+Language detection will return one predominant language for each document you submit, along with it's [ISO 639-1](https://www.iso.org/standard/22109.html) name, a human-readable name, a confidence score, script name and script code according to the [ISO 15924 standard](https://wikipedia.org/wiki/ISO_15924). A positive score of 1 indicates the highest possible confidence level of the analysis.

+> [!NOTE]

+> Ambiguous content can cause confidence scores to be lower.

+> The `countryHint` in the response is only applicable if the confidence score is less than 0.8.

+With the second document, the language detection model has additional context to make a better judgment because it contains the `countryHint` property in the input above. This will return the following output.

+

+ "modelVersion": "2023-12-01"

+ "kind": "LanguageDetectionResults",

+ "results": {

+ "documents": [

+ {

+ "id": "1",

+ "detectedLanguage": {

+ "name": "Spanish",

+ "iso6391Name": "es",

+ "confidenceScore": 0.97,

+ "script": "Latin",

+ "scriptCode": "Latn"

+ },

+ "warnings": []

+ }

+ ],

+ "errors": [],

+ "modelVersion": "2023-12-01"

+ }

+}

+```

+## Script name and script code

+> [!NOTE]

+> * Script detection is currently limited to [select languages](../language-support.md#script-detection).

+> * The script detection is only available for textual input which is greater than 12 characters in length.

+Language detection offers the ability to detect more than one script per language according to the [ISO 15924 standard](https://wikipedia.org/wiki/ISO_15924). Specifically, Language Detection returns two script-related properties:

+* `script`: The human-readable name of the identified script

+* `scriptCode`: The ISO 15924 code for the identified script

+The output of the API includes the value of the `scriptCode` property for documents that are at least 12 characters or greater in length and matches the list of supported languages and scripts. Script detection is designed to benefit users whose language can be transliterated or written in more than one script, such as Kazakh or Hindi language.

+Previously, language detection was designed to detect the language of documents in a wide variety of languages, dialects, and regional variants, but was limited by "Romanization". Romanization refers to conversion of text from one writing system to the Roman (Latin) script, and is necessary to detect many Indo-European languages. However, there are other languages which are written in multiple scripts, such as Kazakh, which can be written in Cyrillic, Perso-Arabic, and Latin scripts. There are also other cases in which users may either choose or are required to transliterate their language in more than one script, such as Hindi transliterated in Latin script, due to the limited availability of keyboards which support its Devanagari script.

+Consequently, language detection's expanded support for script detection behaves as follows:

+**Input**

+```json

+{

+    "kind": "LanguageDetection",

+    "parameters": {

+        "modelVersion": "latest"

+    },

+    "analysisInput": {

+        "documents": [

+            {

+                "id": "1",

+                "text": "आप कहाँ जा रहे हैं?"

+            },

+            {

+                "id": "2",

+                "text": "Туған жерім менің - Қазақстаным"

+            }

+        ]

+    }

+}

+```

+**Output**

+The resulting output consists of the predominant language, along with a script name, script code, and confidence score.

+```json

+{

+    "kind": "LanguageDetectionResults",

+    "results": {

+        "documents": [

+            {

+                "id": "1",

+                "detectedLanguage": {

+                    "name": "Hindi",

+                    "iso6391Name": "hi",

+                    "confidenceScore": 1.0,

+                    "script": "Devanagari",

+                    "scriptCode": "Deva"

+                },

+                "warnings": []

+            },

+            {

+                "id": "2",

+                "detectedLanguage": {

+                    "name": "Kazakh",

+                    "iso6391Name": "kk",

+                    "confidenceScore": 1.0,

+                    "script": "Cyrillic",

+ΓÇ» "scriptCode":ΓÇ»"Cyrl"

+                },

+                "warnings": []

+            }

+        ],

+        "errors": [],

+        "modelVersion": "2023-12-01"

+    }

+| **Language detection** | 1 core, 5GB memory | 1 core, 8GB memory |15 | 30|

+## Script detection

+| Language |Script code | Scripts |

+| | | |

+| Bengali (Bengali-Assamese) | `as` | `Latn`, `Beng` |

+| Bengali (Bangla) | `bn` | `Latn`, `Beng` |

+| Gujarati | `gu` | `Latn`, `Gujr` |

+| Hindi | `hi` | `Latn`, `Deva` |

+| Kannada | `kn` | `Latn`, `Knda` |

+| Malayalam | `ml` | `Latn`, `Mlym` |

+| Marathi | `mr` | `Latn`, `Deva` |

+| Oriya | `or` | `Latn`, `Orya` |

+| Gurmukhi | `pa` | `Latn`, `Guru` |

+| Tamil | `ta` | `Latn`, `Taml` |

+| Telugu | `te` | `Latn`, `Telu` |

+| Arabic | `ur` | `Latn`, `Arab` |

+| Cyrillic | `tt` | `Latn`, `Cyrl` |

+| Serbian `sr` | `Latn`, `Cyrl` |

+| Unified Canadian Aboriginal Syllabics | `iu` | `Latn`, `Cans` |

+Language detection is one of the features offered by [Azure AI Language](../overview.md), a collection of machine learning and AI algorithms in the cloud for developing intelligent applications that involve written language. Language detection is able to detect more than 100 languages in their primary script. In addition, it offers [script detection](./how-to/call-api.md#script-name-and-script-code) to detect multiple scripts per language according to the [ISO 15924 standard](https://wikipedia.org/wiki/ISO_15924) for a [select number of languages](./language-support.md#script-detection).

+## Language detection features

+* Language detection: Returns one predominant language for each document you submit, along with its ISO 639-1 name, a human-readable name, confidence score, script name and script code according to ISO 15924 standard.

+* Script detection: To distinguish between multiple scripts used to write certain languages, such as Kazakh, language detection returns a script name and script code according to the ISO 15924 standard.

+* Ambiguous content handling: To help disambiguate language based on the input, you can specify an ISO 3166-1 alpha-2 country/region code. For example, the word "communication" is common to both English and French. Specifying the origin of the text as France can help the language detection model determine the correct language.

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it's deployed. Read the [transparency note for language detection](/legal/cognitive-services/language-service/transparency-note-language-detection?context=/azure/ai-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:

+## February 2024

+* Expanded [language detection](./language-detection/how-to/call-api.md#script-name-and-script-code) support for additional scripts according to the [ISO 15924 standard](https://wikipedia.org/wiki/ISO_15924) is now available starting in API version `2023-11-15-preview`.

+|**Top K Documents** | This parameter is an integer that can be set to 3, 5, 10, or 20, and controls the number of document chunks provided to the large language model for formulating the final response. By default, this is set to 5. The search process can be noisy and sometimes, due to chunking, relevant information may be spread across multiple chunks in the search index. Selecting a top-K number, like 5, ensures that the model can extract relevant information, despite the inherent limitations of search and chunking. However, increasing the number too high can potentially distract the model. Additionally, the maximum number of documents that can be effectively used depends on the version of the model, as each has a different context size and capacity for handling documents. If you find that responses are missing important context, try increasing this parameter. Conversely, if you think the model is providing irrelevant information alongside useful data, consider decreasing it. This is the `topNDocuments` parameter in the API. |

+| `Cognitive Services User` | Azure OpenAI | List API-Keys from Azure OpenAI Studio.|

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+#customer intent: As a developer, I want to install the Speech SDK for the language of my choice to implement Speech AI in applications.

+# Quickstart: Install the Speech SDK

+## Related content

+Azure AI services has been awarded certifications such as CSA STAR Certification, FedRAMP Moderate, and HIPAA BAA.

+When you create a new Azure AI hub resource, a set of dependent Azure resources are required to store data that you upload or get generated when working in AI studio. If not provided by you, and required, these resources are automatically created.

+ Title: Architecture

+description: Learn about the architecture of Azure AI Studio.

+# Azure AI Studio architecture

+

+AI Studio provides a unified experience for AI developers and data scientists to build, evaluate, and deploy AI models through a web portal, SDK, or CLI. It's built on capabilities and services provided by other Azure services.

+The top level AI Studio resources (AI hub and AI projects) are based on Azure Machine Learning. Other resources, such as Azure OpenAI, Azure AI Services, and Azure AI Search, are used by the AI hub and AI project.

+- **AI hub**: The AI hub is the top-level resource in AI Studio. The Azure resource provider for an AI hub is `Microsoft.MachineLearningServices/workspaces`, and the kind of resource is `Hub`. It provides the following features:

+ - Data upload and artifact storage.

+ - Hub-scoped connections to Azure services such as Azure OpenAI, Azure AI Services, and Azure AI Search.

+ - Base model endpoints for Azure OpenAI, Speech, and Vision.

+ - Compute resources.

+ - Security and governance.

+- **AI project**: An AI project is a child resource of the AI hub. The Azure resource provider for an AI project is `Microsoft.MachineLearningServices/workspaces`, and the kind of resource is `Project`. It inherits the AI hub's connections, and compute resources. When a new AI project is created from the AI hub, the security settings of the AI hub are applied to it. The AI project provides the following features:

+ - Groups of components such as datasets, models, and indexes.

+ - An isolated data container (within the storage inherited from the AI hub).

+ - Project-scoped connections. For example, a project might need access to data stored in a separate Azure Storage account.

+ - Open source model deployments from catalog and fine-tuned model endpoints.

+

+An AI hub can have multiple child AI projects. Each AI project can have its own set of project-scoped connections.

+### Tenant separation

+While most of the resources used by Azure AI Studio live in your Azure subscription, some resources exist in the Azure AI Studio tenant. The Azure AI Studio tenant is a separate Microsoft Entra ID tenant that provides some of the services used by Azure AI Studio. The following resources are in the Azure AI Studio tenant:

+- **Managed compute resources**: Provided by Azure Batch resources in the Azure AI Studio tenant.

+- **Managed virtual network**: Provided by Azure Virtual Network resources in the Azure AI Studio tenant. If FQDN rules are enabled, an Azure Firewall (standard) is added and charged to your subscription. For more information, see [Configure a managed virtual network for Azure AI Studio](../how-to/configure-managed-network.md).

+- **Metadata storage**: Provided by Azure Cosmos DB, Azure AI Search, and Azure Storage Account in the Azure AI Studio tenant. If you use customer-managed keys, these resources are created in your subscription. For more information, see [Customer-managed keys](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context).

+

+## Azure resource providers

+Since Azure AI Studio is built from other Azure services, the resource providers for these services must be registered in your Azure subscription. The following table lists the resource, provider, and resource provider kinds:

+When you create a new Azure AI hub resource, a set of dependent Azure resources are required to store data, manage security, and provide compute resources. The following table lists the dependent Azure resources and their resource providers:

+> [!TIP]

+> If you don't provide a dependent resource when creating an AI hub, and it's a required dependency, AI Studio creates the resource for you.

+For information on registering resource providers, see [Register an Azure resource provider](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider).

+## Role-based access control and control plane proxy

+Azure AI Services and Azure OpenAI provide control plane endpoints for operations such as listing model deployments. These endpoints are secured using a separate Azure role-based access control (RBAC) configuration than the one used for Azure AI hub.

+To reduce the complexity of Azure RBAC management, AI Studio provides a *control plane proxy* that allows you to perform operations on connected Azure AI Services and Azure OpenAI resources. Performing operations on these resources through the control plane proxy only requires Azure RBAC permissions on the AI hub. The Azure AI Studio service then performs the call to the Azure AI Services or Azure OpenAI control plane endpoint on your behalf.

+For more information, see [Role-based access control in Azure AI Studio](rbac-ai-studio.md).

+## Encryption

+Azure AI Studio uses encryption to protect data at rest and in transit. By default, Microsoft-managed keys are used for encryption, however you can use your own encryption keys. For more information, see [Customer-managed keys](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context).

+## Virtual network

+Azure AI hub can be configured to use a *managed* virtual network. The managed virtual network secures communications between the AI hub, AI projects, and managed resources such as computes. If your dependency services (Azure Storage, Key Vault, and Container Registry) have public access disabled, a private endpoint for each dependency service is created to secure communication between the AI hub/project and the dependency service.

+> [!NOTE]

+> If you want to use a virtual network to secure communications between your clients and the AI hub or AI project, you must use an Azure Virtual Network that you create and manage. For example, an Azure Virtual Network that uses a VPN or ExpressRoute connection to your on-premises network.

+For more information on how to configure a managed virtual network, see [Configure a managed virtual network for Azure AI Studio](../how-to/configure-managed-network.md).

+## Azure Monitor

+Azure monitor and Azure Log Analytics provide monitoring and logging for the underlying resources used by Azure AI Studio. Since Azure AI Studio is built on Azure Machine Learning, Azure OpenAI, Azure AI Services, and Azure AI Search, use the following articles to learn how to monitor the

+| Resource | Monitoring and logging |

+| | |

+| Azure AI hub and AI project | [Monitor Azure Machine Learning](/azure/machine-learning/monitor-azure-machine-learning) |

+| Azure OpenAI | [Monitor Azure OpenAI](/azure/ai-services/openai/how-to/monitoring) |

+| Azure AI Services | [Monitor Azure AI (training)](/training/modules/monitor-ai-services/) |

+| Azure AI Search | [Monitor Azure AI Search](/azure/search/monitor-azure-cognitive-search) |

+## Price and quota

+For more information on price and quota, use the following articles:

+- [Plan and manage costs](../how-to/costs-plan-manage.md)

+- [Commitment tier pricing](../how-to/commitment-tier.md)

+- [Quota management](../how-to/quota.md)

+## Next steps

+Create an AI hub using one of the following methods:

+- [Azure AI Studio](../how-to/create-azure-ai-resource.md#create-an-azure-ai-hub-resource-in-ai-studio): Create an AI hub for getting started.

+- [Azure portal](../how-to/create-azure-ai-resource.md#create-a-secure-azure-ai-hub-resource-in-the-azure-portal): Create an AI hub with your own networking, encryption, identity and access management, dependent resources, and resource tag settings.

+- [Bicep template](../how-to/create-azure-ai-hub-template.md).

+ Title: Create an AI hub using a Bicep template

+description: Use a Microsoft Bicep template to create a new Azure AI hub.

+#Customer intent: As a DevOps person, I need to automate or customize the creation of an AI hub by using templates.

+# Use an Azure Resource Manager template to create an Azure AI hub

+Use a [Microsoft Bicep](/azure/azure-resource-manager/bicep/overview) template to create an Azure AI hub resource for Azure AI Studio. A template makes it easy to create resources as a single, coordinated operation. A Bicep template is a text document that defines the resources that are needed for a deployment. It might also specify deployment parameters. Parameters are used to provide input values when using the template.

+The template used in this article can be found at [https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/aistudio-basics](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/aistudio-basics). Both the source `main.bicep` file and the compiled Azure Resource Manager template (`main.json`) file are available. This template creates the following resources:

+- An Azure Resource Group (if one doesn't already exist)

+- An Azure AI hub resource

+- Azure Storage Account

+- Azure Key Vault

+- Azure Container Registry

+- Azure Application Insights

+- Azure AI services (created by the template)

+## Prerequisites

+- An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/).

+- A copy of the template files from the GitHub repo. To clone the GitHub repo to your local machine, you can use [Git](https://git-scm.com/). Use the following command to clone the quickstart repository to your local machine and navigate to the `aistudio-basics` directory.

+ # [Azure CLI](#tab/cli)

+ ```azurecli

+ git clone https://github.com/Azure/azure-quickstart-templates

+ cd azure-quickstart-templates/quickstarts/microsoft.machinelearningservices/aistudio-basics

+ ```

+ # [Azure PowerShell](#tab/powershell)

+ ```azurepowershell

+ git clone https://github.com/Azure/azure-quickstart-templates

+ cd azure-quickstart-templates\quickstarts\microsoft.machinelearningservices\aistudio-basics

+ ```

+

+- The Bicep command-line tools. To install the Bicep command-line tools, use the [Install the Bicep CLI](/azure/azure-resource-manager/bicep/install) article.

+## Understanding the template

+The Bicep template is made up of the following files:

+| File | Description |

+| - | -- |

+| [main.bicep](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aistudio-basics/main.bicep) | The main Bicep file that defines the parameters and variables. Passing parameters & variables to other modules in the `modules` subdirectory. |

+| [ai-resource.bicep](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aistudio-basics/modules/ai-resource.bicep) | Defines the Azure AI hub resource. |

+| [dependent-resources.bicep](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aistudio-basics/modules/dependent-resources.bicep) | Defines the dependent resources for the Azure AI hub. Azure Storage Account, Container Registry, Key Vault, and Application Insights. |

+> [!IMPORTANT]

+> The example templates may not always use the latest API version for the Azure resources it creates. Before using the template, we recommend modifying it to use the latest API versions. Each Azure service has its own set of API versions. For information on the API for a specific service, check the service information in the [Azure REST API reference](/rest/api/azure/).

+>

+> The AI hub resource is based on Azure Machine Learning. For information on the latest API versions for Azure Machine Learning, see the [Azure Machine Learning REST API reference](/rest/api/azureml/). To update this API version, find the `Microsoft.MachineLearningServices/<resource>` entry for the resource type and update it to the latest version. The following example is an entry for the Azure AI hub that uses an API version of `2023-08-01-preview`:

+>

+>```bicep

+>resource aiResource 'Microsoft.MachineLearningServices/workspaces@2023-08-01-preview' = {

+>```

+### Azure Resource Manager template

+While the Bicep domain-specific language (DSL) is used to define the resources, the Bicep file is compiled into an Azure Resource Manager template when you deploy the template. The `main.json` file included in the GitHub repository is a compiled Azure Resource Manager version of the template. This file is generated from the `main.bicep` file using the Bicep command-line tools. For example, when you deploy the Bicep template it generates the `main.json` file. You can also manually create the `main.json` file using the `bicep build` command without deploying the template.

+```azurecli

+bicep build main.bicep

+```

+For more information, see the [Bicep CLI](/azure/azure-resource-manager/bicep/bicep-cli) article.

+## Configure the template

+To run the Bicep template, use the following commands from the `aistudio-basics` directory:

+1. To create a new Azure Resource Group, use the following command. Replace `exampleRG` with the name of your resource group, and `eastus` with the Azure region to use:

+ # [Azure CLI](#tab/cli)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ ```

+ # [Azure PowerShell](#tab/powershell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ ```

+

+1. To run the template, use the following command. Replace `myai` with the name to use for your resources. This value is used, along with generated prefixes and suffixes, to create a unique name for the resources created by the template.

+ > [!TIP]

+ > The `aiResourceName` must be 5 or less characters. It can't be entirely numeric or contain the following characters: `~ ! @ # $ % ^ & * ( ) = + _ [ ] { } \ | ; : . ' " , < > / ?`.

+ # [Azure CLI](#tab/cli)

+ ```azurecli

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters aiResourceName=myai

+ ```

+ # [Azure PowerShell](#tab/powershell)

+ ```azurepowershell

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile main.bicep -aiResourceName myai

+ ```

+

+ Once the operation completes, you can use your Azure AI hub to create AI projects, manage resources, and collaborate with others.

+## Next steps

+- [Create a project](create-projects.md)

+- [Learn more about Azure AI Studio](../what-is-ai-studio.md)

+- [Learn more about Azure AI hub resources](../concepts/ai-resources.md)

+| [LLM](./llm-tool.md) | Use Azure OpenAI large language models (LLM) for tasks such as text completion or chat. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |

+| [Embedding](./embedding-tool.md) | Use Azure OpenAI embedding models to create an embedding vector that represents the input text. | Default | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |

+### Kubenet Cluster Upgrade

+Since the cluster is already using a private CIDR for pods which doesn't overlap with the VNet IP space, you don't need to specify the `--pod-cidr` parameter and the Pod CIDR will remain the same.

