |[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 4.15.0-208-generic <br> 4.15.0-209-generic <br> 5.4.0-1105-azure <br> 5.4.0-1106-azure <br> 5.4.0-146-generic <br> 4.15.0-1163-azure <br> 4.15.0-1164-azure <br> 4.15.0-1165-azure <br> 4.15.0-210-generic <br> 4.15.0-211-generic <br> 5.4.0-1107-azure <br> 5.4.0-147-generic <br> 5.4.0-147-generic <br> 5.4.0-148-generic <br> 4.15.0-212-generic <br> 4.15.0-1166-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure |-18.04 LTS |[9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| 5.4.0-137-generic <br> 5.4.0-1101-azure <br> 4.15.0-1161-azure <br> 4.15.0-204-generic <br> 5.4.0-1103-azure <br> 5.4.0-139-generic <br> 4.15.0-206-generic <br> 5.4.0-1104-azure <br> 5.4.0-144-generic <br> 4.15.0-1162-azure | |||+20.04 LTS | [9.60]() | No new 20.04 LTS kernels supported in this release. 
| 20.04 LTS | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | 5.15.0-1052-azure <br> 5.15.0-1053-azure <br> 5.15.0-89-generic <br> 5.15.0-91-generic <br> 5.4.0-1120-azure <br> 5.4.0-1121-azure <br> 5.4.0-167-generic <br> 5.4.0-169-generic | 20.04 LTS | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | 5.15.0-1049-azure <br> 5.15.0-1050-azure <br> 5.15.0-1051-azure <br> 5.15.0-86-generic <br> 5.15.0-87-generic <br> 5.15.0-88-generic <br> 5.4.0-1117-azure <br> 5.4.0-1118-azure <br> 5.4.0-1119-azure <br> 5.4.0-164-generic <br> 5.4.0-165-generic <br> 5.4.0-166-generic | 20.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-152-generic <br> 5.4.0-153-generic <br> 5.4.0-155-generic <br> 5.4.0-1112-azure <br> 5.15.0-78-generic <br> 5.15.0-1042-azure <br> 5.15.0-79-generic <br> 5.4.0-156-generic <br> 5.15.0-1047-azure <br> 5.15.0-84-generic <br> 5.4.0-1116-azure <br> 5.4.0-163-generic <br> 5.15.0-1043-azure <br> 5.15.0-1045-azure <br> 5.15.0-1046-azure <br> 5.15.0-82-generic <br> 5.15.0-83-generic | 20.04 LTS |[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.15.0-1035-azure <br> 5.15.0-1036-azure <br> 5.15.0-69-generic <br> 5.4.0-1105-azure <br> 5.4.0-1106-azure <br> 5.4.0-146-generic <br> 5.4.0-147-generic <br> 5.15.0-1037-azure <br> 5.15.0-1038-azure <br> 5.15.0-70-generic <br> 5.15.0-71-generic <br> 5.15.0-72-generic <br> 5.4.0-1107-azure <br> 5.4.0-148-generic <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 
5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.15.0-73-generic <br> 5.15.0-1039-azure |-20.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.4.0-1101-azure <br> 5.15.0-1033-azure <br> 5.15.0-60-generic <br> 5.4.0-1103-azure <br> 5.4.0-139-generic <br> 5.15.0-1034-azure <br> 5.15.0-67-generic <br> 5.4.0-1104-azure <br> 5.4.0-144-generic | |||+22.04 LTS |[9.60]()| 5.19.0-1025-azure <br> 5.19.0-1026-azure <br> 5.19.0-1027-azure <br> 5.19.0-41-generic <br> 5.19.0-42-generic <br> 5.19.0-43-generic <br> 5.19.0-45-generic <br> 5.19.0-46-generic <br> 5.19.0-50-generic <br> 6.2.0-1005-azure <br> 6.2.0-1006-azure <br> 6.2.0-1007-azure <br> 6.2.0-1008-azure <br> 6.2.0-1011-azure <br> 6.2.0-1012-azure <br> 6.2.0-1014-azure <br> 6.2.0-1015-azure <br> 6.2.0-1016-azure <br> 6.2.0-1017-azure <br> 6.2.0-1018-azure <br> 6.2.0-25-generic <br> 6.2.0-26-generic <br> 6.2.0-31-generic <br> 6.2.0-32-generic <br> 6.2.0-33-generic <br> 6.2.0-34-generic <br> 6.2.0-35-generic <br> 6.2.0-36-generic <br> 6.2.0-37-generic <br> 6.2.0-39-generic <br> 6.5.0-1007-azure <br> 6.5.0-1009-azure <br> 6.5.0-1010-azure <br> 6.5.0-14-generic | 22.04 LTS | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | 5.15.0-1052-azure <br> 5.15.0-1053-azure <br> 5.15.0-76-generic <br> 5.15.0-89-generic <br> 5.15.0-91-generic | 22.04 LTS | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | 5.15.0-1049-azure <br> 5.15.0-1050-azure <br> 5.15.0-1051-azure <br> 5.15.0-86-generic <br> 5.15.0-87-generic <br> 5.15.0-88-generic | 22.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.15.0-78-generic <br> 
5.15.0-1042-azure <br> 5.15.0-1044-azure <br> 5.15.0-79-generic <br> 5.15.0-1047-azure <br> 5.15.0-84-generic <br> 5.15.0-1045-azure <br> 5.15.0-1046-azure <br> 5.15.0-82-generic <br> 5.15.0-83-generic | 22.04 LTS |[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.15.0-1035-azure <br> 5.15.0-1036-azure <br> 5.15.0-69-generic <br> 5.15.0-70-generic <br> 5.15.0-1037-azure <br> 5.15.0-1038-azure <br> 5.15.0-71-generic <br> 5.15.0-72-generic <br> 5.15.0-73-generic <br> 5.15.0-1039-azure |-22.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.15.0-1003-azure <br> 5.15.0-1005-azure <br> 5.15.0-1007-azure <br> 5.15.0-1008-azure <br> 5.15.0-1010-azure <br> 5.15.0-1012-azure <br> 5.15.0-1013-azure <br> 5.15.0-1014-azure <br> 5.15.0-1017-azure <br> 5.15.0-1019-azure <br> 5.15.0-1020-azure <br> 5.15.0-1021-azure <br> 5.15.0-1022-azure <br> 5.15.0-1023-azure <br> 5.15.0-1024-azure <br> 5.15.0-1029-azure <br> 5.15.0-1030-azure <br> 5.15.0-1031-azure <br> 5.15.0-25-generic <br> 5.15.0-27-generic <br> 5.15.0-30-generic <br> 5.15.0-33-generic <br> 5.15.0-35-generic <br> 5.15.0-37-generic <br> 5.15.0-39-generic <br> 5.15.0-40-generic <br> 5.15.0-41-generic <br> 5.15.0-43-generic <br> 5.15.0-46-generic <br> 5.15.0-47-generic <br> 5.15.0-48-generic <br> 5.15.0-50-generic <br> 5.15.0-52-generic <br> 5.15.0-53-generic <br> 5.15.0-56-generic <br> 5.15.0-57-generic <br> 5.15.0-58-generic <br> 5.15.0-1033-azure <br> 5.15.0-60-generic <br> 5.15.0-1034-azure <br> 5.15.0-67-generic | > [!NOTE] > To support latest Linux kernels within 15 days of release, Azure Site Recovery rolls out hot fix patch on top of latest mobility agent version. This fix is rolled out in between two major version releases. 
To update to latest version of mobility agent (including hot fix patch) follow steps mentioned in [this article](service-updates-how-to.md#azure-vm-disaster-recovery-to-azure). This patch is currently rolled out for mobility agents used in Azure to Azure DR scenario. Rocky Linux | [See supported versions](#supported-rocky-linux-kernel-versions-fo #### Supported Debian kernel versions for Azure virtual machines +> [!NOTE] +> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery. + + **Release** | **Mobility service version** | **Kernel version** | | | |+Debian 7 | [9.60]| No new Debian 7 kernels supported in this release. | Debian 7 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50)| No new Debian 7 kernels supported in this release. | Debian 7 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d)| No new Debian 7 kernels supported in this release. | Debian 7 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | No new Debian 7 kernels supported in this release. | Debian 7 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| No new Debian 7 kernels supported in this release. |-Debian 7 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| No new Debian 7 kernels supported in this release. | |||+Debian 8 | [9.60]| No new Debian 8 kernels supported in this release. | Debian 8 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50)| No new Debian 8 kernels supported in this release. 
| Debian 8 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d)| No new Debian 8 kernels supported in this release. | Debian 8 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | No new Debian 8 kernels supported in this release. | Debian 8 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| No new Debian 8 kernels supported in this release. |-Debian 8 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| No new Debian 8 kernels supported in this release. | |||+Debian 9.1 | [9.60]| No new Debian 9.1 kernels supported in this release. | Debian 9.1 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50)| No new Debian 9.1 kernels supported in this release. | Debian 9.1 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d)| No new Debian 9.1 kernels supported in this release. | Debian 9.1 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| No new Debian 9.1 kernels supported in this release. | Debian 9.1 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| No new Debian 9.1 kernels supported in this release. |-Debian 9.1 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| No new Debian 9.1 kernels supported in this release. | |||-Debian 10 | [9.57]()| No new Debian 10 kernels supported in this release. 
| +Debian 10 | [9.60]| 4.19.0-26-amd64 <br> 4.19.0-26-cloud-amd64 <br> 5.10.0-0.deb10.27-amd64 <br> 5.10.0-0.deb10.27-cloud-amd64 | +Debian 10 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50)| No new Debian 10 kernels supported in this release. | Debian 10 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d)| 5.10.0-0.deb10.26-amd64 <br> 5.10.0-0.deb10.26-cloud-amd64 | Debian 10 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.10.0-0.deb10.23-amd64 <br> 5.10.0-0.deb10.23-cloud-amd64 <br> 4.19.0-25-amd64 <br> 4.19.0-25-cloud-amd64 <br> 5.10.0-0.deb10.24-amd64 <br> 5.10.0-0.deb10.24-cloud-amd64 | Debian 10 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.10.0-0.bpo.3-amd64 <br> 5.10.0-0.bpo.3-cloud-amd64 <br> 5.10.0-0.bpo.4-amd64 <br> 5.10.0-0.bpo.4-cloud-amd64 <br> 5.10.0-0.bpo.5-amd64 <br> 5.10.0-0.bpo.5-cloud-amd64 <br> 4.19.0-24-amd64 <br> 4.19.0-24-cloud-amd64 <br> 5.10.0-0.deb10.22-amd64 <br> 5.10.0-0.deb10.22-cloud-amd64 <br> 5.10.0-0.deb10.23-amd64 <br> 5.10.0-0.deb10.23-cloud-amd64 |-Debian 10 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| 5.10.0-0.deb10.21-amd64 <br> 5.10.0-0.deb10.21-cloud-amd64 | |||+Debian 11 | [9.60]()| 5.10.0-27-amd64 <br> 5.10.0-27-cloud-amd64 | Debian 11 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50)| No new Debian 11 kernels supported in this release. 
| Debian 11 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d)| 5.10.0-26-amd64 <br> 5.10.0-26-cloud-amd64 | Debian 11 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.10.0-24-amd64 <br> 5.10.0-24-cloud-amd64 <br> 5.10.0-25-amd64 <br> 5.10.0-25-cloud-amd64 | Debian 11 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.10.0-22-amd64 <br> 5.10.0-22-cloud-amd64 <br> 5.10.0-23-amd64 <br> 5.10.0-23-cloud-amd64 |-Debian 11 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.10.0-21-amd64 </br> 5.10.0-21-cloud-amd64 | > [!NOTE] > To support latest Linux kernels within 15 days of release, Azure Site Recovery rolls out hot fix patch on top of latest mobility agent version. This fix is rolled out in between two major version releases. To update to latest version of mobility agent (including hot fix patch) follow steps mentioned in [this article](service-updates-how-to.md#azure-vm-disaster-recovery-to-azure). This patch is currently rolled out for mobility agents used in Azure to Azure DR scenario. #### Supported SUSE Linux Enterprise Server 12 kernel versions for Azure virtual machines +> [!NOTE] +> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery. ++ **Release** | **Mobility service version** | **Kernel version** | | | |+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.60]() | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. 
</br></br> 4.12.14-16.163-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.155-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.152-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.136-azure:5 <br> 4.12.14-16.139-azure:5 <br> 4.12.14-16.146-azure:5 <br> 4.12.14-16.149-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.130-azure:5 <br> 4.12.14-16.133-azure:5 |-SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. 
</br></br> 4.12.14-16.124-azure:5 <br> 4.12.14-16.127-azure:5 | #### Supported SUSE Linux Enterprise Server 15 kernel versions for Azure virtual machines +> [!NOTE] +> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery. + + **Release** | **Mobility service version** | **Kernel version** | | | |+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4, SP5) | [9.60]() | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> No new SUSE 15 kernels supported in this release. | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4, SP5) | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.72-azure:4 <br> 5.14.21-150500.33.23-azure:5 <br> 5.14.21-150500.33.26-azure:5 | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4, SP5) | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.69-azure:4 <br> 5.14.21-150500.31-azure:5 <br> 5.14.21-150500.33.11-azure:5 <br> 5.14.21-150500.33.14-azure:5 <br> 5.14.21-150500.33.17-azure:5 <br> 5.14.21-150500.33.20-azure:5 <br> 5.14.21-150500.33.3-azure:5 <br> 5.14.21-150500.33.6-azure:5 | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. 
</br></br> 5.14.21-150400.14.52-azure:4 <br> 4.12.14-16.139-azure:5 <br> 5.14.21-150400.14.55-azure:4 <br> 5.14.21-150400.14.60-azure:4 <br> 5.14.21-150400.14.63-azure:4 <br> 5.14.21-150400.14.66-azure:4 | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.40-azure:4 <br> 5.14.21-150400.14.43-azure:4 <br> 5.14.21-150400.14.46-azure:4 <br> 5.14.21-150400.14.49-azure:4 |-SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.31-azure:4 <br> 5.14.21-150400.14.34-azure:4 <br> 5.14.21-150400.14.37-azure:4 | +#### Supported Red Hat Linux kernel versions for Oracle Linux on Azure virtual machines ++**Release** | **Mobility service version** | **Red Hat kernel version** | + | | | +Oracle Linux 9.0 <br> Oracle Linux 9.1 <br> Oracle Linux 9.2 <br> Oracle Linux 9.3 | 9.60 | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 <br> 
5.14.0-284.11.1.el9_2.x86_64 <br>5.14.0-284.13.1.el9_2.x86_64 <br>5.14.0-284.16.1.el9_2.x86_64 <br>5.14.0-284.18.1.el9_2.x86_64 <br> 5.14.0-284.23.1.el9_2.x86_64 <br> 5.14.0-284.25.1.el9_2.x86_64 <br> 5.14.0-284.28.1.el9_2.x86_64 <br> 5.14.0-284.30.1.el9_2.x86_64 <br> 5.14.0-284.32.1.el9_2.x86_64 <br> 5.14.0-284.34.1.el9_2.x86_64 <br> 5.14.0-284.36.1.el9_2.x86_64 <br> 5.14.0-284.40.1.el9_2.x86_64 <br> 5.14.0-284.41.1.el9_2.x86_64 <br> 5.14.0-284.43.1.el9_2.x86_64 <br> 5.14.0-284.44.1.el9_2.x86_64 <br> 5.14.0-284.45.1.el9_2.x86_64 <br> 5.14.0-284.48.1.el9_2.x86_64 <br> 5.14.0-284.50.1.el9_2.x86_64 <br> 5.14.0-284.52.1.el9_2.x86_64 <br> 5.14.0-362.8.1.el9_3.x86_64 <br> 5.14.0-362.13.1.el9_3.x86_64 | + #### Supported Rocky Linux kernel versions for Azure virtual machines +> [!NOTE] +> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery. + ++**Release** | **Mobility service version** | **Red Hat kernel version** | + | | | +Rocky Linux 9.0 <br> Rocky Linux 9.1 | [9.60]() | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 | + **Release** | **Mobility service version** | **Kernel version** | | | | Rocky Linux | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | Rocky Linux 8.8 <br> Rocky Linux 8.9 | Rocky Linux | 
[9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | Rocky Linux 8.7 <br> Rocky Linux 9.0 | -> [!NOTE] -> Support for Rocky Linux 9.1 is removed from the support matrix as issues were observed while using it with Azure Site Recovery. - > [!IMPORTANT] > To support latest Linux kernels within 15 days of release, Azure Site Recovery rolls out hot fix patch on top of latest mobility agent version. This fix is rolled out in between two major version releases. To update to latest version of mobility agent (including hot fix patch) follow steps mentioned in [this article](service-updates-how-to.md#azure-vm-disaster-recovery-to-azure). This patch is currently rolled out for mobility agents used in Azure to Azure DR scenario. |
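Review bot: The added 9.60 rows write the version cell three different ways: `[9.60]` with no link target (Debian 7, 8, 9.1 and 10), `[9.60]()` with an empty target (Debian 11, SUSE 12 and 15, Rocky Linux), and plain `9.60` (Oracle Linux). The bracket-only form renders as literal brackets and the empty-target form renders as a link that goes nowhere, so use plain `9.60` in every row until there is a rollup URL to point at. In the Oracle Linux 9.x row there is a doubled `<br> <br>` after `5.14.0-70.17.1.el9_0.x86_64`, and in both the Oracle Linux and Rocky Linux rows stray characters follow `5.14.0-162.6.1.el9_1.x86_64`; both should be cleaned up before merge. The Rocky Linux section also deletes the note saying 9.1 support was removed while adding a 9.60 row for Rocky Linux 9.0 and 9.1, and it now has two tables whose third column means different things ("Red Hat kernel version" versus a list of releases under "Kernel version"); a sentence stating that 9.1 is supported from 9.60 and a corrected header on the older table would make the section readable.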
site-recovery | Vmware Physical Azure Support Matrix | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-physical-azure-support-matrix.md | Title: Support matrix for VMware/physical disaster recovery in Azure Site Recove description: Summarizes support for disaster recovery of VMware VMs and physical server to Azure using Azure Site Recovery. Previously updated : 12/27/2023 Last updated : 02/09/2024 Windows 7 with SP1 64-bit | Supported from [Update rollup 36](https://support.mi ### For Linux +> [!NOTE] +> Mobility service versions`9.56` and `9.60` are only available for Modernized experience. <br> +> Mobility service version `9.58` is not released for VMWare to Azure Site Recovery. <br> +> Mobility service versions `9.59` is only available for Classic experience. ++ **Operating system** | **Details** | Linux | Only 64-bit system is supported. 32-bit system isn't supported.<br/><br/>Every Linux server should have [Linux Integration Services (LIS) components](https://www.microsoft.com/download/details.aspx?id=55106) installed. It is required to boot the server in Azure after test failover/failover. If in-built LIS components are missing, ensure to install the [components](https://www.microsoft.com/download/details.aspx?id=55106) before enabling replication for the machines to boot in Azure. <br/><br/> Site Recovery orchestrates failover to run Linux servers in Azure. However Linux vendors might limit support to only distribution versions that haven't reached end-of-life.<br/><br/> On Linux distributions, only the stock kernels that are part of the distribution minor version release/update are supported.<br/><br/> Upgrading protected machines across major Linux distribution versions isn't supported. 
To upgrade, disable replication, upgrade the operating system, and then enable replication again.<br/><br/> [Learn more](https://support.microsoft.com/help/2941892/support-for-linux-and-open-source-technology-in-azure) about support for Linux and open-source technology in Azure.<br/><br/> Chained IO isn't supported by Site Recovery.-Linux Red Hat Enterprise | 5.2 to 5.11</b><br/> 6.1 to 6.10</b> </br> 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9 Beta version](https://support.microsoft.com/help/4578241/), [7.9](https://support.microsoft.com/help/4590304/) </br> [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609), [8.3](https://support.microsoft.com/help/4597409/), [8.4](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-305.30.1.el8_4.x86_64 or higher), [8.5](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-348.5.1.el8_5.x86_64 or higher), [8.6](https://support.microsoft.com/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), 8.7, 8.8, 8.9, 9.0. <br/> Few older kernels on servers running Red Hat Enterprise Linux 5.2-5.11 & 6.1-6.10 don't have [Linux Integration Services (LIS) components](https://www.microsoft.com/download/details.aspx?id=55106) pre-installed. If in-built LIS components are missing, ensure to install the [components](https://www.microsoft.com/download/details.aspx?id=55106) before enabling replication for the machines to boot in Azure. <br> <br> **Notes**: <br> - Support for Linux Red Hat Enterprise versions `8.9` and `9.0` is only available for Modernized experience and isn't available for Classic experience. 
<br> - Support for Red Hat Enterprise Linux 9.1 is removed from support matrix as issues were observed while using Azure Site Recovery with Red Hat Enterprise Linux 9.1. +Linux Red Hat Enterprise | 5.2 to 5.11</b><br/> 6.1 to 6.10</b> </br> 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9 Beta version](https://support.microsoft.com/help/4578241/), [7.9](https://support.microsoft.com/help/4590304/) </br> [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609), [8.3](https://support.microsoft.com/help/4597409/), [8.4](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-305.30.1.el8_4.x86_64 or higher), [8.5](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-348.5.1.el8_5.x86_64 or higher), [8.6](https://support.microsoft.com/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), 8.7, 8.8, 8.9, 9.0, 9.1, 9.2, 9.3 <br/> Few older kernels on servers running Red Hat Enterprise Linux 5.2-5.11 & 6.1-6.10 don't have [Linux Integration Services (LIS) components](https://www.microsoft.com/download/details.aspx?id=55106) pre-installed. If in-built LIS components are missing, ensure to install the [components](https://www.microsoft.com/download/details.aspx?id=55106) before enabling replication for the machines to boot in Azure. <br> <br> **Notes**: <br> - Support for Linux Red Hat Enterprise versions `8.9`, `9.0`, `9.1`, `9.2`, and `9.3` is only available for Modernized experience and isn't available for Classic experience. 
<br> - RHEL `9.x` is supported for [the following kernel versions](#supported-kernel-versions-for-red-hat-enterprise-linux-for-azure-virtual-machines) | Linux: CentOS | 5.2 to 5.11</b><br/> 6.1 to 6.10</b><br/> </br> 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9](https://support.microsoft.com/help/4578241/) </br> [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609), [8.3](https://support.microsoft.com/help/4597409/), [8.4](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-305.30.1.el8_4.x86_64 or later), [8.5](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-348.5.1.el8_5.x86_64 or later), 8.6, 8.7 <br/><br/> Few older kernels on servers running CentOS 5.2-5.11 & 6.1-6.10 don't have [Linux Integration Services (LIS) components](https://www.microsoft.com/download/details.aspx?id=55106) pre-installed. If in-built LIS components are missing, ensure to install the [components](https://www.microsoft.com/download/details.aspx?id=55106) before enabling replication for the machines to boot in Azure. Ubuntu | Ubuntu 14.04* LTS server [(review supported kernel versions)](#ubuntu-kernel-versions)<br/>Ubuntu 16.04* LTS server [(review supported kernel versions)](#ubuntu-kernel-versions) </br> Ubuntu 18.04* LTS server [(review supported kernel versions)](#ubuntu-kernel-versions) </br> Ubuntu 20.04* LTS server [(review supported kernel versions)](#ubuntu-kernel-versions) <br> Ubuntu 22.04* LTS server [(review supported kernel versions)](#ubuntu-kernel-versions) <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet. 
</br> (*includes support for all 14.04.*x*, 16.04.*x*, 18.04.*x*, 20.04.*x* versions) Debian | Debian 7/Debian 8 (includes support for all 7. *x*, 8. *x* versions). [Ensure to download latest mobility agent installer on the configuration server](vmware-physical-mobility-service-overview.md#download-latest-mobility-agent-installer-for-suse-11-sp3-suse-11-sp4-rhel-5-cent-os-5-debian-7-debian-8-debian-9-oracle-linux-6-and-ubuntu-1404-server). <br/> Debian 9 (includes support for 9.1 to 9.13. Debian 9.0 isn't supported.). [Ensure to download latest mobility agent installer on the configuration server](vmware-physical-mobility-service-overview.md#download-latest-mobility-agent-installer-for-suse-11-sp3-suse-11-sp4-rhel-5-cent-os-5-debian-7-debian-8-debian-9-oracle-linux-6-and-ubuntu-1404-server). <br/> Debian 10, Debian 11 [(Review supported kernel versions)](#debian-kernel-versions). SUSE Linux | SUSE Linux Enterprise Server 12 SP1, SP2, SP3, SP4, [SP5](https://support.microsoft.com/help/4570609) [(review supported kernel versions)](#suse-linux-enterprise-server-12-supported-kernel-versions) <br/> SUSE Linux Enterprise Server 15, 15 SP1, SP2, SP3, SP4, SP5 [(review supported kernel versions)](#suse-linux-enterprise-server-15-supported-kernel-versions) <br/> SUSE Linux Enterprise Server 11 SP3. [Ensure to download latest mobility agent installer on the configuration server](vmware-physical-mobility-service-overview.md#download-latest-mobility-agent-installer-for-suse-11-sp3-suse-11-sp4-rhel-5-cent-os-5-debian-7-debian-8-debian-9-oracle-linux-6-and-ubuntu-1404-server). </br> SUSE Linux Enterprise Server 11 SP4 </br> **Note**: Upgrading replicated machines from SUSE Linux Enterprise Server 11 SP3 to SP4 isn't supported. To upgrade, disable replication and re-enable after the upgrade. 
<br/> Support for SUSE Linux Enterprise Server 15 SP5 is available for Modernized experience only.| -Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4573888/), [7.9](https://support.microsoft.com/help/4597409/), [8.0](https://support.microsoft.com/help/4573888/), [8.1](https://support.microsoft.com/help/4573888/), [8.2](https://support.microsoft.com/topic/b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.3](https://support.microsoft.com/topic/b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.4](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), 8.5, 8.6, 8.7, 8.8, 8.9, 9.0 <br/><br/> **Notes:** <br> - Support for Oracle Linux `8.9` and `9.0` is only available for Modernized experience and isn't available for Classic experience. <br> - Support for Oracle Linux `9.1` is removed from support matrix, as issues were observed using Azure Site Recovery with Oracle Linux 9.0 and 9.1. <br><br> Running the Red Hat compatible kernel or Unbreakable Enterprise Kernel Release 3, 4 & 5 (UEK3, UEK4, UEK5)<br/><br/>8.1<br/>Running on all UEK kernels and RedHat kernel <= 3.10.0-1062.* are supported in [9.35](https://support.microsoft.com/help/4573888/) Support for rest of the RedHat kernels is available in [9.36](https://support.microsoft.com/help/4578241/). 
| +Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4573888/), [7.9](https://support.microsoft.com/help/4597409/), [8.0](https://support.microsoft.com/help/4573888/), [8.1](https://support.microsoft.com/help/4573888/), [8.2](https://support.microsoft.com/topic/b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.3](https://support.microsoft.com/topic/b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.4](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), 8.5, 8.6, 8.7, 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3 <br/><br/> **Notes:** <br> - Support for Oracle Linux `8.9`, `9.0`, `9.1`, `9.2`, and `9.3` is only available for Modernized experience and isn't available for Classic experience. <br><br> Running the Red Hat compatible kernel or Unbreakable Enterprise Kernel Release 3, 4 & 5 (UEK3, UEK4, UEK5)<br/><br/>8.1<br/>Running on all UEK kernels and RedHat kernel <= 3.10.0-1062.* are supported in [9.35](https://support.microsoft.com/help/4573888/) Support for rest of the RedHat kernels is available in [9.36](https://support.microsoft.com/help/4578241/). <br> Oracle Linux `9.x` is supported for the [following kernel versions](#supported-red-hat-linux-kernel-versions-for-oracle-linux-on-azure-virtual-machines) | Rocky Linux | [See supported versions](#rocky-linux-server-supported-kernel-versions). > [!NOTE]->- For each of the Windows versions, Azure Site Recovery only supports [Long-Term Servicing Channel (LTSC)](/windows-server/get-started/servicing-channels-comparison#long-term-servicing-channel-ltsc) builds. [Semi-Annual Channel](/windows-server/get-started/servicing-channels-comparison#semi-annual-channel) releases are currently unsupported at this time. ->- Please ensure that for Linux versions, Azure Site Recovery doesn't support customized OS images. 
Only the stock kernels that are part of the distribution minor version release/update are supported. +>- For each of the Windows versions, Azure Site Recovery only supports [Long-Term Servicing Channel (LTSC)](/windows-server/get-started/servicing-channels-comparison#long-term-servicing-channel-ltsc) builds. [Semi-Annual Channel](/windows-server/get-started/servicing-channels-comparison#semi-annual-channel) releases are currently unsupported at this time. +>- Ensure that for Linux versions, Azure Site Recovery doesn't support customized OS images. Only the stock kernels that are part of the distribution minor version release/update are supported. +++#### Supported kernel versions for Red Hat Enterprise Linux for Azure virtual machines ++**Release** | **Mobility service version** | **Red Hat kernel version** | + | | | +RHEL 9.0 <br> RHEL 9.1 <br> RHEL 9.2 <br> RHEL 9.3 | 9.60 | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 <br> 5.14.0-284.11.1.el9_2.x86_64 <br> 5.14.0-284.13.1.el9_2.x86_64 <br> 5.14.0-284.16.1.el9_2.x86_64 <br> 5.14.0-284.18.1.el9_2.x86_64 <br> 5.14.0-284.23.1.el9_2.x86_64 <br> 5.14.0-284.25.1.el9_2.x86_64 <br> 5.14.0-284.28.1.el9_2.x86_64 <br> 5.14.0-284.30.1.el9_2.x86_64 <br> 5.14.0-284.32.1.el9_2.x86_64 <br> 5.14.0-284.34.1.el9_2.x86_64 <br> 5.14.0-284.36.1.el9_2.x86_64 <br> 5.14.0-284.40.1.el9_2.x86_64 <br> 5.14.0-284.41.1.el9_2.x86_64 <br>5.14.0-284.43.1.el9_2.x86_64 
<br>5.14.0-284.44.1.el9_2.x86_64 <br> 5.14.0-284.45.1.el9_2.x86_64 <br>5.14.0-284.48.1.el9_2.x86_64 <br>5.14.0-284.50.1.el9_2.x86_64 <br> 5.14.0-284.52.1.el9_2.x86_64 <br>5.14.0-362.8.1.el9_3.x86_64 <br>5.14.0-362.13.1.el9_3.x86_64 | ### Ubuntu kernel versions +> [!NOTE] +> Mobility service versions`9.56` and `9.60` are only available for Modernized experience. <br> +> Mobility service version `9.58` is not released for VMWare to Azure Site Recovery. <br> +> Mobility service versions `9.59` is only available for Classic experience. + **Supported release** | **Mobility service version** | **Kernel version** | | | |-14.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5), [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d), [9.57](https://support.microsoft.com/topic/update-rollup-70-for-azure-site-recovery-kb5034599-e94901f6-7624-4bb4-8d43-12483d2e1d50) <br> **Note:** Support for 9.56 is only available for Modernized experience. 
| 3.13.0-24-generic to 3.13.0-170-generic,<br/>3.16.0-25-generic to 3.16.0-77-generic,<br/>3.19.0-18-generic to 3.19.0-80-generic,<br/>4.2.0-18-generic to 4.2.0-42-generic,<br/>4.4.0-21-generic to 4.4.0-148-generic,<br/>4.15.0-1023-azure to 4.15.0-1045-azure | +14.04 LTS | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d), [9.57](https://support.microsoft.com/topic/update-rollup-70-for-azure-site-recovery-kb5034599-e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60 | 3.13.0-24-generic to 3.13.0-170-generic,<br/>3.16.0-25-generic to 3.16.0-77-generic,<br/>3.19.0-18-generic to 3.19.0-80-generic,<br/>4.2.0-18-generic to 4.2.0-42-generic,<br/>4.4.0-21-generic to 4.4.0-148-generic,<br/>4.15.0-1023-azure to 4.15.0-1045-azure | |||-16.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5), [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) **Note:** Support for 9.56 is only available for Modernized experience. 
| 4.4.0-21-generic to 4.4.0-210-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic, 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-142-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure,<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1113-azure </br> 4.15.0-101-generic to 4.15.0-107-generic | +16.04 LTS | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60 | 4.4.0-21-generic to 4.4.0-210-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic, 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-142-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1113-azure </br> 4.15.0-101-generic to 4.15.0-107-generic | |||+18.04 LTS | [9.60]() | No new Ubuntu 18.04 kernels supported in this release. | +18.04 LTS | [9.59]() | No new Ubuntu 18.04 kernels supported in this release. 
| 18.04 LTS | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | No new Ubuntu 18.04 kernels supported in this release|-18.04 LTS | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> **Note:** Support for 9.56 is only available for Modernized experience.| No new Ubuntu 18.04 kernels supported in this release| +18.04 LTS | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | No new Ubuntu 18.04 kernels supported in this release| 18.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 4.15.0-1163-azure <br> 4.15.0-1164-azure <br> 4.15.0-1165-azure <br> 4.15.0-1166-azure <br> 4.15.0-1167-azure <br> 4.15.0-210-generic <br> 4.15.0-211-generic <br> 4.15.0-212-generic <br> 4.15.0-213-generic <br> 5.4.0-1107-azure <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-147-generic <br> 5.4.0-148-generic <br> 5.4.0-149-generic <br> 5.4.0-150-generic | 18.04 LTS|[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 4.15.0-1161-azure <br> 4.15.0-1162-azure <br> 4.15.0-204-generic <br> 4.15.0-206-generic <br> 4.15.0-208-generic <br> 4.15.0-209-generic <br> 5.4.0-1101-azure <br> 5.4.0-1103-azure <br> 5.4.0-1104-azure <br> 5.4.0-1105-azure <br> 5.4.0-1106-azure <br> 5.4.0-139-generic <br> 5.4.0-144-generic <br> 5.4.0-146-generic |-18.04 LTS|[9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| 4.15.0-1157-azure </br> 4.15.0-1158-azure </br> 4.15.0-1159-azure </br> 4.15.0-197-generic </br> 4.15.0-200-generic </br> 4.15.0-201-generic </br> 4.15.0-202-generic <br> 5.4.0-1095-azure <br> 5.4.0-1098-azure <br> 5.4.0-1100-azure <br> 5.4.0-132-generic <br> 
5.4.0-135-generic <br> 5.4.0-136-generic <br> 5.4.0-137-generic | |||+20.04 LTS | [9.60]() | No new Ubuntu 20.04 kernels supported in this release. | +20.04 LTS | [9.59]() | No new Ubuntu 20.04 kernels supported in this release. | 20.04 LTS |[9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | 5.15.0-89-generic <br> 5.15.0-91-generic <br> 5.4.0-167-generic <br> 5.4.0-169-generic |-20.04 LTS |[9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> **Note**: 9.56 is available for Modernized experience only and not available for Classic experience yet. | 5.15.0-1049-azure <br> 5.15.0-1050-azure <br> 5.15.0-1051-azure <br> 5.15.0-86-generic <br> 5.15.0-87-generic <br> 5.15.0-88-generic <br> 5.4.0-1117-azure <br> 5.4.0-1118-azure <br> 5.4.0-1119-azure <br> 5.4.0-164-generic <br> 5.4.0-165-generic <br> 5.4.0-166-generic | +20.04 LTS |[9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | 5.15.0-1049-azure <br> 5.15.0-1050-azure <br> 5.15.0-1051-azure <br> 5.15.0-86-generic <br> 5.15.0-87-generic <br> 5.15.0-88-generic <br> 5.4.0-1117-azure <br> 5.4.0-1118-azure <br> 5.4.0-1119-azure <br> 5.4.0-164-generic <br> 5.4.0-165-generic <br> 5.4.0-166-generic | 20.04 LTS|[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 5.15.0-1037-azure <br> 5.15.0-1038-azure <br> 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-70-generic <br> 5.15.0-71-generic <br> 5.15.0-72-generic <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.4.0-1107-azure <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-148-generic <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-152-generic <br> 5.4.0-153-generic | 20.04 
LTS|[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.15.0-1033-azure <br> 5.15.0-1034-azure <br> 5.15.0-1035-azure <br> 5.15.0-1036-azure <br> 5.15.0-60-generic <br> 5.15.0-67-generic <br> 5.15.0-69-generic <br> 5.4.0-1101-azure <br> 5.4.0-1103-azure <br> 5.4.0-1104-azure <br> 5.4.0-1105-azure <br> 5.4.0-1106-azure <br> 5.4.0-139-generic <br> 5.4.0-144-generic <br> 5.4.0-146-generic <br> 5.4.0-147-generic |-20.04 LTS|[9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)| 5.15.0-1023-azure </br> 5.15.0-1029-azure </br> 5.15.0-1030-azure </br> 5.15.0-1031-azure </br> 5.15.0-53-generic </br> 5.15.0-56-generic </br> 5.15.0-57-generic <br> 5.15.0-58-generic <br> 5.4.0-1095-azure <br> 5.4.0-1098-azure <br> 5.4.0-1100-azure <br> 5.4.0-132-generic <br> 5.4.0-135-generic <br> 5.4.0-136-generic <br> 5.4.0-137-generic | |||+22.04 LTS <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet. 
| [9.60]() | 5.19.0-1025-azure <br> 5.19.0-1026-azure <br> 5.19.0-1027-azure <br> 6.2.0-1005-azure <br> 6.2.0-1006-azure <br> 6.2.0-1007-azure <br> 6.2.0-1008-azure <br> 6.2.0-1011-azure <br> 6.2.0-1012-azure <br> 6.2.0-1014-azure <br> 6.2.0-1015-azure <br> 6.2.0-1016-azure <br> 6.2.0-1017-azure <br> 6.2.0-1018-azure <br> 6.5.0-1007-azure <br> 6.5.0-1009-azure <br> 6.5.0-1010-azure <br> 5.19.0-41-generic <br> 5.19.0-42-generic <br> 5.19.0-43-generic <br> 5.19.0-45-generic <br> 5.19.0-46-generic <br> 5.19.0-50-generic <br> 6.2.0-25-generic <br> 6.2.0-26-generic <br> 6.2.0-31-generic <br> 6.2.0-32-generic <br> 6.2.0-33-generic <br> 6.2.0-34-generic <br> 6.2.0-35-generic <br> 6.2.0-36-generic <br> 6.2.0-37-generic <br> 6.2.0-39-generic <br> 6.5.0-14-generic | 22.04 LTS <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet.| [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | 5.15.0-76-generic <br> 5.15.0-89-generic <br> 5.15.0-91-generic | 22.04 LTS <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet. |[9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | 5.15.0-1049-azure <br> 5.15.0-1050-azure <br> 5.15.0-1051-azure <br> 5.15.0-86-generic <br> 5.15.0-87-generic <br> 5.15.0-88-generic | 22.04 LTS <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet. 
|[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.15.0-1037-azure <br> 5.15.0-1038-azure <br> 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-71-generic <br> 5.15.0-72-generic <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic | 22.04 LTS <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet. |[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.15.0-1033-azure <br> 5.15.0-1034-azure <br> 5.15.0-1035-azure <br> 5.15.0-1036-azure <br> 5.15.0-60-generic <br> 5.15.0-67-generic <br> 5.15.0-69-generic <br> 5.15.0-70-generic|-22.04 LTS <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet. |[9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5)|5.15.0-1003-azure </br> 5.15.0-1005-azure </br> 5.15.0-1007-azure </br> 5.15.0-1008-azure </br> 5.15.0-1010-azure </br> 5.15.0-1012-azure </br> 5.15.0-1013-azure <br> 5.15.0-1014-azure <br> 5.15.0-1017-azure <br> 5.15.0-1019-azure <br> 5.15.0-1020-azure <br> 5.15.0-1021-azure <br> 5.15.0-1022-azure <br> 5.15.0-1023-azure <br> 5.15.0-1024-azure <br> 5.15.0-1029-azure <br> 5.15.0-1030-azure <br> 5.15.0-1031-azure <br> 5.15.0-25-generic <br> 5.15.0-27-generic <br> 5.15.0-30-generic <br> 5.15.0-33-generic <br> 5.15.0-35-generic <br> 5.15.0-37-generic <br> 5.15.0-39-generic <br> 5.15.0-40-generic <br> 5.15.0-41-generic <br> 5.15.0-43-generic <br> 5.15.0-46-generic <br> 5.15.0-47-generic <br> 5.15.0-48-generic <br> 5.15.0-50-generic <br> 5.15.0-52-generic <br> 5.15.0-53-generic <br> 5.15.0-56-generic <br> 5.15.0-57-generic <br> 5.15.0-58-generic | + ### Debian kernel versions +> [!NOTE] +> Mobility service versions`9.56` 
and `9.60` are only available for Modernized experience. <br> +> Mobility service version `9.58` is not released for VMWare to Azure Site Recovery. <br> +> Mobility service versions `9.59` is only available for Classic experience. + **Supported release** | **Mobility service version** | **Kernel version** | | | |-Debian 7 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5), [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d), [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) <br> **Note:** Support for 9.56 is only available for Modernized experience. | 3.2.0-4-amd64 to 3.2.0-6-amd64, 3.16.0-0.bpo.4-amd64 | +Debian 7 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d), [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60 | 3.2.0-4-amd64 to 3.2.0-6-amd64, 3.16.0-0.bpo.4-amd64 | |||-Debian 8 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5), [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), 
[9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) <br> **Note:** Support for 9.56 is only available for Modernized experience. | 3.16.0-4-amd64 to 3.16.0-11-amd64, 4.9.0-0.bpo.4-amd64 to 4.9.0-0.bpo.12-amd64 | +Debian 8 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60 | 3.16.0-4-amd64 to 3.16.0-11-amd64, 4.9.0-0.bpo.4-amd64 to 4.9.0-0.bpo.12-amd64 | |||-Debian 9.1 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) <br> **Note:** Support for 9.56 is only available for Modernized experience. | No new Debian 9.1 kernels supported in this release| -Debian 9.1 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> **Note:** Support for 9.56 is only available for Modernized experience. | No new Debian 9.1 kernels supported in this release| +Debian 9.1 | [9.60]() | No new Debian 9.1 kernels supported in this release. | +Debian 9.1 | [9.59]() | No new Debian 9.1 kernels supported in this release. | +Debian 9.1 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | No new Debian 9.1 kernels supported in this release| +Debian 9.1 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | No new Debian 9.1 kernels supported in this release. 
| Debian 9.1 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | No new Debian 9.1 kernels supported in this release| Debian 9.1 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| No new Debian 9.1 kernels supported in this release-Debian 9.1 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | No new Debian 9.1 kernels supported in this release |||+Debian 10 | [9.60]()| 4.19.0-26-amd64 <br> 4.19.0-26-cloud-amd64 <br> 5.10.0-0.deb10.27-amd64 <br> 5.10.0-0.deb10.27-cloud-amd64 | +Debian 10 | [9.59]() | No new Debian 10 kernels supported in this release. | Debian 10 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | No new Debian 10 kernels supported in this release |-Debian 10 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> **Note**: Support for 9.56 agent is available for Modernized experience only. 
| 5.10.0-0.deb10.26-amd64 <br> 5.10.0-0.deb10.26-cloud-amd64 | +Debian 10 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | 5.10.0-0.deb10.26-amd64 <br> 5.10.0-0.deb10.26-cloud-amd64 | Debian 10 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 4.19.0-24-amd64 <br> 4.19.0-24-cloud-amd64 <br> 5.10.0-0.deb10.22-amd64 <br> 5.10.0-0.deb10.22-cloud-amd64 <br> 5.10.0-0.deb10.23-amd64 <br> 5.10.0-0.deb10.23-cloud-amd64 | Debian 10 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.10.0-0.bpo.3-amd64 <br> 5.10.0-0.bpo.3-cloud-amd64 <br> 5.10.0-0.bpo.4-amd64 <br> 5.10.0-0.bpo.4-cloud-amd64 <br> 5.10.0-0.bpo.5-amd64 <br> 5.10.0-0.bpo.5-cloud-amd64 <br> 5.10.0-0.deb10.21-amd64 <br> 5.10.0-0.deb10.21-cloud-amd64 |-Debian 10 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 4.19.0-23-amd64 </br> 4.19.0-23-cloud-amd64 </br> 5.10.0-0.deb10.20-amd64 </br> 5.10.0-0.deb10.20-cloud-amd64 | |||-Debian 11 | [9.57]() | No new Debian 11 kernels supported in this release. | -Debian 11 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> **Note**: Support for 9.56 agent is available for Modernized experience only. | 5.10.0-26-amd64 <br> 5.10.0-26-cloud-amd64 | +Debian 11 | [9.60]() | 5.10.0-27-amd64 <br> 5.10.0-27-cloud-amd64 | +Debian 11 | [9.59]() | No new Debian 11 kernels supported in this release. | +Debian 11 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | No new Debian 11 kernels supported in this release. 
| +Debian 11 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | 5.10.0-26-amd64 <br> 5.10.0-26-cloud-amd64 | Debian 11 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.10.0-22-amd64 <br> 5.10.0-22-cloud-amd64 <br> 5.10.0-23-amd64 <br> 5.10.0-23-cloud-amd64 | Debian 11 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.10.0-21-amd64 <br> 5.10.0-21-cloud-amd64 |-Debian 11 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.10.0-20-amd64 </br> 5.10.0-20-cloud-amd64 | ### SUSE Linux Enterprise Server 12 supported kernel versions +> [!NOTE] +> Mobility service versions`9.56` and `9.60` are only available for Modernized experience. <br> +> Mobility service version `9.58` is not released for VMWare to Azure Site Recovery. <br> +> Mobility service versions `9.59` is only available for Classic experience. ++ **Release** | **Mobility service version** | **Kernel version** | | | |+SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.60]() | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 4.12.14-16.163-azure:5 | +SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.59]() | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 12 kernels supported in this release. 
| SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 12 kernels supported in this release. |-SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> **Note**: Support for 9.56 agent is available for Modernized experience only. | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 12 kernels supported in this release. | +SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 12 kernels supported in this release. 
| SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 4.12.14-16.130-azure:5 <br> 4.12.14-16.133-azure:5 <br> 4.12.14-16.136-azure:5 | SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 4.12.14-16.124-azure:5 <br> 4.12.14-16.127-azure:5 |-SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 4.12.14-16.115-azure:5 <br> 4.12.14-16.120-azure:5 | ### SUSE Linux Enterprise Server 15 supported kernel versions +> [!NOTE] +> Mobility service versions`9.56` and `9.60` are only available for Modernized experience. <br> +> Mobility service version `9.58` is not released for VMWare to Azure Site Recovery. <br> +> Mobility service versions `9.59` is only available for Classic experience. ++ **Release** | **Mobility service version** | **Kernel version** | | | |+SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4 | [9.60]() | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 15 kernels supported in this release. 
| +SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4 | [9.59]() | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 15 kernels supported in this release. | SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4, SP5 <br> **Note:** SUSE 15 SP5 is only supported for Modernized experience. | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 15 kernels supported in this release.|-SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4, SP5 <br> **Note:** SUSE 15 SP5 is only supported for Modernized experience. | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> **Note**: Support for 9.56 agent is available for Modernized experience only. | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 4.12.14-16.152-azure:5 <br> 5.14.21-150400.14.69-azure:4 <br> 5.14.21-150500.31-azure:5 <br> 5.14.21-150500.33.11-azure:5 <br> 5.14.21-150500.33.14-azure:5 <br> 5.14.21-150500.33.17-azure:5 <br> 5.14.21-150500.33.20-azure:5 <br> 5.14.21-150500.33.3-azure:5 <br> 5.14.21-150500.33.6-azure:5 | +SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4, SP5 <br> **Note:** SUSE 15 SP5 is only supported for Modernized experience. 
| [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 4.12.14-16.152-azure:5 <br> 5.14.21-150400.14.69-azure:4 <br> 5.14.21-150500.31-azure:5 <br> 5.14.21-150500.33.11-azure:5 <br> 5.14.21-150500.33.14-azure:5 <br> 5.14.21-150500.33.17-azure:5 <br> 5.14.21-150500.33.20-azure:5 <br> 5.14.21-150500.33.3-azure:5 <br> 5.14.21-150500.33.6-azure:5 | SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 5.14.21-150400.14.49-azure:4 <br> 5.14.21-150400.14.52-azure:4 | SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 5.14.21-150400.14.31-azure:4 <br> 5.14.21-150400.14.34-azure:4 <br> 5.14.21-150400.14.37-azure:4 <br> 5.14.21-150400.14.43-azure:4 <br> 5.14.21-150400.14.46-azure:4 <br> 5.14.21-150400.14.40-azure:4 |-SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4 | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 5.14.21-150400.14.21-azure:4 <br> 5.14.21-150400.14.28-azure:4 <br> 5.3.18-150300.38.88-azure:3 | ++#### Supported Red Hat Linux kernel versions for Oracle Linux on Azure virtual machines ++**Release** | **Mobility service version** 
| **Red Hat kernel version** | + | | | +Oracle Linux 9.0 <br> Oracle Linux 9.1 <br> Oracle Linux 9.2 <br> Oracle Linux 9.3 | 9.60 | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 <br> 5.14.0-284.11.1.el9_2.x86_64 <br>5.14.0-284.13.1.el9_2.x86_64 <br>5.14.0-284.16.1.el9_2.x86_64 <br>5.14.0-284.18.1.el9_2.x86_64 <br> 5.14.0-284.23.1.el9_2.x86_64 <br> 5.14.0-284.25.1.el9_2.x86_64 <br> 5.14.0-284.28.1.el9_2.x86_64 <br> 5.14.0-284.30.1.el9_2.x86_64 <br> 5.14.0-284.32.1.el9_2.x86_64 <br> 5.14.0-284.34.1.el9_2.x86_64 <br> 5.14.0-284.36.1.el9_2.x86_64 <br> 5.14.0-284.40.1.el9_2.x86_64 <br> 5.14.0-284.41.1.el9_2.x86_64 <br> 5.14.0-284.43.1.el9_2.x86_64 <br> 5.14.0-284.44.1.el9_2.x86_64 <br> 5.14.0-284.45.1.el9_2.x86_64 <br> 5.14.0-284.48.1.el9_2.x86_64 <br> 5.14.0-284.50.1.el9_2.x86_64 <br> 5.14.0-284.52.1.el9_2.x86_64 <br> 5.14.0-362.8.1.el9_3.x86_64 <br> 5.14.0-362.13.1.el9_3.x86_64 | + ### Rocky Linux Server supported kernel versions > [!IMPORTANT] > Support for Rocky Linux is available for Modernized experience only and not available for Classic experience. 
+**Release** | **Mobility service version** | **Red Hat kernel version** | + | | | +Rocky Linux 9.0 <br> Rocky Linux 9.1 | [9.60]() | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 | + **Release** | **Mobility service version** | **Kernel version** | | | | Rocky Linux <br> | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | Rocky Linux 8.8 <br> Rocky Linux 8.9 | Rocky Linux <br> | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | Rocky Linux 8.7 <br> Rocky Linux 9.0 | -> [!NOTE] -> Support for Rocky Linux 9.1 is removed from the support matrix as issues were observed while using it with Azure Site Recovery. ## Linux file systems/guest storage |
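Review bot: In the SUSE Linux Enterprise Server 15 table, the added 9.60 and 9.59 rows link to "stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels" and give the release as "15, SP1, SP2, SP3, SP4", while the existing 9.57 and 9.56 rows in the same table say "stock SUSE 15, SP1, SP2, SP3, SP4, SP5 kernels" and include SP5. This looks copied from the SUSE 12 table: change the link text to SUSE 15, and either add SP5 to the release cell or state why it does not apply to these versions.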
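Review bot: The note block added above the Debian, SUSE 12 and SUSE 15 tables needs a wording pass: "versions`9.56`" is missing a space before the backtick, "Mobility service versions `9.59` is" should be "version `9.59` is", and "VMWare" should be "VMware". The new `[9.60]()` and `[9.59]()` entries are links with an empty target; add the update rollup URL or write them as plain text, as the Ubuntu 16.04 and Debian 7 and 8 rows already do ("9.59, 9.60").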
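Review bot: The Rocky Linux hunk adds a 9.60 row that covers Rocky Linux 9.1 and deletes the note saying 9.1 support "is removed from the support matrix as issues were observed", without stating that those issues are resolved; confirm that before merging or keep a note explaining the change. The new table is placed above the existing **Release** / **Kernel version** table with its own header row, so the section now has two tables whose third column means different things; merge them or give each a heading. The kernel entry `5.14.0-162.6.1.el9_1.x86_64` is followed by stray non-ASCII characters in both the Oracle Linux and Rocky Linux tables and should be cleaned up.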
storage | Access Tiers Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/access-tiers-overview.md | The cold tier is now generally available in all public and Azure Government regi ### Limitations and known issues -- The [change feed](storage-blob-change-feed.md) is not yet compatible with the cold tier.-- [Object replication](object-replication-overview.md) is not yet compatible with the cold tier. - The default access tier setting of the account can't be set to cold tier. ### Required versions of REST, SDKs, and tools |
storage | Storage Quickstart Blobs Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-quickstart-blobs-python.md | You can authorize access to data in your storage account using the following ste ```python from azure.identity import DefaultAzureCredential+ from azure.storage.blob import BlobServiceClient ``` 3. Add this code inside the `try` block. When the code runs on your local workstation, `DefaultAzureCredential` uses the developer credentials of the prioritized tool you're logged into to authenticate to Azure. Examples of these tools include Azure CLI or Visual Studio Code. |
storage | Versioning Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/versioning-enable.md | To enable blob versioning for a storage account in the Azure portal: :::image type="content" source="media/versioning-enable/portal-enable-versioning.png" alt-text="Screenshot showing how to enable blob versioning in Azure portal"::: > [!IMPORTANT]-> If you set the **Delete versions after** option, a rule is automatically added to the lifecycle management policy of the storage account. Once that rule is added, the **Delete versions after** option no appears in the **Data protection** configuration page. +> If you set the **Delete versions after** option, a rule is automatically added to the lifecycle management policy of the storage account. Once that rule is added, the **Delete versions after** option no longer appears in the **Data protection** configuration page. > > You can make that option reappear in the **Data protection** page by removing the rule. If your lifecycle management policy contains other rules that delete versions, then you'll have to remove those rules as well before the **Delete versions after** option can reappear. |
storage | Elastic San Batch Create Sample | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/elastic-san/elastic-san-batch-create-sample.md | Title: Create multiple Azure Elastic SAN Preview volumes in a batch -description: Azure PowerShell Script Sample - Create multiple elastic SAN Preview volumes in a batch. +description: Azure PowerShell Script Sample - Create multiple Elastic SAN Preview volumes in a batch. |
storage | Elastic San Snapshots | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/elastic-san/elastic-san-snapshots.md | Currently, you can only use the Azure portal to create Elastic SAN volumes from 1. Select **Create volume**. 1. For **Source type** select **Disk snapshot** and fill out the rest of the values. 1. Select **Create**.++## Limitations ++- If a volume is larger than 4 TiB, export of a volume snapshot to a disk snapshot is not supported. |
storage | Storage Files Migration Robocopy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-migration-robocopy.md | You should be prepared to run multiple rounds of RoboCopy against a given namesp `/R:5 /W:5` is a reasonable setting that you can adjust to your liking. In this example, a failed file will be retried five times, with five-second wait time between retries. If the file still fails to copy, the next RoboCopy job will try again. Often files that failed because they are in use or because of timeout issues might eventually be copied successfully this way. +### Estimating storage transaction charges ++As you begin your migration to Azure Files, RoboCopy copies your files and folders into Azure. Depending on your billing model for Azure Files, transaction charges might apply. See [Understanding billing](understanding-billing.md). ++If you're using a pay-as-you-go billing model for standard Azure file shares, it might be difficult to estimate the number of transactions your migration will generate. ++- It's not possible to estimate the number of transactions based on the utilized storage capacity of the source. The number of transactions scales with the number of namespace items (files and folder) and their properties that are migrated, not their size. For example, more transactions are required to migrate 1 GiB of small files than 1 GiB of larger files. +- In order to minimize downtime, you might need to run copy operations several times from source to target. All source and target items are processed during each copy operation, though subsequent runs finish faster. After the initial operations, only the differences introduced between copy runs are transported over the network. It's important to understand that although less data is being transported, the number of transactions required might remain the same. +- Copying the same file twice might not result in the same number of transactions. 
Processing an item migrated in a previous copy run might result in only a few read transactions. In contrast, changes to metadata or content between copy runs might require a larger number of transactions to update the target. Each file in your namespace might have unique requirements, resulting in a different number of transactions. ++It's advisable to run some initial tests on your own data to better understand how many transactions are incurred. This will give you a better idea of the total number of transactions a file migration might generate. + ## Next steps The following articles will help you understand advanced options and best practices. |
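Review bot: In the first bullet of the new "Estimating storage transaction charges" section, "(files and folder)" should read "(files and folders)". The closing paragraph advises running initial tests to see how many transactions are incurred but does not say where the reader can read that count; point to where the transaction numbers are reported, or link to the relevant part of the billing article.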
storage | Storage How To Use Files Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-how-to-use-files-linux.md | HTTP_ENDPOINT=$(az storage account show \ SMB_PATH=$(echo $HTTP_ENDPOINT | cut -c7-${#HTTP_ENDPOINT})$FILE_SHARE_NAME if [ -z "$(grep $SMB_PATH\ $MNT_PATH /etc/fstab)" ]; then- echo "$SMB_PATH $MNT_PATH cifs nofail,credentials=$SMB_CREDENTIAL_FILE,serverino,nosharesock,actimeo=30" | sudo tee -a /etc/fstab > + echo "$SMB_PATH $MNT_PATH cifs _netdev,nofail,credentials=$SMB_CREDENTIAL_FILE,serverino,nosharesock,actimeo=30" | sudo tee -a /etc/fstab > else echo "/etc/fstab was not modified to avoid conflicting entries as this Azure file share was already present. You may want to double check /etc/fstab to ensure the configuration is as desired." fi |
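Review bot: The `_netdev` option is only written when the `grep` guard finds no existing entry for the share, so a host that already ran the earlier version of this script keeps its `/etc/fstab` line without `_netdev` and falls through to the "was not modified" branch. Add a sentence telling readers with an existing entry to add `_netdev` by hand, and say briefly why the option is needed (the mount depends on networking being up at boot).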
virtual-machine-scale-sets | Flexible Virtual Machine Scale Sets Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/flexible-virtual-machine-scale-sets-portal.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + This article steps through using Azure portal to create a Virtual Machine Scale Set. ## Log in to Azure Sign in to the [Azure portal](https://portal.azure.com). |
virtual-machine-scale-sets | Quick Create Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/quick-create-portal.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Uniform scale sets > [!NOTE] |
virtual-machine-scale-sets | Spot Priority Mix | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/spot-priority-mix.md | -**Applies to:** :heavy_check_mark: Flexible scale sets +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. ++**Applies to:** :heavy_check_mark: Flexible scale sets Azure allows you to have the flexibility of running a mix of uninterruptible standard VMs and interruptible Spot VMs for Virtual Machine Scale Set deployments. You're able to deploy this Spot Priority Mix using Flexible orchestration to easily balance between high-capacity availability and lower infrastructure costs according to your workload requirements. This feature allows you to easily manage your scale set capability to achieve the following goals: You can set your Spot Priority Mix by using an ARM template to add the following You can refer to this [ARM template example](https://paste.microsoft.com/f84d2f83-f6bf-4d24-aa03-175b0c43da32) for more context. -### [Portal](#tab/portal) +### [Portal](#tab/portal) -You can set your Spot Priority Mix in the Spot tab of the Virtual Machine Scale Sets creation process in the Azure portal. The following steps instruct you on how to access this feature during that process. +You can set your Spot Priority Mix in the Spot tab of the Virtual Machine Scale Sets creation process in the Azure portal. The following steps instruct you on how to access this feature during that process. 1. Log in to the [Azure portal](https://portal.azure.com). 1. In the search bar, search for and select **Virtual Machine Scale Sets**. You can set your Spot Priority Mix in the Spot tab of the Virtual Machine Scale 1. In the **Basics** tab, fill out the required fields, select **Flexible** as the **Orchestration** mode, and select the checkbox for **Run with Azure Spot discount**. 1. 
In the **Spot** tab, select the check-box next to *Scale with VMs and Spot VMs* option under the **Scale with VMs and discounted Spot VMs** section. 1. Fill out the **Base VM (uninterruptible) count** and **Instance distribution** fields to configure your percentage split between Spot and Standard VMs.-1. Continue through the Virtual Machine Scale Set creation process. +1. Continue through the Virtual Machine Scale Set creation process. ### [Azure CLI](#tab/cli) -You can set your Spot Priority Mix using Azure CLI by setting the `priority` flag to `Spot` and including the `regular-priority-count` and `regular-priority-percentage` flags. +You can set your Spot Priority Mix using Azure CLI by setting the `priority` flag to `Spot` and including the `regular-priority-count` and `regular-priority-percentage` flags. ```azurecli az vmss create -n myScaleSet \ az vmss create -n myScaleSet \ ### [Azure PowerShell](#tab/powershell) -You can set your Spot Priority Mix using Azure PowerShell by setting the `Priority` parameter to `Spot` and including the `BaseRegularPriorityCount` and `RegularPriorityPercentage` parameters. +You can set your Spot Priority Mix using Azure PowerShell by setting the `Priority` parameter to `Spot` and including the `BaseRegularPriorityCount` and `RegularPriorityPercentage` parameters. ```azurepowershell $vmssConfig = New-AzVmssConfig ` You can update your existing Spot Priority Mix in the Configuration tab of the V 1. Navigate to the specific virtual machine scale set that you're adjusting the Spot Priority Mix on. 1. In the left side bar, scroll down to and select **Configuration**.-1. Your current Spot Priority Mix should be visible. Here you can change the **Base VM (uninterruptible) count** and **Instance distribution** of Spot and Standard VMs. +1. Your current Spot Priority Mix should be visible. Here you can change the **Base VM (uninterruptible) count** and **Instance distribution** of Spot and Standard VMs. 1. 
Update your Spot Mix as needed.-1. Press the **Save** button to apply your changes. +1. Press the **Save** button to apply your changes. ### [Azure CLI](#tab/cli) -You can update your Spot Priority Mix using Azure CLI by updating the `regular-priority-count` and `regular-priority-percentage` parameters. +You can update your Spot Priority Mix using Azure CLI by updating the `regular-priority-count` and `regular-priority-percentage` parameters. ```azurecli az vmss update --resource-group myResourceGroup \ az vmss update --resource-group myResourceGroup \ ### [Azure PowerShell](#tab/powershell) -You can update your Spot Priority Mix using Azure PowerShell by updating the `BaseRegularPriorityCount` and `RegularPriorityPercentage` parameters. +You can update your Spot Priority Mix using Azure PowerShell by updating the `BaseRegularPriorityCount` and `RegularPriorityPercentage` parameters. ```azurepowershell $vmss = Get-AzVmss ` Update-AzVmss ` ## Examples -The following examples have scenario assumptions, a table of actions, and walk-through of results to help you understand how Spot Priority Mix configuration works. +The following examples have scenario assumptions, a table of actions, and walk-through of results to help you understand how Spot Priority Mix configuration works. Some important terminology to notice before referring to these examples: Example walk-through: - Note, because there's a 50/50 split, in the fourth scale-out, there's one more Spot VM than standard VM. Once it's scaled out again (5th scale-out), the 50/50 balance is restored with another standard VM. 1. You then scale in your scale set with the eviction policy being *evict-delete*, which deletes all the Spot VMs. 1. With the scale-out operations mentioned in this scenario, you restore the 50/50 balance in your scale set by only creating Spot VMs.-1. By the last scale-out, your scale set is already balanced, so one of each type of VM is created. +1. 
By the last scale-out, your scale set is already balanced, so one of each type of VM is created. ### Scenario 2 The following scenario assumptions apply to this example: Example walk-through: 1. With the initial creation of the Virtual Machine Scale Set and Spot Priority Mix, you have 20 VMs.- - 10 of those VMs are the Base (standard) VMs, 2 extra standard VMs, and 8 Spot priority VMs for your 25% *regularPriorityPercentageAboveBase*. - - Another way to look at this ratio is you have 1 standard VM for every 4 Spot VMs in the scale set. + - 10 of those VMs are the Base (standard) VMs, 2 extra standard VMs, and 8 Spot priority VMs for your 25% *regularPriorityPercentageAboveBase*. + - Another way to look at this ratio is you have 1 standard VM for every 4 Spot VMs in the scale set. 2. You then scale out twice to create 90 more VMs; 23 standard VMs and 67 Spot VMs. 3. When you scale in by 10 VMs, 10 Spot VMs are *stop-deallocated*, creating an imbalance in your scale set. 4. Your next scale out operation creates another 2 standard VMs and 8 Spot VMs, bringing you closer to your 25% above base ratio. -## Troubleshooting +## Troubleshooting If Spot Priority Mix isn't available to you, be sure to configure the `priorityMixPolicy` to specify a *Spot* priority in the `virtualMachineProfile`. Without enabling the `priorityMixPolicy` setting, you won't be able to access this Spot feature. Spot Priority Mix applies for scale actions on the scale set. Changing the perce Spot Priority Mix is only available on Virtual Machine Scale Sets with Flexible orchestration mode. ### Q: Which regions is Spot Priority Mix enabled in?-Spot VMs, and therefore Spot Priority Mix, are available in all global Azure regions. +Spot VMs, and therefore Spot Priority Mix, are available in all global Azure regions. ## Next steps |
virtual-machine-scale-sets | Tutorial Autoscale Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/tutorial-autoscale-cli.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + When you create a scale set, you define the number of VM instances that you wish to run. As your application demand changes, you can automatically increase or decrease the number of VM instances. The ability to autoscale lets you keep up with customer demand or respond to application performance changes throughout the lifecycle of your app. In this tutorial you learn how to: > [!div class="checklist"] |
virtual-machines | Automatic Vm Guest Patching | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/automatic-vm-guest-patching.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets Enabling automatic VM guest patching for your Azure VMs helps ease update management by safely and automatically patching virtual machines to maintain security compliance, while limiting the blast radius of VMs. |
virtual-machines | Compiling Scaling Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/compiling-scaling-applications.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets Optimal scale-up and scale-out performance of HPC applications on Azure requires performance tuning and optimization experiments for the specific workload. This section and the VM series-specific pages offer general guidance for scaling your applications. |
virtual-machines | Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/configure.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + **Applies to:** :heavy_check_mark: Linux VMs :heavy_check_mark: Windows VMs :heavy_check_mark: Flexible scale sets :heavy_check_mark: Uniform scale sets This article shares some guidance on configuring and optimizing the InfiniBand-enabled [HB-series](sizes-hpc.md) and [N-series](sizes-gpu.md) VMs for HPC. |
virtual-network | Accelerated Networking Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/accelerated-networking-overview.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + This article describes the benefits, constraints, and supported configurations of Accelerated Networking. Accelerated Networking enables [single root I/O virtualization (SR-IOV)](/windows-hardware/drivers/network/overview-of-single-root-i-o-virtualization--sr-iov-) on supported virtual machine (VM) types, greatly improving networking performance. This high-performance data path bypasses the host, which reduces latency, jitter, and CPU utilization for the most demanding network workloads. >[!NOTE] |
virtual-network | Create Vm Accelerated Networking Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/create-vm-accelerated-networking-cli.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + This article describes how to create a Linux or Windows virtual machine (VM) with Accelerated Networking (AccelNet) enabled by using the Azure CLI command-line interface. The article also discusses how to enable and manage Accelerated Networking on existing VMs. You can also create a VM with Accelerated Networking enabled by using the [Azure portal](quick-create-portal.md). For more information about using the Azure portal to manage Accelerated Networking on VMs, see [Manage Accelerated Networking through the portal](#manage-accelerated-networking-through-the-portal). |
virtual-network | Default Outbound Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/default-outbound-access.md | If you deploy a virtual machine in Azure and it doesn't have explicit outbound c * Customers don't own the default outbound access IP. This IP might change, and any dependency on it could cause issues in the future. -Some examples of configurations that will not work when using default outbound access: -- When you have multiple NICs on the same VM, note that default outbound IPs will not consistently be the same across all NICs.+Some examples of configurations that won't work when using default outbound access: +- When you have multiple NICs on the same VM, note that default outbound IPs won't consistently be the same across all NICs. - When scaling up/down Virtual Machine Scale sets, default outbound IPs assigned to individual instances can and will often change.-- Similarly, default outbound IPs are not consistent or contigious across VM instances in a Virtual Machine Scale Set.+- Similarly, default outbound IPs aren't consistent or contiguous across VM instances in a Virtual Machine Scale Set. ## How can I transition to an explicit method of public connectivity (and disable default outbound access)? There are multiple ways to turn off default outbound access. The following sections describe the options available to you. >[!Important]-> Private Subnet is currently in public preview. It is provided without a service-level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Private Subnet is currently in public preview. It's provided without a service-level agreement, and is not recommended for production workloads. 
Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). ### Utilize the Private Subnet parameter There are multiple ways to turn off default outbound access. The following secti * VMs on a Private subnet can still access the Internet using explicit outbound connectivity. > [!NOTE]- > Certain services will not function on a virtual machine in a Private Subnet without an explicit method of egress (examples are Windows Activation and Windows Updates). + > Certain services won't function on a virtual machine in a Private Subnet without an explicit method of egress (examples are Windows Activation and Windows Updates). #### Add the Private subnet feature There are multiple ways to turn off default outbound access. The following secti * Using CLI, when creating a subnet with [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create), use the `--default-outbound` option and choose "false" * Using an Azure Resource Manager template, set the value of `defaultOutboundAccess` parameter to be "false"++#### Private subnet limitations + +* In order to utilize to activate/update virtual machine operation systems, including Windows, it's a requirement to have an explicit outbound connectivity method. ++* Delegated subnets can't be marked as Private. ++* Existing subnets can't currently be converted to Private. ++* In configurations using a User Defined Route (UDR) with a default route (0/0) that sends traffic to an upstream firewall/network virtual appliance, any traffic that bypasses this route (e.g. to Service Tagged destinations) will break in a Private subnet. ### Add an explicit outbound connectivity method NAT gateway is the recommended approach to have explicit outbound connectivity. 
## Constraints -* Public connectivity is required for Windows Activation and Windows Updates. It is recommended to set up an explicit form of public outbound connectivity. +* Public connectivity is required for Windows Activation and Windows Updates. It's recommended to set up an explicit form of public outbound connectivity. * Default outbound access IP doesn't support fragmented packets. |
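Review bot: The first bullet under the new "Private subnet limitations" heading doesn't parse: "In order to utilize to activate/update virtual machine operation systems" is missing the object of "utilize" and says "operation systems" where "operating systems" is meant. Something like "Activating or updating virtual machine operating systems, including Windows, requires an explicit outbound connectivity method" would say what the bullet intends. In the last bullet, "(0/0)" is shorthand that readers may not recognize as the default route prefix, and "will break" leaves the reader without a next step; it would help to spell out the prefix and say which explicit egress method is expected for traffic that bypasses the UDR. The preview note now mixes "It's provided" with "is not recommended", while the rest of the hunk moves to contractions.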
virtual-network | Setup Dpdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/setup-dpdk.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + Data Plane Development Kit (DPDK) on Azure offers a faster user-space packet processing framework for performance-intensive applications. This framework bypasses the virtual machine’s kernel network stack. In typical packet processing that uses the kernel network stack, the process is interrupt-driven. When the network interface receives incoming packets, there's a kernel interrupt to process the packet and a context switch from the kernel space to the user space. DPDK eliminates context switching and the interrupt-driven method in favor of a user-space implementation that uses poll mode drivers for fast packet processing. |
virtual-network | Virtual Network Bandwidth Testing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-bandwidth-testing.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + This article describes how to use the free NTTTCP tool from Microsoft to test network bandwidth and throughput performance on Azure Windows or Linux virtual machines (VMs). A tool like NTTTCP targets the network for testing and minimizes the use of other resources that could affect performance. ## Prerequisites You can test throughput from Windows VMs by using [NTTTCP](https://github.com/mi Run the test for 300 seconds, or five minutes, on both the sender and receiver VMs. The sender and receiver must specify the same test duration for the `-t` parameter. 1. On the receiver VM, run the following command, replacing the `<number of VM cores>`, and `<receiver IP address>` placeholders with your own values.- + **`ntttcp -r -m [<number of VM cores> x 2],*,<receiver IP address> -t 300`**- + ```cmd ntttcp -r -m 4,*,10.0.0.5 -t 300 ``` Run the test for 300 seconds, or five minutes, on both the sender and receiver V 1. Wait for the results. When the test is complete, the output should be similar as the following example:- + ```output C:\tools>ntttcp -s -m 4,*,10.0.0.5 -t 300 Copyright Version 5.39 Packets Sent Packets Received Retransmits Errors Avg. CPU % ============ ================ =========== ====== ========== 25324915 2161992 60412 0 15.075 -``` +``` # [Linux](#tab/linux) To measure throughput from Linux machines, use [NTTTCP-for-Linux](https://github - For **CentOS**, install `gcc` , `make` and `git`. 
``` bash- sudo yum install gcc -y + sudo yum install gcc -y sudo yum install git -y sudo yum install make -y ``` To measure throughput from Linux machines, use [NTTTCP-for-Linux](https://github - For **Ubuntu**, install `build-essential` and `git`. ```bash- sudo apt-get -y install build-essential + sudo apt-get -y install build-essential sudo apt-get -y install git ``` |
virtual-network | Virtual Network Optimize Network Bandwidth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-optimize-network-bandwidth.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + Azure Virtual Machines (VMs) have default network settings that can be further optimized for network throughput. This article describes how to optimize network throughput for Microsoft Azure Windows and Linux VMs, including major distributions such as Ubuntu, CentOS, and Red Hat. ## Windows virtual machines |
virtual-network | Virtual Network Peering Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-peering-overview.md | Addresses can be resized in the following ways: - Resizing of address space is supported cross-tenant -Synching of virtual network peers can be performed through the Azure portal or with Azure PowerShell. We recommend that you run sync after every resize address space operation instead of performing multiple resizing operations and then running the sync operation. To learn how to update the address space for a peered virtual network, see [Updating the address space for a peered virtual network](./update-virtual-network-peering-address-space.md). +Syncing of virtual network peers can be performed through the Azure portal or with Azure PowerShell. We recommend that you run sync after every resize address space operation instead of performing multiple resizing operations and then running the sync operation. To learn how to update the address space for a peered virtual network, see [Updating the address space for a peered virtual network](./update-virtual-network-peering-address-space.md). > [!IMPORTANT] > This feature doesn't support scenarios where the virtual network to be updated is peered with: |
virtual-network | Virtual Network Test Latency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-network-test-latency.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + This article describes how to test network latency between Azure virtual machines (VMs) by using the publicly available tools [Latte](https://github.com/microsoft/latte) for Windows or [SockPerf](https://github.com/mellanox/sockperf) for Linux. For the most accurate results, you should measure VM network latency with a tool that's designed for the task and excludes other types of latency, such as application latency. Latte and SockPerf provide the most relevant network latency results by focusing on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic. Most applications use these protocols, and this traffic has the largest effect on application performance. |
virtual-network | Virtual Networks Name Resolution For Vms And Role Instances | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md | +> [!CAUTION] +> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. + Azure can be used to host IaaS, PaaS, and hybrid solutions. In order to facilitate communication between the virtual machines (VMs) and other resources deployed in a virtual network, it may be necessary to allow them to communicate with each other. The use of easily remembered and unchanging names simplifies the communication process, rather than relying on IP addresses. When resources deployed in virtual networks need to resolve domain names to internal IP addresses, they can use one of four methods: |
web-application-firewall | Waf Front Door Rate Limit | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/afds/waf-front-door-rate-limit.md | -Rate limiting enables you to detect and block abnormally high levels of traffic from any socket IP address. -By using Azure Web Application Firewall in Azure Front Door, you can mitigate some types of denial-of-service attacks. Rate limiting also protects you against clients that were accidentally misconfigured to send large volumes of requests in a short time period. +Rate limiting enables you to detect and block abnormally high levels of traffic from any socket IP address. By using Azure Web Application Firewall in Azure Front Door, you can mitigate some types of denial-of-service attacks. Rate limiting also protects you against clients that were accidentally misconfigured to send large volumes of requests in a short time period. -The socket IP address is the address of the client that initiated the TCP connection to Azure Front Door. Typically, the socket IP address is the IP address of the user, but it might also be the IP address of a proxy server or another device that sits between the user and Azure Front Door. --You can define rate limits at the socket IP address level or the remote address level. If you have multiple clients that access Azure Front Door from different socket IP addresses, they each have their own rate limits applied. The socket IP address is the source IP address the web application firewall (WAF) sees. If your user is behind a proxy, the socket IP address is often the proxy server address. The remote address is the original client IP that's usually sent via the `X-Forwarded-For` request header. +The socket IP address is the address of the client that initiated the TCP connection to Azure Front Door. 
Typically, the socket IP address is the IP address of the user, but it might also be the IP address of a proxy server or another device that sits between the user and Azure Front Door. If you have multiple clients that access Azure Front Door from different socket IP addresses, they each have their own rate limits applied. ## Configure a rate limit policy |
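Review bot: The rewritten second paragraph removes the only definition of the remote address, along with the statement that limits can be defined "at the socket IP address level or the remote address level" and the mention of the `X-Forwarded-For` request header. If rate limiting on the remote address is still available, the article no longer tells readers that it exists or how it differs from the socket IP address; if it was removed on purpose, the change should say so. The retained text still notes that the socket IP address may belong to a proxy server, so it is worth stating the consequence next to the "they each have their own rate limits applied" sentence: clients that reach Azure Front Door through the same proxy share one socket IP address and therefore one limit.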