+- Improved Service routing

+> [!NOTE]

+> In this tutorial, "service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path" is being set to "/healthz". This means if the response code of the requests to "/healthz" is not "200", the whole ingress controller will be down. You can modify the value to other URI in your own scenario. You cannot delete this part or unset the value, or the ingress controller will still be down.

+> The package "ingress-nginx" used in this tutorial, which is provided by [Kubernetes official](https://github.com/kubernetes/ingress-nginx), will always return "200" response code if requesting "/healthz", as it is designed as "[default backend](https://kubernetes.github.io/ingress-nginx/user-guide/default-backend/)" for users to have a quick start, unless it is being overwritten by ingress rules.

+* Optionally, you can set a duration of time to wait between draining a node and proceeding to reimage it and move on to the next node. A short interval allows you to complete other tasks, such as checking application health from a Grafana dashboard during the upgrade process. We recommend a short timeframe for the upgrade process, as close to 0 minutes as reasonably possible. Otherwise, a higher node soak time affects how long before you discover an issue. The minimum soak time value is 0 minutes, with a maximum of 30 minutes. If not specified, the default value is 0 minutes.

+#### Set node soak time value

+The combination of [Planned Maintenance Window][planned-maintenance], [Max Surge](./upgrade-aks-cluster.md#customize-node-surge-upgrade), [Pod Disruption Budget][pdb-spec], [node drain timeout][drain-timeout], and [node soak time][soak-time] can significantly increase the likelihood of node upgrades completing successfully by the end of the maintenance window while also minimizing disruptions.

+* [Node soak time][soak-time] helps stagger node upgrades in a controlled manner and can minimize application downtime during an upgrade. You can specify a wait time, preferably as reasonably close to 0 minutes as possible, to check application readiness between node upgrades. If not specified, the default value is 0 minutes. Node soak time works together with the max surge and node drain timeout properties available in the node pool to deliver the right outcomes in terms of upgrade speed and application availability.

+[soak-time]: ./upgrade-aks-cluster.md#set-node-soak-time-value

+With Azure Network Policy Manager for Linux, we don't recommend scaling beyond 250 nodes and 20k pods. If you attempt to scale beyond these limits, you may encounter Out of Memory (OOM) kills. To increase your memory limit, please create a support ticket.

+> [!VIDEO https://www.youtube.com/embed/7Z45FdCLFbA]

+> [!VIDEO https://www.youtube.com/embed/SuGkhuBUV5k]

+> [!VIDEO https://www.youtube.com/embed/Dvar8Dg25s0]

+> [!VIDEO https://www.youtube.com/embed/62X0NALedCc]

+The Health check requests are sent to your site internally, so the request won't show in [the web server logs](troubleshoot-diagnostic-logs.md#enable-web-server-logging). You can add log statements in your Health check code to keep logs of when your Health check path is pinged.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!NOTE]

+> Azure Automation will follow the support lifecycle of PowerShell and Python language versions in accordance with the timelines published by parent products [PowerShell](https://learn.microsoft.com/powershell/scripting/install/powershell-support-lifecycle?view=powershell-7.3&preserve-view=true#powershell-end-of-support-dates) and [Python](https://devguide.python.org/versions/) respectively. We recommend you to use runbooks with supported language versions.

+The PowerShell version is determined by the **Runtime version** specified (that is version 7.2, 7.1 (preview) or 5.1).

+| Snapshot Storage Size | Count | Represents the total storage usage of configuration snapshot(s) in bytes. |

+| Snapshot Storage Size | This metric does not have any dimensions. |

+* Snapshot Storage Size

+

+1. Get the token to output to console.

+

+ ```console

+ echo $TOKEN

+ ```

+ "EnableClassic": false,

+ "EnableClassic": false,

+ "EnableClassic": false,

+ "EnableClassic": false,

+- [Angular plugin](javascript-framework-extensions.md?tabs=angular)

+You cannot use quota limits, similar to the Log Anlytics Workspace (Daily Cap or Data retention) in the Azure Monitor workspace.

+| [Resource logs](./resource-logs.md) | Azure Resources | Resource logs provide an insight into operations that were performed within an Azure resource. This is known as the *data plane*. Examples include getting a secret from a key vault, or making a request to a database. The contents of resource logs varies according to the Azure service and resource type.<br><br>*Resource logs were previously referred to as diagnostic logs.* |

+>If you want to configure a UDR route in the VM VNet, to control the routing of packets destined for a regionally VNet-peered Azure NetApp Files standard volume, the UDR prefix must be more specific or equal to the delegated subnet size of the Azure NetApp Files volume. If the UDR prefix is of size greater than the delegated subnet size, it will not be effective.

+Customer-managed keys for Azure NetApp Files volume encryption enable you to use your own keys rather than a platform-managed key when creating a new volume. With customer-managed keys, you can fully manage the relationship between a key's life cycle, key usage permissions, and auditing operations on keys.

+ Customer-managed keys have no performance impact on Azure NetApp Files. Its only difference from platform-managed keys is how the key is managed.

+* UK West

+* West US 3

+In ARM templates, you can reuse or modularize a template through nesting or linking templates using the `Microsoft.Resources/deployments` resource. For more information, see [Using linked and nested templates when deploying Azure resources](../templates/linked-templates.md) The following ARM template is a sample of a nested template:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "storageAccountName": {

+ "type": "string",

+ "defaultValue": "[format('{0}{1}', 'store', uniqueString(resourceGroup().id))]"

+ },

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Resources/deployments",

+ "apiVersion": "2022-09-01",

+ "name": "nestedTemplate1",

+ "properties": {

+ "mode": "Incremental",

+ "template": {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "resources": [

+ {

+ "type": "Microsoft.Storage/storageAccounts",

+ "apiVersion": "2023-01-01",

+ "name": "[parameters('storageAccountName')]",

+ "location": "[parameters('location')]",

+ "sku": {

+ "name": "Standard_LRS"

+ },

+ "kind": "StorageV2"

+ }

+ ]

+ }

+ }

+ }

+ ]

+}

+```

+In Bicep, you can still use the `Microsoft.Resources/deployments` resource for nesting ARM templates or linking external ARM templates. But, it's not a great idea because it can lead to unsafe and tricky behaviors due to how it's evaluated multiple times. Also, there's hardly any validation and self completion from Visual Studio Code when you author the Bicep file, making it tough to work with. The following Bicep file fails this test because the template contains `Microsoft.Resources/deployments` resource on the root level.

+param storageAccountName string = 'store${uniqueString(resourceGroup().id)}'

+param location string = resourceGroup().location

+resource nestedTemplate1 'Microsoft.Resources/deployments@2023-07-01' = {

+ name: 'nestedTemplate1'

+ properties:{

+ template: {

+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'

+ contentVersion: '1.0.0.0'

+ resources: [

+ {

+ type: 'Microsoft.Storage/storageAccounts'

+ apiVersion: '2023-01-01'

+ name: storageAccountName

+ location: location

+ sku: {

+ name: 'Standard_LRS'

+ }

+ kind: 'StorageV2'

+ }

+ ]

+ }

+ }

+}

+```

+To fix the issue, you can use the Bicep CLI [decompile](./bicep-cli.md#decompile) command. For example, the preceding ARM template can be decomplied into the following Bicep files:

+_main.bicep_:

+```bicep

+param storageAccountName string = 'store${uniqueString(resourceGroup().id)}'

+param location string = resourceGroup().location

+module nestedTemplate1 './nested_nestedTemplate1.bicep' = {

+ name: 'nestedTemplate1'

+ params: {

+ storageAccountName: storageAccountName

+ location: location

+ }

+}

+```

+_nested_nestedTemplate1.bicep_:

+```bicep

+param storageAccountName string

+param location string

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {

+ name: storageAccountName

+ location: location

+ sku: {

+ name: 'Standard_LRS'

+ }

+ kind: 'StorageV2'

+}

+```

+Additionally, you can also refence ARM templates using the [module](./modules.md) statement.

+_main.bicep_:

+```bicep

+param storageAccountName string = 'store${uniqueString(resourceGroup().id)}'

+param location string = resourceGroup().location

+module nestedTemplate1 './createStorage.json' = {

+ name: 'nestedTemplate1'

+ params: {

+ storageAccountName: storageAccountName

+ location: location

+_createStorage.json_:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "storageAccountName": {

+ "type": "string",

+ "defaultValue": "[format('{0}{1}', 'store', uniqueString(resourceGroup().id))]"

+ },

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Storage/storageAccounts",

+ "apiVersion": "2023-01-01",

+ "name": "[parameters('storageAccountName')]",

+ "location": "[parameters('location')]",

+ "sku": {

+ "name": "Standard_LRS"

+ },

+ "kind": "StorageV2"

+ }

+ ]

+}

+```

+userid=$(az ad user list --upn example@contoso.org --query [0].id --output tsv)

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+ 'retriable-4xx'

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. It also provides the capability to scale out the capacity of existing on-premises or cloud self-hosted Apache Cassandra clusters. It scales out by adding managed Cassandra datacenters to the existing cluster ring.

+|**Operational overhead**| You have existing Cassandra experts who can deploy, configure, and maintain your clusters. | You want to eliminate the operational overhead by using a fully managed Database-as-as-Service for open-source Apache Cassandra, but have the option of controling Cassandra-specific configurations such as replication and consistency when required. | You want to eliminate the operational overhead by using a fully managed Platform-as-as-service database in the cloud. |

+|**Software Support**| You handle all patches, and ensure that software is upgraded before end of life.| You want a first-party managed service experience that will offer Cassandra software level support beyond end of live, automated patching, and turnkey upgrades for major versions | You want a first-party managed service experience where software level support is completely abstracted.|

+|**Operating system requirements**| You have a requirement to maintain custom or golden Virtual Machine operating system images. | You can use vanilla images but want to have control over the selection of SKUs, memory, disks, and IOPS. | You want capacity provisioning to be simplified and expressed as a single normalized metric, with a one-to-one relationship to throughput, such as [request units](../request-units.md) in Azure Cosmos DB. |

+Azure Cosmos DB for PostgreSQL is built on native PostgreSQL--rather than a PostgreSQL fork--and lets you choose any major database versions supported by the PostgreSQL community. It's ideal for starting on a single-node database with rich indexing, geospatial capabilities, and JSONB support. Later, if you need more performance, you can add nodes to the cluster with zero downtime.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+Security recommendations in Microsoft Defender for Cloud help you to improve and harden your security posture. Recommendations are based on the security standards you define in subscriptions that have Defender for Cloud onboarded.

+1. Enter a name and description.

+```json

+```json

+The built-in recommendations supplied with Microsoft Defender for Cloud include details such as severity levels and remediation instructions. If you want to add this type of information to custom recommendations for Azure, use the REST API.

+ "securityCenter": {

+ "RemediationDescription": "Custom description goes here",

+ "Severity": "High"

+ "displayName": "Security - ERvNet - AuditRGLock",

+ "policyType": "Custom",

+ "mode": "All",

+ "description": "Audit required resource groups lock",

+ "metadata": {

+ "securityCenter": {

+ "RemediationDescription": "Resource Group locks can be set via Azure Portal -> Resource Group -> Locks",

+ "Severity": "High"

+ }

+ },

+ "parameters": {

+ "expressRouteLockLevel": {

+ "type": "String",

+ "metadata": {

+ "displayName": "Lock level",

+ "description": "Required lock level for ExpressRoute resource groups."

+ },

+ "allowedValues": [

+ "CanNotDelete",

+ "ReadOnly"

+ ]

+ }

+ },

+ "policyRule": {

+ "if": {

+ "field": "type",

+ "equals": "Microsoft.Resources/subscriptions/resourceGroups"

+ },

+ "then": {

+ "effect": "auditIfNotExists",

+ "details": {

+ "type": "Microsoft.Authorization/locks",

+ "existenceCondition": {

+ "field": "Microsoft.Authorization/locks/level",

+ "equals": "[parameters('expressRouteLockLevel')]"

+ }

+ }

+ }

+ }

+- [Learn about](create-custom-recommendations.md) creating custom standards for AWS accounts and GCP projects.

+description: Learn about the capabilities and functions of the data-aware security view in Microsoft Defender for Cloud.

+# Data security dashboard (Preview)

+Microsoft Defender for Cloud's data security dashboard provides an interactive view of significant risks to sensitive data. It prioritizes alerts and potential attack paths across multicloud data resources, making data protection management more effective.

+With the data security dashboard you can:

+- Easily locate and summarize sensitive data resources in your cloud data estate.

+- Identify and prioritize data resources at risk to prevent and respond to sensitive data breaches.

+- Investigate active high severity threats that lead to sensitive data.

+To access the data security dashboard in Defender for Cloud, select **Data Security**.

+**To view the dashboard**:

+- You must [enable Defender CSPM](tutorial-enable-cspm-plan.md).

+- [Enable sensitive data discovery](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan) within the Defender CSPM plan.

+**To receive the alerts for data sensitivity**:

+- You must [enable Defender for Storage](tutorial-enable-storage-plan.md).

+## Required permissions and roles

+**Permissions**:

+- Microsoft.Security/assessments/read

+- Microsoft.Security/assessments/subassessments/read

+- Microsoft.Security/alerts/read

+**Role** - the minimum required privileged role-based access control role of **Security explorer**.

+- Register each relevant Azure subscription to the [Microsoft.Security resource provider](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider).

+> [!NOTE]

+> The data security dashboard feature is turned on at the subscription level.

+- **Coverage status** - displays the limited data coverage for resources without Defender CSPM workload protection:

+ - **Covered** ΓÇô resources that have the necessary Defender CSPM, or Defender for Storage, or Defender for Databases enabled.

+ - **Partially covered** ΓÇô missing either the Defender CSPM, Defender for Storage, or Defender for Storage plan. Select the tooltip to present a detailed view of what is missing.

+ - **Not covered** - resources that aren't covered by Defender CSPM, or Defender for Storage, or Defender for Databases.

+ - **Sensitive resources requiring attention** - displays the number of sensitive resources that have either high severity security alerts or attack paths.

+You can select the **Manage data sensitivity settings** to get to the **Data sensitivity** page. The **Data sensitivity** page allows you to manage the data sensitivity settings of cloud resources at the tenant level, based on selective info types and labels originating from the Purview compliance portal, and [customize sensitivity settings](data-sensitivity-settings.md) such as creating your own customized info types and labels, and setting sensitivity label thresholds.

+**Sensitive resources status over time** - displays how data security evolves over time with a graph that shows the number of sensitive resources affected by alerts, attack paths, and recommendations within a defined period (last 30, 14, or 7 days).

+ |

+API gateways | Azure API Management<br/><br/> Defender for APIs currently doesn't onboard APIs that are exposed using the API Management [self-hosted gateway](../api-management/self-hosted-gateway-overview.md), or managed using API Management [workspaces](../api-management/workspaces-overview.md).

+ :::image type="content" source="media/defender-for-apis-validation/postman-keys.png" alt-text="Screenshot that shows where to enter the keys and their values in Postman.":::

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+<!--

+Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords.

+Enable **Microsoft Defender for Key Vault** for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence.

+When anomalous activities occur, Defender for Key Vault shows alerts and optionally sends them via email to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.

+- User Principal Name or IP address of the suspicious resource

+1. If you can identify the source of the traffic in your tenant, contact the user or owner of the application.

+### Step 2: Respond accordingly

+### Step 4: Take action

+For related material, see the following articles:

+The cloud management layer is a crucial service connected to all your cloud resources. Because of this, it is also a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely.

+`Delegated access` refers to access with [Azure Lighthouse](/azure/lighthouse/overview) or with [Delegated administration privileges](/partner-center/dap-faq).

+## Step 3: Immediate mitigation

+- **Regulatory compliance** - Based on continuous assessments of your hybrid and multi-cloud resources, Defender for Cloud provides insights into your compliance with the standards that matter to your organization. Defender for Cloud analyzes risk factors in your environment according to security best practices. These assessments are mapped to compliance controls from a supported set of standards. [Learn more](regulatory-compliance-dashboard.md).

+- You can add more non-default compliance standards when at least one paid plan is enabled in Defender for Cloud.

+1. In the Defender for Cloud portal, open the **Regulatory compliance** page.

+ :::image type="content" source="media/regulatory-compliance-dashboard/control-detail.png" alt-text="Screenshot that shows you where to navigate to select control details on the screen." lightbox="media/regulatory-compliance-dashboard/control-detail.png":::

+ :::image type="content" source="media/regulatory-compliance-dashboard/down-arrow.png" alt-text="Screenshot that shows you where the down arrow is on the screen." lightbox="media/regulatory-compliance-dashboard/down-arrow.png":::

+ :::image type="content" source="./media/regulatory-compliance-dashboard/sample-recommendation.png" alt-text="Screenshot that shows that selecting a recommendation from a standard leads directly to the recommendation details page." lightbox="media/regulatory-compliance-dashboard/sample-recommendation.png":::

+ :::image type="content" source="./media/regulatory-compliance-dashboard/encrypting-vm-disks.png" alt-text="Screenshot that shows the take action button on the recommendation details page leads to the remediation options." lightbox="media/regulatory-compliance-dashboard/encrypting-vm-disks.png":::

+Assessments run approximately every 12 hours, so you'll see the impact on your compliance data only after the next run of the relevant assessment.

+ :::image type="content" source="./media/regulatory-compliance-dashboard/download-report.png" alt-text="Screenshot that shows using the toolbar in Defender for Cloud's regulatory compliance dashboard to download compliance reports." lightbox="media/regulatory-compliance-dashboard/download-report.png":::

+ :::image type="content" source="media/release-notes/audit-reports-regulatory-compliance-dashboard.png" alt-text="Screenshot that shows using the toolbar in Defender for Cloud's regulatory compliance dashboard to download Azure and Dynamics certification reports." lightbox="media/release-notes/audit-reports-regulatory-compliance-dashboard.png":::

+ :::image type="content" source="media/release-notes/audit-reports-list-regulatory-compliance-dashboard-ga.png" alt-text="Screenshot that shows filtering the list of available Azure Audit reports using tabs and filters." lightbox="media/release-notes/audit-reports-list-regulatory-compliance-dashboard-ga.png":::

+> You can also manually export reports about a single point in time directly from the regulatory compliance dashboard. Generate these **PDF/CSV reports** or **Azure and Dynamics certification reports** using the **Download report** or **Audit reports** toolbar options.

+- [Managing security recommendations in Defender for Cloud](review-security-recommendations.md) - Learn how to use recommendations in Defender for Cloud to help protect your multicloud resources.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+ - **Severity** - The severity of the recommendation (High, Medium, or Low). More details below.

+## How are recommendations classified?

+Every security recommendation from Defender for Cloud is assigned one of three severity ratings:

+

+- **High severity**: These recommendations should be addressed immediately, as they indicate a critical security vulnerability that could be exploited by an attacker to gain unauthorized access to your systems or data. Examples of high severity recommendations are when weΓÇÖve discovered unprotected secrets on a machine, overly-permissive inbound NSG rules, clusters allowing images to be deployed from untrusted registries, and unrestricted public access to storage accounts or databases.

+- **Medium severity**: These recommendations indicate a potential security risk that should be addressed in a timely manner, but may not require immediate attention. Examples of medium severity recommendations might include containers sharing sensitive host namespaces, web apps not using managed identities, Linux machines not requiring SSH keys during authentication, and unused credentials being left in the system after 90 days of inactivity.

+- **Low severity**: These recommendations indicate a relatively minor security issue that can be addressed at your convenience. Examples of low severity recommendations might include the need to disable local authentication in favor of Microsoft Entra ID, health issues with your endpoint protection solution, best practices not being followed with network security groups, or misconfigured logging settings that could make it harder to detect and respond to security incidents.

+

+Of course, the internal views of an organization might differ with MicrosoftΓÇÖs classification of a specific recommendation. So, it's always a good idea to review each recommendation carefully and consider its potential impact on your security posture before deciding how to address it.

+By using agentless secrets scanning, you can proactively discover the following types of secrets across your environments (in Azure, AWS, and GCP cloud providers):

+- Plaintext Azure Subscription Management Certificate.

+The following secrets can also be accessed from the `Security Recommendations` and `Attack Path`, across Azure, AWS, and GCP cloud providers:

+- Access to [Defender for Cloud](get-started.md).

+Attack path analysis is a graph-based algorithm that scans your [cloud security graph](concept-attack-path.md#what-is-cloud-security-graph). These scans expose exploitable paths that attackers might use to breach your environment to reach your high-impact assets. Attack path analysis exposes attack paths and suggests recommendations for how to best remediate issues that break the attack path and prevent successful breach.

+The attack path page shows an overview of your attack paths, affected resources, and a list of active attack paths.

+If a secret is found on your resource, that resource triggers an affiliated recommendation that is located under the Remediate vulnerabilities security control on the Recommendations page. Depending on your resources, one or more of the following recommendations appears:

+- **AWS resources**: `EC2 instances should have secrets findings resolved`

+- **GCP resources**: `VM instances should have secrets findings resolved`

+1. Select one of the following:

+ - **Azure resources**: `Machines should have secrets findings resolved`

+ - **AWS resources**: `EC2 instances should have secrets findings resolved`

+ - **GCP resources**: `VM instances should have secrets findings resolved`

+1. (Optional) You can select an affected resource to see that resource's information.

+Secrets that don't have a known attack path are referred to as `secrets without an identified target resource`.

+ - **VM with plaintext secret that can authenticate to an SQL database** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access SQL databases.

+If you don't want to use any of the available templates, you can also [build your own query](how-to-manage-cloud-security-explorer.md) in the cloud security explorer.

+- [Use asset inventory to manage your resources' security posture](asset-inventory.md).

+| **DEFENDER CSPM FEATURES** | | | |

+| [Data security dashboard](data-aware-security-dashboard-overview.md) | Preview | NA | NA |

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+description: Upcoming changes to Microsoft Defender for Cloud that you might need to be aware of and for which you might need to plan.

+| [Deprecation of recommendation related to Defender for AI](#deprecation-of-recommendation-related-to-defender-for-ai) | February 12, 2024 | March 14, 2024 |

+## Deprecation of recommendation related to Defender for AI

+**Announcement date: February 12, 2024**

+**Estimated date of change: March 14, 2024**

+The recommendation [`Public network access should be disabled for Cognitive Services accounts`](https://ms.portal.azure.com/?feature.msaljs=true#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/684a5b6d-a270-61ce-306e-5cea400dc3a7) is set to be deprecated. The related policy definition [`Cognitive Services accounts should disable public network access`](https://ms.portal.azure.com/?feature.msaljs=true#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) is also being removed from the regulatory compliance dashboard.

+This recommendation is already being covered by another networking recommendation for Azure AI Services, [`Cognitive Services accounts should restrict network access`](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/f738efb8-005f-680d-3d43-b3db762d6243/showSecurityCenterCommandBar~/false).

+See the [list of security recommendations](recommendations-reference.md).

+Customers currently using Defender for Cloud DevOps security from Azure portal won't be impacted.

+As use of the Azure Monitor Agent (AMA) and the Log Analytics agent (also known as the Microsoft Monitoring Agent (MMA)) is [phased out in Defender for Servers](https://techcommunity.microsoft.com/t5/user/ssoregistrationpage?dest_url=https:%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fblogs%2Fblogworkflowpage%2Fblog-id%2FMicrosoftDefenderCloudBlog%2Farticle-id%2F1269), existing endpoint recommendations, which rely on those agents, will be replaced with new recommendations. The new recommendations rely on [agentless machine scanning](concept-agentless-data-collection.md) which allows the recommendations to discover and assesses the configuration of supported endpoint detection and response solutions and offers remediation steps, if issues are found.

+As part of that deprecation, weΓÇÖll be introducing new agentless endpoint protection recommendations. These recommendations will be available in Defender for Servers Plan 2 and the Defender CSPM plan. They'll support Azure and multicloud machines. On-premises machines aren't supported.

+Defender for Cloud will begin enforcing the Defender CSPM plan check for premium DevOps security value beginning **March 7th, 2024**. If you have the Defender CSPM plan enabled on a cloud environment (Azure, AWS, GCP) within the same tenant your DevOps connectors are created in, you'll continue to receive premium DevOps capabilities at no extra cost. If you aren't a Defender CSPM customer, you have until **March 7th, 2024** to enable Defender CSPM before losing access to these security features. To enable Defender CSPM on a connected cloud environment before March 7, 2024, follow the enablement documentation outlined [here](tutorial-enable-cspm-plan.md#enable-the-components-of-the-defender-cspm-plan).

+In Azure, agentless scanning for VMs uses a built-in role (called [VM scanner operator](/azure/defender-for-cloud/faq-permissions)) with the minimum necessary permissions required to scan and assess your VMs for security issues. To continuously provide relevant scan health and configuration recommendations for VMs with encrypted volumes, an update to this role's permissions is planned. The update includes the addition of the ```Microsoft.Compute/DiskEncryptionSets/read``` permission. This permission solely enables improved identification of encrypted disk usage in VMs. It doesn't provide Defender for Cloud any more capabilities to decrypt or access the content of these encrypted volumes beyond the encryption methods [already supported](/azure/defender-for-cloud/concept-agentless-data-collection#availability) prior to this change. This change is expected to take place during February 2024 and no action is required on your end.

+See the [full index of Azure Policy built-in policy definitions for Key Vault](../key-vault/policy-reference.md).

+Cisco2960# show monitor session 1

+| Europe | <ul><li>West Europe</li><li>North Europe</li><li>UK South</li><li>UK West</li><li>France Central</li><li>France South</li><li>Germany North</li><li>Germany West Central</li><li>Sweden Central</li><li>Sweden South</li><li>Switzerland North</li><li>Switzerland West</li><li>Norway East</li><li>Norway West</li></ul> |

+| Asia | <ul><li>East Asia</li><li>Southeast Asia</li><li>Central India</li><li>South India</li><li>Japan West</li><li>Korea South</li><li>UAE North</li></ul> |

+Apache Phoenix is an open source, massively parallel relational database layer built on HBase. Phoenix allows you to use SQL like queries over HBase. Phoenix uses JDBC drivers underneath to enable you to create, delete, alter SQL tables, indexes, views, and sequences. You can also use Phoenix to update rows individually and in bulk. Phoenix uses a NOSQL native compilation rather than using MapReduce to compile queries, enabling the creation of low-latency applications on top of HBase.

+HDInsight users can use Apache Zeppelin to query Phoenix tables. Apache Zeppelin is integrated with HDInsight cluster and there are no additional steps to use it. Create a Zeppelin Notebook with JDBC interpreter and start writing your Phoenix SQL queries

+ The **%jdbc(phoenix)** statement in the frontline tells the notebook to use the Phoenix JDBC interpreter.

+HDInsight Spark clusters have Anaconda installed. There are two Python installations in the cluster, Anaconda Python 2.7 and Python 3.5. The following table shows the default Python settings for Spark, Livy, and Jupyter.

+For the Spark 3.1.2 version, the Apache PySpark kernel is removed and a new Python 3.8 environment is installed under `/usr/bin/miniforge/envs/py38/bin`, which is used by the PySpark3 kernel. The `PYSPARK_PYTHON` and `PYSPARK3_PYTHON` environment variables are updated with the following:

+HDInsight cluster depends on the built-in Python environment, both Python 2.7 and Python 3.5. Directly installing custom packages in those default built-in environments may cause unexpected library version changes. And break the cluster further. To safely install custom external Python packages for your Spark applications, follow the steps.

+1. Create Python virtual environment using conda. A virtual environment provides an isolated space for your projects without breaking others. When creating the Python virtual environment, you can specify Python version that you want to use. You still need to create virtual environment even though you would like to use Python 2.7 and 3.5. This requirement is to make sure the cluster's default environment not getting broke. Run script actions on your cluster for all nodes with following script to create a Python virtual environment.

+2. Install external Python packages in the created virtual environment if needed. Run script actions on your cluster for all nodes with following script to install external Python packages. You need to have sudo privilege here to write files to the virtual environment folder.

+ Use following command if you would like to install a library with its latest version:

+ 1. Open Ambari UI, go to Spark 2 page, Configs tab.

+ 2. Expand Advanced livy2-env, add following statements at bottom. If you installed the virtual environment with a different prefix, change the path correspondingly.

+ 4. Save the changes and restart affected services. These changes need a restart of Spark 2 service. Ambari UI will prompt a required restart reminder, click Restart to restart all affected services.

+ If you are using `livy`, add the following properties to the request body:

+4. If you would like to use the new created virtual environment on Jupyter. Change Jupyter configs and restart Jupyter. Run script actions on all header nodes with following statement to point Jupyter to the new created virtual environment. Make sure to modify the path to the prefix you specified for your virtual environment. After running this script action, restart Jupyter service through Ambari UI to make this change available.

+ You could double confirm the Python environment in Jupyter Notebook by running the code:

+#CustomerIntent: As an administrator, I want to learn how to create or modify an an Exchange peering with Route Server using the Azure portal so I can manage my Exchange peerings.

+In this article, you learn how to create a Microsoft Exchange peering with a route server using the Azure portal. This article also shows you how to check the status of the resource, update it, or delete and deprovision it.

+## Prerequisites

+- Review the [Prerequisites to set up peering with Microsoft](prerequisites.md) and the [Exchange peering walkthrough](walkthrough-exchange-all.md) before you begin configuration.

+- If you already have an Exchange peering with Microsoft that isn't converted to Azure resources, see [Convert a legacy Exchange peering to an Azure resource by using the portal](howto-legacy-exchange-portal.md).

+- Associate your public ASN with your Azure subscription. For more information, see [Associate peer ASN to Azure subscription using the Azure portal](howto-subscription-association-portal.md).

+In this section, you learn how to create an Exchange peering with a route server using the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the portal, enter ***peering***. Select **Peerings** in the search results.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/internet-peering-portal-search.png" alt-text="Screenshot of searching for internet peerings in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/internet-peering-portal-search.png":::

+1. In the **Peerings** page, select **+ Create** to create a new peering.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/peerings-portal.png" alt-text="Screenshot of internet peerings page in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/peerings-portal.png":::

+1. In the **Basics** tab of **Create a peering**, enter or select your Azure subscription, resource group, name, and ASN of the peering:

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/create-peering-basics.png" alt-text="Screenshot of the Basics tab of creating a peering in the Azure portal.":::

+ > [!IMPORTANT]

+ > You can only choose an ASN with ValidationState as Approved before you submit a peering request. After submitting a PeerAsn request, wait for about 12 hours for the ASN association to be approved. If the ASN you select is pending validation, you'll see an error message. If you don't see the ASN you needed to choose, check that you selected the correct subscription. If so, check if you have already created PeerAsn. For more information, see [Associate peer ASN to Azure subscription using the Azure portal](howto-subscription-association-portal.md).

+1. Select **Next: Configuration** to continue. In the **Configuration** tab, you MUST choose the following required configurations to create a peering for Peering Service Exchange with Route Server:

+ - Peering type: **Direct**.

+ - Microsoft network: **AS8075 (with exchange route server)**.

+ - SKU: **Premium Free**.

+1. Select your **Metro**, then select **Create new** to add a connection to your peering.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/create-peering-configuration.png" alt-text="Screenshot of the Configuration tab of creating a peering in the Azure portal.":::

+1. In **Direct Peering Connection**, enter or select your peering facility details then select **Save**.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/direct-peering-connection.png" alt-text="Screenshot of creating a direct peering connection.":::

+ > [!NOTE]

+ > - Peering connections for Peering Service Exchange with Route Server must have **Peer** as the Session Address Provider.

+ > - *Use for Peering Service* is disabled by default. It can be enabled after the exchange provider signs a Peering Service agreement with Microsoft.

+

+1. Select **Review + create**. Review the summary and select **Create** after the validation passes.

+ Allow time for the resource to finish deploying. When deployment is successful, your peering is created and provisioning begins.

+ > [!NOTE]

+ > For normal Internet Service Providers (ISP) who are a Microsoft Peering Service partner, customer IP prefixes registration is required. However, in the case of exchange partners with a route server, it is required to register customer ASNs and not prefixes. Same ASN key would be valid for the customer's prefix registration.

+1. Open the peering in the Azure portal, and select **Registered ASNs**.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/registered-asn.png" alt-text="Screenshot shows how to go to Registered ASNs from the Peering Overview page in the Azure portal.":::

+1. Select **Add registered ASN** to create a new customer Autonomous System Number (ASN) under your exchange subscription.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/register-new-asn.png" alt-text="Screenshot shows how to register an ASN in the Azure portal.":::

+1. Select **Save**.

+1. In **Registered ASNs**, each ASN has an associated Prefix Key assigned to it. As an exchange provider, you need to provide this Prefix Key to your customer so they can register Peering Service under their subscription.

+### <a name=get></a>Verify an Exchange peering

+In this section, you learn how to view a peering to verify its configuration and state.

+1. In the search box at the top of the portal, enter ***peering***. Select **Peerings** in the search results.

+1. Select the peering resource that you want to view.

+1. Select **Connections** to view the PeerAsn information.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/peering-connections.png" alt-text="Screenshot shows the connections of a peering in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/peering-connections.png":::

+ At the top of the screen, you see a summary of peering connections between your ASN and Microsoft, across different facilities within the metro.

+ > [!NOTE]

+ > - **Connection State** corresponds to the state of the peering connection setup. The states displayed in this field follow the state diagram shown in the [Exchange peering walkthrough](walkthrough-exchange-all.md).

+ > - **IPv4 Session State** and **IPv6 Session State** correspond to the IPv4 and IPv6 BGP session states respectively.

+ > - When you select a row at the top of the screen, the **Connection** section at the bottom shows details for each connection. Select the arrows to expand **Configuration**, **IPv4 address**, and **IPv6 address**.

+## <a name="modify"></a>Modify an Exchange peering

+In this section, you learn how to modify an Exchange peering.

+1. In the search box at the top of the portal, enter ***peering***. Select **Peerings** in the search results.

+1. Select the peering resource that you want to modify.

+1. Select **Connections**.

+### Add Exchange peering connections

+1. Select the **+ Add connections** button to add and configure a new peering connection.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/add-connection.png" alt-text="Screenshot shows how to add a new peering connection in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/add-connection.png":::

+1. In **Exchange Peering Connection**, enter or select the required information and then select **Save**. For more information, see [Create and provision an Exchange peering](#create-and-provision-an-exchange-peering).

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/exchange-peering-connection.png" alt-text="Screenshot shows the exchange peering connection page in the Azure portal.":::

+### Remove Exchange peering connections

+1. Right-click the peering connection you want to delete, and then select **Delete connection**.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/delete-connection.png" alt-text="Screenshot shows how to delete a peering connection in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/delete-connection.png":::

+1. Confirm the delete by entering **yes** and then select **Delete**.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/delete-confirmation.png" alt-text="Screenshot shows the confirmation page to delete a peering connection in the Azure portal.":::

+### Add an IPv4 or IPv6 session on Active connections

+1. Right-click the peering connection you want to delete, and then select **Edit connection**.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/edit-connection.png" alt-text="Screenshot shows how to edit a peering connection in the Azure portal." lightbox="./media/how-to-exchange-route-server-portal/edit-connection.png":::

+1. Modify the **IPv4 address** or **IPv6 address** information, and select **Save**.

+ :::image type="content" source="./media/how-to-exchange-route-server-portal/edit-exchange-peering-connection.png" alt-text="Screenshot shows the edit peering connection page in the Azure portal.":::

+### Remove an IPv4 or IPv6 session on Active connections

+To remove an IPv4 or IPv6 session from an existing connection, contact [Microsoft peering](mailto:peeringexperience@microsoft.com). This operation isn't currently supported using the Azure portal.

+To deprovision an Exchange peering, contact [Microsoft peering](mailto:peeringexperience@microsoft.com). This operation isn't currently supported using the Azure portal or PowerShell.

+## Related content

+- [Internet peering for Peering Service Exchange with Route Server partner walkthrough](walkthrough-exchange-route-server-partner.md).

+- [Convert a legacy Exchange peering to an Azure resource using the Azure portal](howto-legacy-exchange-portal.md).

+description: Learn how to enable Azure Peering Service on a Direct peering using the Azure portal.

+#CustomerIntent: As an administrator, I want to learn how to enable Azure Peering Service on a Direct peering using the Azure portal so I can manage my Direct peerings.

+In this article, you learn how to enable [Azure Peering Service](../peering-service/about.md) on a Direct peering using the Azure portal. To learn how to enable Peering Service on a Direct peering using Azure PowerShell, see [Enable Azure Peering Service on a Direct peering using PowerShell](howto-peering-service-powershell.md).

+## Prerequisites

+- Complete the [Prerequisites to set up peering with Microsoft](prerequisites.md) before you begin configuration.

+- A Direct peering in your subscription for which you want to enable Peering Service. If you don't have one, either convert a legacy Direct peering or create a new Direct peering. For more information, see [Convert a legacy Direct peering to an Azure resource](howto-legacy-direct-portal.md) or [Create or modify a Direct peering](howto-direct-portal.md).

+In this section, you learn how to enable Peering Service on a Direct peering using the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the portal, enter ***peering***. Select **Peerings** in the search results.

+ :::image type="content" source="./media/howto-peering-service-portal/internet-peering-portal-search.png" alt-text="Screenshot of searching for internet peerings in the Azure portal." lightbox="./media/howto-peering-service-portal/internet-peering-portal-search.png":::

+1. Select the peering resource that you want to enable Peering Service for its connection.

+1. Select **Connections**.

+ :::image type="content" source="./media/howto-peering-service-portal/peering-connections.png" alt-text="Screenshot shows the connections of a peering in the Azure portal." lightbox="./media/howto-peering-service-portal/peering-connections.png":::

+1. Right-click the peering connection you want to enable Peering Service for, and then select **Edit connection**.

+ :::image type="content" source="./media/howto-peering-service-portal/edit-connection.png" alt-text="Screenshot shows how to edit a peering connection in the Azure portal." lightbox="./media/howto-peering-service-portal/edit-connection.png":::

+1. Select **Enabled** for **Use for Peering Service**.

+ :::image type="content" source="./media/howto-peering-service-portal/edit-direct-peering-connection.png" alt-text="Screenshot shows how to enable Azure Peering Service on a Direct peering connection in the Azure portal.":::

+1. Select **Save**.

+1. Once the deployment is complete, select **Registered prefixes** to register a prefix to the peering.

+ :::image type="content" source="./media/howto-peering-service-portal/add-registered-prefix.png" alt-text="Screenshot shows how to add registered prefixes in the Azure portal." lightbox="./media/howto-peering-service-portal/add-registered-prefix.png":::

+1. Enter a name and prefix, then select **Save**.

+ :::image type="content" source="./media/howto-peering-service-portal/register-prefix-configure.png" alt-text="Screenshot shows how to register a prefix in the Azure portal.":::

+

+ After a prefix is created, you can see it in the list of prefixes in **Registered prefixes** page.

+1. Select the prefix you created to see the details, which include the **Prefix key**. This key must be provided to the customer so they can use it to register their prefix in their subscription.

+ :::image type="content" source="./media/howto-peering-service-portal/prefix-details.png" alt-text="Screenshot shows the prefix details including the prefix key in the Azure portal.":::

+## Modify a Direct peering connection

+To modify connection settings, see the **Modify a Direct peering** section in [Create or modify a Direct peering by using the portal](howto-direct-portal.md).

+## Related content

+- [Internet peering for Azure Peering Service partner walkthrough](walkthrough-peering-service-all.md).

+- [Enable Azure Peering Service Voice on a Direct peering by using the Azure portal](howto-peering-service-voice-portal.md).

+- [Internet peering frequently asked questions (FAQ)](faqs.md).

+ Title: Associate your ASN to Azure subscription - Azure portal

+description: Learn how to associate peer ASN to Azure subscription using the Azure portal.

+#CustomerIntent: As an administrator, I want to learn how to create a PeerASN resource so I can associate my peer ASN to Azure subscription and submit peering requests.

+# Associate your ASN with an Azure subscription using the Azure portal

+In this article, you learn how to associate your Autonomous System Number (ASN) with an Azure subscription using the Azure portal. To learn how to associate your ASN with an Azure subscription using Azure PowerShell, see [Associate peer ASN to Azure subscription using PowerShell](howto-subscription-association-powershell.md).

+As an Internet Service Provider or Internet Exchange Provider, you must associate your peer ASN with an Azure subscription before you submit a peering request.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Peering provider. For more information, see [Register Peering provider](#register-peering-provider).

+## Register Peering provider

+In this section, you learn how to check if the peering provider is registered in your subscription and how to register it if not registered. Peering resource provider is required to set up peering. If you previously registered the peering resource provider, you can skip this section.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the search box at the top of the portal, enter ***Subscriptions***. Select **Subscriptions** in the search results.

+ :::image type="content" source="./media/howto-subscription-association-portal/subscriptions-portal-search.png" alt-text="Screenshot of searching for subscriptions in the Azure portal." lightbox="./media/howto-subscription-association-portal/subscriptions-portal-search.png":::

+1. Select the Azure subscription that you want to enable the provider for.

+1. Under **Settings**, select **Resource providers**.

+1. Enter ***peering*** in the filter box.

+1. Confirm the status of the provider is **Registered**. If the status is **NotRegistered**, select the **Microsoft.Peering** provider then select **Register**.

+ :::image type="content" source="./media/howto-subscription-association-portal/register-microsoft-peering-provider.png" alt-text="Screenshot shows how to register Peering provider in the Azure portal." lightbox="./media/howto-subscription-association-portal/register-microsoft-peering-provider.png":::

+## Create PeerAsn to associate your ASN with Azure Subscription

+As an Internet Service Provider or Internet Exchange Provider, you can create a new PeerAsn resource to associate an Autonomous System Number (ASN) with an Azure subscription. You can associate multiple ASNs to a subscription by creating a **PeerAsn** for each ASN you need to associate.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to the [Associate a Peer ASN](https://go.microsoft.com/fwlink/?linkid=2129592) page.

+1. On the **Associate a Peer ASN**, enter or select the following values in the **Basics** tab:

+ | Setting | Value |

+ | | |

+ | **Project details** | |

+ | Name | Enter a name for the PeerASN resource that you're creating. |

+ | Subscription | Select your Azure subscription that you want to associate the ASN with. |

+ | **Instance details** | |

+ | Peer name | Enter your company name. This name must be as close as possible to your PeeringDB profile. |

+ | Peer ASN | Enter your ASN. |

+ :::image type="content" source="./media/howto-subscription-association-portal/associate-peer-asn.png" alt-text="Screenshot shows how to associate a peer ASN in the Azure portal." lightbox="./media/howto-subscription-association-portal/associate-peer-asn.png":::

+1. Select **Create new** and enter **Email address** and **Phone number** of your Network Operations Center (NOC).

+1. Select **Review + create**.

+1. Review the settings, and then select **Create**. If deployment fails, contact [Microsoft peering](mailto:peering@microsoft.com).

+## View status of a PeerAsn

+Once PeerAsn resource is deployed successfully, you must wait for Microsoft to approve the association request. It might take up to 12 hours for approval. Once approved, you receive a notification to the email address you entered during the creation of PeerASN resource.

+> Wait for the **ValidationState** to turn **Approved** before submitting a peering request. It may take up to 12 hours for this approval.

+Modifying a PeerAsn isn't currently supported. If you need to modify a PeerASN, contact [Microsoft peering](mailto:peering@microsoft.com).

+Deleting a PeerAsn isn't currently supported. If you need to delete a PeerAsn, contact [Microsoft peering](mailto:peering@microsoft.com).

+## Related content

+- [Internet peering frequently asked questions (FAQ)](faqs.md).

+## Import server certificate chain as a Kubernetes secret

+1. Create a full server certificate chain, where the order of the certificates matters: the server certificate is the first one in the file, the intermediate is the second.

+ ```bash

+ cat mqtts-endpoint.crt intermediate_ca.crt > server_chain.pem

+ ```

+1. Create a Kubernetes secret with the server certificate chain and server key using kubectl.

+ ```bash

+ kubectl create secret tls server-cert-secret -n azure-iot-operations \

+ --cert server_chain.crt \

+ --key mqtts-endpoint.key

+ ```

+To test the TLS connection with mosquitto client, publish a message and pass the root CA certificate in the parameter `--cafile`.

+```console

+$ mosquitto_pub -d -h localhost -p 8885 -i "my-client" -t "test-topic" -m "Hello" --cafile root_ca.crt

+Client my-client sending CONNECT

+Client my-client received CONNACK (0)

+Client my-client sending PUBLISH (d0, q0, r0, m1, 'test-topic', ... (5 bytes))

+Client my-client sending DISCONNECT

+```

+> [!NOTE]

+> To connect to the broker you need to distribute root of trust to the clients, also known as trust bundle. In this case the root of trust is the self-signed root CA created Step CLI. Distribution of root of trust is required for the client to verify the server certificate chain. If your MQTT clients are workloads on the Kubernetes cluster you also need to create a ConfigMap with the root CA and mount it in your Pod.

+Remember to specify username, password, etc. if MQ authentication is enabled.

+- *updated*: IntDate, optional. The *updated* attribute indicates when this version of the key was updated. The value is null for keys that were last updated prior to the addition of this attribute. Its value MUST be a number containing an IntDate value.

+- *hsmPlatform*: string, optional. The underlying HSM Platform that is protecting a key.

+ - A hsmPlatform value of 2 means the key is protected by our latest FIPS 140 Level 3 validated HSM platform.

+ - A hsmPlatform value of 1 means the key is protected by our previous FIPS 140 Level 2 HSM platform using nCipher HSMs.

+ - A hsmPlatform value of 0 means the key is protected by a FIPS 140 Level 1 HSM software cryptographic module.

+ - if this is not set by a Managed HSM pool, it is protected by our latest FIPS 140 Level 3 validated HSM platform.

+

+ItΓÇÖs important to note that keys are bound to the HSM in which they were created. New keys are seamlessly created and stored in the new HSMs. While there is no way to migrate or transfer keys, new key versions are automatically in the new HSMs. For more information on how to migrate to a new key, see [How to migrate key workloads](../general/migrate-key-workloads.md).

+HSM Keys in vaults are protected". The Software keys are not protected by HSMs.

+- Keys stored in vaults benefit from robust protection using **FIPS 140-2 HSMs**. There are two distinct HSM platforms available: 1, which protects key versions with **FIPS 140-2 Level 2** and 2, which protects keys with **FIPS 140-2 Level 3** HSMs depending on when the key was created. All new keys and key versions are now created using platform 2 (except UK geo). To determine which HSM Platform is protecting a key version, get it's [hsmPlatform](about-keys-details.md#key-attributes).

+|Software-protected (hsmPlatform 0) keys in vaults | FIPS 140-2 Level 1|

+|hsmPlatform 1 protected keys in vaults (Premium SKU)| FIPS 140-2 Level 2|

+|hsmPlatform 2 protected keys in vaults (Premium SKU)| FIPS 140-2 Level 3|

+|Keys in Managed HSM are always HSM protected|FIPS 140-2 Level 3|

+ Install-Module Microsoft.Graph -Scope CurrentUser

+ Connect-MgGraph -Scopes "User.Read"

+ $officeTenantID = Get-MgOrganization | Select-Object -expand Id

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+ | Microsoft.Storage | Storage Account is used as the default storage for the workspace.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This article provides tips on how to optimize performance.

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed.

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed.

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed.

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This article describes how to run DBA commands manually when the need arises.

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed.

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This article defines the management operations and features provided by the service. It also explains the separation of responsibilities between the Azure support team and customers when maintaining [hybrid](configure-hybrid-cluster.md) clusters.

+1. Provide the backup ID from portal for the backup you want to restore. This can be found in the portal:

+ :::image type="content" source="./media/management-operations/backup.png" alt-text="Screenshot of backup schedule configuration page highlighting backup ID." lightbox="./media/management-operations/backup.png" border="true":::

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed. This article discusses how to enable materialized views.

+The Azure Managed Instance for Apache Cassandra service requires certain network rules to properly manage the service. By ensuring you have the proper rules exposed, you can keep your service secure and prevent operational issues.

+Azure Managed Instance for Apache Cassandra is a fully managed service for pure open-source Apache Cassandra clusters. The service also allows configurations to be overridden, depending on the specific needs of each workload, allowing maximum flexibility and control where needed.

+Apache Cassandra is a great choice for building highly resilient applications due to it's distributed nature and masterless architecture ΓÇô any node in the database can provide the exact same functionality as any other node ΓÇô contributing to CassandraΓÇÖs robustness and resilience. This article provides tips on how to optimize high availability and how to approach disaster recover.

+RPO (recovery point objective) and RTO (recovery time objective), will both typically be low (close to zero) for Apache Cassandra as long as you have:

+RTO ("how long you're down in an outage") will be low because the cluster will be resilient across both zones and regions, and because Apache Cassandra itself is a highly fault tolerant, masterless system (all nodes can write) by default. RPO ("how much data can you lose in an outage") will be low because data will be synchronised between all nodes and data centers, so data loss in an outage would be minimal.

+ > It's not theoretically possible to achieve both RTO=0 *and* RPO=0 per [Cap Theorem](https://en.wikipedia.org/wiki/CAP_theorem). You will need to evaluate the trade off between consistency and availability/optimal performance - this will look different for each application. For example, if your application is read heavy, it might be better to cope with increased latency of cross-region writes to avoid data loss (favoring consistency). If the appplication is write heavy, and on a tight latency budget, the risk of losing some of the most recent writes in a major regional outage might be acceptable (favoring availability).

+Cassandra's architecture, coupled with Azure availability zones support, gives you some level of fault tolerance and resiliency. However, it's important to consider the impact of regional outages for your applications. We highly recommend deploying [multi region clusters](create-multi-region-cluster.md) to safeguard against region level outages. Although they're rare, the potential impact is severe.

+For business continuity, it isn't sufficient to only make the database multi-region. Other parts of your application also need to be deployed in the same manner either by being distributed, or with adequate mechanisms to fail over. If your users are spread across many geo locations, a multi-region data center deployment for your database has the added benefit of reducing latency, since all nodes in all data centers across the cluster can then serve both reads and writes from the region that is closest to them. However, if the application is configured to be "active-active", it's important to consider how [CAP theorem](https://cassandra.apache.org/doc/latest/cassandra/architecture/guarantees.html#what-is-cap) applies to the consistency of your data between replicas (nodes), and the trade-offs required to delivery high availability.

+- If your goal is to favor consistency (lower RPO) rather than latency or availability (lower RTO), this should be reflected in your consistency settings and replication factor. As a rule of thumb, the number of quorum nodes required for a read plus the number of quorum nodes required for a write should be greater than the replication factor. For example, if you have a replication factor of 3, and quorum_one on reads (one node), you should do quorum_all on writes (three nodes), so that the total of 4 is greater than the replication factor of 3.

+**Azure Hybrid Benefit** | Specifies whether you have software assurance and are eligible for [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) to use your existing OS licenses. If the setting is enabled, Azure prices for selected operating systems are not considered for VM costing.

+Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure.

+Assessment criteria | **Sizing criteria** | Set to *Performance-based* by default, which means Azure Migrate collects performance metrics pertaining to SQL instances and the databases managed by it to recommend an optimal-sized SQL Server on Azure VM and/or Azure SQL Database and/or Azure SQL Managed Instance configuration. <br/><br/> You can change this to *As on-premises* to get recommendations based on just the on-premises SQL Server configuration without the performance metric based optimizations.

+ - Azure Hybrid Benefit for SQL and Windows licenses or Enterprise Linux subscription

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure.

+**Reserved Instances (RI)** | This property helps you specify if you have [Reserved Instances](https://azure.microsoft.com/pricing/reserved-vm-instances/) in Azure, cost estimations in the assessment are then done taking into RI discounts. Reserved instances are currently only supported for pay-as-you-go offer in Azure Migrate.

+**Azure Hybrid Benefit** | Specify whether you have software assurance and are eligible for [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/). If the setting is enabled, Azure prices for selected operating systems are not considered for VM costing.

+- [Learn more](concepts-azure-vmware-solution-assessment-calculation.md) about how AVS assessments are calculated.

+a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure.

+ - In **Azure Hybrid Benefit**, specify whether you already have a Windows Server license or Enterprise Linux subscription. If you do and they're covered with active Software Assurance of Windows Server or Enterprise Linux Subscriptions, you can apply for the [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-use-benefit/) when you bring licenses to Azure.

+ Target and pricing settings | **Azure Hybrid Benefit** | Specify whether you already have a Windows Server and/or SQL Server license or Enterprise Linux subscription. Azure Hybrid Benefit is a licensing benefit that helps you to significantly reduce the costs of running your workloads in the cloud. It works by letting you use your on-premises Software Assurance-enabled Windows Server and SQL Server licenses on Azure. For example, if you have a SQL Server license and they're covered with active Software Assurance of SQL Server Subscriptions, you can apply for the Azure Hybrid Benefit when you bring licenses to Azure.

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ Physical (85 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ Hyper-V (8.91 GB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191848) | 952e493a63a45f97ecdc0945807d504f4bd2f0f4f8248472b784c3e6bd25eb13

+ Hyper-V (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+ VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | a551f3552fee62ca5c7ea11648960a09a89d226659febd26314e222a37c7d857

+description: This article describes how to migrate AWS VMs to Azure with Azure Migrate and Modernize.

+> This article references CentOS, a Linux distribution that's nearing end-of-life status. Please consider your use and plan accordingly.

+This tutorial shows you how to discover, assess, and migrate Amazon Web Services (AWS) virtual machines (VMs) to Azure VMs by using Azure Migrate: Server Assessment and the Migration and modernization tool.

+In this tutorial, you learn how to:

+> * Prepare Azure resources with the Migration and modernization tool. Set up permissions for your Azure account and resources to work with Azure Migrate and Modernize.

+> * Prepare AWS Elastic Compute Cloud (EC2) instances for migration.

+> * Add the Migration and modernization tool in the Azure Migrate and Modernize hub.

+> * Install the Mobility service on the AWS VMs you want to migrate.

+Before you migrate to Azure, we recommend that you perform a VM discovery and migration assessment. This assessment helps right-size your AWS VMs for migration to Azure and estimate potential Azure run costs.

+To set up an assessment:

+ - Azure Migrate and Modernize uses password authentication to discover AWS instances. AWS instances don't support password authentication by default. Before you can discover an instance, you need to enable password authentication.

+ - For Windows machines, allow WinRM port 5985 (HTTP). This port allows remote WMI calls.

+ 1. Sign in to each Linux machine.

+ 1. Open the *sshd_config* file: `vi /etc/ssh/sshd_config`.

+ 1. In the file, locate the `PasswordAuthentication` line and change the value to `yes`.

+ 1. Save the file and close it. Restart the ssh service.

+ - If you're using a root user to discover your Linux VMs, ensure that root login is allowed on the VMs.

+ 1. Sign in to each Linux machine.

+ 1. Open the *sshd_config* file: `vi /etc/ssh/sshd_config`.

+ 1. In the file, locate the `PermitRootLogin` line and change the value to `yes`.

+ 1. Save the file and close it. Restart the ssh service.

+1. Then, follow this [tutorial](./tutorial-assess-physical.md) to set up an Azure Migrate project and appliance to discover and assess your AWS VMs.

+Although we recommend that you try out an assessment, performing an assessment isn't a mandatory step to be able to migrate VMs.

+- Ensure that the AWS VMs you want to migrate are running a supported operating system (OS) version. AWS VMs are treated like physical machines for the migration. Review the [supported operating systems and kernel versions](../site-recovery/vmware-physical-azure-support-matrix.md#replicated-machines) for the physical server migration workflow. You can use standard commands like `hostnamectl` or `uname -a` to check the OS and kernel versions for your Linux VMs. We recommend that you perform a test migration (test failover) to validate if the VM works as expected before you proceed with the migration.

+- Verify that the AWS VMs that you replicate to Azure comply with [Azure VM requirements](./migrate-support-matrix-physical-migration.md#azure-vm-requirements).

+- Some changes are needed on the VMs before you migrate them to Azure:

+ - For some operating systems, Azure Migrate and Modernize makes these changes automatically.

+Review the [Windows](prepare-for-migration.md#windows-machines) and [Linux](prepare-for-migration.md#linux-machines) changes you need to make.

+Task | Details

+Create an Azure Migrate project | Your Azure account needs Contributor or Owner permissions to [create a new project](./create-manage-projects.md).

+Verify permissions for your Azure account | Your Azure account needs permissions to create a VM and write to an Azure managed disk.

+### Assign permissions to create a project

+1. In the Azure portal, open the subscription and select **Access control (IAM)**.

+1. In **Check access**, find the relevant account and select it to view permissions.

+1. You should have **Contributor** or **Owner** permissions.

+Assign the VM Contributor role to the Azure account. This role provides permissions to:

+[Set up](../virtual-network/manage-virtual-network.md#create-a-virtual-network) an Azure virtual network. When you replicate to Azure, the Azure VMs that are created are joined to the Azure virtual network that you specified when you set up migration.

+The Migration and modernization tool uses a replication appliance to replicate machines to Azure. The replication appliance runs the following components:

+- **Configuration server**: The configuration server coordinates communications between the AWS environment and Azure and manages data replication.

+- **Process server**: The process server acts as a replication gateway. It receives replication data and optimizes that data with caching, compression, and encryption. Then it sends the data to a cache storage account in Azure.

+To prepare for appliance deployment:

+- The appliance shouldn't be installed on a source VM that you want to replicate or on the Azure Migrate: Discovery and assessment appliance you might have installed before. It should be deployed on a different VM.

+- The source AWS VMs to be migrated should have a network line of sight to the replication appliance. Configure necessary security group rules to enable this capability. We recommend that you deploy the replication appliance in the same virtual private cloud (VPC) as the source VMs to be migrated. If the replication appliance needs to be in a different VPC, the VPCs must be connected through VPC peering.

+ 

+ 

+The first step of migration is to set up the replication appliance. To set up the appliance for AWS VMs migration, you must download the installer file for the appliance and then run it on the [VM you prepared](#prepare-a-machine-for-the-replication-appliance).

+1. In the Azure Migrate project, select **Servers, databases, and web apps** > **Migration and modernization** > **Discover**.

+ 

+1. In **Discover machines** > **Are your machines virtualized?**, select **Not virtualized/Other**.

+1. In **Target region**, select the Azure region to which you want to migrate the machines.

+1. Select **Confirm that the target region for migration is \<region-name\>**.

+1. Select **Create resources**. This step creates an Azure Site Recovery vault in the background.

+ - If you already set up migration with the Migration and modernization tool, the target option can't be configured because resources were set up previously.

+ - You can't change the target region for this project after you select this button.

+ - To migrate your VMs to a different region, you need to create a new or different Azure Migrate project.

+ > If you selected private endpoint as the connectivity method for the Azure Migrate project when it was created, the Recovery Services vault is also configured for private endpoint connectivity. Ensure that the private endpoints are reachable from the replication appliance. [Learn more](troubleshoot-network-connectivity.md).

+1. In **Do you want to install a new replication appliance?**, select **Install a replication appliance**.

+1. In **Download and install the replication appliance software**, download the appliance installer and the registration key. You need the key to register the appliance. The key is valid for five days after download.

+ 

+1. Copy the appliance setup file and key file to the Windows Server 2016 or Windows Server 2012 AWS VM you created for the replication appliance.

+1. Run the replication appliance setup file, as described in the next procedure.

+ 1. Under **Before You Begin**, select **Install the configuration server and process server**. Then select **Next**.

+ 1. In **Third-Party Software License**, select **I accept the third-party license agreement**. Then select **Next**.

+ 1. In **Registration**, select **Browse**, and then go to where you put the vault registration key file. Select **Next**.

+ 1. In **Internet Settings**, select **Connect to Azure Site Recovery without a proxy server**. Then select **Next**.

+ 1. The **Prerequisites Check** page runs checks for several items. When it's finished, select **Next**.

+ 1. In **MySQL Configuration**, provide a password for the MySQL database. Then select **Next**.

+ 1. In **Environment Details**, select **No**. You don't need to protect your VMs. Then select **Next**.

+ 1. In **Install Location**, select **Next** to accept the default.

+ 1. In **Network Selection**, select **Next** to accept the default.

+ 1. In **Summary**, select **Install**.

+ 1. **Installation Progress** shows you information about the installation process. When it's finished, select **Finish**. A window displays a message about a reboot. Select **OK**.

+ 1. Next, a window displays a message about the configuration server connection passphrase. Copy the passphrase to your clipboard and save the passphrase in a temporary text file on the source VMs. You need this passphrase later during the Mobility service installation process.

+1. After the installation finishes, the Appliance configuration wizard launches automatically. (You can also launch the wizard manually by using the `cspsconfigtool` shortcut that was created on the appliance desktop.) In this tutorial, we manually install the Mobility service on source VMs to be replicated. You need to create a dummy account in this step to proceed. For your dummy account, use "guest" as the friendly name, "username" as the username, and "password" as the password for the account. You use this dummy account in the Enable Replication stage.

+1. After the appliance restarts after setup, in **Discover machines**, select the new appliance in **Select Configuration Server** and select **Finalize registration**. The **Finalize registration** step performs a couple of final tasks to prepare the replication appliance.

+ 

+A Mobility service agent must be preinstalled on the source AWS VMs to be migrated before you can initiate replication. The approach you choose to install the Mobility service agent might depend on your organization's preferences and existing tools. The "push" installation method built into Site Recovery isn't currently supported. Approaches you might want to consider:

+- [Azure Arc for servers and custom script extensions](../azure-arc/servers/overview.md)

+1. In the Azure Migrate project, select **Servers, databases, and web apps** > **Migration and modernization** > **Replicate**.

+ 

+1. In **Replicate**, > **Source settings** > **Are your machines virtualized?**, select **Not virtualized/Other**.

+1. In **On-premises appliance**, select the name of the Azure Migrate appliance that you set up.

+1. In **Process Server**, select the name of the replication appliance.

+1. In **Guest credentials**, select the dummy account you created previously during the [replication installer setup](#download-the-replication-appliance-installer) to install the Mobility service manually. (Push installation isn't supported.) Then select **Next: Virtual machines**.

+ 

+1. In **Virtual Machines**, in **Import migration settings from an assessment?**, leave the default setting **No, I'll specify the migration settings manually**.

+1. Check each VM you want to migrate. Then select **Next: Target settings**.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/select-vms-inline.png" alt-text="Screenshot that shows selecting VMs." lightbox="./media/tutorial-migrate-physical-virtual-machines/select-vms-expanded.png":::

+1. In **Target settings**, select the subscription and target region to which you'll migrate. Specify the resource group in which the Azure VMs will reside after migration.

+1. In **Virtual Network**, select the Azure virtual network/subnet to which the Azure VMs will be joined after migration.

+1. In **Cache storage account**, keep the default option to use the cache storage account that was automatically created for the project. Use the dropdown list if you want to specify a different storage account to use as the cache storage account for replication. <br/>

+ > - If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. [Learn more](migrate-servers-to-azure-using-private-link.md#grant-access-permissions-to-the-recovery-services-vault).

+ > - To replicate by using Azure ExpressRoute with private peering, create a private endpoint for the cache storage account. [Learn more](migrate-servers-to-azure-using-private-link.md#create-a-private-endpoint-for-the-storage-account-1).

+1. In **Availability options**, select:

+ - **Availability Zone**: Pins the migrated machine to a specific availability zone in the region. Use this option to distribute servers that form a multinode application tier across availability zones. If you select this option, you need to specify the availability zone to use for each of the selected machines on the **Compute** tab. This option is only available if the target region selected for the migration supports availability zones.

+ - **Availability Set**: Places the migrated machine in an availability set. The target resource group that was selected must have one or more availability sets in order to use this option.

+ - **No infrastructure redundancy required**: Select this option if you don't need either of these availability configurations for the migrated machines.

+1. In **Disk encryption type**, select:

+ - Encryption-at-rest with a platform-managed key.

+ - Encryption-at-rest with a customer-managed key.

+ - Double encryption with platform-managed and customer-managed keys.

+ > To replicate VMs with customer-managed keys, you need to [create a disk encryption set](../virtual-machines/disks-enable-customer-managed-keys-portal.md#set-up-your-disk-encryption-set) under the target resource group. A disk encryption set object maps managed disks to an Azure Key Vault instance that contains the customer-managed key to use for server-side encryption.

+1. In **Azure Hybrid Benefit**:

+ - Select **No** if you don't want to apply Azure Hybrid Benefit. Then select **Next**.

+ - Select **Yes** if you have Windows Server machines that are covered with active Software Assurance or Windows Server subscriptions, and you want to apply the benefit to the machines you're migrating. Then select **Next**.

+ 

+1. In **Compute**, review the VM name, size, OS disk type, and availability configuration (if selected in the previous step). VMs must conform with [Azure requirements](migrate-support-matrix-physical-migration.md#azure-vm-requirements).

+ - **VM size**: If you're using assessment recommendations, the VM size dropdown list shows the recommended size. Otherwise, Azure Migrate and Modernize picks a size based on the closest match in the Azure subscription. Alternatively, pick a manual size in **Azure VM size**.

+ - **Availability Zone**: Specify the availability zone to use.

+ - **Availability Set**: Specify the availability set to use.

+1. In **Disks**, specify whether the VM disks should be replicated to Azure and select the disk type (standard SSD/HDD or premium managed disks) in Azure. Then select **Next**.

+ - If you exclude disks, they won't be present on the Azure VM after migration.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/disks-inline.png" alt-text="Screenshot that shows the Disks tab in the Replicate dialog." lightbox="./media/tutorial-migrate-physical-virtual-machines/disks-expanded.png":::

+1. In **Tags**, choose to add tags to your virtual machines, disks, and NICs.

+ :::image type="content" source="./media/tutorial-migrate-vmware/tags-inline.png" alt-text="Screenshot that shows the Tags tab in the Replicate dialog." lightbox="./media/tutorial-migrate-vmware/tags-expanded.png":::

+1. In **Review and start replication**, review the settings and select **Replicate** to start the initial replication for the servers.

+> To update replication settings any time before replication starts, select **Manage** > **Replicating machines**. Settings can't be changed after replication starts.

+- When you select **Replicate**, a Start Replication job begins.

+- After that initial replication finishes, delta replication begins. Incremental changes to AWS VM disks are periodically replicated to the replica disks in Azure.

+You can monitor replication status by selecting **Replicating servers** in **Azure Migrate: Server Migration**.

+

+When delta replication begins, you can run a test migration for the VMs before you run a full migration to Azure. We highly recommend the test migration. It provides an opportunity to discover any potential issues and fix them before you proceed with the actual migration. We recommend that you do this step at least once for each VM before you migrate it.

+- Running a test migration checks that migration works as expected without affecting the AWS VMs, which remain operational and continue replicating.

+- Test migration simulates the migration by creating an Azure VM by using replicated data. (The test usually migrates to a nonproduction virtual network in your Azure subscription.)

+To do a test migration:

+1. In **Migration goals**, select **Servers, databases, and web apps** > **Migration and modernization** > **Test migrated servers**.

+ 

+1. Right-click the VM you want to test and select **Test migrate**.

+ 

+1. In **Test Migration**, select the Azure virtual network in which the Azure VM will be located after the migration. We recommend that you use a nonproduction virtual network.

+1. The Test Migration job starts. Monitor the job in the portal notifications.

+1. After the migration finishes, view the migrated Azure VM in **Virtual Machines** in the Azure portal. The machine name has the suffix **-Test**.

+1. After the test is finished, right-click the Azure VM in **Replicating machines** and select **Clean up test migration**.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/clean-up-inline.png" alt-text="Screenshot that shows the result after the cleanup of test migration." lightbox="./media/tutorial-migrate-physical-virtual-machines/clean-up-expanded.png":::

+ > You can now register your servers running SQL Server with SQL VM RP to take advantage of automated patching, automated backup, and simplified license management by using the SQL IaaS Agent Extension.

+ >- Select **Azure Hybrid Benefit for SQL Server** if you have SQL Server instances that are covered with active Software Assurance or SQL Server subscriptions and you want to apply the benefit to the machines you're migrating to.

+After you verify that the test migration works as expected, you can migrate the AWS VMs.

+1. In the Azure Migrate project, select **Servers, databases, and web apps** > **Migration and modernization** > **Replicating servers**.

+ 

+1. In **Replicating machines**, right-click the VM and select **Migrate**.

+1. In **Migrate** > **Shut down virtual machines and perform a planned migration with no data loss**, select **Yes** > **OK**.

+ > Automatic shutdown isn't supported while migrating AWS VMs.

+1. A migration job starts for the VM. You can view the job status by selecting the notification bell icon on the top right of the portal page. You can also go to the **Jobs** page of the Migration and modernization tool. (Select **Overview** on the tool tile and select **Jobs** from the left menu.)

+1. After the job finishes, you can view and manage the VM from the **Virtual Machines** page.

+1. After the migration is finished, right-click the VM and select **Stop migration**. This action:

+1. Verify and [troubleshoot any Windows activation issues on the Azure VM](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).

+ - Keep data secure by backing up Azure VMs by using Azure Backup. [Learn more](../backup/quick-backup-vm-portal.md).

+ - Lock down and limit inbound traffic access with [Microsoft Defender for Cloud - Just-in-time administration](../security-center/security-center-just-in-time.md).

+ - Restrict network traffic to management endpoints with [network security groups](../virtual-network/network-security-groups-overview.md).

+ - Deploy [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md) to help secure disks and keep data safe from theft and unauthorized access.

+ - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/) and [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/).

+ - Consider deploying [Microsoft Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.

+## Troubleshooting and tips

+**Question:** I can't see my AWS VM in the discovered list of servers for migration.<br>

+**Answer:** Check if your replication appliance meets the requirements. Make sure Mobility Agent is installed on the source VM to be migrated and is registered to the Configuration Server. Check the network setting and firewall rules to enable a network path between the replication appliance and source AWS VMs.

+**Question:** How do I know if my VM was successfully migrated?<br>

+**Answer:** Post migration, you can view and manage the VM from the **Virtual Machines** page. Connect to the migrated VM to validate.

+**Question:** I'm unable to import VMs for migration from my previously created Server Assessment results.<br>

+**Question:** I'm getting the error "Failed to fetch BIOS GUID" while trying to discover my AWS VMs.<br>

+**Answer:** Always use root login for authentication and not any pseudo user. Also, review supported operating systems for AWS VMs.

+**Question:** My replication status isn't progressing.<br>

+**Answer:** Check if your replication appliance meets the requirements. Make sure that you enabled the required ports on your replication appliance TCP port 9443 and HTTPS 443 for data transport. Ensure that no stale duplicate versions of the replication appliance are connected to the same project.

+**Question:** I'm unable to discover AWS instances by using Azure Migrate and Modernize because of the HTTP status code of 504 from the remote Windows management service.<br>

+**Answer:** Make sure to review the Azure Migrate appliance requirements and URL access needs. Make sure no proxy settings are blocking the appliance registration.

+**Question:** Do I have to make any changes before I migrate my AWS VMs to Azure?<br>

+**Answer:** You might have to make the following changes before you migrate your EC2 VMs to Azure:

+- If you're using cloud-init for your VM provisioning, you might want to disable cloud-init on the VM before you replicate it to Azure. The provisioning steps performed by cloud-init on the VM might be specific to AWS and won't be valid after the migration to Azure. ​

+- If the VM is a paravirtualized (PV) VM and not a hardware VM, you might not be able to run it as is on Azure. PV VMs use a custom boot sequence in AWS. You might be able to overcome this challenge by uninstalling PV drivers before you perform a migration to Azure.

+- We always recommend that you run a test migration before the final migration.

+**Question:** Can I migrate AWS VMs running the Amazon Linux operating system?<br>

+**Answer:** VMs running Amazon Linux can't be migrated as is because the Amazon Linux OS is only supported on AWS.

+To migrate workloads running on Amazon Linux, you can spin up a CentOS/RHEL VM in Azure. Then you can migrate the workload running on the AWS Linux machine by using a relevant workload migration approach. For example, depending on the workload, there might be workload-specific tools to aid the migration. These tools might be for databases or deployment tools for web servers.

+Investigate the [cloud migration journey](/azure/architecture/cloud-adoption/getting-started/migrate) in the Cloud Adoption Framework for Azure.

+ Title: Migrate machines as physical servers to Azure with Azure Migrate and Modernize

+description: This article describes how to migrate physical machines to Azure with Azure Migrate and Modernize.

+# Migrate machines as physical servers to Azure

+This article shows you how to migrate machines as physical servers to Azure by using the Migration and modernization tool. Migrating machines by treating them as physical servers is useful in many scenarios:

+- Migrate virtual machines (VMs) virtualized by platforms such as Xen and KVM.

+- Migrate Hyper-V or VMware VMs, if you're unable to use the standard migration process for [Hyper-V](tutorial-migrate-hyper-v.md) or [VMware](server-migrate-overview.md) migration.

+- Migrate VMs running in public clouds, such as Amazon Web Services (AWS) or Google Cloud Platform (GCP).

+> * Prepare to use Azure with the Migration and modernization tool.

+> * Check requirements for machines you want to migrate. Prepare a machine for the Azure Migrate and Modernize replication appliance that's used to discover and migrate machines to Azure.

+> * Add the Migration and modernization tool in the Azure Migrate and Modernize hub.

+> Tutorials show you the simplest deployment path for a scenario so that you can quickly set up a proof of concept. Tutorials use default options where possible and don't show all possible settings and paths. For detailed instructions, review the how-to articles for Azure Migrate and Modernize.

+> If you're planning to upgrade your Windows operating system, Azure Migrate and Modernize might download the Windows SetupDiag utility for error details in case upgrade fails. Ensure that the VM created in Azure after the migration has access to [SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142). If there's no access to SetupDiag, you might not be able to get detailed OS upgrade failure error codes but the upgrade can still proceed.

+Task | Details

+Create an Azure Migrate project | Your Azure account needs Contributor or Owner permissions to [create a new project](./create-manage-projects.md).

+Verify permissions for your Azure account | Your Azure account needs permissions to create a VM and write to an Azure managed disk.

+### Assign permissions to create a project

+1. In the Azure portal, open the subscription and select **Access control (IAM)**.

+1. In **Check access**, find the relevant account and select it to view permissions.

+1. You should have **Contributor** or **Owner** permissions.

+Assign the VM Contributor role to the Azure account. This role provides permissions to:

+> Virtual networks are a regional service, so make sure you create your virtual network in the desired target Azure region. For example, if you're planning on replicating and migrating VMs from your on-premises environment to the East US Azure Region, your target virtual network *must be created* in the East US Region. To connect virtual networks in different regions, see [Virtual network peering](../virtual-network/virtual-network-peering-overview.md).

+[Set up](../virtual-network/manage-virtual-network.md#create-a-virtual-network) an Azure virtual network. When you replicate to Azure, Azure VMs are created and joined to the Azure virtual network that you specified when you set up migration.

+To prepare for physical server migration, you need to verify the physical server settings and prepare to deploy a replication appliance.

+> When you migrate physical machines, the Migration and modernization tool uses the same replication architecture as agent-based disaster recovery in Azure Site Recovery. Some components share the same code base. Some content might link to Site Recovery documentation.

+1. Verify that on-premises machines that you replicate to Azure comply with [Azure VM requirements](migrate-support-matrix-physical-migration.md#azure-vm-requirements).

+1. Some changes are needed on VMs before you migrate them to Azure:

+ - For some operating systems, Azure Migrate and Modernize makes these changes automatically.

+ - Make these changes before you begin migration. If you migrate the VM before you make the change, the VM might not boot up in Azure.

+The Migration and modernization tool uses a replication appliance to replicate machines to Azure. The replication appliance runs the following components:

+- **Configuration server**: The configuration server coordinates communications between on-premises and Azure and manages data replication.

+- **Process server**: The process server acts as a replication gateway. It receives replication data and optimizes that data with caching, compression, and encryption. Then it sends the data to a cache storage account in Azure.

+To prepare for appliance deployment:

+> The replication appliance shouldn't be installed on a source machine that you want to replicate or on the Azure Migrate: Discovery and assessment appliance you might have installed before.

+The first step of migration is to set up the replication appliance. To set up the appliance for physical server migration, download the installer file for the appliance. Then run it on the [machine you prepared](#prepare-a-machine-for-the-replication-appliance). After you install the appliance, register it with the Migration and modernization tool.

+1. In the Azure Migrate project, select **Servers** > **Migration and modernization** > **Discover**.

+ 

+1. In **Discover machines** > **Are your machines virtualized?**, select **Not virtualized/Other**.

+1. In **Target region**, select the Azure region to which you want to migrate the machines.

+1. Select **Confirm that the target region for migration is region-name**.

+1. Select **Create resources** to create a Site Recovery vault in the background.

+ - If you already set up migration with the Migration and modernization tool, the target option can't be configured because resources were set up previously.

+ - You can't change the target region for this project after selecting this button.

+

+ > [!NOTE]

+ > If you selected private endpoint as the connectivity method for the Azure Migrate project when it was created, the Recovery Services vault is also configured for private endpoint connectivity. Ensure that the private endpoints are reachable from the replication appliance. [Learn more](troubleshoot-network-connectivity.md).

+1. In **Do you want to install a new replication appliance?**, select **Install a replication appliance**.

+1. In **Download and install the replication appliance software**, download the appliance installer and the registration key. You need the key to register the appliance. The key is valid for five days after it was downloaded.

+ 

+1. Copy the appliance setup file and key file to the Windows Server 2016 machine you created for the appliance.

+1. After the installation finishes, the Appliance configuration wizard launches automatically. (You can also launch the wizard manually by using the `cspsconfigtool` shortcut that was created on the appliance desktop.) In this tutorial, we manually install the Mobility service on the source VMs to be replicated. You need to create a dummy account in this step to proceed. For your dummy account, use "guest" as the friendly name, "username" as the username, and "password" as the password for the account. You use this dummy account in the Enable Replication stage.

+1. After the appliance restarts after setup, in **Discover machines**, select the new appliance in **Select Configuration Server**. Then select **Finalize registration**. The **Finalize registration** step performs a couple of final tasks to prepare the replication appliance.

+ 

+The mobility service agent must be installed on the servers to get them discovered by using the replication appliance. Discovered machines appear in **Azure Migrate: Server Migration**. As VMs are discovered, the **Discovered servers** count rises.

+

+> We recommend that you perform discovery and assessment prior to the migration by using the Azure Migrate: Discovery and assessment tool, a separate lightweight Azure Migrate appliance. You can deploy the appliance as a physical server to continuously discover servers and performance metadata. For detailed steps, see [Discover physical servers](tutorial-discover-physical.md).

+A Mobility service agent must be preinstalled on the source physical machines to be migrated before you can start replication. The approach you choose to install the Mobility service agent might depend on your organization's preferences and existing tools. The "push" installation method built into Site Recovery isn't currently supported. Approaches you might want to consider:

+- [Azure Arc for servers and custom script extensions](../azure-arc/servers/overview.md)

+1. Extract the contents of the installer tarball to a local folder (for example, */tmp/MobSvcInstaller*) on the machine:

+1. Run the installer script:

+1. Register the agent with the replication appliance:

+> You can replicate up to 10 machines together. If you need to replicate more, replicate them simultaneously in batches of 10.

+1. In the Azure Migrate project, select **Servers** > **Migration and modernization** > **Replicate**.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/select-replicate.png" alt-text="Screenshot that shows selecting Replicate.":::

+1. In **Replicate**, > **Source settings** > **Are your machines virtualized?**, select **Physical or other (AWS, GCP, Xen, etc.)**.

+1. In **On-premises appliance**, select the name of the Azure Migrate appliance that you set up.

+1. In **Process Server**, select the name of the replication appliance.

+1. In **Guest credentials**, select the dummy account created previously during the [replication installer setup](#download-the-replication-appliance-installer) to install the Mobility service manually. (Push installation isn't supported.) Then select **Next: Virtual machines**.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/source-settings.png" alt-text="Screenshot that shows source settings.":::

+1. In **Virtual machines**, in **Import migration settings from an assessment?**, leave the default setting **No, I'll specify the migration settings manually**.

+1. Check each VM you want to migrate. Then select **Next: Target settings**.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/select-vms-inline.png" alt-text="Screenshot that shows selecting VMs." lightbox="./media/tutorial-migrate-physical-virtual-machines/select-vms-expanded.png":::

+1. In **Target settings**, select the subscription and target region to which you'll migrate. Specify the resource group in which the Azure VMs will reside after migration.

+1. In **Virtual Network**, select the Azure virtual network/subnet to which the Azure VMs will be joined after migration.

+1. In **Cache storage account**, keep the default option to use the cache storage account that's automatically created for the project. Use the dropdown list if you want to specify a different storage account to use as the cache storage account for replication. <br/>

+ > - If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. [Learn more](migrate-servers-to-azure-using-private-link.md#grant-access-permissions-to-the-recovery-services-vault).

+ > - To replicate by using Azure ExpressRoute with private peering, create a private endpoint for the cache storage account. [Learn more](migrate-servers-to-azure-using-private-link.md#create-a-private-endpoint-for-the-storage-account-1).

+1. In **Availability options**, select:

+ - **Availability Zone**: Pins the migrated machine to a specific availability zone in the region. Use this option to distribute servers that form a multinode application tier across availability zones. If you select this option, you need to specify the availability zone to use for each of the selected machines on the **Compute** tab. This option is only available if the target region selected for the migration supports availability zones.

+ - **Availability Set**: Places the migrated machine in an availability set. The target resource group that was selected must have one or more availability sets in order to use this option.

+ - **No infrastructure redundancy required**: Select this option if you don't need either of the availability configurations for the migrated machines.

+1. In **Disk encryption type**, select:

+ - Encryption-at-rest with platform-managed key.

+ - Encryption-at-rest with customer-managed key.

+ - Double encryption with platform-managed and customer-managed keys.

+ > To replicate VMs with customer-managed keys, you need to [create a disk encryption set](../virtual-machines/disks-enable-customer-managed-keys-portal.md#set-up-your-disk-encryption-set) under the target resource group. A disk encryption set object maps managed disks to an Azure Key Vault instance that contains the customer-managed key to use for server-side encryption.

+1. In **Azure Hybrid Benefit**:

+ - Select **No** if you don't want to apply Azure Hybrid Benefit. Then select **Next**.

+ - Select **Yes** if you have Windows Server machines that are covered with active Software Assurance or Windows Server subscriptions, and you want to apply the benefit to the machines you're migrating. Then select **Next**.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/target-settings.png" alt-text="Screenshot that shows Target settings.":::

+1. In **Compute**, review the VM name, size, OS disk type, and availability configuration (if selected in the previous step). VMs must conform with [Azure requirements](migrate-support-matrix-physical-migration.md#azure-vm-requirements).

+ - **VM size**: If you're using assessment recommendations, the VM size dropdown list shows the recommended size. Otherwise, Azure Migrate and Modernize picks a size based on the closest match in the Azure subscription. Alternatively, pick a manual size in **Azure VM size**.

+ - **Availability Zone**: Specify the availability zone to use.

+ - **Availability Set**: Specify the availability set to use.

+1. In **Disks**, specify whether the VM disks should be replicated to Azure. Select the disk type (standard SSD/HDD or premium managed disks) in Azure. Then select **Next**.

+ - If you exclude disks, they won't be present on the Azure VM after migration.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/disks-inline.png" alt-text="Screenshot that shows the Disks tab in the Replicate dialog." lightbox="./media/tutorial-migrate-physical-virtual-machines/disks-expanded.png":::

+1. In **Tags**, choose to add tags to your VMs, disks, and NICs.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/tags-inline.png" alt-text="Screenshot that shows the tags tab in the Replicate dialog." lightbox="./media/tutorial-migrate-physical-virtual-machines/tags-expanded.png":::

+1. In **Review and start replication**, review the settings and select **Replicate** to start the initial replication for the servers.

+> You can update replication settings any time before replication starts. Select **Manage** > **Replicating machines**. Settings can't be changed after replication starts.

+- When you select **Replicate**, a Start Replication job begins.

+- After the Start Replication job finishes successfully, the machines begin their initial replication to Azure.

+You can monitor replication status by selecting **Replicating servers** in **Azure Migrate: Server Migration**.

+

+When delta replication begins, you can run a test migration for the VMs before you run a full migration to Azure. We highly recommend that you do this step at least once for each machine before you migrate it.

+- Running a test migration checks that migration works as expected, without affecting the on-premises machines, which remain operational and continue replicating.

+- Test migration simulates the migration by creating an Azure VM using replicated data. (The test usually migrates to a nonproduction virtual network in your Azure subscription.)

+To do a test migration:

+1. In **Migration goals**, select **Servers** > **Migration and modernization** > **Test migrated servers**.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/test-migrated-servers.png" alt-text="Screenshot that shows Test migrated servers.":::

+1. Right-click the VM you want to test and select **Test migrate**.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/test-migrate-inline.png" alt-text="Screenshot that shows the result after selecting Test migrate." lightbox="./media/tutorial-migrate-physical-virtual-machines/test-migrate-expanded.png":::

+1. In **Test Migration**, select the Azure virtual network in which the Azure VM will be located after the migration. We recommend that you use a nonproduction virtual network.

+1. You can upgrade the Windows Server OS during test migration. To upgrade, select the **Upgrade available** option. In the pane that appears, select the target OS version that you want to upgrade to and select **Apply**. [Learn more](how-to-upgrade-windows.md).

+1. The Test Migration job starts. Monitor the job in the portal notifications.

+1. After the migration finishes, view the migrated Azure VM in **Virtual Machines** in the Azure portal. The machine name has the suffix **-Test**.

+1. After the test is finished, right-click the Azure VM in **Replicating machines** and select **Clean up test migration**.

+ :::image type="content" source="./media/tutorial-migrate-physical-virtual-machines/clean-up-inline.png" alt-text="Screenshot that shows Clean up test migration." lightbox="./media/tutorial-migrate-physical-virtual-machines/clean-up-expanded.png":::

+ > You can now register your servers running SQL Server with SQL VM RP to take advantage of automated patching, automated backup, and simplified license management by using the SQL IaaS Agent Extension.

+ >- Select **Azure Hybrid Benefit for SQL Server** if you have SQL Server instances that are covered with active Software Assurance or SQL Server subscriptions and you want to apply the benefit to the machines you're migrating.

+After you verify that the test migration works as expected, you can migrate the on-premises machines.

+1. In the Azure Migrate project, select **Servers, databases, and web apps** > **Migration and modernization** > **Replicating servers**.

+ 

+1. In **Replicating machines**, right-click the VM and select **Migrate**.

+1. In **Migrate** > **Shut down virtual machines and perform a planned migration with no data loss**, select **No** > **OK**.

+ > For minimal data loss, we recommend that you bring the application down manually as part of the migration window. (Don't let the applications accept any connections.) Then initiate the migration. The server needs to be kept running so that remaining changes can be synchronized before the migration is finished.

+1. You can upgrade the Windows Server OS during migration. To upgrade, select the **Upgrade available** option. In the pane that appears, select the target OS version that you want to upgrade to and select **Apply**. [Learn more](how-to-upgrade-windows.md).

+1. A migration job starts for the VM. Track the job in Azure notifications.

+1. After the job finishes, you can view and manage the VM from the **Virtual Machines** page.

+1. After the migration is finished, right-click the VM and select **Stop replication**. This action:

+1. Verify and [troubleshoot any Windows activation issues on the Azure VM](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).

+ - Keep data secure by backing up Azure VMs by using the Azure Backup service. [Learn more](../backup/quick-backup-vm-portal.md).

+ - Lock down and limit inbound traffic access with [Microsoft Defender for Cloud - Just-in-time administration](../security-center/security-center-just-in-time.md).

+ - Restrict network traffic to management endpoints with [network security groups](../virtual-network/network-security-groups-overview.md).

+ - Deploy [Azure Disk Encryption](../virtual-machines/disk-encryption-overview.md) to help secure disks and keep data safe from theft and unauthorized access.

+ - Read more about [securing IaaS resources](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/)and [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/).

+ - Consider deploying [Microsoft Cost Management](../cost-management-billing/cost-management-billing-overview.md) to monitor resource usage and spending.

+Investigate the [cloud migration journey](/azure/architecture/cloud-adoption/getting-started/migrate) in the Cloud Adoption Framework for Azure.

+## Update (February 2024)

+- Public preview: Envision savings with Azure Hybrid Benefits by bringing your existing Enterprise Linux subscriptions to Azure using Azure VM assessments and business case.

+- Ease of deployment, simplified scaling, and low database management overhead for functions such as backups, high availability, security, and monitoring.

+- Application developments requiring community version of MySQL with better control and customizations.

+- Production workloads with same-zone, zone-redundant high availability, and managed maintenance windows.

+- Simplified development experience.

+- Enterprise grade security, compliance, and privacy.

+For more information, see [Backup concepts](concepts-backup-restore.md).

+For more information, see [Networking concepts](concepts-networking.md).

+For more information, see [Compute and Storage concepts](concepts-compute-storage.md).

+Azure Database for MySQL flexible server allows you to stop and start servers on-demand to optimize cost. The compute tier billing is stopped immediately when the server is stopped. This functionality can allow you to have significant cost savings during development, testing and for time-bound predictable production workloads. The server remains in stopped state for 30 days unless restarted sooner.

+Azure Database for MySQL flexible server encrypts data in-motion with transport layer security enforced by default. Azure Database for MySQL flexible server by default supports encrypted connections using Transport Layer Security (TLS 1.2) and all incoming connections with TLS 1.0 and TLS 1.1 are denied. You can disable TSL/SSL enforcement by setting the require_secure_transport server parameter and then setting the minimum tls_version for your server.

+| Canada Central | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+| China North 3 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |

+| Norway East | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |

+| Sweden Central | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |

+| Switzerland North | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: :heavy_check_mark: |

+| Switzerland West | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: |

+| UAE Central | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: |

+| UAE North | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |

+For servers with more than 1 TiB of provisioned storage, the storage autogrow mechanism activates when the available space falls to less than 10% of the total capacity or 64 GiB of free space, whichever of the two values is smaller. Conversely, for servers with storage under 1 TiB, this threshold is adjusted to 20% of the available free space or 64 GiB, depending on which of these values is smaller.

+The process of scaling storage is performed online without causing any downtime, except when the disk is provisioned at 4,096 GiB. This exception is a limitation of Azure Managed disks. If a disk is already 4,096 GiB, the storage scaling activity will not be triggered, even if storage auto-grow is turned on. In such cases, you need to scale your storage manually. Manual scaling is an offline operation that you should plan according to your business requirements.

+Premium SSD v2 offers higher performance than Premium SSDs while also generally being less costly. You can individually tweak the performance (capacity, throughput, and IOPS) of Premium SSD v2 disks at any time, allowing workloads to be cost-efficient while meeting shifting performance needs. For example, a transaction-intensive database might need a large amount of IOPS at a small size, or a gaming application might need a large amount of IOPS but only during peak hours. Because of this, for most general-purpose workloads, Premium SSD v2 can provide the best price performance. You can now deploy Azure Database for PostgreSQL flexible server instances with Premium SSD v2 disk in limited regions.

+Unlike Premium SSDs, Premium SSD v2 doesn't have dedicated sizes. You can set a Premium SSD v2 to any supported size you prefer, and make granular adjustments (1-GiB increments) as per your workload requirements. Premium SSD v2 doesn't support host caching but still provides significantly lower latency than Premium SSD. Premium SSD v2 capacities range from 1 GiB to 64 TiBs.

+| **Scenario** | Production and performance-sensitive workloads that consistently require low latency and high IOPS and throughput | Production and performance-sensitive workloads |

+All Premium SSD v2 disks have a baseline throughput of 125 MB/s that is free of charge. After 6 GiB, the maximum throughput that can be set increases by 0.25 MB/s per set IOPS. If a disk has 3,000 IOPS, the maximum throughput it can set is 750 MB/s. To raise the throughput for this disk beyond 750 MB/s, its IOPS must be increased. For example, if you increase the IOPS to 4,000, then the maximum throughput that can be set is 1,000. 1,200 MB/s is the maximum throughput supported for disks that have 5,000 IOPS or more. Increasing your throughput beyond 125 increases the price of your disk.

+- Azure Database for PostgreSQL flexible server with Premium SSD V2 disk can be deployed only in East US2, West Europe, East US, Switzerland North regions during early preview. Support for more regions is coming soon.

+- During early preview, SSD V2 disk won't have support for High Availability, Read Replicas, Geo Redundant Backups, Customer Managed Keys, or Storage Auto-grow features. These features will be supported soon on Premium SSD V2.

+Vectors are stored in a search index. Use the [Create Index REST API](/rest/api/searchservice/indexes/create-or-update) or an equivalent Azure SDK method to [create the vector store](vector-search-how-to-create-index.md).

+Considerations for vector storage include the following points:

+## Vector retrieval patterns

+In Azure AI Search, there are two patterns for working with search results.

+Your index schema should reflect your primary use case.

+## Schema designs for each retrieval pattern

+The following examples highlight the differences in field composition for solutions build for generative AI versus classic search.

+An index schema for a vector store requires a name, a key field, one or more vector fields, and a vector configuration. Nonvector fields are recommended for hybrid queries, or for returning human readable content that doesn't have to be decoded first. For step by step instructions, see [Create a vector store](vector-search-how-to-create-index.md).

+### Basic vector field configuration

+A vector field, such as "content_vector" in the following example, is of type `Collection(Edm.Single)`. It must be searchable and retrievable. It can't be filterable, facetable, or sortable, and it can't have analyzers, normalizers, or synonym map assignments. It must have dimensions set to a value supported by the embedding model. Text-embedding-ada-002 is the mostly commonly used embedding model and it generates embeddings using 1,536 dimensions. A vector search profile is specified in a vector search configuration and assigned to a vector field using the profile name.

+Content (nonvector) fields are useful for human readable text returned directly from the search engine. If you're using language models exclusively for response formulation, you can skip nonvector content fields. This example assumes that "content" is the human readable equivalent of the "content_vector" field.

+Metadata fields are useful for filters, especially if metadata includes origin information about the source document.

+"name": "example-index-basic-vector-field",

+"fields": [

+ { "name": "id", "type": "Edm.String", "searchable": false, "filterable": true, "retrievable": true, "key": true },

+ { "name": "content_vector", "type": "Collection(Edm.Single)", "searchable": true, "filterable": false, "retrievable": true,

+ "dimensions": 1536, "vectorSearchProfile": null },

+ { "name": "content", "type": "Edm.String", "searchable": true, "retrievable": true, "analyzer": null },

+ { "name": "metadata", "type": "Edm.String", "searchable": true, "filterable": true, "retrievable": true, "sortable": true, "facetable": true }

+]

+### Schema generated by the Import and vectorize data wizard

+We recommend the [Import and vectorize data wizard](search-get-started-portal-import-vectors.md) for evaluation and proof-of-concept testing. The wizard generates the example schema in this section.

+The bias of this schema is that search documents are built around data chunks. If a language model formulates the response, you want a schema designed around data chunks.

+Data chunking is necessary for staying within the input limits of language models, but it also improves precision in similarity search when queries can be matched against smaller chunks of content pulled from multiple parent documents. Finally, if you're using semantic ranking, the semantic ranker also has token limits, which are more easily met if data chunking is part of your approach.

+In the following example, for each search document, there's one chunk ID, chunk, title, and vector field. The chunkID and parent ID are populated by the wizard, using base 64 encoding of blob metadata (path). Chunk and title are derived from blob content and blob name. Only the vector field is fully generated. It calls an Azure OpenAI resource that you provide.

+```json

+"name": "example-index-from-import-wizard",

+"fields": [

+ {"name": "chunk_id", "type": "Edm.String", "key": true, "searchable": true, "filterable": true, "retrievable": true, "sortable": true, "facetable": true, "analyzer": "keyword"},

+ { "name": "parent_id", "type": "Edm.String", "searchable": true, "filterable": true, "retrievable": true, "sortable": true},

+ { "name": "chunk", "type": "Edm.String", "searchable": true, "filterable": false, "retrievable": true, "sortable": false},

+ { "name": "title", "type": "Edm.String", "searchable": true, "filterable": true, "retrievable": true, "sortable": false},

+ { "name": "vector", "type": "Collection(Edm.Single)", "searchable": true, "retrievable": true, "dimensions": 1536, "vectorSearchProfile": "vector-1707768500058-profile"}

+]

+```

+## Vector data retrieval

+If you use search results as grounding data, where a chat model generates the answer to a query, design a schema that stores chunks of text. Data chunking is a requirement if source files are too large for the embedding model. It's also efficient for chat if the original source files contain a varied information.

+## See also

+| [Microsoft Azure ECC TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x01529ee8368f0b5d72ba433e2d8ea62d<br>56D955C849887874AA1767810366D90ADF6C8536 |

+| [Microsoft Azure ECC TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003.crt) | 0x330000003322a2579b5e698bcc000000000033<br>91503BE7BF74E2A10AA078B48B71C3477175FEC3 |

+| [Microsoft Azure ECC TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x02393d48d702425a7cb41c000b0ed7ca<br>FB73FDC24F06998E070A06B6AFC78FDF2A155B25 |

+| [Microsoft Azure ECC TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004.crt) | 0x33000000322164aedab61f509d000000000032<br>406E3B38EFF35A727F276FE993590B70F8224AED |

+| [Microsoft Azure ECC TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0f1f157582cdcd33734bdc5fcd941a33<br>3BE6CA5856E3B9709056DA51F32CBC8970A83E28 |

+| [Microsoft Azure ECC TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007.crt) | 0x3300000034c732435db22a0a2b000000000034<br>AB3490B7E37B3A8A1E715036522AB42652C3CFFE |

+| [Microsoft Azure ECC TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0ef2e5d83681520255e92c608fbc2ff4<br>716DF84638AC8E6EEBE64416C8DD38C2A25F6630 |

+| [Microsoft Azure ECC TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008.crt) | 0x3300000031526979844798bbb8000000000031<br>CF33D5A1C2F0355B207FCE940026E6C1580067FD |

+| [Microsoft Azure RSA TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x05196526449a5e3d1a38748f5dcfebcc<br>F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6 |

+| [Microsoft Azure RSA TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003.crt) | 0x330000003968ea517d8a7e30ce000000000039<br>37461AACFA5970F7F2D2BAC5A659B53B72541C68 |

+| [Microsoft Azure RSA TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x09f96ec295555f24749eaf1e5dced49d<br>BE68D0ADAA2345B48E507320B695D386080E5B25 |

+| [Microsoft Azure RSA TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crt) | 0x330000003cd7cb44ee579961d000000000003c<br>7304022CA8A9FF7E3E0C1242E0110E643822C45E |

+| [Microsoft Azure RSA TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0a43a9509b01352f899579ec7208ba50<br>3382517058A0C20228D598EE7501B61256A76442 |

+| [Microsoft Azure RSA TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007.crt) | 0x330000003bf980b0c83783431700000000003b<br>0E5F41B697DAADD808BF55AD080350A2A5DFCA93 |

+| [Microsoft Azure RSA TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0efb7e547edf0ff1069aee57696d7ba0<br>31600991ED5FEC63D355A5484A6DCC787EAD89BC |

+| [Microsoft Azure RSA TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008.crt) | 0x330000003a5dc2ffc321c16d9b00000000003a<br>512C8F3FB71EDACF7ADA490402E710B10C73026E |

+| Γöö [Microsoft Azure RSA TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x05196526449a5e3d1a38748f5dcfebcc<br>F9388EA2C9B7D632B66A2B0B406DF1D37D3901F6 |

+| Γöö [Microsoft Azure RSA TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x09f96ec295555f24749eaf1e5dced49d<br>BE68D0ADAA2345B48E507320B695D386080E5B25 |

+| Γöö [Microsoft Azure RSA TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0a43a9509b01352f899579ec7208ba50<br>3382517058A0C20228D598EE7501B61256A76442 |

+| Γöö [Microsoft Azure RSA TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0efb7e547edf0ff1069aee57696d7ba0<br>31600991ED5FEC63D355A5484A6DCC787EAD89BC |

+| Γöö [Microsoft Azure ECC TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003%20-%20xsign.crt) | 0x01529ee8368f0b5d72ba433e2d8ea62d<br>56D955C849887874AA1767810366D90ADF6C8536 |

+| Γöö [Microsoft Azure ECC TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004%20-%20xsign.crt) | 0x02393d48d702425a7cb41c000b0ed7ca<br>FB73FDC24F06998E070A06B6AFC78FDF2A155B25 |

+| Γöö [Microsoft Azure ECC TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007%20-%20xsign.crt) | 0x0f1f157582cdcd33734bdc5fcd941a33<br>3BE6CA5856E3B9709056DA51F32CBC8970A83E28 |

+| Γöö [Microsoft Azure ECC TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008%20-%20xsign.crt) | 0x0ef2e5d83681520255e92c608fbc2ff4<br>716DF84638AC8E6EEBE64416C8DD38C2A25F6630 |

+| Γöö [Microsoft Azure ECC TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2003.crt) | 0x330000003322a2579b5e698bcc000000000033<br>91503BE7BF74E2A10AA078B48B71C3477175FEC3 |

+| Γöö [Microsoft Azure ECC TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2004.crt) | 0x33000000322164aedab61f509d000000000032<br>406E3B38EFF35A727F276FE993590B70F8224AED |

+| Γöö [Microsoft Azure ECC TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2007.crt) | 0x3300000034c732435db22a0a2b000000000034<br>AB3490B7E37B3A8A1E715036522AB42652C3CFFE |

+| Γöö [Microsoft Azure ECC TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20ECC%20TLS%20Issuing%20CA%2008.crt) | 0x3300000031526979844798bbb8000000000031<br>CF33D5A1C2F0355B207FCE940026E6C1580067FD |

+| Γöö [Microsoft Azure RSA TLS Issuing CA 03](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003.crt) | 0x330000003968ea517d8a7e30ce000000000039<br>37461AACFA5970F7F2D2BAC5A659B53B72541C68 |

+| Γöö [Microsoft Azure RSA TLS Issuing CA 04](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crt) | 0x330000003cd7cb44ee579961d000000000003c<br>7304022CA8A9FF7E3E0C1242E0110E643822C45E |

+| Γöö [Microsoft Azure RSA TLS Issuing CA 07](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007.crt) | 0x330000003bf980b0c83783431700000000003b<br>0E5F41B697DAADD808BF55AD080350A2A5DFCA93 |

+| Γöö [Microsoft Azure RSA TLS Issuing CA 08](https://www.microsoft.com/pkiops/certs/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008.crt) | 0x330000003a5dc2ffc321c16d9b00000000003a<br>512C8F3FB71EDACF7ADA490402E710B10C73026E |

+### Azure Virtual Network Manager

+[Azure Virtual Network Manager](../../virtual-network-manager/overview.md) provides a centralized solution for protecting your virtual networks at scale. It uses [security admin rules](../../virtual-network-manager/concept-security-admins.md) to centrally define and enforce security policies for your virtual networks across your entire organization. Security admin rules takes precedence over network security group(NSGs) rules and are applied on the virtual network. This allows organizations to enforce core policies with security admin rules, while still enabling downstream teams to tailor NSGs according to their specific needs at the subnet and NIC levels. Depending on the needs of your organization, you can use **Allow**, **Deny**, or **Always Allow** rule actions to enforce security policies.

+| Rule Action | Description |

+|-|-|

+| **Allow** | Allows the specified traffic by default. Downstream NSGs still receive this traffic and may deny it.|

+| **Always Allow** | Always allow the specified traffic, regardless of other rules with lower priority or NSGs. This can be used to ensure that monitoring agent, domain controller, or management traffic is not blocked. |

+| **Deny** | Block the specified traffic. Downstream NSGs will not evaluate this traffic after being denied by a security admin rule, ensuring your high-risk ports for existing and new virtual networks are protected by default. |

+In Azure Virtual Network Manager, [network groups](../../virtual-network-manager/concept-network-groups.md) allow you to group virtual networks together for centralized management and enforcement of security policies. Network groups are a logical grouping of virtual networks based on your needs from a topology and security perspective. You can manually update the virtual network membership of your network groups or you can [define conditional statements with Azure Policy](../../virtual-network-manager/concept-azure-policy-integration.md) to dynamically update network groups to automatically update your network group membership.

+ Use the [CONNECT](/rest/api/securityinsights/data-connectors/connect) endpoint to send a PUT method and pass the JSON configuration directly in the body of the message. For more information, see [auth configuration](#auth-configuration).

+Build the data connector user interface with the [**Data Connector Definition** API](/rest/api/securityinsights/data-connector-definitions). Use the [Data connector definitions reference](data-connector-ui-definitions-reference.md) as a supplement to explain the API elements in greater detail.

+To create a data connector with the Codeless Connector Platform (CCP), use this document as a supplement to the [Microsoft Sentinel REST API for Data Connector Definitions](/rest/api/securityinsights/data-connector-definitions) reference docs. Specifically this reference document expands on the following section:

+Reference the Create Or Update operation in the REST API docs to find the latest stable or preview API version. Only the `update` operation requires the `etag` value.

+The following example brings together some of the components defined in this article as a JSON body format to use with the Create Or Update data connector definition API.

+- See the Recorded Future Logic App [connector documentation](/connectors/recordedfuturev2/).

+- See the ReversingLabs TitaniumCloud Logic App [connector documentation](/connectors/reversinglabstitaniu/).

+- [Workspace Manager Assignment Jobs](/rest/api/securityinsights/workspace-manager-assignment-jobs)

+- [Workspace Manager Assignments](/rest/api/securityinsights/workspace-manager-assignments)

+- [Workspace Manager Configurations](/rest/api/securityinsights/workspace-manager-configurations)

+- [Workspace Manager Groups](/rest/api/securityinsights/workspace-manager-groups)

+- [Workspace Manager Members](/rest/api/securityinsights/workspace-manager-members)

+> [!NOTE]

+> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery.

+Red Hat Enterprise Linux | 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6,[7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9](https://support.microsoft.com/help/4578241/), [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609/), [8.3](https://support.microsoft.com/help/4597409/), [8.4](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-305.30.1.el8_4.x86_64 or higher), [8.5](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-348.5.1.el8_5.x86_64 or higher), [8.6](https://support.microsoft.com/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), 8.7, 8.8, 8.9, 9.0, 9.1, 9.2, 9.3 <br> RHEL `9.x` is supported for the [following kernel versions](#supported-kernel-versions-for-red-hat-enterprise-linux-for-azure-virtual-machines).

+Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4573888/), [7.9](https://support.microsoft.com/help/4597409), [8.0](https://support.microsoft.com/help/4573888/), [8.1](https://support.microsoft.com/help/4573888/), [8.2](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.3](https://support.microsoft.com/topic/update-rollup-55-for-azure-site-recovery-kb5003408-b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8) (running the Red Hat compatible kernel or Unbreakable Enterprise Kernel Release 3, 4, 5, and 6 (UEK3, UEK4, UEK5, UEK6), [8.4](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), 8.5, 8.6, 8.7, 8.8 , 8.9, 9.0, 9.1, 9.2, 9.3. <br/><br/>8.1 (running on all UEK kernels and RedHat kernel <= 3.10.0-1062.* are supported in [9.35](https://support.microsoft.com/help/4573888/) Support for rest of the RedHat kernels is available in [9.36](https://support.microsoft.com/help/4578241/)). <br> Oracle Linux 9.x is supported for the [following kernel versions](#supported-red-hat-linux-kernel-versions-for-oracle-linux-on-azure-virtual-machines).

+#### Supported kernel versions for Red Hat Enterprise Linux for Azure virtual machines

+**Release** | **Mobility service version** | **Red Hat kernel version** |

+ | | |

+RHEL 9.0 <br> RHEL 9.1 <br> RHEL 9.2 <br> RHEL 9.3 | 9.60 | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 <br> 5.14.0-284.11.1.el9_2.x86_64 <br> 5.14.0-284.13.1.el9_2.x86_64 <br> 5.14.0-284.16.1.el9_2.x86_64 <br> 5.14.0-284.18.1.el9_2.x86_64 <br> 5.14.0-284.23.1.el9_2.x86_64 <br> 5.14.0-284.25.1.el9_2.x86_64 <br> 5.14.0-284.28.1.el9_2.x86_64 <br> 5.14.0-284.30.1.el9_2.x86_64 <br> 5.14.0-284.32.1.el9_2.x86_64 <br> 5.14.0-284.34.1.el9_2.x86_64 <br> 5.14.0-284.36.1.el9_2.x86_64 <br> 5.14.0-284.40.1.el9_2.x86_64 <br> 5.14.0-284.41.1.el9_2.x86_64 <br>5.14.0-284.43.1.el9_2.x86_64 <br>5.14.0-284.44.1.el9_2.x86_64 <br> 5.14.0-284.45.1.el9_2.x86_64 <br>5.14.0-284.48.1.el9_2.x86_64 <br>5.14.0-284.50.1.el9_2.x86_64 <br> 5.14.0-284.52.1.el9_2.x86_64 <br>5.14.0-362.8.1.el9_3.x86_64 <br>5.14.0-362.13.1.el9_3.x86_64 |

+> [!NOTE]

+> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery.

+14.04 LTS | [9.60]()| No new 14.04 LTS kernels supported in this release. |

+16.04 LTS | [9.60]() | No new 16.04 LTS kernels supported in this release. |

+18.04 LTS | [9.60]() | No new 18.04 LTS kernels supported in this release. |

+20.04 LTS | [9.60]() | No new 20.04 LTS kernels supported in this release. |

+22.04 LTS |[9.60]()| 5.19.0-1025-azure <br> 5.19.0-1026-azure <br> 5.19.0-1027-azure <br> 5.19.0-41-generic <br> 5.19.0-42-generic <br> 5.19.0-43-generic <br> 5.19.0-45-generic <br> 5.19.0-46-generic <br> 5.19.0-50-generic <br> 6.2.0-1005-azure <br> 6.2.0-1006-azure <br> 6.2.0-1007-azure <br> 6.2.0-1008-azure <br> 6.2.0-1011-azure <br> 6.2.0-1012-azure <br> 6.2.0-1014-azure <br> 6.2.0-1015-azure <br> 6.2.0-1016-azure <br> 6.2.0-1017-azure <br> 6.2.0-1018-azure <br> 6.2.0-25-generic <br> 6.2.0-26-generic <br> 6.2.0-31-generic <br> 6.2.0-32-generic <br> 6.2.0-33-generic <br> 6.2.0-34-generic <br> 6.2.0-35-generic <br> 6.2.0-36-generic <br> 6.2.0-37-generic <br> 6.2.0-39-generic <br> 6.5.0-1007-azure <br> 6.5.0-1009-azure <br> 6.5.0-1010-azure <br> 6.5.0-14-generic |

+> [!NOTE]

+> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery.

+

+Debian 7 | [9.60]| No new Debian 7 kernels supported in this release. |

+Debian 8 | [9.60]| No new Debian 8 kernels supported in this release. |

+Debian 9.1 | [9.60]| No new Debian 9.1 kernels supported in this release. |

+Debian 10 | [9.60]| 4.19.0-26-amd64 <br> 4.19.0-26-cloud-amd64 <br> 5.10.0-0.deb10.27-amd64 <br> 5.10.0-0.deb10.27-cloud-amd64 |

+Debian 10 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50)| No new Debian 10 kernels supported in this release. |

+Debian 11 | [9.60]()| 5.10.0-27-amd64 <br> 5.10.0-27-cloud-amd64 |

+> [!NOTE]

+> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery.

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.60]() | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.163-azure:5 |

+> [!NOTE]

+> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery.

+

+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4, SP5) | [9.60]() | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> No new SUSE 15 kernels supported in this release. |

+#### Supported Red Hat Linux kernel versions for Oracle Linux on Azure virtual machines

+**Release** | **Mobility service version** | **Red Hat kernel version** |

+ | | |

+Oracle Linux 9.0 <br> Oracle Linux 9.1 <br> Oracle Linux 9.2 <br> Oracle Linux 9.3 | 9.60 | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 <br> 5.14.0-284.11.1.el9_2.x86_64 <br>5.14.0-284.13.1.el9_2.x86_64 <br>5.14.0-284.16.1.el9_2.x86_64 <br>5.14.0-284.18.1.el9_2.x86_64 <br> 5.14.0-284.23.1.el9_2.x86_64 <br> 5.14.0-284.25.1.el9_2.x86_64 <br> 5.14.0-284.28.1.el9_2.x86_64 <br> 5.14.0-284.30.1.el9_2.x86_64 <br> 5.14.0-284.32.1.el9_2.x86_64 <br> 5.14.0-284.34.1.el9_2.x86_64 <br> 5.14.0-284.36.1.el9_2.x86_64 <br> 5.14.0-284.40.1.el9_2.x86_64 <br> 5.14.0-284.41.1.el9_2.x86_64 <br> 5.14.0-284.43.1.el9_2.x86_64 <br> 5.14.0-284.44.1.el9_2.x86_64 <br> 5.14.0-284.45.1.el9_2.x86_64 <br> 5.14.0-284.48.1.el9_2.x86_64 <br> 5.14.0-284.50.1.el9_2.x86_64 <br> 5.14.0-284.52.1.el9_2.x86_64 <br> 5.14.0-362.8.1.el9_3.x86_64 <br> 5.14.0-362.13.1.el9_3.x86_64 |

+> [!NOTE]

+> Mobility service versions `9.58` and `9.59` are not released for Azure to Azure Site Recovery.

+

+**Release** | **Mobility service version** | **Red Hat kernel version** |

+ | | |

+Rocky Linux 9.0 <br> Rocky Linux 9.1 | [9.60]() | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 |

+> [!NOTE]

+> Mobility service versions`9.56` and `9.60` are only available for Modernized experience. <br>

+> Mobility service version `9.58` is not released for VMWare to Azure Site Recovery. <br>

+> Mobility service versions `9.59` is only available for Classic experience.

+Linux Red Hat Enterprise | 5.2 to 5.11</b><br/> 6.1 to 6.10</b> </br> 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4528026/update-rollup-41-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4564347/), [7.9 Beta version](https://support.microsoft.com/help/4578241/), [7.9](https://support.microsoft.com/help/4590304/) </br> [8.0](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), 8.1, [8.2](https://support.microsoft.com/help/4570609), [8.3](https://support.microsoft.com/help/4597409/), [8.4](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-305.30.1.el8_4.x86_64 or higher), [8.5](https://support.microsoft.com/topic/883a93a7-57df-4b26-a1c4-847efb34a9e8) (4.18.0-348.5.1.el8_5.x86_64 or higher), [8.6](https://support.microsoft.com/topic/update-rollup-62-for-azure-site-recovery-e7aff36f-b6ad-4705-901c-f662c00c402b), 8.7, 8.8, 8.9, 9.0, 9.1, 9.2, 9.3 <br/> Few older kernels on servers running Red Hat Enterprise Linux 5.2-5.11 & 6.1-6.10 don't have [Linux Integration Services (LIS) components](https://www.microsoft.com/download/details.aspx?id=55106) pre-installed. If in-built LIS components are missing, ensure to install the [components](https://www.microsoft.com/download/details.aspx?id=55106) before enabling replication for the machines to boot in Azure. <br> <br> **Notes**: <br> - Support for Linux Red Hat Enterprise versions `8.9`, `9.0`, `9.1`, `9.2`, and `9.3` is only available for Modernized experience and isn't available for Classic experience. <br> - RHEL `9.x` is supported for [the following kernel versions](#supported-kernel-versions-for-red-hat-enterprise-linux-for-azure-virtual-machines) |

+Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, [7.7](https://support.microsoft.com/help/4531426/update-rollup-42-for-azure-site-recovery), [7.8](https://support.microsoft.com/help/4573888/), [7.9](https://support.microsoft.com/help/4597409/), [8.0](https://support.microsoft.com/help/4573888/), [8.1](https://support.microsoft.com/help/4573888/), [8.2](https://support.microsoft.com/topic/b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.3](https://support.microsoft.com/topic/b19c8190-5f88-43ea-85b1-d9e0cc5ca7e8), [8.4](https://support.microsoft.com/topic/update-rollup-59-for-azure-site-recovery-kb5008707-66a65377-862b-4a4c-9882-fd74bdc7a81e), 8.5, 8.6, 8.7, 8.8, 8.9, 9.0, 9.1, 9.2, and 9.3 <br/><br/> **Notes:** <br> - Support for Oracle Linux `8.9`, `9.0`, `9.1`, `9.2`, and `9.3` is only available for Modernized experience and isn't available for Classic experience. <br><br> Running the Red Hat compatible kernel or Unbreakable Enterprise Kernel Release 3, 4 & 5 (UEK3, UEK4, UEK5)<br/><br/>8.1<br/>Running on all UEK kernels and RedHat kernel <= 3.10.0-1062.* are supported in [9.35](https://support.microsoft.com/help/4573888/) Support for rest of the RedHat kernels is available in [9.36](https://support.microsoft.com/help/4578241/). <br> Oracle Linux `9.x` is supported for the [following kernel versions](#supported-red-hat-linux-kernel-versions-for-oracle-linux-on-azure-virtual-machines) |

+>- For each of the Windows versions, Azure Site Recovery only supports [Long-Term Servicing Channel (LTSC)](/windows-server/get-started/servicing-channels-comparison#long-term-servicing-channel-ltsc) builds. [Semi-Annual Channel](/windows-server/get-started/servicing-channels-comparison#semi-annual-channel) releases are currently unsupported at this time.

+>- Ensure that for Linux versions, Azure Site Recovery doesn't support customized OS images. Only the stock kernels that are part of the distribution minor version release/update are supported.

+#### Supported kernel versions for Red Hat Enterprise Linux for Azure virtual machines

+**Release** | **Mobility service version** | **Red Hat kernel version** |

+ | | |

+RHEL 9.0 <br> RHEL 9.1 <br> RHEL 9.2 <br> RHEL 9.3 | 9.60 | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 <br> 5.14.0-284.11.1.el9_2.x86_64 <br> 5.14.0-284.13.1.el9_2.x86_64 <br> 5.14.0-284.16.1.el9_2.x86_64 <br> 5.14.0-284.18.1.el9_2.x86_64 <br> 5.14.0-284.23.1.el9_2.x86_64 <br> 5.14.0-284.25.1.el9_2.x86_64 <br> 5.14.0-284.28.1.el9_2.x86_64 <br> 5.14.0-284.30.1.el9_2.x86_64 <br> 5.14.0-284.32.1.el9_2.x86_64 <br> 5.14.0-284.34.1.el9_2.x86_64 <br> 5.14.0-284.36.1.el9_2.x86_64 <br> 5.14.0-284.40.1.el9_2.x86_64 <br> 5.14.0-284.41.1.el9_2.x86_64 <br>5.14.0-284.43.1.el9_2.x86_64 <br>5.14.0-284.44.1.el9_2.x86_64 <br> 5.14.0-284.45.1.el9_2.x86_64 <br>5.14.0-284.48.1.el9_2.x86_64 <br>5.14.0-284.50.1.el9_2.x86_64 <br> 5.14.0-284.52.1.el9_2.x86_64 <br>5.14.0-362.8.1.el9_3.x86_64 <br>5.14.0-362.13.1.el9_3.x86_64 |

+> [!NOTE]

+> Mobility service versions`9.56` and `9.60` are only available for Modernized experience. <br>

+> Mobility service version `9.58` is not released for VMWare to Azure Site Recovery. <br>

+> Mobility service versions `9.59` is only available for Classic experience.

+14.04 LTS | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d), [9.57](https://support.microsoft.com/topic/update-rollup-70-for-azure-site-recovery-kb5034599-e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60 | 3.13.0-24-generic to 3.13.0-170-generic,<br/>3.16.0-25-generic to 3.16.0-77-generic,<br/>3.19.0-18-generic to 3.19.0-80-generic,<br/>4.2.0-18-generic to 4.2.0-42-generic,<br/>4.4.0-21-generic to 4.4.0-148-generic,<br/>4.15.0-1023-azure to 4.15.0-1045-azure |

+16.04 LTS | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60 | 4.4.0-21-generic to 4.4.0-210-generic,<br/>4.8.0-34-generic to 4.8.0-58-generic,<br/>4.10.0-14-generic to 4.10.0-42-generic,<br/>4.11.0-13-generic, 4.11.0-14-generic,<br/>4.13.0-16-generic to 4.13.0-45-generic,<br/>4.15.0-13-generic to 4.15.0-142-generic<br/>4.11.0-1009-azure to 4.11.0-1016-azure<br/>4.13.0-1005-azure to 4.13.0-1018-azure <br/>4.15.0-1012-azure to 4.15.0-1113-azure </br> 4.15.0-101-generic to 4.15.0-107-generic |

+18.04 LTS | [9.60]() | No new Ubuntu 18.04 kernels supported in this release. |

+18.04 LTS | [9.59]() | No new Ubuntu 18.04 kernels supported in this release. |

+18.04 LTS | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | No new Ubuntu 18.04 kernels supported in this release|

+20.04 LTS | [9.60]() | No new Ubuntu 20.04 kernels supported in this release. |

+20.04 LTS | [9.59]() | No new Ubuntu 20.04 kernels supported in this release. |

+20.04 LTS |[9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | 5.15.0-1049-azure <br> 5.15.0-1050-azure <br> 5.15.0-1051-azure <br> 5.15.0-86-generic <br> 5.15.0-87-generic <br> 5.15.0-88-generic <br> 5.4.0-1117-azure <br> 5.4.0-1118-azure <br> 5.4.0-1119-azure <br> 5.4.0-164-generic <br> 5.4.0-165-generic <br> 5.4.0-166-generic |

+22.04 LTS <br> **Note**: Support for Ubuntu 22.04 is available for Modernized experience only and not available for Classic experience yet. | [9.60]() | 5.19.0-1025-azure <br> 5.19.0-1026-azure <br> 5.19.0-1027-azure <br> 6.2.0-1005-azure <br> 6.2.0-1006-azure <br> 6.2.0-1007-azure <br> 6.2.0-1008-azure <br> 6.2.0-1011-azure <br> 6.2.0-1012-azure <br> 6.2.0-1014-azure <br> 6.2.0-1015-azure <br> 6.2.0-1016-azure <br> 6.2.0-1017-azure <br> 6.2.0-1018-azure <br> 6.5.0-1007-azure <br> 6.5.0-1009-azure <br> 6.5.0-1010-azure <br> 5.19.0-41-generic <br> 5.19.0-42-generic <br> 5.19.0-43-generic <br> 5.19.0-45-generic <br> 5.19.0-46-generic <br> 5.19.0-50-generic <br> 6.2.0-25-generic <br> 6.2.0-26-generic <br> 6.2.0-31-generic <br> 6.2.0-32-generic <br> 6.2.0-33-generic <br> 6.2.0-34-generic <br> 6.2.0-35-generic <br> 6.2.0-36-generic <br> 6.2.0-37-generic <br> 6.2.0-39-generic <br> 6.5.0-14-generic |

+> [!NOTE]

+> Mobility service versions`9.56` and `9.60` are only available for Modernized experience. <br>

+> Mobility service version `9.58` is not released for VMWare to Azure Site Recovery. <br>

+> Mobility service versions `9.59` is only available for Classic experience.

+Debian 7 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d), [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60 | 3.2.0-4-amd64 to 3.2.0-6-amd64, 3.16.0-0.bpo.4-amd64 |

+Debian 8 | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f), [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810), [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) <br> [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50), 9.59, 9.60 | 3.16.0-4-amd64 to 3.16.0-11-amd64, 4.9.0-0.bpo.4-amd64 to 4.9.0-0.bpo.12-amd64 |

+Debian 9.1 | [9.60]() | No new Debian 9.1 kernels supported in this release. |

+Debian 9.1 | [9.59]() | No new Debian 9.1 kernels supported in this release. |

+Debian 9.1 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | No new Debian 9.1 kernels supported in this release|

+Debian 9.1 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | No new Debian 9.1 kernels supported in this release. |

+Debian 10 | [9.60]()| 4.19.0-26-amd64 <br> 4.19.0-26-cloud-amd64 <br> 5.10.0-0.deb10.27-amd64 <br> 5.10.0-0.deb10.27-cloud-amd64 |

+Debian 10 | [9.59]() | No new Debian 10 kernels supported in this release. |

+Debian 10 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | 5.10.0-0.deb10.26-amd64 <br> 5.10.0-0.deb10.26-cloud-amd64 |

+Debian 11 | [9.60]() | 5.10.0-27-amd64 <br> 5.10.0-27-cloud-amd64 |

+Debian 11 | [9.59]() | No new Debian 11 kernels supported in this release. |

+Debian 11 | [9.57](https://support.microsoft.com/topic/e94901f6-7624-4bb4-8d43-12483d2e1d50) | No new Debian 11 kernels supported in this release. |

+Debian 11 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | 5.10.0-26-amd64 <br> 5.10.0-26-cloud-amd64 |

+> [!NOTE]

+> Mobility service versions`9.56` and `9.60` are only available for Modernized experience. <br>

+> Mobility service version `9.58` is not released for VMWare to Azure Site Recovery. <br>

+> Mobility service versions `9.59` is only available for Classic experience.

+SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.60]() | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 4.12.14-16.163-azure:5 |

+SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.59]() | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 12 kernels supported in this release. |

+SUSE Linux Enterprise Server 12, SP1, SP2, SP3, SP4 | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 12 kernels supported in this release. |

+> [!NOTE]

+> Mobility service versions`9.56` and `9.60` are only available for Modernized experience. <br>

+> Mobility service version `9.58` is not released for VMWare to Azure Site Recovery. <br>

+> Mobility service versions `9.59` is only available for Classic experience.

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4 | [9.60]() | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 15 kernels supported in this release. |

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4 | [9.59]() | By default, all [stock SUSE 12 SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> No new SUSE 15 kernels supported in this release. |

+SUSE Linux Enterprise Server 15, SP1, SP2, SP3, SP4, SP5 <br> **Note:** SUSE 15 SP5 is only supported for Modernized experience. | [9.56](https://support.microsoft.com/topic/update-rollup-69-for-azure-site-recovery-kb5033791-a41c2400-0079-4f93-b4a4-366660d0a30d) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4, SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported.</br> 4.12.14-16.152-azure:5 <br> 5.14.21-150400.14.69-azure:4 <br> 5.14.21-150500.31-azure:5 <br> 5.14.21-150500.33.11-azure:5 <br> 5.14.21-150500.33.14-azure:5 <br> 5.14.21-150500.33.17-azure:5 <br> 5.14.21-150500.33.20-azure:5 <br> 5.14.21-150500.33.3-azure:5 <br> 5.14.21-150500.33.6-azure:5 |

+#### Supported Red Hat Linux kernel versions for Oracle Linux on Azure virtual machines

+**Release** | **Mobility service version** | **Red Hat kernel version** |

+ | | |

+Oracle Linux 9.0 <br> Oracle Linux 9.1 <br> Oracle Linux 9.2 <br> Oracle Linux 9.3 | 9.60 | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 <br> 5.14.0-284.11.1.el9_2.x86_64 <br>5.14.0-284.13.1.el9_2.x86_64 <br>5.14.0-284.16.1.el9_2.x86_64 <br>5.14.0-284.18.1.el9_2.x86_64 <br> 5.14.0-284.23.1.el9_2.x86_64 <br> 5.14.0-284.25.1.el9_2.x86_64 <br> 5.14.0-284.28.1.el9_2.x86_64 <br> 5.14.0-284.30.1.el9_2.x86_64 <br> 5.14.0-284.32.1.el9_2.x86_64 <br> 5.14.0-284.34.1.el9_2.x86_64 <br> 5.14.0-284.36.1.el9_2.x86_64 <br> 5.14.0-284.40.1.el9_2.x86_64 <br> 5.14.0-284.41.1.el9_2.x86_64 <br> 5.14.0-284.43.1.el9_2.x86_64 <br> 5.14.0-284.44.1.el9_2.x86_64 <br> 5.14.0-284.45.1.el9_2.x86_64 <br> 5.14.0-284.48.1.el9_2.x86_64 <br> 5.14.0-284.50.1.el9_2.x86_64 <br> 5.14.0-284.52.1.el9_2.x86_64 <br> 5.14.0-362.8.1.el9_3.x86_64 <br> 5.14.0-362.13.1.el9_3.x86_64 |

+**Release** | **Mobility service version** | **Red Hat kernel version** |

+ | | |

+Rocky Linux 9.0 <br> Rocky Linux 9.1 | [9.60]() | 5.14.0-70.13.1.el9_0.x86_64 <br> 5.14.0-70.17.1.el9_0.x86_64 <br> 5.14.0-70.22.1.el9_0.x86_64 <br> 5.14.0-70.26.1.el9_0.x86_64 <br> 5.14.0-70.30.1.el9_0.x86_64 <br> 5.14.0-70.36.1.el9_0.x86_64 <br> 5.14.0-70.43.1.el9_0.x86_64 <br> 5.14.0-70.49.1.el9_0.x86_64 <br> 5.14.0-70.50.2.el9_0.x86_64 <br> 5.14.0-70.53.1.el9_0.x86_64 <br> 5.14.0-70.58.1.el9_0.x86_64 <br> 5.14.0-70.64.1.el9_0.x86_64 <br> 5.14.0-70.70.1.el9_0.x86_64 <br> 5.14.0-70.75.1.el9_0.x86_64 <br> 5.14.0-70.80.1.el9_0.x86_64 <br> 5.14.0-70.85.1.el9_0.x86_64 <br> 5.14.0-162.6.1.el9_1.x86_64ΓÇ» <br> 5.14.0-162.12.1.el9_1.x86_64 <br> 5.14.0-162.18.1.el9_1.x86_64 |

+ from azure.storage.blob import BlobServiceClient

+> If you set the **Delete versions after** option, a rule is automatically added to the lifecycle management policy of the storage account. Once that rule is added, the **Delete versions after** option no longer appears in the **Data protection** configuration page.

+description: Azure PowerShell Script Sample - Create multiple Elastic SAN Preview volumes in a batch.

+## Limitations

+- If a volume is larger than 4 TiB, export of a volume snapshot to a disk snapshot is not supported.

+### Estimating storage transaction charges

+As you begin your migration to Azure Files, RoboCopy copies your files and folders into Azure. Depending on your billing model for Azure Files, transaction charges might apply. See [Understanding billing](understanding-billing.md).

+If you're using a pay-as-you-go billing model for standard Azure file shares, it might be difficult to estimate the number of transactions your migration will generate.

+- It's not possible to estimate the number of transactions based on the utilized storage capacity of the source. The number of transactions scales with the number of namespace items (files and folder) and their properties that are migrated, not their size. For example, more transactions are required to migrate 1 GiB of small files than 1 GiB of larger files.

+- In order to minimize downtime, you might need to run copy operations several times from source to target. All source and target items are processed during each copy operation, though subsequent runs finish faster. After the initial operations, only the differences introduced between copy runs are transported over the network. It's important to understand that although less data is being transported, the number of transactions required might remain the same.

+- Copying the same file twice might not result in the same number of transactions. Processing an item migrated in a previous copy run might result in only a few read transactions. In contrast, changes to metadata or content between copy runs might require a larger number of transactions to update the target. Each file in your namespace might have unique requirements, resulting in a different number of transactions.

+It's advisable to run some initial tests on your own data to better understand how many transactions are incurred. This will give you a better idea of the total number of transactions a file migration might generate.

+ echo "$SMB_PATH $MNT_PATH cifs _netdev,nofail,credentials=$SMB_CREDENTIAL_FILE,serverino,nosharesock,actimeo=30" | sudo tee -a /etc/fstab >

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+**Applies to:** :heavy_check_mark: Flexible scale sets

+### [Portal](#tab/portal)

+You can set your Spot Priority Mix in the Spot tab of the Virtual Machine Scale Sets creation process in the Azure portal. The following steps instruct you on how to access this feature during that process.

+1. Continue through the Virtual Machine Scale Set creation process.

+You can set your Spot Priority Mix using Azure CLI by setting the `priority` flag to `Spot` and including the `regular-priority-count` and `regular-priority-percentage` flags.

+You can set your Spot Priority Mix using Azure PowerShell by setting the `Priority` parameter to `Spot` and including the `BaseRegularPriorityCount` and `RegularPriorityPercentage` parameters.

+1. Your current Spot Priority Mix should be visible. Here you can change the **Base VM (uninterruptible) count** and **Instance distribution** of Spot and Standard VMs.

+1. Press the **Save** button to apply your changes.

+You can update your Spot Priority Mix using Azure CLI by updating the `regular-priority-count` and `regular-priority-percentage` parameters.

+You can update your Spot Priority Mix using Azure PowerShell by updating the `BaseRegularPriorityCount` and `RegularPriorityPercentage` parameters.

+The following examples have scenario assumptions, a table of actions, and walk-through of results to help you understand how Spot Priority Mix configuration works.

+1. By the last scale-out, your scale set is already balanced, so one of each type of VM is created.

+ - 10 of those VMs are the Base (standard) VMs, 2 extra standard VMs, and 8 Spot priority VMs for your 25% *regularPriorityPercentageAboveBase*.

+ - Another way to look at this ratio is you have 1 standard VM for every 4 Spot VMs in the scale set.

+## Troubleshooting

+Spot VMs, and therefore Spot Priority Mix, are available in all global Azure regions.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+Some examples of configurations that won't work when using default outbound access:

+- When you have multiple NICs on the same VM, note that default outbound IPs won't consistently be the same across all NICs.

+- Similarly, default outbound IPs aren't consistent or contiguous across VM instances in a Virtual Machine Scale Set.

+> Private Subnet is currently in public preview. It's provided without a service-level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+ > Certain services won't function on a virtual machine in a Private Subnet without an explicit method of egress (examples are Windows Activation and Windows Updates).

+#### Private subnet limitations

+

+* In order to utilize to activate/update virtual machine operation systems, including Windows, it's a requirement to have an explicit outbound connectivity method.

+* Delegated subnets can't be marked as Private.

+* Existing subnets can't currently be converted to Private.

+* In configurations using a User Defined Route (UDR) with a default route (0/0) that sends traffic to an upstream firewall/network virtual appliance, any traffic that bypasses this route (e.g. to Service Tagged destinations) will break in a Private subnet.

+* Public connectivity is required for Windows Activation and Windows Updates. It's recommended to set up an explicit form of public outbound connectivity.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+```

+ sudo yum install gcc -y

+ sudo apt-get -y install build-essential

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+Syncing of virtual network peers can be performed through the Azure portal or with Azure PowerShell. We recommend that you run sync after every resize address space operation instead of performing multiple resizing operations and then running the sync operation. To learn how to update the address space for a peered virtual network, see [Updating the address space for a peered virtual network](./update-virtual-network-peering-address-space.md).

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+> [!CAUTION]

+> This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly.

+Rate limiting enables you to detect and block abnormally high levels of traffic from any socket IP address. By using Azure Web Application Firewall in Azure Front Door, you can mitigate some types of denial-of-service attacks. Rate limiting also protects you against clients that were accidentally misconfigured to send large volumes of requests in a short time period.

+The socket IP address is the address of the client that initiated the TCP connection to Azure Front Door. Typically, the socket IP address is the IP address of the user, but it might also be the IP address of a proxy server or another device that sits between the user and Azure Front Door. If you have multiple clients that access Azure Front Door from different socket IP addresses, they each have their own rate limits applied.